Commit graph

32 commits

Author         SHA1        Message                                     Date
Viktor Barzin  63cb53818d  state(mailserver): update encrypted state   2026-04-15 19:52:59 +00:00
Viktor Barzin  0f4010d925  state(mailserver): update encrypted state   2026-04-15 19:51:51 +00:00
Viktor Barzin  81d6644818  state(mailserver): update encrypted state   2026-04-15 19:51:41 +00:00
Viktor Barzin  7bdbd7ac17  state(mailserver): update encrypted state   2026-04-15 19:20:04 +00:00
Viktor Barzin  c5d1120715  state(mailserver): update encrypted state   2026-04-15 19:08:08 +00:00
Viktor Barzin  8b2589f269  state(mailserver): update encrypted state   2026-04-15 19:07:59 +00:00
Viktor Barzin  56cf1a901c  state(mailserver): update encrypted state   2026-04-15 19:07:52 +00:00
Viktor Barzin  bf66d77b6a  state(mailserver): update encrypted state   2026-04-15 19:07:42 +00:00
Viktor Barzin  43342f860c  state(mailserver): update encrypted state   2026-04-14 19:13:46 +00:00
Viktor Barzin  4e80ac40c4  state(mailserver): update encrypted state   2026-04-12 22:16:25 +01:00
Viktor Barzin  e71a65acc4  state(mailserver): update encrypted state   2026-04-12 22:15:44 +01:00
Viktor Barzin  887152194c  state(mailserver): update encrypted state   2026-04-12 22:12:43 +01:00
Viktor Barzin  2ba456e070  state(mailserver): update encrypted state   2026-04-12 21:46:34 +01:00
Viktor Barzin  92881ee6af  state(mailserver): update encrypted state   2026-04-12 20:43:56 +01:00
Viktor Barzin  78373dcce4  state(mailserver): update encrypted state   2026-04-12 14:02:49 +01:00
Viktor Barzin  06359aa3fa  state(mailserver): update encrypted state   2026-04-06 13:17:27 +03:00
Viktor Barzin  9c47311d45  state(mailserver): update encrypted state   2026-04-05 22:23:12 +03:00
Viktor Barzin  0ca177ff98  state(mailserver): update encrypted state   2026-04-05 21:55:30 +03:00
Viktor Barzin  3dccbca95b  state(mailserver): update encrypted state   2026-04-04 17:55:54 +03:00
Viktor Barzin  a48149ff0d  state(mailserver): update encrypted state   2026-03-25 22:58:35 +02:00
Viktor Barzin  49de96a0c1  state(mailserver): update encrypted state   2026-03-25 22:20:02 +02:00
Viktor Barzin  d1036de313  state(mailserver): update encrypted state   2026-03-25 22:16:06 +02:00
Viktor Barzin  f33940cbce  state(mailserver): update encrypted state   2026-03-25 22:10:26 +02:00
Viktor Barzin  26ab7acbda  state(mailserver): update encrypted state   2026-03-25 22:08:50 +02:00
Viktor Barzin  327787effe  state(mailserver): update encrypted state   2026-03-25 02:10:38 +02:00
Viktor Barzin  dbdc603cac  state(mailserver): update encrypted state   2026-03-24 18:21:06 +02:00
Viktor Barzin  461961c179  state(mailserver): update encrypted state   2026-03-24 18:19:13 +02:00
Viktor Barzin  03f5f305e2  state(mailserver): update encrypted state   2026-03-21 11:31:05 +00:00
Viktor Barzin  77143dfd6b  state: per-stack Transit keys for namespace-owner access control   2026-03-17 23:08:18 +00:00
  - Each stack gets its own Vault Transit key (transit/keys/sops-state-<stack>)
  - state-sync passes per-stack Transit URI + age keys on encrypt
  - Vault policies scope namespace-owners to their stacks only:
    - sops-admin: wildcard access to all transit keys
    - sops-user-<name>: access only to owned stack keys
  - Anca (plotting-book) can only decrypt plotting-book state
  - Admin can decrypt everything (via admin Transit policy or age fallback)
  - External group sops-plotting-book maps Authentik group to Vault policy
  - Updated CLAUDE.md with state sync documentation
Viktor Barzin  4e7ca1ad61  state: add Vault Transit as primary SOPS backend, age as fallback   2026-03-17 22:56:33 +00:00
  - .sops.yaml: add hc_vault_transit_uri for transit/keys/sops-state
  - state-sync: try Vault Transit first, fall back to age key on disk
  - Re-encrypted all 101 state files with both Vault Transit + age
  - Normal workflow: vault login → decrypt via Transit (no key files)
  - Bootstrap/DR: age key at ~/.config/sops/age/keys.txt
Viktor Barzin  9f80eb7ba0  state: add devvm as SOPS recipient   2026-03-17 22:41:19 +00:00
  Add devvm age public key to .sops.yaml and re-encrypt all 101 state
  files with both laptop and devvm keys.
Viktor Barzin  b6faa24349  state: add SOPS-encrypted terraform state to git   2026-03-17 22:37:56 +00:00
  - SOPS + age encrypts all 101 .tfstate files (JSON-aware: keys visible, values encrypted)
  - scripts/state-sync: encrypt/decrypt/commit wrapper
  - scripts/tg: auto-decrypt before ops, auto-encrypt+commit after apply/destroy
  - terragrunt.hcl: -backup=- prevents backup file accumulation
  - .gitignore: track .tfstate.enc, ignore plaintext .tfstate
  - Cleaned 964MB of stale backups (state/backups/, .backup files)