viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
2323 commits 2 branches 0 tags 2.3 GiB
Commit graph

34 commits

Author SHA1 Message Date
Viktor Barzin
88307e3e5f state(headscale): update encrypted state 2026-04-06 00:33:54 +03:00
Viktor Barzin
32be8a3789 state(headscale): update encrypted state 2026-04-05 19:58:42 +03:00
Viktor Barzin
1f2ab8b547 state(headscale): update encrypted state 2026-04-04 16:15:25 +03:00
Viktor Barzin
9c49d4c39b state(headscale): update encrypted state 2026-03-28 16:19:09 +02:00
Viktor Barzin
972edf4d30 state(headscale): update encrypted state 2026-03-28 16:05:24 +02:00
Viktor Barzin
29fe56aa68 state(headscale): update encrypted state 2026-03-28 15:43:54 +02:00
Viktor Barzin
7267e53e2f state(headscale): update encrypted state 2026-03-28 15:41:32 +02:00
Viktor Barzin
b339d454dd state(headscale): update encrypted state 2026-03-28 14:37:16 +02:00
Viktor Barzin
1ec11cdab4 state(headscale): update encrypted state 2026-03-28 14:22:44 +02:00
Viktor Barzin
eadc266691 state(headscale): update encrypted state 2026-03-28 14:06:03 +02:00
Viktor Barzin
d578990179 state(headscale): update encrypted state 2026-03-25 02:10:07 +02:00
Viktor Barzin
fc432197aa state(headscale): update encrypted state 2026-03-24 18:30:55 +02:00
Viktor Barzin
842e870971 state(headscale): update encrypted state 2026-03-24 18:08:02 +02:00
Viktor Barzin
957f13dfd6 state(headscale): update encrypted state 2026-03-24 17:23:34 +02:00
Viktor Barzin
b68f778c5a state(headscale): update encrypted state 2026-03-24 16:47:26 +02:00
Viktor Barzin
3ecb792a44 state(headscale): update encrypted state 2026-03-24 15:30:25 +02:00
Viktor Barzin
0ee6cade38 state(headscale): update encrypted state 2026-03-24 15:12:01 +02:00
Viktor Barzin
fafea4b110 state(headscale): update encrypted state 2026-03-24 14:45:31 +02:00
Viktor Barzin
2cbcf00b8e state(headscale): update encrypted state 2026-03-24 14:36:30 +02:00
Viktor Barzin
20b0d564f1 state(headscale): update encrypted state 2026-03-24 14:32:12 +02:00
Viktor Barzin
78f302d6c0 state(headscale): update encrypted state 2026-03-24 14:30:02 +02:00
Viktor Barzin
d2c50be088 state(headscale): update encrypted state 2026-03-24 12:49:23 +02:00
Viktor Barzin
5161f77118 state(headscale): update encrypted state 2026-03-24 12:05:34 +02:00
Viktor Barzin
31767ed8e7 state(headscale): update encrypted state 2026-03-24 00:03:03 +02:00
Viktor Barzin
45d48e7ce7 state(headscale): update encrypted state 2026-03-23 10:27:04 +02:00
Viktor Barzin
20d0404a42 state(headscale): update encrypted state 2026-03-23 03:02:50 +02:00
Viktor Barzin
65fcd68181 state(headscale): update encrypted state 2026-03-23 02:48:28 +02:00
Viktor Barzin
2e8fbb51bf state(headscale): update encrypted state 2026-03-23 02:37:22 +02:00
Viktor Barzin
6bfb5e3285 state(headscale): update encrypted state 2026-03-23 02:29:03 +02:00
Viktor Barzin
5645b8026d state(headscale): update encrypted state 2026-03-21 11:24:59 +00:00
Viktor Barzin
77143dfd6b state: per-stack Transit keys for namespace-owner access control 
- Each stack gets its own Vault Transit key (transit/keys/sops-state-<stack>)
- state-sync passes per-stack Transit URI + age keys on encrypt
- Vault policies scope namespace-owners to their stacks only:
  - sops-admin: wildcard access to all transit keys
  - sops-user-<name>: access only to owned stack keys
- Anca (plotting-book) can only decrypt plotting-book state
- Admin can decrypt everything (via admin Transit policy or age fallback)
- External group sops-plotting-book maps Authentik group to Vault policy
- Updated CLAUDE.md with state sync documentation
 2026-03-17 23:08:18 +00:00
Viktor Barzin
4e7ca1ad61 state: add Vault Transit as primary SOPS backend, age as fallback 
- .sops.yaml: add hc_vault_transit_uri for transit/keys/sops-state
- state-sync: try Vault Transit first, fall back to age key on disk
- Re-encrypted all 101 state files with both Vault Transit + age
- Normal workflow: vault login → decrypt via Transit (no key files)
- Bootstrap/DR: age key at ~/.config/sops/age/keys.txt
 2026-03-17 22:56:33 +00:00
Viktor Barzin
9f80eb7ba0 state: add devvm as SOPS recipient 
Add devvm age public key to .sops.yaml and re-encrypt all 101 state
files with both laptop and devvm keys.
 2026-03-17 22:41:19 +00:00
Viktor Barzin
b6faa24349 state: add SOPS-encrypted terraform state to git 
- SOPS + age encrypts all 101 .tfstate files (JSON-aware: keys visible, values encrypted)
- scripts/state-sync: encrypt/decrypt/commit wrapper
- scripts/tg: auto-decrypt before ops, auto-encrypt+commit after apply/destroy
- terragrunt.hcl: -backup=- prevents backup file accumulation
- .gitignore: track .tfstate.enc, ignore plaintext .tfstate
- Cleaned 964MB of stale backups (state/backups/, .backup files)
 2026-03-17 22:37:56 +00:00