infra/docs/architecture
Viktor Barzin d4ec5768b2 vault-token-renew: version the devvm renewer + user units in the repo
The devvm periodic Vault admin token (token-devvm-wizard, period=768h, policies default+sops-admin+vault-admin) is kept alive by a systemd user timer, but the renewer script + units lived only under ~/.local/bin and ~/.config/systemd/user — lost on a devvm rebuild. Move them into the repo as the source of truth so a rebuild can restore them. (version-only scope: behavior unchanged; no canonical-file/self-heal added.)

- scripts/vault-token-renew.{sh,service,timer}: renewer + user units, refactored into pure drift-guard functions + a guarded main (behavior identical; deployed live and verified still renewing with full write access).

- scripts/test-vault-token-renew.sh: unit-tests the drift guard + lookup-JSON parsing, incl. the 2026-06-05 woodpecker-clobber case (17 assertions).

- docs/runbooks/vault-token-renew-devvm.md: deploy, mint/re-mint, health-check, drift recovery.

- docs/architecture/secrets.md: correct the stale '~/.vault-token = OIDC token' description for devvm.

[ci skip]

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-07 22:10:06 +00:00
agent-task-tracking.md Add agent task tracking documentation 2026-04-15 17:11:26 +00:00
authentication.md docs: dashboard SA cluster-read tightened to namespace-list + nodes only [ci skip] 2026-06-05 09:19:11 +00:00
automated-upgrades.md claude-agent-service: wire parallel execution (git-crypt mount, memory, MAX_CONCURRENCY) 2026-06-03 10:24:24 +00:00
backup-dr.md backup: stop offsite-copying regenerable data; shrink nextcloud backup; pin nextcloud image 2026-06-01 15:15:26 +00:00
chrome-service.md chrome-service docs: clarify f1-stream is not a real caller 2026-06-05 09:19:10 +00:00
ci-cd.md docs: f1-stream is Woodpecker-native (Forgejo viktor/f1-stream), not GHA/repo-10 2026-06-05 09:19:12 +00:00
compute.md docs(architecture): fix stale 5-node claim -> 7 nodes (k8s-node1..6) [ci skip] 2026-06-05 20:03:58 +00:00
databases.md redis: revert 3-node Sentinel HA to single standalone instance [ci skip] 2026-05-30 17:49:43 +00:00
dns.md docs(architecture): fix stale 5-node claim -> 7 nodes (k8s-node1..6) [ci skip] 2026-06-05 20:03:58 +00:00
homepage.md add homepage auto-discovery documentation [ci skip] 2026-03-25 13:06:43 +02:00
incident-response.md [claude-agent-service] Migrate all pipelines from DevVM SSH to K8s HTTP 2026-04-18 10:12:02 +00:00
llama-cpp.md immich: set MACHINE_LEARNING_MODEL_TTL 0->600 to stop GPU VRAM hog 2026-06-02 20:16:11 +00:00
mailserver.md docs(architecture): fix stale 5-node claim -> 7 nodes (k8s-node1..6) [ci skip] 2026-06-05 20:03:58 +00:00
monitoring.md monitoring: add local-only prometheus-query.lan ingress for ha-sofia SNMP sensors 2026-06-05 17:25:06 +00:00
multi-tenancy.md docs: dashboard SA cluster-read tightened to namespace-list + nodes only [ci skip] 2026-06-05 09:19:11 +00:00
networking.md technitium: CoreDNS rewrite forgejo.viktorbarzin.me -> Traefik ClusterIP 2026-06-04 07:34:30 +00:00
overview.md docs(architecture): fix stale 5-node claim -> 7 nodes (k8s-node1..6) [ci skip] 2026-06-05 20:03:58 +00:00
secrets.md vault-token-renew: version the devvm renewer + user units in the repo 2026-06-07 22:10:06 +00:00
security.md docs(security): bot-block-proxy is a no-op while poison-fountain is at 0 [ci skip] 2026-06-06 16:51:26 +00:00
storage.md docs(storage): record harden-half shipped (orphan cleanup + ghost-reconcile) 2026-06-05 21:39:36 +00:00
vpn.md docs: Technitium DNS IP — 10.0.20.101 → 10.0.20.201 2026-05-23 08:53:52 +00:00
wave1-egress-observation-2026-05-22.md security(wave1): W1.7 analysis snapshot — observation data → allowlist plan 2026-05-22 15:22:25 +00:00