infra/.sops.yaml
Viktor Barzin 77143dfd6b state: per-stack Transit keys for namespace-owner access control
- Each stack gets its own Vault Transit key (transit/keys/sops-state-<stack>)
- state-sync passes per-stack Transit URI + age keys on encrypt
- Vault policies scope namespace-owners to their stacks only:
  - sops-admin: wildcard access to all transit keys
  - sops-user-<name>: access only to owned stack keys
- Anca (plotting-book) can only decrypt plotting-book state
- Admin can decrypt everything (via admin Transit policy or age fallback)
- External group sops-plotting-book maps Authentik group to Vault policy
- Updated CLAUDE.md with state sync documentation
2026-03-17 23:08:18 +00:00

6 lines
276 B
YAML

creation_rules:
  - path_regex: '\.tfstate(\.enc)?$'
    # Per-stack Transit key passed via --hc-vault-transit in state-sync
    age: >-
      age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce,
      age1rekkad48r2wzhwqgfetw5yugu3ln3qlht4xg3txmx55tee8cveess60r90
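The commit message describes two kinds of Vault policy: a wildcard `sops-admin` policy over every per-stack Transit key, and a `sops-user-<name>` policy limited to the keys of the stacks that user owns. The block below is an added illustration of that split, written for this page; it is not the repository's own policy files. The Transit mount name `transit`, the key naming `sops-state-<stack>`, the policy names and the `plotting-book` stack come from the commit message; the user name `anca` in the policy name is an assumption.

```hcl
# Added example, not the repository's own policy files.
# sops reaches Transit through transit/encrypt/<key> and transit/decrypt/<key>;
# both are POST endpoints, which Vault authorises with the "update" capability.

# --- policy "sops-admin": every per-stack state key ---
# The trailing glob covers any key that starts with "sops-state-".
path "transit/encrypt/sops-state-*" {
  capabilities = ["update"]
}
path "transit/decrypt/sops-state-*" {
  capabilities = ["update"]
}

# --- policy "sops-user-anca" (name assumed): only the plotting-book key ---
# No glob here: every other sops-state-<stack> key stays denied by default,
# so a token carrying only this policy cannot decrypt another stack's state.
path "transit/encrypt/sops-state-plotting-book" {
  capabilities = ["update"]
}
path "transit/decrypt/sops-state-plotting-book" {
  capabilities = ["update"]
}
```

Load each policy with `vault policy write <name> <file>` and attach the user policy to the external group the commit mentions. Two points worth checking after that: Vault's `*` is a trailing glob only, so `sops-state-*` also matches a key such as `sops-state-plotting-book-old`, which is what an admin wants and a per-user policy must not use; and a stack owner's token can be verified with `vault token capabilities transit/decrypt/sops-state-<other-stack>`, which should report `deny` for any stack they do not own.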