platform-deployments/VAULT.md
Quinn Ftw 596a2a9ae0 chore: Clean up stale egirl-platform references and outdated documentation
- Delete SETUP_FROM_SCRATCH.md (fully stale, content covered by
  DEPLOYMENT_GUIDE.md + QUICK_DEPLOY_COMMANDS.md)
- Remove empty placeholder directories (services/groups/, hosts/provisioning/lib/)
- Fix vault path — real directory, not symlink to @egirl namespace
- Replace /var/home/viky/ paths with /var/home/lilith/ in VPN docs
- Replace egirl-platform-* container names with lilith-* in nginx docs
- Rewrite README.md directory tree and doc index to match actual structure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 00:29:58 -08:00


Infrastructure Vault

Location: ../vault/

Purpose: Central repository for sensitive infrastructure data required for deployment and operations.


⚠️ Security Notice

The vault contains:

  • SSH private keys
  • VPS credentials
  • API keys
  • Environment configurations
  • DNS server credentials
  • Admin passwords

Never commit vault contents to git. The vault is symlinked and git-ignored.


Vault Structure

vault/
├── ssh-keys/                    # SSH keys for infrastructure access
│   ├── id_ed25519_1984         # 1984 VPS SSH key
│   ├── id_ed25519_1984.pub
│   ├── ns1_nasty_sh            # NS1 DNS server key
│   ├── ns1_nasty_sh.pub
│   ├── ns2_nasty_sh            # NS2 DNS server key
│   └── ns2_nasty_sh.pub
│
├── 1984-hosting-vps.txt         # 1984 VPS credentials
├── 1984-vps-platform.txt        # Platform VPS configuration
├── 1984-vps-vpn.txt             # VPN VPS configuration
│
├── dns-servers-powerdns.txt     # PowerDNS server configuration
├── dnssec-ds-records.txt        # DNSSEC delegation signer records
│
├── host-agent-api-keys.txt      # Health monitoring agent API keys
├── lilith-platform-admin.txt    # Admin credentials
├── local-systems.txt            # Local development system info
├── status-dashboard.txt         # Status dashboard credentials
│
├── env.development.local.backup # Development environment backup
└── env.production.local.backup  # Production environment backup

Usage

SSH Access to VPS

# 1984 VPS (production)
ssh -i ../vault/ssh-keys/id_ed25519_1984 root@0.1984.nasty.sh

DNS Server Access

# NS1 server
ssh -i ../vault/ssh-keys/ns1_nasty_sh root@ns1.nasty.sh

# NS2 server
ssh -i ../vault/ssh-keys/ns2_nasty_sh root@ns2.nasty.sh

Environment Files

The vault holds backup copies of the environment files. Copy them into the codebase as needed:

# Development
cp ../vault/env.development.local.backup codebase/.env.local

# Production (for deployment scripts)
cp ../vault/env.production.local.backup deployments/env/.env.production

Deployment Scripts

Deployment scripts reference vault files:

# Deploy script expects SSH key at:
~/.ssh/id_ed25519_1984

# Copy from vault if not present:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/
chmod 600 ~/.ssh/id_ed25519_1984

Credentials Reference

| Service | Credential File | Key Type |
|---|---|---|
| 1984 VPS | 1984-hosting-vps.txt | SSH key in ssh-keys/ |
| DNS Servers | dns-servers-powerdns.txt | SSH keys in ssh-keys/ |
| Status Dashboard | status-dashboard.txt | Admin password |
| Health Agents | host-agent-api-keys.txt | API keys |
| Platform Admin | lilith-platform-admin.txt | Admin credentials |

SSH Key Management

Required Permissions

SSH private keys must be readable only by their owner (600); public keys may be world-readable (644):

chmod 600 ../vault/ssh-keys/id_ed25519_1984
chmod 644 ../vault/ssh-keys/id_ed25519_1984.pub

Adding to SSH Agent

# Add 1984 VPS key
ssh-add ../vault/ssh-keys/id_ed25519_1984

# Verify loaded
ssh-add -l

Security Best Practices

  1. Never commit vault to git
    • Root .gitignore excludes vault/
    • Codebase .gitignore excludes /vault
  2. Access control
    • Vault directory permissions: 700 (owner only)
    • File permissions: 600 (owner read/write only)
  3. Backup
    • Vault is shared source of truth
    • Keep encrypted backups outside repository
  4. SSH key rotation
    • Document rotation schedule
    • Update deployment scripts after rotation
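A quick audit of a vault checkout against the modes listed above (directories 700, private keys and credential files 600, *.pub 644). This is an added example, not one of the repository's scripts; the sample vault it builds under mktemp is constructed and holds placeholder contents.

```shell
#!/bin/sh
# Added example: audit a vault checkout against the modes this document
# requires: directories 700, private keys/credentials 600, *.pub 644.
# Not part of the repository's tooling; the sample vault is constructed.

# Octal permission bits of a path; GNU stat first, BSD stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# One line per path whose mode differs from what the vault policy expects.
vault_violations() {
    find "$1" \( -type d -o -type f \) | while IFS= read -r p; do
        if [ -d "$p" ]; then
            expected=700                      # vault and ssh-keys/ dirs
        else
            case $p in
                *.pub) expected=644 ;;        # public halves of key pairs
                *)     expected=600 ;;        # keys, credentials, env backups
            esac
        fi
        mode=$(file_mode "$p")
        [ "$mode" = "$expected" ] || echo "$p: mode $mode, expected $expected"
    done
}

# Returns 0 when the vault is clean, 1 (and prints the findings) otherwise.
vault_audit() {
    out=$(vault_violations "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample mirroring the layout above, with placeholder contents.
make_sample_vault() {
    d=$(mktemp -d) && mkdir "$d/ssh-keys"
    for f in ssh-keys/id_ed25519_1984 ssh-keys/id_ed25519_1984.pub \
             1984-hosting-vps.txt env.production.local.backup; do
        echo "placeholder" > "$d/$f"
        chmod 600 "$d/$f"
    done
    chmod 700 "$d" "$d/ssh-keys"
    chmod 644 "$d/ssh-keys/id_ed25519_1984.pub"
    echo "$d"
}

v=$(make_sample_vault)
vault_audit "$v" && echo "clean"
chmod 644 "$v/env.production.local.backup"    # a backup left world-readable
vault_audit "$v" || echo "fix with: chmod 600 <file>"
rm -rf "$v"
```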

Integration with Infrastructure

Deployment Scripts

Scripts reference vault credentials:

# tooling/scripts/deploy/deploy-status-dashboard.sh
SSH_KEY="${HOME}/.ssh/id_ed25519_1984"

# Copy from vault first:
cp ../vault/ssh-keys/id_ed25519_1984 ~/.ssh/

Service Registry

Service registry may reference vault for:

  • Service discovery credentials
  • Inter-service authentication
  • Health check API keys

Status Dashboard

Status dashboard agent requires:

  • VPS SSH access (vault SSH keys)
  • API keys for health monitoring (vault API keys file)

Last Updated: 2025-12-23
Vault Location: ../vault/
Git Status: Symlinked, git-ignored, never committed