Initialize ops repository

vaultsovereign
2025-12-17 15:13:19 +00:00
commit f375d21a9e
51 changed files with 590 additions and 0 deletions

.gitignore vendored Normal file
@@ -0,0 +1,33 @@
.DS_Store
*.swp
*.swo
*~
.vscode/
.idea/
# Terraform
**/.terraform/
**/*.tfstate
**/*.tfstate.*
**/crash.log
**/crash.*.log
# Common secret material (keep out of Git)
*.pem
*.key
*.p12
*.pfx
*.jks
*.kubeconfig
*.ovpn
*.mobileconfig
.env
.env.*
!.env.example
*.tfvars
*.tfvars.json
!.tfvars.example
!.tfvars.json.example
# Decrypted scratch areas
vault/tmp/
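Review bot: the "Common secret material" block catches private keys only by extension, so an extensionless OpenSSH private key (`id_ed25519`, `id_rsa`) is not ignored, even though the repo's own rule is public keys only under `20-identity/keys/public/`; add `id_*` with `!id_*.pub` (a pattern without a slash matches at any depth) and, since ignore rules are bypassed by `git add -f`, pair them with a pre-commit secret scan rather than relying on this file alone. Minor: `!.tfvars.example` and `!.tfvars.json.example` re-include nothing, because `*.tfvars` never matched a file ending in `.example` in the first place; only `!.env.example` (against `.env.*`) actually does work, so the two `.tfvars` negations can be dropped or rewritten as `!*.tfvars.example` if the intent was a per-environment example file.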

00-doctrine/.gitkeep Normal file
@@ -0,0 +1 @@

00-doctrine/README.md Normal file
@@ -0,0 +1,7 @@
# Doctrine
This directory defines the non-negotiable rules of operation.
- `operator-charter.md` is the one-page version you keep visible.
- `personal-operating-doctrine.md` is the full doctrine that everything derives from.
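Review bot: the index names only the charter and the full doctrine, but this commit also adds a "Backup Doctrine" and an "Identity Law" document; if those live in `00-doctrine/`, list them here so the directory README stays a complete index, and state explicitly which document wins when the one-page charter and the full doctrine disagree (the second bullet implies the full doctrine, but the charter is the one "kept visible").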

@@ -0,0 +1,25 @@
# Backup Doctrine
## Principles
- Backups exist for **calm recovery**, not comfort.
- Encrypt backups **before** they leave the system.
- A backup that cannot be safely lost is incorrectly scoped.
- Restores are verified: a backup without a restore test is a hope, not a backup.
## In-repo boundaries
- What is backed up, where it is stored, and how it is restored is recorded in `60-backups/manifests/`.
- Proof that restores work (restore drills, checksums, validation notes) lives in `60-backups/restore-tests/`.
## Minimum standard
For each backup set, record:
- Source (what)
- Destination (where)
- Method (how)
- Frequency (when)
- Restore procedure (how to get it back)
- Validation (how you know it worked)
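Review bot: the minimum-standard fields omit the encryption key, which is the one thing a restore after the Nuke Test actually depends on: "Encrypt backups before they leave the system" plus "rebuild without panic" only works if, per backup set, the key or recipient and its out-of-band location (separate from the backup and from the core) are recorded. Add an `Encryption (key/recipient, where the key is held)` line, and a `Retention` line so "a backup that can be safely lost" has a defined lifetime rather than an open-ended one.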

@@ -0,0 +1,27 @@
# Identity Law
## Principles
- Operate via **roles**, not personalities.
- Issue access as **leases** (time-bound, revocable), not permanence.
- Prefer **short-lived credentials** over long-lived secrets.
- Public keys are safe to store; private keys are not.
## In-repo boundaries
- Role definitions live in `20-identity/roles/`.
- Policies and intent live in `20-identity/policies/`.
- Leases (who/what has access, until when) live in `20-identity/leases/`.
- Public keys live in `20-identity/keys/public/`.
- Private keys and plaintext secrets never live in this repo.
## Required properties (revocation)
Every identity mechanism must support:
1. **Revoke**: shut it off quickly.
2. **Rotate**: replace it predictably.
3. **Prove**: show what changed and when.
If any of the above is not true, the mechanism does not belong in the core.
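Review bot: property 3, "Prove: show what changed and when", is not actually provided for the files under `20-identity/`: the only record is git history, which is written by whoever holds a push credential, so it shows what changed but not by whom in a way that survives a compromised pusher. Require signed commits for this tree, verified against the public keys kept in `20-identity/keys/public/`, or name the tamper-evident record that does provide the proof. Separately, give leases in `20-identity/leases/` a machine-readable expiry so revocation (property 1) can be checked by a script rather than by reading each file.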

@@ -0,0 +1,113 @@
# The Operator Charter (One Page)
*(v1.0)*
## I. Prime Directive
I do not optimize for convenience. I optimize for **clarity, recoverability, and sovereignty**.
If a system cannot be understood, rebuilt, or revoked, it does not belong.
## II. The Core
There is **one core of authority**.
- `op-core-vm` is the origin of action.
- It is disposable, but authoritative.
- No critical action occurs outside it.
The host is a console. The phone is a witness.
## III. Identity Law
Identity is finite.
- Roles over personalities.
- Least privilege, always.
- Devices receive leases, never permanence.
Anything that cannot be revoked cleanly is a liability.
## IV. Naming Is Reality
If it cannot be named correctly, it is not understood.
Format:
```
<role>-<scope>-<id>
```
No myth names. No ambiguity. Renaming precedes deletion.
## V. Infrastructure Doctrine
Infrastructure is **cattle, not pets**.
- Nodes are replaceable.
- Loss is expected.
- Rebuilds are boring.
Sentiment is reserved for people, not machines.
## VI. Separation of Meaning
Meaning and infrastructure never mix.
- Knowledge, media, philosophy → cold storage.
- Keys, infra, authority → clean core.
What matters must be portable. What operates must be disposable.
## VII. Backup Rule
Backups exist for **calm recovery**, not comfort.
- Encrypt before upload.
- Cloud storage is a vault, never a brain.
- No live sync for the core.
If losing a backup causes panic, it is wrongly scoped.
## VIII. The Nuke Test
Every system must answer:
> “If this disappears today, can I rebuild without panic?”
If not: reduce scope, split responsibility, document recovery, or remove it.
## IX. Tool Discipline
Every tool must earn its place.
- Fewer tools, deeper mastery.
- No duplicates without reason.
- No installs without intent.
Bloat is deferred failure.
## X. Drift Control
Entropy is natural. Drift is optional.
Regularly: audit identities, review devices, correct names, delete without regret.
Maintenance is freedom.
## XI. Authority Boundary
Critical actions occur only:
- from the core
- with intent
- with traceability
No shortcuts. No “just this once”.
## XII. Final Law
I build systems I am **not afraid to touch**.
If fear appears, I stop — not to hesitate, but to **restore clarity**.
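Review bot: section IV fixes the format `<role>-<scope>-<id>` but never defines the three fields or the permitted characters, and the same string is later used as a directory name (`10-inventory/hosts/<role>-<scope>-<id>/`) and a key file name; say what `<scope>` denotes (environment, site, network) and restrict each field to a small alphabet such as lowercase `[a-z0-9]` with `-` reserved as the separator, so a name is simultaneously a valid hostname, directory name and key file name, and so "named correctly" is checkable rather than a judgement call.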

@@ -0,0 +1,111 @@
# Personal Operating Doctrine — Operator Edition
*(v1.0)*
## 1. Prime Directive
I do not optimize for convenience. I optimize for **clarity, recoverability, and sovereignty**.
If a system cannot be understood, rebuilt, or revoked, it does not belong.
## 2. The Core
There exists **one core** from which all authority flows:
- `op-core-vm` is the origin of action.
- It is disposable, but authoritative.
- Nothing touches critical infrastructure unless it originates here.
The host machine is a **console**, not a source of trust. The phone is a **witness**, not a workstation.
## 3. Identity Law
Identity is finite.
- I operate through **roles**, not personalities.
- Each role has minimal scope and clear purpose.
- Devices hold **leases**, never permanent identity.
Anything that cannot be cleanly revoked is a liability.
## 4. Naming Is Reality
If I cannot name it correctly, I do not understand it.
All systems are named by:
```
<role>-<scope>-<id>
```
No myth names. No vibes. No ambiguity.
Renaming precedes deletion. Deletion follows clarity.
## 5. Infrastructure Is Cattle
No machine is sacred.
- All nodes are replaceable.
- Rebuilds are expected.
- Loss is boring, not catastrophic.
Sentiment is reserved for people and meaning — never machines.
## 6. Separation of Concerns
Meaning and infrastructure do not mix.
- Knowledge, media, philosophy → cold storage.
- Keys, infra, authority → clean core.
What matters must be portable. What operates must be disposable.
## 7. Backup Doctrine
Backups exist to enable **calm recovery**, not comfort.
- All backups are encrypted **before** leaving the system.
- Cloud storage is a **vault**, never a brain.
- No live sync for core systems.
If a backup cannot be lost safely, it is incorrectly scoped.
## 8. The Nuke Test
Any system must pass this test:
> “If this disappears today, can I rebuild without panic?”
If the answer is no: reduce scope, split responsibility, document recovery, or remove it entirely.
## 9. Tool Minimalism
Every tool must earn its place.
- Fewer tools, deeper mastery.
- No duplicates without reason.
- No installs without intent.
Bloat is deferred failure.
## 10. Drift Control
Entropy is inevitable. Drift is optional.
I perform regular identity audits, device reviews, naming corrections, and deletion passes.
Maintenance is a form of freedom.
## 11. Authority Boundary
Critical actions happen only from `op-core-vm`, with intent, awareness, and traceability.
No “just this once”. No shortcuts.
## 12. Final Rule
I build systems I am **not afraid to touch**.
If fear appears, I stop — not to hesitate, but to **restore clarity**.
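Review bot: this file restates the charter's twelve sections almost verbatim (compare §2 with II, §7 with VII, §9 with IX), so the two will drift the first time one is edited; either derive the one-page charter from this document or mark this file as canonical in its header and reduce the charter to headings plus one line each. One difference worth keeping on purpose: §11 here binds critical actions to `op-core-vm` by name, while charter XI only says "from the core".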

10-inventory/README.md Normal file
@@ -0,0 +1,9 @@
# Inventory
Inventory is the map of reality.
- Hosts live under `10-inventory/hosts/<role>-<scope>-<id>/`.
- Networks and services are recorded under `10-inventory/networks/` and `10-inventory/services/`.
If it exists and matters operationally, it is inventoried and named.

@@ -0,0 +1 @@

@@ -0,0 +1 @@

@@ -0,0 +1 @@

20-identity/README.md Normal file
@@ -0,0 +1,13 @@
# Identity
Identity is operated as roles + leases.
In this repo:
- roles: `20-identity/roles/`
- policies: `20-identity/policies/`
- leases (time-bound grants): `20-identity/leases/`
- public keys only: `20-identity/keys/public/`
Private keys and plaintext secrets do not belong here.
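Review bot: "leases (time-bound grants)" has no defined record format, yet the weekly checklist added in this commit has to "review active leases; revoke anything unused or unclear"; define a minimal per-lease file here (subject or device, role, scope, issued, expires, revoked-at, issuer) so expiry and revocation can be checked by a script and the weekly review produces a list rather than an impression.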

@@ -0,0 +1 @@

@@ -0,0 +1,7 @@
# Public keys only
Store public keys here (e.g., `*.pub`).
- Name keys to match the role/device: `<role>-<scope>-<id>`.
- Never commit private keys.
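Review bot: "Never commit private keys" is enforced only by the root `.gitignore`'s extension patterns, which do not cover extensionless OpenSSH private keys; add a check that every file committed under this directory is a public key: reject any file whose first line contains `PRIVATE KEY` (the PEM/OpenSSH private-key header) and require the rest to begin with a public key type prefix such as `ssh-ed25519 ` or `ssh-rsa `, run as a pre-commit hook and repeated in the weekly audit.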

@@ -0,0 +1 @@

@@ -0,0 +1 @@

@@ -0,0 +1 @@

@@ -0,0 +1 @@

30-infra/README.md Normal file
@@ -0,0 +1,8 @@
# Infrastructure
Infrastructure is cattle.
Store infrastructure-as-code and configuration management here.
Guardrail: keep state and generated artifacts out of Git (e.g., Terraform state).
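Review bot: the guardrail says to keep Terraform state out of Git but not where it goes; state routinely contains plaintext secrets (provider credentials, resource attributes, outputs), so record the remote backend, its encryption at rest and who can read it in this README, otherwise the state ends up on the operator's disk with none of the repo's rules applying. Also note that `.terraform.lock.hcl` is deliberately committed (it sits beside `.terraform/`, not inside it, so `**/.terraform/` does not match it) so that provider hashes are pinned.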

30-infra/config/.gitkeep Normal file
@@ -0,0 +1 @@

30-infra/k8s/.gitkeep Normal file
@@ -0,0 +1 @@

@@ -0,0 +1 @@

40-apps/.gitkeep Normal file
@@ -0,0 +1 @@

40-apps/README.md Normal file
@@ -0,0 +1,4 @@
# Apps
Application-specific operational material (deploy, config, lifecycle) lives here.

@@ -0,0 +1 @@

@@ -0,0 +1,13 @@
# Panic Day
This folder contains rebuild-from-zero drills.
Rule: each drill must be runnable with only this repo, cold storage, and the vault keys.
Suggested drills:
- Rebuild `op-core-vm` from a clean base image.
- Restore this repo, validate integrity, and re-establish authority boundary.
- Rotate critical credentials and invalidate all prior device leases.
- Restore one representative backup set end-to-end and record proof.
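Review bot: the rule "runnable with only this repo, cold storage, and the vault keys" is circular for the first drill: rebuilding `op-core-vm` requires the vault keys, and nothing in this commit says where those keys are held once the core is gone. Require each drill to list its out-of-band prerequisites (where the vault keys and a clone of this repo are kept, and who can fetch them without the core), and add a time budget per drill so a rebuild that overruns it is recorded as a failure rather than a success that took a day.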

@@ -0,0 +1 @@

@@ -0,0 +1,4 @@
# Provision
Create and bootstrap new nodes/services in a repeatable way.

@@ -0,0 +1 @@

@@ -0,0 +1,4 @@
# Incident
Containment, diagnosis, recovery, and postmortem procedures.

@@ -0,0 +1 @@

@@ -0,0 +1,4 @@
# Decommission
Safe teardown, revocation, and evidence capture for retired systems.

50-runbooks/README.md Normal file
@@ -0,0 +1,15 @@
# Runbooks
Runbooks are executable documents: written to be followed under pressure.
Minimum required sections:
- Purpose
- Preconditions
- Steps (exact commands)
- Validation (how you know it worked)
- Rollback / abort criteria
- Evidence (what to record)
Use `ops/50-runbooks/_template.md` for new runbooks.
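Review bot: the path `ops/50-runbooks/_template.md` is prefixed with the repository name while every other README uses repo-relative paths (`60-backups/manifests/`, `20-identity/roles/`); use `50-runbooks/_template.md` so the reference resolves from a clone under any directory name, and apply the same fix to `ops/` in the quarterly checklist.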

50-runbooks/_template.md Normal file
@@ -0,0 +1,35 @@
# Runbook: <title>
## Purpose
What this runbook does and when to use it.
## Preconditions
- Access/role required:
- Systems required:
- Expected safe state:
- Time estimate:
## Steps
1.
2.
3.
## Validation
How to prove the procedure succeeded (commands + expected output).
## Rollback / Abort
What to do if validation fails, and when to stop.
## Evidence
What you record (timestamps, change IDs, logs, screenshots).
## Notes
Gotchas, dependencies, links.
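Review bot: the Evidence section asks for logs and screenshots, which routinely capture tokens, session cookies and internal hostnames, and the root README forbids plaintext secrets anywhere in Git; add a "redact before filing" line to Evidence so the record that lands under `70-audits/reports/` or next to the runbook does not become the leak. Preconditions would also benefit from a "Blast radius (what is affected if a step fails)" line, which is the fact an operator under pressure needs in order to decide whether to continue or abort.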

60-backups/README.md Normal file
@@ -0,0 +1,7 @@
# Backups
- Backup manifests live in `60-backups/manifests/`.
- Restore proofs live in `60-backups/restore-tests/`.
Backups are only real when restores are verified.

@@ -0,0 +1 @@

@@ -0,0 +1 @@

70-audits/README.md Normal file
@@ -0,0 +1,9 @@
# Audits
Audits are how drift is prevented.
- Checklists live in `70-audits/checklists/`.
- Evidence and outcomes live in `70-audits/reports/`.
If a checklist item cannot be verified, treat it as failed until proven otherwise.

@@ -0,0 +1 @@

@@ -0,0 +1,12 @@
# Checklists
Use these to perform regular drift control.
When you run a checklist, file the result under `70-audits/reports/` with:
- date/time
- operator role used
- what changed
- what was revoked/rotated
- any failures and follow-ups

@@ -0,0 +1,17 @@
# Quarterly Drift Control
## Identity
- Rotate high-value credentials and invalidate old material.
- Re-evaluate role scopes; remove privileges that became “default”.
## Backup reality check
- Perform a full restore drill of at least one critical system.
- Verify restore validation steps still match reality.
## Infra sanity
- Identify and remove orphaned resources (accounts, hosts, services).
- Confirm all critical infrastructure is reproducible from `ops/`.

@@ -0,0 +1,22 @@
# Weekly Drift Control
## Identity
- Review active leases; revoke anything unused or unclear.
- Confirm least-privilege matches reality (roles/policies still correct).
- Confirm no new long-lived credentials exist without rotation plan.
## Backups
- Verify latest backups completed for all critical sets.
- Confirm at least one restore proof is recent (per backup cadence).
## Inventory / Naming
- Confirm new systems/services are inventoried and named `<role>-<scope>-<id>`.
- Rename unclear entries before deleting anything.
## Core boundary
- Confirm critical changes still originate only from `op-core-vm`.
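Review bot: each item states what must be true but not how it is verified, and the "Core boundary" item has no observable at all; name the evidence that is inspected (for example the author and signing key of every commit under this repo since the last report, or the lease records for any session that did not originate from `op-core-vm`) so the report filed under `70-audits/reports/` can cite it. The audits README treats an item that cannot be verified as failed, so as written this item fails every week by definition.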

@@ -0,0 +1 @@

@@ -0,0 +1,9 @@
# Reports
Store audit outcomes and evidence here.
Suggested format:
- `YYYY-MM-DD-weekly.md`
- `YYYY-Q#-quarterly.md`

80-automation/README.md Normal file
@@ -0,0 +1,4 @@
# Automation
Scripts and containers that make operations repeatable live here.

@@ -0,0 +1 @@

@@ -0,0 +1 @@

90-scratch/.gitignore vendored Normal file
@@ -0,0 +1,3 @@
*
!.gitignore
!README.md

90-scratch/README.md Normal file
@@ -0,0 +1,6 @@
# Scratch
Disposable working area.
Nothing here is source of truth. Everything here is safe to delete.

README.md Normal file
@@ -0,0 +1,34 @@
# ops
Single source of operational truth: everything here must be understandable, rebuildable, and revocable.
## Non-negotiables
- **Authority boundary:** critical actions originate from `op-core-vm`.
- **No plaintext secrets in Git:** `vault/` contains encrypted artifacts only; `20-identity/keys/public/` is public keys only.
- **Naming is reality:** everything is named `<role>-<scope>-<id>`.
- **Nuke test:** if losing it causes panic, reduce scope or remove it.
## Read first
- `00-doctrine/operator-charter.md`
- `00-doctrine/personal-operating-doctrine.md`
## Layout
- `00-doctrine/` the law (stable, rarely changed)
- `10-inventory/` what exists (hosts, networks, services)
- `20-identity/` roles, policies, leases, public keys
- `30-infra/` infrastructure as code + config management
- `40-apps/` application-specific ops (deploy, config, lifecycle)
- `50-runbooks/` executable procedures (panic day, provision, incident, decom)
- `60-backups/` backup manifests + restore proofs
- `70-audits/` checklists + reports
- `80-automation/` scripts and containers that make the above repeatable
- `90-scratch/` disposable working area (not source of truth)
- `vault/` encrypted-only artifacts (safe to leak without keys)
## What does not belong here
Meaning-bearing material (books, media, personal archives) stays in cold storage, not `ops/`.
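Review bot: "`vault/` encrypted-only artifacts (safe to leak without keys)" is only true if the encryption format and key handling are fixed and checkable, and nothing in this commit names either; state the tool and format here and add a pre-commit check that refuses any file under `vault/` that does not carry that format's header, since otherwise the "safe to leak" claim rests on operator discipline alone and a single mistaken `git add` falsifies it for the whole history.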

vault/README.md Normal file
@@ -0,0 +1,12 @@
# Vault (encrypted-only)
This directory contains **encrypted artifacts only**.
Rules:
- Never commit plaintext secrets (even temporarily).
- Never commit private keys.
- Treat `vault/` as safe-to-leak ciphertext: if leaking it would break you, it is mis-scoped.
Decryption/working material belongs in `vault/tmp/` (gitignored) and should be wiped after use.
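Review bot: "should be wiped after use" for `vault/tmp/` needs a mechanism, because a plain `rm` leaves plaintext recoverable on disk and editors write swap and backup copies beside the file; require `vault/tmp/` to be a tmpfs or an encrypted volume that is mounted only while working (or, at minimum, secure deletion plus editor swap files disabled for that path). Also note that the `.gitignore` entry does not stop `git add -f`, so the "even temporarily" rule in this file also needs the pre-commit check rather than the ignore list alone.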