35 lines
1.4 KiB
Markdown
35 lines
1.4 KiB
Markdown
# ops
|
||
|
||
Single source of operational truth: everything here must be understandable, rebuildable, and revocable.
|
||
|
||
## Non-negotiables
|
||
|
||
- **Authority boundary:** critical actions originate from `op-core-vm`.
|
||
- **No plaintext secrets in Git:** `vault/` contains encrypted artifacts only; `20-identity/keys/public/` is public keys only.
|
||
- **Naming is reality:** everything is named `<role>-<scope>-<id>`.
|
||
- **Nuke test:** if losing it causes panic, reduce scope or remove it.
|
||
|
||
## Read first
|
||
|
||
- `00-doctrine/operator-charter.md`
|
||
- `00-doctrine/personal-operating-doctrine.md`
|
||
|
||
## Layout
|
||
|
||
- `00-doctrine/` – the law (stable, rarely changed)
|
||
- `10-inventory/` – what exists (hosts, networks, services)
|
||
- `20-identity/` – roles, policies, leases, public keys
|
||
- `30-infra/` – infrastructure as code + config management
|
||
- `40-apps/` – application-specific ops (deploy, config, lifecycle)
|
||
- `50-runbooks/` – executable procedures (panic day, provision, incident, decom)
|
||
- `60-backups/` – backup manifests + restore proofs
|
||
- `70-audits/` – checklists + reports
|
||
- `80-automation/` – scripts and containers that make the above repeatable
|
||
- `90-scratch/` – disposable working area (not source of truth)
|
||
- `vault/` – encrypted-only artifacts (safe to leak without keys)
|
||
|
||
## What does not belong here
|
||
|
||
Meaning-bearing material (books, media, personal archives) stays in cold storage, not `ops/`.
|
||
|