Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions
--- a/hetzner-bootstrap/scripts/10_plan.sh
+++ b/hetzner-bootstrap/scripts/10_plan.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${SERVER_IP:=}"
+: "${NODE_NAME:=}"
+: "${SOVEREIGN_USER:=sovereign}"
+: "${SSH_PUBLIC_KEY:=}"
+: "${SSH_PORT:=}"                 # optional: if unset, apply auto-detects current sshd port (fallback 22)
+: "${ALLOW_SSH_FALLBACK_22:=true}"# safety: keep 22 open if SSH_PORT != 22
+: "${WG_PORT:=51820}"
+: "${INSTALL_CLOUDFLARED:=true}"
+: "${INSTALL_WIREGUARD:=true}"
+
+main() {
+  require_root
+  [[ -n "$NODE_NAME" ]] || die "NODE_NAME required"
+  [[ -n "$SSH_PUBLIC_KEY" ]] || die "SSH_PUBLIC_KEY required"
+
+  echo "[PLAN] $(date -Iseconds) hetzner-bootstrap"
+  echo "[PLAN] Server IP: ${SERVER_IP:-<unknown>}"
+  echo "[PLAN] Hostname: $NODE_NAME"
+  echo "[PLAN] Sovereign user: $SOVEREIGN_USER"
+  echo "[PLAN] SSH port allowance:"
+  if [[ -n "$SSH_PORT" ]]; then
+    echo "       - Will allow SSH_PORT=${SSH_PORT}/tcp"
+    if [[ "$ALLOW_SSH_FALLBACK_22" == "true" && "$SSH_PORT" != "22" ]]; then
+      echo "       - Safety fallback: also allow 22/tcp"
+    fi
+  else
+    echo "       - SSH_PORT not set: apply will auto-detect current sshd port (fallback 22) and allow it"
+  fi
+  echo "[PLAN] UFW: allow SSH port(s) + allow ${WG_PORT}/udp BEFORE enable; default deny incoming"
+  echo "[PLAN] SSH hardening: PermitRootLogin no, PasswordAuthentication no, validate with sshd -t, reload ssh service"
+  echo "[PLAN] cloudflared install: $INSTALL_CLOUDFLARED"
+  echo "[PLAN] wireguard package install: $INSTALL_WIREGUARD"
+  echo
+  echo "[PLAN] Next: export DRY_RUN=0 && ./scripts/11_apply.sh"
+}
+main "$@"