Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions
--- a/hetzner-bootstrap/scripts/20_wireguard_plan.sh
+++ b/hetzner-bootstrap/scripts/20_wireguard_plan.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+
+: "${WG_PORT:=51820}"
+: "${WG_CIDR:=10.200.0.1/24}"
+
+main() {
+  require_root
+  echo "[PLAN] $(date -Iseconds) WireGuard scaffold"
+  echo "[PLAN] Will generate keys in /etc/wireguard/{privatekey,publickey} (private is 0600 root:root)"
+  echo "[PLAN] Will write /etc/wireguard/wg0.conf with:"
+  echo "       Address=$WG_CIDR"
+  echo "       ListenPort=$WG_PORT"
+  echo "       PrivateKey=(read from /etc/wireguard/privatekey)"
+  echo "[PLAN] Will enable + start wg-quick@wg0"
+  echo
+  echo "[PLAN] Next: export DRY_RUN=0 && ./scripts/21_wireguard_apply.sh"
+}
+main "$@"