Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Author: Vault Sovereign
Date: 2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions

operator-bootstrap/SKILL.md (new file, 154 lines)

@@ -0,0 +1,154 @@
---
name: operator-bootstrap
description: >
Bootstrap Node A for sovereign EU infrastructure. Initializes operator identity
(GPG/SSH keys), configures secrets management (pass), establishes Cloudflare
tunnels for remote access, and creates GitOps repository structure. Use when
setting up the foundational node of self-hosted infrastructure. Triggers:
'bootstrap node A', 'initialize sovereign infrastructure', 'set up operator
identity', 'configure cloudflare tunnel', 'initialize gitops', 'first node
setup', 'foundation infrastructure setup'.
version: 1.0.0
---
# Operator Bootstrap
Foundation skill for establishing Node A in a sovereign EU infrastructure. All other infrastructure components depend on this skill completing successfully.
## Quick Start
```bash
# Set required parameters
export OPERATOR_NAME="Your Name"
export OPERATOR_EMAIL="you@domain.com"
export DOMAIN="yourdomain.com"
export CF_ACCOUNT_ID="your-cloudflare-account-id"
# Run in sequence
./scripts/00_preflight.sh
./scripts/01_identity_plan.sh
./scripts/02_identity_apply.sh
./scripts/10_secrets_guide.sh # Interactive
./scripts/20_tunnel_plan.sh
./scripts/21_tunnel_apply.sh
./scripts/30_gitops_plan.sh
./scripts/31_gitops_apply.sh
./scripts/40_editor_setup.sh
./scripts/90_verify.sh
./scripts/99_report.sh
```
## Workflow
### Phase 1: Preflight (00)
Check dependencies: gpg, ssh-keygen, pass, cloudflared, git.
Verify network connectivity and EU data residency requirements.
### Phase 2: Identity (01-02)
**Two-phase operation with rollback support.**
Plan phase shows:
- GPG key parameters (4096-bit RSA, operator identity)
- SSH key types (Ed25519 primary, RSA fallback)
- Proposed file locations
Apply phase executes:
- GPG master key generation (prompted passphrase)
- SSH keypair generation
- SSH config updates
Rollback: `./scripts/rollback/undo_identity.sh`
### Phase 3: Secrets (10)
**Guided interactive setup - never automated.**
Operator is guided through:
1. Initialize pass with GPG key
2. Create initial password structure
3. Store critical secrets (tunnel token, etc.)
4. Verify encryption/decryption
### Phase 4: Tunnel (20-21)
**Two-phase operation with rollback support.**
Plan phase shows:
- Proposed tunnel name and ingress rules
- DNS entries to be created
- Service mappings
Apply phase executes:
- Cloudflare tunnel creation
- Credential storage in pass
- systemd service installation
Rollback: `./scripts/rollback/undo_tunnel.sh`
### Phase 5: GitOps (30-31)
**Two-phase operation with rollback support.**
Plan phase shows:
- Bare repository locations
- Branch structure
- Hook scripts
Apply phase executes:
- Create bare repos for config, secrets-encrypted, manifests
- Initialize with sensible defaults
- Configure receive hooks
Rollback: `./scripts/rollback/undo_gitops.sh`
### Phase 6: Editor (40)
Configure Kate (if available) with:
- Project file for infrastructure
- Syntax highlighting for YAML/TOML
- Git integration
### Phase 7: Verification (90-99)
Generate JSON status matrix and human-readable audit report.
## Inputs
| Parameter | Required | Default | Description |
|-----------|----------|---------|-------------|
| OPERATOR_NAME | Yes | - | Full name for GPG key |
| OPERATOR_EMAIL | Yes | - | Email for GPG key |
| DOMAIN | Yes | - | Primary domain |
| CF_ACCOUNT_ID | Yes | - | Cloudflare account ID |
| NODE_NAME | No | node-a | Hostname for this node |
| GITOPS_ROOT | No | ~/infrastructure | Root for GitOps repos |
| SSH_KEY_COMMENT | No | node-a-operator | SSH key comment |
| GPG_KEY_SIZE | No | 4096 | GPG key size in bits |
| GPG_KEY_EXPIRE | No | 2y | GPG key expiration |
| TUNNEL_NAME | No | node-a-tunnel | Cloudflare tunnel name |
| ENABLE_KATE | No | true | Enable Kate editor setup |
## Outputs
| File | Description |
|------|-------------|
| `outputs/identity_manifest.json` | Record of created keys |
| `outputs/secrets_manifest.json` | Secrets structure record |
| `outputs/tunnel_config.json` | Tunnel configuration |
| `outputs/gitops_manifest.json` | Repository locations |
| `outputs/status_matrix.json` | Verification results |
| `outputs/audit_report.md` | Human-readable audit trail |
## Safety Guarantees
1. **All risky operations are two-phase** (plan/apply)
2. **Secrets are never automated** - guided enrollment only
3. **Rollback scripts provided** for identity, tunnel, SSH config, GitOps
4. **All scripts are idempotent** - safe to run multiple times
5. **Audit trail generated** for compliance
## EU Compliance
- Data Residency: EU (Ireland - Dublin)
- GDPR Applicable: Yes
- Jurisdiction: Irish law
## References
- [EU Data Sovereignty](references/eu_data_sovereignty.md)
- [Cloudflare Tunnel Setup](references/cloudflare_tunnel_setup.md)
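Review bot: the rollback coverage stated under Safety Guarantees does not match the Workflow section. Item 3 promises rollback scripts for "identity, tunnel, SSH config, GitOps", but the workflow only references `./scripts/rollback/undo_identity.sh`, `undo_tunnel.sh` and `undo_gitops.sh`; either document that SSH config reversal is part of `undo_identity.sh` (Phase 2 lists "SSH config updates" under its apply step) or add the fourth script to the Phase 2 rollback line. Two smaller points in the same file: Phase 3 (10) has the operator "Store critical secrets (tunnel token, etc.)" in pass, yet the tunnel is not created until `21_tunnel_apply.sh` in Phase 4, which itself lists "Credential storage in pass", so clarify which step owns the token rather than asking a first-time operator for a value that does not exist yet. And guarantee 4 ("All scripts are idempotent") sits uneasily with "GPG master key generation (prompted passphrase)" in Phase 2: state the existence check the apply script performs (for example, skip generation when a key for OPERATOR_EMAIL is already present) so that a re-run does not silently produce a second master key.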