Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

operator-bootstrap/references/cloudflare_tunnel_setup.md

@@ -0,0 +1,192 @@
+# Cloudflare Tunnel Setup Guide
+
+## Overview
+
+Cloudflare Tunnels (formerly Argo Tunnels) provide secure, outbound-only connections from your infrastructure to Cloudflare's edge, eliminating the need for public IP addresses or open firewall ports.
+
+## Prerequisites
+
+### Required
+
+- Cloudflare account (free tier works)
+- Domain added to Cloudflare DNS
+- `cloudflared` CLI installed
+
+### Installation (Linux)
+
+```bash
+# Debian/Ubuntu
+curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
+sudo dpkg -i cloudflared.deb
+
+# Or via package manager (if available)
+sudo apt install cloudflared
+```
+
+### Installation (Termux/Android)
+
+```bash
+pkg install cloudflared
+```
+
+## Authentication
+
+Before creating tunnels, authenticate with Cloudflare:
+
+```bash
+cloudflared tunnel login
+```
+
+This opens a browser for authentication and stores a certificate at `~/.cloudflared/cert.pem`.
+
+## Tunnel Lifecycle
+
+### Create Tunnel
+
+```bash
+cloudflared tunnel create my-tunnel
+```
+
+Creates credentials at `~/.cloudflared/<tunnel-id>.json`.
+
+### Configure Tunnel
+
+Create `~/.cloudflared/config.yml`:
+
+```yaml
+tunnel: my-tunnel
+credentials-file: /path/to/credentials.json
+
+ingress:
+  - hostname: ssh.example.com
+    service: ssh://localhost:22
+  - hostname: web.example.com
+    service: http://localhost:8080
+  - service: http_status:404
+```
+
+### Route DNS
+
+```bash
+cloudflared tunnel route dns my-tunnel ssh.example.com
+```
+
+### Run Tunnel
+
+```bash
+cloudflared tunnel run my-tunnel
+```
+
+Or with explicit config:
+
+```bash
+cloudflared tunnel --config ~/.cloudflared/config.yml run
+```
+
+## SSH Access via Tunnel
+
+### Server Side
+
+Tunnel config includes SSH service:
+
+```yaml
+ingress:
+  - hostname: ssh.example.com
+    service: ssh://localhost:22
+```
+
+### Client Side
+
+Option 1: Using ProxyCommand:
+
+```
+Host my-server
+    HostName ssh.example.com
+    ProxyCommand cloudflared access ssh --hostname %h
+```
+
+Option 2: Using `cloudflared access`:
+
+```bash
+cloudflared access ssh --hostname ssh.example.com
+```
+
+## Cloudflare Access (Optional)
+
+For additional authentication:
+
+1. Go to Cloudflare Zero Trust dashboard
+2. Create an Access Application
+3. Define authentication policies (email, SSO, etc.)
+4. Apply to SSH hostname
+
+## systemd Service
+
+### User Service
+
+```ini
+[Unit]
+Description=Cloudflare Tunnel
+After=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/cloudflared tunnel --config /path/to/config.yml run
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=default.target
+```
+
+Enable:
+
+```bash
+systemctl --user enable cloudflared-tunnel
+systemctl --user start cloudflared-tunnel
+```
+
+### System Service
+
+```bash
+sudo cloudflared service install
+```
+
+## Troubleshooting
+
+### Check Tunnel Status
+
+```bash
+cloudflared tunnel info my-tunnel
+```
+
+### View Logs
+
+```bash
+journalctl --user -u cloudflared-tunnel -f
+```
+
+### Test Connectivity
+
+```bash
+curl -v https://ssh.example.com
+```
+
+### Common Issues
+
+1. **Certificate expired**: Re-run `cloudflared tunnel login`
+2. **DNS not resolving**: Check Cloudflare DNS for CNAME record
+3. **Connection refused**: Verify local service is running
+
+## Security Considerations
+
+- Tunnel credentials (`*.json`) are sensitive - protect like SSH keys
+- Use Cloudflare Access for authentication on sensitive services
+- Regularly rotate tunnel credentials
+- Monitor tunnel connections in Cloudflare dashboard
+
+## References
+
+- [Cloudflare Tunnel Docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/)
+- [cloudflared GitHub](https://github.com/cloudflare/cloudflared)
+- [Zero Trust Dashboard](https://one.dash.cloudflare.com/)

operator-bootstrap/references/eu_data_sovereignty.md

@@ -0,0 +1,69 @@
+# EU Data Sovereignty Requirements
+
+## Overview
+
+This skill operates under EU data sovereignty principles, ensuring all data remains within EU jurisdiction and complies with applicable regulations.
+
+## Regulatory Framework
+
+### GDPR (General Data Protection Regulation)
+
+Key requirements for infrastructure operators:
+
+1. **Data Residency** - Personal data of EU residents must be processed in compliance with GDPR, regardless of where processing occurs
+2. **Legal Basis** - All data processing must have a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests)
+3. **Data Subject Rights** - Infrastructure must support right to access, rectification, erasure, portability, and objection
+4. **Security** - Appropriate technical and organizational measures required
+
+### Schrems II Implications
+
+Following the Court of Justice ruling (C-311/18):
+
+- Standard Contractual Clauses alone may not be sufficient for US transfers
+- Supplementary measures may be required
+- Self-hosted EU infrastructure avoids many transfer concerns
+
+## Implementation in This Skill
+
+### Encryption
+
+- **GPG Keys**: Generated and stored locally on EU infrastructure
+- **No Cloud KMS**: Keys never leave the operator's control
+- **Pass Store**: Encrypted at rest with local GPG keys
+
+### Network Access
+
+- **Cloudflare Tunnels**: Traffic routed through EU Cloudflare PoPs when possible
+- **No Direct US Routing**: Configure Cloudflare region preferences
+- **SSH Keys**: Ed25519 primary (modern, efficient)
+
+### Data Storage
+
+- **GitOps Repositories**: Stored on local EU infrastructure
+- **Secrets**: Encrypted before storage, never in plaintext
+- **Audit Logs**: Retained locally, not exported to non-EU services
+
+## Jurisdiction
+
+This skill is designed for operators in **Ireland (Dublin)** and assumes:
+
+- Irish law applies as the primary jurisdiction
+- Data Protection Commission (DPC) is the supervisory authority
+- Irish implementation of GDPR applies
+
+## Compliance Checklist
+
+Before deploying infrastructure bootstrapped with this skill:
+
+- [ ] Identify lawful basis for any personal data processing
+- [ ] Document data flows and storage locations
+- [ ] Implement appropriate access controls
+- [ ] Establish incident response procedures
+- [ ] Configure data retention policies
+- [ ] Prepare for data subject requests
+
+## References
+
+- [GDPR Official Text](https://eur-lex.europa.eu/eli/reg/2016/679/oj)
+- [DPC Guidance](https://www.dataprotection.ie/en/organisations)
+- [EDPB Guidelines](https://edpb.europa.eu/our-work-tools/general-guidance_en)