Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

operator-bootstrap/scripts/20_tunnel_plan.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# === METADATA ===
+SCRIPT_NAME="$(basename "$0")"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+
+# === CONFIGURATION ===
+: "${DOMAIN:?DOMAIN required}"
+: "${CF_ACCOUNT_ID:?CF_ACCOUNT_ID required}"
+: "${NODE_NAME:=node-a}"
+: "${TUNNEL_NAME:=$NODE_NAME-tunnel}"
+: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
+
+# === FUNCTIONS ===
+log_info()  { echo "[INFO]  $(date -Iseconds) $*"; }
+log_warn()  { echo "[WARN]  $(date -Iseconds) $*" >&2; }
+
+main() {
+    log_info "Starting $SCRIPT_NAME (PLAN ONLY - no changes made)..."
+
+    echo ""
+    echo "============================================"
+    echo "  CLOUDFLARE TUNNEL PLAN"
+    echo "  Node: $NODE_NAME"
+    echo "============================================"
+    echo ""
+
+    echo "=== Tunnel Configuration ==="
+    echo "  Tunnel Name:    $TUNNEL_NAME"
+    echo "  Account ID:     $CF_ACCOUNT_ID"
+    echo "  Credentials:    ~/.cloudflared/$TUNNEL_NAME.json"
+    echo "  Config:         ~/.cloudflared/config-$TUNNEL_NAME.yml"
+    echo ""
+
+    echo "=== Proposed Ingress Rules ==="
+    echo "  1. ssh.$DOMAIN   -> ssh://localhost:22"
+    echo "  2. *.$DOMAIN     -> http://localhost:8080 (catch-all)"
+    echo "  3. (fallback)    -> http_status:404"
+    echo ""
+
+    echo "=== DNS Records to Create ==="
+    echo "  ssh.$DOMAIN    CNAME -> $TUNNEL_NAME.cfargotunnel.com"
+    echo ""
+
+    echo "=== systemd Service ==="
+    echo "  Unit:    cloudflared@$TUNNEL_NAME.service (or user service)"
+    echo "  Status:  Will be enabled and started"
+    echo ""
+
+    echo "=== Security Notes ==="
+    echo "  - Tunnel credentials will be stored locally"
+    echo "  - Tunnel ID will be stored in pass (if available)"
+    echo "  - No API token stored in config files"
+    echo ""
+
+    # Check for existing tunnel
+    if [[ -f "$HOME/.cloudflared/$TUNNEL_NAME.json" ]]; then
+        log_warn "Tunnel credentials already exist at ~/.cloudflared/$TUNNEL_NAME.json"
+        log_warn "Apply will reuse existing tunnel (idempotent)"
+    fi
+
+    # Check cloudflared login status
+    if [[ -f "$HOME/.cloudflared/cert.pem" ]]; then
+        log_info "Cloudflared certificate found - already authenticated"
+    else
+        log_warn "No cloudflared certificate found"
+        log_warn "You may need to run: cloudflared tunnel login"
+    fi
+
+    echo "============================================"
+    echo "  To apply: ./scripts/21_tunnel_apply.sh"
+    echo "  To abort: Do nothing"
+    echo "  To rollback: ./scripts/rollback/undo_tunnel.sh"
+    echo "============================================"
+
+    log_info "Completed $SCRIPT_NAME"
+}
+
+[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"