vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit: VaultMesh Skills collection

Browse Source 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Vault Sovereign
2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
secrets-vault/SKILL.md Normal file
View File

@@ -0,0 +1,79 @@
---
name: secrets-vault
description: >
Establish a sovereign secrets vault using age + sops (GitOps-friendly).
Generates/installs an age identity, writes .sops.yaml policy, scaffolds encrypted templates,
and provides plan/apply/rollback/verify/report. Triggers: 'set up secrets vault',
'age sops vault', 'encrypt secrets', 'sops policy', 'rotate age key'.
version: 1.0.0
---
# Secrets Vault (age + sops)
This skill forges a **GitOps-native secrets vault**:
- **age**: modern encryption keys (simple UX)
- **sops**: encrypt YAML/JSON/ENV files for storage in git
- `.sops.yaml`: repository policy for automatic encryption recipients
It is designed to be safe on **Node A** and portable to future nodes.
## What it produces
A standard layout (you can commit ciphertext to your infra repo):
```
vault/
.sops.yaml
secrets/
cloudflare.enc.yaml
gitea.enc.yaml
registry.enc.yaml
k8s.enc.yaml
README.md
```
## Quick Start
```bash
cd ~/.claude/skills/secrets-vault
# where the vault lives (repo dir recommended)
export VAULT_ROOT="$HOME/infrastructure/vault"
# safety (apply scripts require DRY_RUN=0 and confirmation)
export DRY_RUN=1
export REQUIRE_CONFIRM=1
export CONFIRM_PHRASE="I UNDERSTAND THIS WILL CREATE A SECRETS VAULT"
./scripts/00_preflight.sh
./scripts/10_plan.sh
export DRY_RUN=0
./scripts/11_apply.sh
./scripts/90_verify.sh
./scripts/99_report.sh
```
## Inputs
| Parameter | Required | Default | Description |
|---|---:|---|---|
| VAULT_ROOT | No | ~/infrastructure/vault | Where to create the vault structure |
| AGE_KEY_DIR | No | ~/.config/sops/age | Where age identities live |
| AGE_KEYS_FILE | No | ~/.config/sops/age/keys.txt | age identity file (0600) |
| RECIPIENTS_FILE | No | outputs/recipients.txt | Generated recipients list |
| DRY_RUN | No | 1 | Apply refuses unless DRY_RUN=0 |
| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
| CONFIRM_PHRASE | No | I UNDERSTAND THIS WILL CREATE A SECRETS VAULT | Safety phrase |
## Outputs
- `outputs/status_matrix.json`
- `outputs/audit_report.md`
- `outputs/recipients.txt`
- `outputs/backups/*` (backups of changed files)
## EU Compliance
EU (Ireland - Dublin), Irish jurisdiction. Secrets remain local-first; git stores ciphertext only.