Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Vault Sovereign
55
secrets-vault/scripts/90_verify.sh
Normal file
55
secrets-vault/scripts/90_verify.sh
Normal file
@@ -0,0 +1,55 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
|
||||
source "$SCRIPT_DIR/_common.sh"
|
||||
|
||||
: "${VAULT_ROOT:=~/infrastructure/vault}"
|
||||
: "${AGE_KEYS_FILE:=~/.config/sops/age/keys.txt}"
|
||||
: "${RECIPIENTS_FILE:=$SKILL_ROOT/outputs/recipients.txt}"
|
||||
|
||||
main() {
|
||||
vr="$(expand_path "$VAULT_ROOT")"
|
||||
kf="$(expand_path "$AGE_KEYS_FILE")"
|
||||
|
||||
status="$SKILL_ROOT/outputs/status_matrix.json"
|
||||
ok_keys=false; ok_perm=false; ok_policy=false; ok_cipher=false
|
||||
|
||||
[[ -f "$kf" ]] && ok_keys=true
|
||||
if [[ -f "$kf" ]]; then
|
||||
perm="$(stat -c '%a' "$kf" 2>/dev/null || echo "")"
|
||||
[[ "$perm" == "600" ]] && ok_perm=true
|
||||
fi
|
||||
|
||||
[[ -f "$vr/.sops.yaml" ]] && ok_policy=true
|
||||
if [[ -f "$vr/secrets/cloudflare.enc.yaml" && -f "$vr/secrets/gitea.enc.yaml" && -f "$vr/secrets/registry.enc.yaml" && -f "$vr/secrets/k8s.enc.yaml" ]]; then
|
||||
ok_cipher=true
|
||||
fi
|
||||
|
||||
blockers="[]"
|
||||
if [[ "$ok_keys" != "true" ]]; then blockers='["missing_age_identity"]'
|
||||
elif [[ "$ok_policy" != "true" ]]; then blockers='["missing_sops_policy"]'
|
||||
elif [[ "$ok_cipher" != "true" ]]; then blockers='["missing_encrypted_templates"]'
|
||||
fi
|
||||
|
||||
cat > "$status" <<EOF
|
||||
{
|
||||
"skill":"secrets-vault",
|
||||
"timestamp":"$(date -Iseconds)",
|
||||
"vault_root":"$(json_escape "$vr")",
|
||||
"checks":[
|
||||
{"name":"age_identity_present", "ok": $ok_keys, "path":"$(json_escape "$kf")"},
|
||||
{"name":"age_identity_perm_600", "ok": $ok_perm},
|
||||
{"name":"sops_policy_present", "ok": $ok_policy, "path":"$(json_escape "$vr/.sops.yaml")"},
|
||||
{"name":"encrypted_templates_present", "ok": $ok_cipher}
|
||||
],
|
||||
"blockers": $blockers,
|
||||
"warnings": [],
|
||||
"next_steps": ["commit vault ciphertext to git", "cloudflare-tunnel-manager", "container-registry"]
|
||||
}
|
||||
EOF
|
||||
|
||||
log_info "Wrote $status"
|
||||
cat "$status"
|
||||
}
|
||||
main "$@"
|
||||
Reference in New Issue
Block a user