---
name: secrets-vault
description: >
  Establish a sovereign secrets vault using age + sops (GitOps-friendly).
  Generates/installs an age identity, writes .sops.yaml policy, scaffolds
  encrypted templates, and provides plan/apply/rollback/verify/report.
  Triggers: 'set up secrets vault', 'age sops vault', 'encrypt secrets',
  'sops policy', 'rotate age key'.
version: 1.0.0
---

# Secrets Vault (age + sops)

This skill forges a **GitOps-native secrets vault**:

- **age**: modern encryption keys (simple UX)
- **sops**: encrypt YAML/JSON/ENV files for storage in git
- `.sops.yaml`: repository policy for automatic encryption recipients

It is designed to be safe on **Node A** and portable to future nodes.

## What it produces

A standard layout (you can commit ciphertext to your infra repo):

```
vault/
  .sops.yaml
  secrets/
    cloudflare.enc.yaml
    gitea.enc.yaml
    registry.enc.yaml
    k8s.enc.yaml
  README.md
```

## Quick Start

```bash
cd ~/.claude/skills/secrets-vault

# where the vault lives (repo dir recommended)
export VAULT_ROOT="$HOME/infrastructure/vault"

# safety (apply scripts require DRY_RUN=0 and confirmation)
export DRY_RUN=1
export REQUIRE_CONFIRM=1
export CONFIRM_PHRASE="I UNDERSTAND THIS WILL CREATE A SECRETS VAULT"

./scripts/00_preflight.sh
./scripts/10_plan.sh

export DRY_RUN=0
./scripts/11_apply.sh

./scripts/90_verify.sh
./scripts/99_report.sh
```

## Inputs

| Parameter | Required | Default | Description |
|---|---:|---|---|
| VAULT_ROOT | No | ~/infrastructure/vault | Where to create the vault structure |
| AGE_KEY_DIR | No | ~/.config/sops/age | Where age identities live |
| AGE_KEYS_FILE | No | ~/.config/sops/age/keys.txt | age identity file (mode 0600) |
| RECIPIENTS_FILE | No | outputs/recipients.txt | Generated recipients list |
| DRY_RUN | No | 1 | Apply refuses to run unless DRY_RUN=0 |
| REQUIRE_CONFIRM | No | 1 | Require the confirmation phrase |
| CONFIRM_PHRASE | No | I UNDERSTAND THIS WILL CREATE A SECRETS VAULT | Safety phrase |

## Outputs

- `outputs/status_matrix.json`
- `outputs/audit_report.md`
- `outputs/recipients.txt`
- `outputs/backups/*` (backups of changed files)

## EU Compliance

EU (Ireland - Dublin), Irish jurisdiction. Secrets remain local-first; git stores ciphertext only.
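## Verifying ciphertext before commit

The `90_verify.sh` step above checks the vault as a whole; this added example (not one of the skill's scripts) is a minimal standalone check you can wire into a git pre-commit hook so that a `secrets/*.enc.yaml` file whose values are not `ENC[...]` envelopes, or whose `sops:` block lacks an age recipient or MAC, never reaches the repo. The function names `verify_enc_file` and `make_samples`, the variables `GOOD_FILE`/`BAD_FILE`, the two sample files, their `ENC[...]` payloads and the `age1...` recipient are all constructed placeholders; the `_unencrypted` key-suffix exemption is the sops default.

```shell
#!/usr/bin/env bash
# Added example, not part of the secrets-vault skill: reject a *.enc.yaml
# that is not really sops ciphertext. Only grep/awk, so no sops/age needed.
set -u
# 0 when FILE looks like sops-encrypted YAML, 1 otherwise. Every scalar
# outside the sops: block must be an ENC[...] envelope (keys with the sops
# default "_unencrypted" suffix are exempt) and the sops: block must name
# an age recipient and carry an encrypted MAC.
verify_enc_file() {
  file="$1"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  leaks=$(awk '
    /^sops:/ { exit }                                  # metadata starts
    { l = $0; sub(/^[[:space:]]+/, "", l)
      if (l == "" || l ~ /^#/) next
      sub(/^-[[:space:]]+/, "", l)                     # "- item" -> "item"
      if (l ~ /^[A-Za-z0-9_.-]+:[[:space:]]*$/) next   # nested mapping
      if (l ~ /^[A-Za-z0-9_.-]*_unencrypted:/) next    # deliberate plaintext
      sub(/^[A-Za-z0-9_.-]+:[[:space:]]+/, "", l)      # "key: v" -> "v"
      if (l !~ /^ENC\[/) print "  line " NR ": " l }' "$file")
  [ -z "$leaks" ] ||
    { printf '%s: plaintext found\n%s\n' "$file" "$leaks" >&2; return 1; }
  grep -q '^sops:' "$file" ||
    { echo "$file: no sops metadata block" >&2; return 1; }
  grep -Eq '^[[:space:]]+-[[:space:]]+recipient:[[:space:]]+age1' "$file" ||
    { echo "$file: no age recipient" >&2; return 1; }
  grep -Eq '^[[:space:]]+mac:[[:space:]]+ENC\[' "$file" ||
    { echo "$file: MAC missing or not encrypted" >&2; return 1; }
}
# Constructed samples: shape only, the ENC[...] payloads are not real ciphertext.
make_samples() {
  dir=$(mktemp -d)
  GOOD_FILE="$dir/gitea.enc.yaml"; BAD_FILE="$dir/registry.enc.yaml"
  cat > "$GOOD_FILE" <<'EOF'
gitea:
    admin_password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
    api_tokens:
        - ENC[AES256_GCM,data:dG9rZW4=,iv:aXY=,tag:dGFn,type:str]
    url_unencrypted: https://gitea.example.internal
sops:
    age:
        - recipient: age1placeholder0000000000000000000000000000000000000000000000
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.8.1
EOF
  # Same layout, but one value was left in the clear (the case to catch).
  sed 's|admin_password: ENC.*|admin_password: hunter2|' "$GOOD_FILE" > "$BAD_FILE"
}
```

Run `make_samples` and then `verify_enc_file "$GOOD_FILE"` (exit 0) and `verify_enc_file "$BAD_FILE"` (exit 1, reporting the plaintext line); in a hook, loop the function over `git diff --cached --name-only -- 'secrets/*.enc.yaml'`.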