---
name: operator-bootstrap
description: >
  Bootstrap Node A for sovereign EU infrastructure. Initializes operator identity
  (GPG/SSH keys), configures secrets management (pass), establishes Cloudflare
  tunnels for remote access, and creates GitOps repository structure. Use when
  setting up the foundational node of self-hosted infrastructure.
  Triggers: 'bootstrap node A', 'initialize sovereign infrastructure',
  'set up operator identity', 'configure cloudflare tunnel', 'initialize gitops',
  'first node setup', 'foundation infrastructure setup'.
version: 1.0.0
---

# Operator Bootstrap

Foundation skill for establishing Node A in a sovereign EU infrastructure. All other infrastructure components depend on this skill completing successfully.

## Quick Start

```bash
# Set required parameters
export OPERATOR_NAME="Your Name"
export OPERATOR_EMAIL="you@domain.com"
export DOMAIN="yourdomain.com"
export CF_ACCOUNT_ID="your-cloudflare-account-id"

# Run in sequence
./scripts/00_preflight.sh
./scripts/01_identity_plan.sh
./scripts/02_identity_apply.sh
./scripts/10_secrets_guide.sh    # Interactive
./scripts/20_tunnel_plan.sh
./scripts/21_tunnel_apply.sh
./scripts/30_gitops_plan.sh
./scripts/31_gitops_apply.sh
./scripts/40_editor_setup.sh
./scripts/90_verify.sh
./scripts/99_report.sh
```

## Workflow

### Phase 1: Preflight (00)

Check dependencies: gpg, ssh-keygen, pass, cloudflared, git. Verify network connectivity and EU data residency requirements.

### Phase 2: Identity (01-02)

**Two-phase operation with rollback support.**

Plan phase shows:
- GPG key parameters (4096-bit RSA, operator identity)
- SSH key types (Ed25519 primary, RSA fallback)
- Proposed file locations

Apply phase executes:
- GPG master key generation (prompted passphrase)
- SSH keypair generation
- SSH config updates

Rollback: `./scripts/rollback/undo_identity.sh`

### Phase 3: Secrets (10)

**Guided interactive setup - never automated.**

The operator is guided through:
1. Initialize pass with GPG key
2. Create initial password structure
3. Store critical secrets (tunnel token, etc.)
4. Verify encryption/decryption

### Phase 4: Tunnel (20-21)

**Two-phase operation with rollback support.**

Plan phase shows:
- Proposed tunnel name and ingress rules
- DNS entries to be created
- Service mappings

Apply phase executes:
- Cloudflare tunnel creation
- Credential storage in pass
- systemd service installation

Rollback: `./scripts/rollback/undo_tunnel.sh`

### Phase 5: GitOps (30-31)

**Two-phase operation with rollback support.**

Plan phase shows:
- Bare repository locations
- Branch structure
- Hook scripts

Apply phase executes:
- Create bare repos for config, secrets-encrypted, manifests
- Initialize with sensible defaults
- Configure receive hooks

Rollback: `./scripts/rollback/undo_gitops.sh`

### Phase 6: Editor (40)

Configure Kate (if available) with:
- Project file for infrastructure
- Syntax highlighting for YAML/TOML
- Git integration

### Phase 7: Verification (90-99)

Generate JSON status matrix and human-readable audit report.
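The preflight phase above lists what must be in place before any key or tunnel is created. The following is an added example of such a check, written for this page and not the skill's own `00_preflight.sh`: it reports the listed tools that are missing from PATH, the required parameters from the Inputs table that are unset, and malformed `DOMAIN` / `OPERATOR_EMAIL` values, so that the apply phases never start from a half-configured environment. Network and data-residency checks are out of scope here.

```shell
# Added example (not the skill's script): preflight checks for Node A bootstrap.
# Tools and variables come from this page; everything else is constructed.

REQUIRED_TOOLS="gpg ssh-keygen pass cloudflared git"
REQUIRED_VARS="OPERATOR_NAME OPERATOR_EMAIL DOMAIN CF_ACCOUNT_ID"

# Print the names of tools from $1 that are not on PATH, one per line.
missing_tools() {
  for tool in $1; do
    command -v "$tool" >/dev/null 2>&1 || echo "$tool"
  done
}

# Print the names of variables from $1 that are unset or empty, one per line.
# Uses eval for indirection so it works in POSIX sh as well as bash.
missing_vars() {
  for name in $1; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || echo "$name"
  done
}

# Accept only lowercase dotted hostnames (labels of 1-63 chars, alpha TLD).
valid_domain() {
  printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

# Minimal address sanity: one @, no whitespace, dotted domain part.
valid_email() {
  printf '%s' "$1" | grep -Eq '^[^[:space:]@]+@[^[:space:]@]+\.[a-z]{2,}$'
}

# Run all checks; report each problem on stderr and return non-zero if any.
preflight() {
  rc=0
  for item in $(missing_tools "$REQUIRED_TOOLS"); do
    echo "preflight: missing tool: $item" >&2; rc=1
  done
  for item in $(missing_vars "$REQUIRED_VARS"); do
    echo "preflight: missing variable: $item" >&2; rc=1
  done
  if [ -n "${DOMAIN:-}" ] && ! valid_domain "$DOMAIN"; then
    echo "preflight: DOMAIN '$DOMAIN' is not a valid hostname" >&2; rc=1
  fi
  if [ -n "${OPERATOR_EMAIL:-}" ] && ! valid_email "$OPERATOR_EMAIL"; then
    echo "preflight: OPERATOR_EMAIL '$OPERATOR_EMAIL' is not a valid address" >&2; rc=1
  fi
  return $rc
}
```

Call `preflight || exit 1` at the top of the sequence so a missing `cloudflared` or an unset `CF_ACCOUNT_ID` stops the run before `02_identity_apply.sh` creates anything that would later need rollback.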
## Inputs

| Parameter | Required | Default | Description |
|-----------|----------|---------|-------------|
| OPERATOR_NAME | Yes | - | Full name for GPG key |
| OPERATOR_EMAIL | Yes | - | Email for GPG key |
| DOMAIN | Yes | - | Primary domain |
| CF_ACCOUNT_ID | Yes | - | Cloudflare account ID |
| NODE_NAME | No | node-a | Hostname for this node |
| GITOPS_ROOT | No | ~/infrastructure | Root for GitOps repos |
| SSH_KEY_COMMENT | No | node-a-operator | SSH key comment |
| GPG_KEY_SIZE | No | 4096 | GPG key size in bits |
| GPG_KEY_EXPIRE | No | 2y | GPG key expiration |
| TUNNEL_NAME | No | node-a-tunnel | Cloudflare tunnel name |
| ENABLE_KATE | No | true | Enable Kate editor setup |

## Outputs

| File | Description |
|------|-------------|
| `outputs/identity_manifest.json` | Record of created keys |
| `outputs/secrets_manifest.json` | Secrets structure record |
| `outputs/tunnel_config.json` | Tunnel configuration |
| `outputs/gitops_manifest.json` | Repository locations |
| `outputs/status_matrix.json` | Verification results |
| `outputs/audit_report.md` | Human-readable audit trail |

## Safety Guarantees

1. **All risky operations are two-phase** (plan/apply)
2. **Secrets are never automated** - guided enrollment only
3. **Rollback scripts provided** for identity, tunnel, SSH config, GitOps
4. **All scripts are idempotent** - safe to run multiple times
5. **Audit trail generated** for compliance

## EU Compliance

- Data Residency: EU (Ireland - Dublin)
- GDPR Applicable: Yes
- Jurisdiction: Irish law

## References

- [EU Data Sovereignty](references/eu_data_sovereignty.md)
- [Cloudflare Tunnel Setup](references/cloudflare_tunnel_setup.md)