vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
009e93a80b3c58bbfaa2ceb153e3fba32a6efc3c
vm-skills/operator-bootstrap/SKILL.md
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

4.6 KiB
Raw Blame History

name, description, version
name description version
operator-bootstrap Bootstrap Node A for sovereign EU infrastructure. Initializes operator identity (GPG/SSH keys), configures secrets management (pass), establishes Cloudflare tunnels for remote access, and creates GitOps repository structure. Use when setting up the foundational node of self-hosted infrastructure. Triggers: 'bootstrap node A', 'initialize sovereign infrastructure', 'set up operator identity', 'configure cloudflare tunnel', 'initialize gitops', 'first node setup', 'foundation infrastructure setup'. 1.0.0

Operator Bootstrap

Foundation skill for establishing Node A in a sovereign EU infrastructure. All other infrastructure components depend on this skill completing successfully.

Quick Start

# Set required parameters
export OPERATOR_NAME="Your Name"
export OPERATOR_EMAIL="you@domain.com"
export DOMAIN="yourdomain.com"
export CF_ACCOUNT_ID="your-cloudflare-account-id"

# Run in sequence
./scripts/00_preflight.sh
./scripts/01_identity_plan.sh
./scripts/02_identity_apply.sh
./scripts/10_secrets_guide.sh  # Interactive
./scripts/20_tunnel_plan.sh
./scripts/21_tunnel_apply.sh
./scripts/30_gitops_plan.sh
./scripts/31_gitops_apply.sh
./scripts/40_editor_setup.sh
./scripts/90_verify.sh
./scripts/99_report.sh

Workflow

Phase 1: Preflight (00)

Check dependencies: gpg, ssh-keygen, pass, cloudflared, git. Verify network connectivity and EU data residency requirements.

Phase 2: Identity (01-02)

Two-phase operation with rollback support.

Plan phase shows:

  • GPG key parameters (4096-bit RSA, operator identity)
  • SSH key types (Ed25519 primary, RSA fallback)
  • Proposed file locations

Apply phase executes:

  • GPG master key generation (prompted passphrase)
  • SSH keypair generation
  • SSH config updates

Rollback: ./scripts/rollback/undo_identity.sh

Phase 3: Secrets (10)

Guided interactive setup - never automated.

Operator is guided through:

  1. Initialize pass with GPG key
  2. Create initial password structure
  3. Store critical secrets (tunnel token, etc.)
  4. Verify encryption/decryption

Phase 4: Tunnel (20-21)

Two-phase operation with rollback support.

Plan phase shows:

  • Proposed tunnel name and ingress rules
  • DNS entries to be created
  • Service mappings

Apply phase executes:

  • Cloudflare tunnel creation
  • Credential storage in pass
  • systemd service installation

Rollback: ./scripts/rollback/undo_tunnel.sh

Phase 5: GitOps (30-31)

Two-phase operation with rollback support.

Plan phase shows:

  • Bare repository locations
  • Branch structure
  • Hook scripts

Apply phase executes:

  • Create bare repos for config, secrets-encrypted, manifests
  • Initialize with sensible defaults
  • Configure receive hooks

Rollback: ./scripts/rollback/undo_gitops.sh

Phase 6: Editor (40)

Configure Kate (if available) with:

  • Project file for infrastructure
  • Syntax highlighting for YAML/TOML
  • Git integration

Phase 7: Verification (90-99)

Generate JSON status matrix and human-readable audit report.

Inputs

Parameter Required Default Description
OPERATOR_NAME Yes - Full name for GPG key
OPERATOR_EMAIL Yes - Email for GPG key
DOMAIN Yes - Primary domain
CF_ACCOUNT_ID Yes - Cloudflare account ID
NODE_NAME No node-a Hostname for this node
GITOPS_ROOT No ~/infrastructure Root for GitOps repos
SSH_KEY_COMMENT No node-a-operator SSH key comment
GPG_KEY_SIZE No 4096 GPG key size in bits
GPG_KEY_EXPIRE No 2y GPG key expiration
TUNNEL_NAME No node-a-tunnel Cloudflare tunnel name
ENABLE_KATE No true Enable Kate editor setup

Outputs

File Description
outputs/identity_manifest.json Record of created keys
outputs/secrets_manifest.json Secrets structure record
outputs/tunnel_config.json Tunnel configuration
outputs/gitops_manifest.json Repository locations
outputs/status_matrix.json Verification results
outputs/audit_report.md Human-readable audit trail

Safety Guarantees

  1. All risky operations are two-phase (plan/apply)
  2. Secrets are never automated - guided enrollment only
  3. Rollback scripts provided for identity, tunnel, SSH config, GitOps
  4. All scripts are idempotent - safe to run multiple times
  5. Audit trail generated for compliance

EU Compliance

  • Data Residency: EU (Ireland - Dublin)
  • GDPR Applicable: Yes
  • Jurisdiction: Irish law

References

Reference in New Issue View Git Blame Copy Permalink