vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
009e93a80b3c58bbfaa2ceb153e3fba32a6efc3c
vm-skills/secrets-vault/SKILL.md
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

2.2 KiB
Raw Blame History

name, description, version
name description version
secrets-vault Establish a sovereign secrets vault using age + sops (GitOps-friendly). Generates/installs an age identity, writes .sops.yaml policy, scaffolds encrypted templates, and provides plan/apply/rollback/verify/report. Triggers: 'set up secrets vault', 'age sops vault', 'encrypt secrets', 'sops policy', 'rotate age key'. 1.0.0

Secrets Vault (age + sops)

This skill forges a GitOps-native secrets vault:

  • age: modern encryption keys (simple UX)
  • sops: encrypt YAML/JSON/ENV files for storage in git
  • .sops.yaml: repository policy for automatic encryption recipients

It is designed to be safe on Node A and portable to future nodes.

What it produces

A standard layout (you can commit ciphertext to your infra repo):

vault/
  .sops.yaml
  secrets/
    cloudflare.enc.yaml
    gitea.enc.yaml
    registry.enc.yaml
    k8s.enc.yaml
  README.md

Quick Start

cd ~/.claude/skills/secrets-vault

# where the vault lives (repo dir recommended)
export VAULT_ROOT="$HOME/infrastructure/vault"

# safety (apply scripts require DRY_RUN=0 and confirmation)
export DRY_RUN=1
export REQUIRE_CONFIRM=1
export CONFIRM_PHRASE="I UNDERSTAND THIS WILL CREATE A SECRETS VAULT"

./scripts/00_preflight.sh
./scripts/10_plan.sh

export DRY_RUN=0
./scripts/11_apply.sh

./scripts/90_verify.sh
./scripts/99_report.sh

Inputs

Parameter Required Default Description
VAULT_ROOT No ~/infrastructure/vault Where to create the vault structure
AGE_KEY_DIR No ~/.config/sops/age Where age identities live
AGE_KEYS_FILE No ~/.config/sops/age/keys.txt age identity file (0600)
RECIPIENTS_FILE No outputs/recipients.txt Generated recipients list
DRY_RUN No 1 Apply refuses unless DRY_RUN=0
REQUIRE_CONFIRM No 1 Require confirmation phrase
CONFIRM_PHRASE No I UNDERSTAND THIS WILL CREATE A SECRETS VAULT Safety phrase

Outputs

  • outputs/status_matrix.json
  • outputs/audit_report.md
  • outputs/recipients.txt
  • outputs/backups/* (backups of changed files)

EU Compliance

EU (Ireland - Dublin), Irish jurisdiction. Secrets remain local-first; git stores ciphertext only.

Reference in New Issue View Git Blame Copy Permalink