Files
2026-06-13 17:26:49 +02:00

41 lines
2.6 KiB
Markdown

# Secrets
```mermaid
flowchart LR
StackRepo[Stack repo secrets/] --> SOPS[SOPS ciphertext]
SOPS -->|age recipient| HostKey["/etc/charlie/age.key"]
HostKey --> Deploy[Deploy on target host]
Deploy --> Plaintext["Plaintext env/config"]
Plaintext --> Compose[docker compose]
```
| Area | Current state |
| -------------- | -------------------------------------------------------- |
| Stack secrets | SOPS-encrypted files under each stack repo's `secrets/`. |
| Decryption | Target host decrypts with `/etc/charlie/age.key`. |
| Admin recovery | Admin age key listed in every relevant `.sops.yaml`. |
| Human vault | Vaultwarden stores human-facing secrets and PAT notes. |
| Plaintext | Deploy-time only; ignored by Git. |
## Key material
| Secret/key | Owner | Location |
| -------------------------- | --------------- | ------------------------------------------------------------------------------------------------------------------ |
| Host age private key | each host | `/etc/charlie/age.key` |
| Host age public key | docs | [hosts](https://gitea.alexandru.macocian.me/Charlie/project-charlie/src/branch/main/docs/hosts.md#sops-recipients) |
| Admin age private key | operator | vaultwarden Secure Note `Charlie SOPS admin age key` |
| Registry RO PAT ciphertext | project-charlie | inline in `deploy-stack.yml` |
## PATs
| Identity | Scope | Used for |
| ------------------ | ----------------- | ------------------------------------------ |
| `sys-gitea-runner` | `read:repository` | workflow/action fetches and host Git sync. |
| `sys-gitea-runner` | `read:package` | registry pulls during deploy. |
| `sys-host-<host>` | `read:repository` | host-local root Git operations. |
| `sys-host-<host>` | `read:package` | host-local root registry pulls. |
| caller user/org | `read:repository` | source-repo build workflow fetch/clone. |
| caller user/org | `write:package` | source-repo image push. |
Registry and repo credentials are separate on purpose.