ops: add HashiCorp Vault for secrets management

Replaces .env files across all KiteStacks apps. Vault runs as a Docker container bound to 127.0.0.1:8200 with file storage backend. - apps/vault/: compose file + vault.hcl config (TLS disabled, localhost only) - scripts/vault-env.sh: fetches secret from Vault KV and injects as env vars before running docker compose (drops the .env pattern entirely) - scripts/vault-init.sh: one-time init — GPG-encrypts unseal keys to ~/.vault-keys.gpg, creates kitestacks policy + limited app token - scripts/vault-unseal.sh: post-restart unseal via GPG-decrypted key - docs/vault-setup.md: full setup guide including secret migration steps Usage: vault-env.sh kitestacks/authentik -- docker compose up -d Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 03:01:12 -05:00 · 2026-06-19 03:01:12 -05:00 · dbcf51993d
commit dbcf51993d
parent 5b3698191e
6 changed files with 321 additions and 0 deletions
--- a/scripts/vault-unseal.sh
+++ b/scripts/vault-unseal.sh
@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# vault-unseal.sh — unseal Vault after a container restart
+# Decrypts the GPG-encrypted keys file and unseals automatically.
+# Add to startup: after `docker compose up`, call this script.
+
+set -euo pipefail
+
+VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
+KEYS_FILE="${HOME}/.vault-keys.gpg"
+
+export VAULT_ADDR
+
+if vault status 2>/dev/null | grep -q "Sealed.*false"; then
+  echo "Vault is already unsealed."
+  exit 0
+fi
+
+if [[ ! -f "${KEYS_FILE}" ]]; then
+  echo "ERROR: ${KEYS_FILE} not found — run vault-init.sh first"
+  exit 1
+fi
+
+echo "Decrypting unseal key ..."
+UNSEAL_KEY=$(gpg --decrypt "${KEYS_FILE}" 2>/dev/null \
+  | python3 -c "import json,sys; d=json.load(sys.stdin); print(d['unseal_keys_b64'][0])")
+
+echo "Unsealing Vault at ${VAULT_ADDR} ..."
+vault operator unseal "${UNSEAL_KEY}"
+echo "Vault unsealed."