kitestacks-homelab

kenpat/kitestacks-homelab

Fork 0

Commit graph

Author	SHA1	Message	Date
kenpat	dbcf51993d	ops: add HashiCorp Vault for secrets management Replaces .env files across all KiteStacks apps. Vault runs as a Docker container bound to 127.0.0.1:8200 with file storage backend. - apps/vault/: compose file + vault.hcl config (TLS disabled, localhost only) - scripts/vault-env.sh: fetches secret from Vault KV and injects as env vars before running docker compose (drops the .env pattern entirely) - scripts/vault-init.sh: one-time init — GPG-encrypts unseal keys to ~/.vault-keys.gpg, creates kitestacks policy + limited app token - scripts/vault-unseal.sh: post-restart unseal via GPG-decrypted key - docs/vault-setup.md: full setup guide including secret migration steps Usage: vault-env.sh kitestacks/authentik -- docker compose up -d Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-19 03:01:12 -05:00
kenpat	5b3698191e	ops: add nightly Docker volume backup to SAMURAI - scripts/backup-volumes.sh: tar each named volume via alpine, rsync to SAMURAI (Tailscale 100.74.x.x) at 02:00; 7-day retention; preflight checks Tailscale + SSH before starting - scripts/setup-samurai-ssh.sh: one-time SSH key install to SAMURAI - scripts/monk-backup.{service,timer}: systemd units for nightly schedule - docs/backup-setup.md: full setup instructions incl. Windows OpenSSH config and admin authorized_keys fix Phase 2 (MinIO S3 on SAMURAI) tracked as TODO in backup-volumes.sh. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-19 02:59:14 -05:00
kenpat	e3cfa80d98	chore: clean up cloudflared token handling and add pending files - Remove hardcoded TUNNEL_TOKEN from cloudflared docker-compose.yml (now reads from .env via ${TUNNEL_TOKEN:?...}) - Delete backup file that contained raw token - Add .env.example template for cloudflared - Add scripts/rollout-cloudflared-token.sh for token rotation - Add apps/kitestacks-portal/public/flux/index.html (FluxCD status page) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-19 00:34:48 -05:00

Author

SHA1

Message

Date

kenpat

dbcf51993d

ops: add HashiCorp Vault for secrets management

Replaces .env files across all KiteStacks apps. Vault runs as a Docker
container bound to 127.0.0.1:8200 with file storage backend.

- apps/vault/: compose file + vault.hcl config (TLS disabled, localhost only)
- scripts/vault-env.sh: fetches secret from Vault KV and injects as env
  vars before running docker compose (drops the .env pattern entirely)
- scripts/vault-init.sh: one-time init — GPG-encrypts unseal keys to
  ~/.vault-keys.gpg, creates kitestacks policy + limited app token
- scripts/vault-unseal.sh: post-restart unseal via GPG-decrypted key
- docs/vault-setup.md: full setup guide including secret migration steps

Usage: vault-env.sh kitestacks/authentik -- docker compose up -d

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-06-19 03:01:12 -05:00

kenpat

5b3698191e

ops: add nightly Docker volume backup to SAMURAI

- scripts/backup-volumes.sh: tar each named volume via alpine, rsync to
  SAMURAI (Tailscale 100.74.x.x) at 02:00; 7-day retention; preflight
  checks Tailscale + SSH before starting
- scripts/setup-samurai-ssh.sh: one-time SSH key install to SAMURAI
- scripts/monk-backup.{service,timer}: systemd units for nightly schedule
- docs/backup-setup.md: full setup instructions incl. Windows OpenSSH
  config and admin authorized_keys fix

Phase 2 (MinIO S3 on SAMURAI) tracked as TODO in backup-volumes.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-06-19 02:59:14 -05:00

kenpat

e3cfa80d98

chore: clean up cloudflared token handling and add pending files

- Remove hardcoded TUNNEL_TOKEN from cloudflared docker-compose.yml
  (now reads from .env via ${TUNNEL_TOKEN:?...})
- Delete backup file that contained raw token
- Add .env.example template for cloudflared
- Add scripts/rollout-cloudflared-token.sh for token rotation
- Add apps/kitestacks-portal/public/flux/index.html (FluxCD status page)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-06-19 00:34:48 -05:00

3 commits