From 45ab6ced01953bb4288cba407ec453f4ece4e202 Mon Sep 17 00:00:00 2001 From: sjat Date: Sat, 30 May 2026 19:17:25 +0200 Subject: [PATCH] Purge residual .vault_pass references (review R1-R5) Point ADR-005, the new-host runbook, CONTRIBUTING, and AGENTS at the rbw/Vaultwarden flow instead of a .vault_pass file. Also record the cron-section idea in docs/TODO.md. Co-Authored-By: Claude Opus 4.8 (1M context) --- AGENTS.md | 4 ++-- CONTRIBUTING.md | 5 +++-- docs/TODO.md | 6 ++++++ docs/decisions/005-bootstrapping.md | 4 +++- docs/runbooks/new-host.md | 6 +++--- 5 files changed, 17 insertions(+), 8 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 3789d72..66eacac 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -12,8 +12,8 @@ only designed — much of the ADR-described design is not built yet. - **Never edit generated files** (e.g. `inventories/*/hosts.yml`). Edit the source (`terraform/environments//main.tf`) and regenerate with `make tf-inventory`. Generated files carry a header saying so. -- **Secrets only in `vault.yml`** files — never plaintext elsewhere. Never read, - print, or commit `.vault_pass`. +- **Secrets only in `vault.yml`** files — never plaintext elsewhere. The master + vault password comes from Vaultwarden via `rbw`; never print or commit it. - **No `make deploy` / `make tf-apply`** without running `make check` / `make tf-plan` first and showing the output. - **Before deleting or overwriting a file you did not create, read it first** and diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 5f83f64..9da3480 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -29,8 +29,9 @@ Always use `make new-role NAME=` to scaffold — never create structure by ## Secrets -Vault password is shared via a secure channel (password manager). -Never commit `.vault_pass`. Never put secrets in non-`vault.yml` files. +The master vault password lives in Vaultwarden; `rbw` fetches it on demand via +`scripts/vault-pass-client.sh` (run `rbw unlock` once per session). Never put +secrets in any file other than `vault.yml`. See `docs/runbooks/rotate-secrets.md` for rotation procedures. diff --git a/docs/TODO.md b/docs/TODO.md index b6cf6c0..8782b51 100644 --- a/docs/TODO.md +++ b/docs/TODO.md @@ -42,3 +42,9 @@ - [ ] Scheduled work - /review-repo maybe as claude -p via cron every two weeks? - Sanity checks: does a photoprism have its pictures? are email services recieving and sending? +- Cron "section": a declarative way for the repo to own which cronjobs are active on a + host, enforced by Ansible. Sketch (deferred until we have hosts): a `scheduled_jobs` + role reading a `scheduled_jobs__jobs` list from group_vars/host_vars, rendered via a + managed /etc/cron.d file. Open Qs: general role vs control-node-only; prune + undeclared jobs (repo authoritative) vs additive; validate headless email + that + cron's env has the `claude` CLI. The /review-repo fortnightly job is the first entry. diff --git a/docs/decisions/005-bootstrapping.md b/docs/decisions/005-bootstrapping.md index 06e1eff..646c709 100644 --- a/docs/decisions/005-bootstrapping.md +++ b/docs/decisions/005-bootstrapping.md 
@@ -62,7 +62,9 @@ exception to Terraform-owned VM existence (see ADR-009). The control node requir cd ~/ansible make setup # creates venv, installs deps make collections # installs Ansible collections - cp /secure/location/.vault_pass ~/ansible/.vault_pass + # set up rbw + unlock so the vault password resolves from Vaultwarden + # (one-time, per docs/runbooks/rotate-secrets.md) + rbw login && rbw unlock ``` 3. After that, the control node can manage all other hosts normally diff --git a/docs/runbooks/new-host.md b/docs/runbooks/new-host.md index 411c8d5..1e23c33 100644 --- a/docs/runbooks/new-host.md +++ b/docs/runbooks/new-host.md @@ -3,7 +3,7 @@ ## Prerequisites - Proxmox VM template exists (Debian 13 cloud-init image — see below if not) -- You have the vault password (`.vault_pass`) +- `rbw` is installed and unlocked (`rbw unlock`) so the vault password resolves from Vaultwarden - The host's intended hostname and IP are decided --- @@ -126,8 +126,8 @@ qm set --memory 2048 --cores 2 \ qm start ``` -Then set up the Ansible environment on it (`make setup`, `make collections`, place -`.vault_pass`) per ADR-005, and add it to `inventories//hosts.yml` under the +Then set up the Ansible environment on it (`make setup`, `make collections`, set up +`rbw` and `rbw unlock`) per ADR-005, and add it to `inventories//hosts.yml` under the `control` group. Because the control node is not in `local.vms`, this is the only case where editing `hosts.yml` by hand is expected — every other host comes from `make tf-inventory`.
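Review bot: the AGENTS.md hunk drops the "never read" part of the old rule, and since this file instructs an automated agent that is the part that matters most. "Never print or commit it" still permits the agent to run `scripts/vault-pass-client.sh` or `rbw get` and capture the password on stdout into its transcript. Suggest keeping an explicit prohibition on fetching it: "The master vault password comes from Vaultwarden via `rbw`; never fetch, print, log or commit it. Only Ansible's vault password client reads it."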
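Review bot: the CONTRIBUTING hunk relies on `scripts/vault-pass-client.sh`, which is not in this patch's diffstat, so confirm the script exists and that `ansible.cfg` (or the `make` targets) actually set `vault_password_file` to it; otherwise "rbw fetches it on demand" does not hold and contributors get an interactive password prompt. The hunk should also name the Vaultwarden entry the script looks up, since that is the one thing a new contributor cannot guess, and "run `rbw unlock` once per session" is approximate because rbw re-locks after its configured `lock_timeout`.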
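Review bot: the cron-section sketch in docs/TODO.md is missing an open question on credentials for a headless job. A fortnightly `claude -p` run from a managed /etc/cron.d file has no interactive session, so it cannot rely on the per-session `rbw unlock` that the other docs in this patch assume, and any playbook it triggers will not be able to resolve the vault password; decide whether the job runs without vault access, uses a dedicated service credential, or is limited to read-only review. For the "prune undeclared jobs" option, prefer making the role authoritative over a single file it owns (e.g. one `/etc/cron.d/<role>` file it renders) rather than over the whole directory, so it does not delete entries other packages install.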
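Review bot: in the ADR-005 hunk, `rbw login && rbw unlock` fails on a fresh control node until rbw knows which server to talk to, so the snippet needs `rbw config set base_url <vaultwarden-url>` and `rbw config set email <account>` before it (rbw config keys; the URL and account are the repo's to fill in). The comment also sends readers to `docs/runbooks/rotate-secrets.md` for this one-time setup, while the CONTRIBUTING hunk describes that runbook as rotation procedures; either put the rbw bootstrap steps in ADR-005 itself or add a setup section and reference it consistently from ADR-005, CONTRIBUTING and the new-host runbook.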
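Review bot: the new-host.md prerequisite "`rbw` is installed and unlocked (`rbw unlock`)" skips the login step that a first-time operator needs; suggest "`rbw` is configured, logged in and unlocked (`rbw login`, `rbw unlock`)" so the prerequisite matches what the ADR-005 snippet actually runs.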
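Review bot: in the last new-host.md hunk, "set up `rbw` and `rbw unlock`) per ADR-005" leaves the operator with a three-hop chain (new-host.md to ADR-005 to rotate-secrets.md) for one setup procedure; either inline the rbw commands here or link the single document that owns them. Also the closing parenthesis in "`rbw unlock`) per ADR-005" now encloses three items where it used to enclose one, so consider splitting it into a short list.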