Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../keys
History
Pieter b6c9fa666d chore: Post-workshop state - January 23rd, 2026 
This commit captures the infrastructure state immediately following
the "Post-Tyranny Tech" workshop on January 23rd, 2026.

Infrastructure Status:
- 13 client servers deployed (white, valk, zwaan, specht, das, uil, vos,
  haas, wolf, ree, mees, mus, mol, kikker)
- Services: Authentik SSO, Nextcloud, Collabora Office, Traefik
- Private network architecture with edge NAT gateway
- OIDC integration between Authentik and Nextcloud
- Automated recovery flows and invitation system
- Container update monitoring with Diun
- Uptime monitoring with Uptime Kuma

Changes include:
- Multiple new client host configurations
- Network architecture improvements (private IPs + NAT)
- DNS management automation
- Container update notifications
- Email configuration via Mailgun
- SSH key generation for all clients
- Encrypted secrets for all deployments
- Health check and diagnostic scripts

Known Issues to Address:
- Nextcloud version pinned to v30 (should use 'latest' or v32)
- Zitadel references in templates (migrated to Authentik but templates not updated)
- Traefik dynamic config has obsolete static routes

🤖 Generated with Claude Code (https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-23 20:36:31 +01:00
..
ssh chore: Post-workshop state - January 23rd, 2026 2026-01-23 20:36:31 +01:00
.gitignore Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00
README.md Complete SOPS secrets management setup (#5) 2025-12-27 14:23:36 +01:00

README.md

Age Encryption Keys

⚠️ CRITICAL: This directory contains encryption keys that are NOT committed to Git.

Key Files

  • age-key.txt - Age private key for SOPS encryption (GITIGNORED)

Backup Checklist

Before proceeding with any infrastructure work, ensure you have:

  • Copied age-key.txt to password manager
  • Created offline backup (printed or encrypted USB)
  • Verified backup can decrypt secrets successfully

Key Recovery

If you lose access to age-key.txt:

  1. Check password manager for backup
  2. Check offline backups (printed copy, USB drive)
  3. If no backup exists: Secrets are PERMANENTLY LOST
    • You will need to regenerate all secrets
    • Re-encrypt all .sops.yaml files
    • Update all services with new credentials

Generating a New Key

Only do this if you've lost the original key or need to rotate for security:

# Generate new Age key
age-keygen -o age-key.txt

# Extract public key
grep "public key:" age-key.txt

# Update .sops.yaml in repository root with new public key

# Re-encrypt all secrets
cd ..
for file in secrets/**/*.sops.yaml; do
  SOPS_AGE_KEY_FILE=keys/age-key.txt sops updatekeys -y "$file"
done

Security Notes

  • This directory is in .gitignore
  • Keys should never be shared via email, Slack, or unencrypted channels
  • Always use secure methods for key distribution (password manager, encrypted channels)