Secrets Management
Project Summary
| Field | Value |
|---|---|
| PRJ ID | PRJ-SPOKE-007 |
| Owner | Evan Rosado |
| Priority | P1 (High) |
| Status | Active |
| Repository | |
| Antora Component | |
| Antora Title | Secrets Infrastructure |
| Category | Identity |
| 2026 Commits | 46 |
| Site URL | |
Purpose
The Secrets Infrastructure component documents the credential management architecture: gopass password stores, age encryption, dsec/dsource tooling, HashiCorp Vault integration, and secret rotation workflows.
It defines the security-first approach to credential handling across all domus-* repos and infrastructure, ensuring no plaintext secrets appear in documentation or code.
Scope
In Scope
- gopass password store architecture and multi-vault design
- age encryption for file-level secrets (SSH config, credentials)
- dsec CLI wrapper for secrets operations
- dsource environment variable loading from encrypted stores
- HashiCorp Vault KV, PKI, and SSH CA integration
- Secret rotation procedures
- Workstation credential bootstrap (new machine setup)
- Cross-repo credential reference patterns
Out of Scope
- Vault cluster deployment (covered by infra-ops)
- Certificate enrollment procedures (covered by ise-linux, ise-windows)
- Identity provider configuration (covered by identity-ops)
Status
| Indicator | Detail |
|---|---|
| Activity Level | Active — 46 commits, security-critical content |
| Maturity | Production — gopass + age + Vault architecture documented |
| Last Activity | 2026 |
| Key Milestone | VyOS HA firewall secrets integration (March 2026) |
| Deployment Status | Secrets architecture operational, dsec/dsource in daily use |
Metadata
| Field | Value |
|---|---|
| PRJ ID | PRJ-SPOKE-007 |
| Author | Evan Rosado |
| Date Created | 2026-03-30 |
| Last Updated | 2026-03-30 |
| Status | Active |
| Next Review | 2026-04-15 |