dsec Vault Migration: Architecture

Current Architecture

┌─────────────────┐     ┌──────────────────────┐     ┌─────────────────┐
│  dsource/dsec   │────▶│  age-encrypted files │────▶│  Environment    │
│  CLI commands   │     │  ~/.secrets/env/     │     │  Variables      │
└─────────────────┘     └──────────────────────┘     └─────────────────┘
                               │
                               ▼
                        ┌──────────────────┐
                        │  ~/.config/age/  │
                        │  key.txt         │
                        └──────────────────┘

Components:

Component          Current                         Location
-----------------  ------------------------------  ------------------------------
Secret Storage     age-encrypted .env files        ~/.secrets/env/d000/dev/*.env
Encryption Keys    age identity key                ~/.config/age/key.txt
CLI Interface      dsource/dsec shell functions    ~/.zshrc or separate script
Backup             Manual rsync to NAS             Unstructured

Target Architecture

┌─────────────────┐     ┌──────────────────────┐     ┌─────────────────┐
│  dsource/dsec   │────▶│  HashiCorp Vault     │────▶│  Environment    │
│  CLI commands   │     │  KV Secrets Engine   │     │  Variables      │
└─────────────────┘     └──────────────────────┘     └─────────────────┘
                               │
                        ┌──────┴──────┐
                        ▼             ▼
                 ┌───────────┐ ┌───────────┐
                 │ vault-01  │ │ vault-02  │
                 │ (Primary) │ │ (Standby) │
                 └───────────┘ └───────────┘

Components:

Component          Target                                              Location
-----------------  --------------------------------------------------  -------------------------------
Secret Storage     Vault KV v2 secrets engine                          kv/data/domus/<domain>/<secret>
Encryption         Vault barrier encryption; unseal via auto-unseal    Vault server (vault-01)
                   or Shamir key shares
CLI Interface      dsec with Vault backend                             Python CLI with hvac library
Auth               Token, AppRole, or OIDC                             Vault auth methods
Backup             Vault Raft snapshots to NAS (Raft storage is        Automated via systemd timer
                   required for snapshots, even on a single node)
HA (Future)        Raft integrated storage                             vault-01 + vault-02
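The CLI and migration rows above, as an added example that is not code from the dsec project. It assumes (the doc does not say) that the KV v2 engine is mounted at kv, that logical paths look like domus/<domain>/<secret>, and that each secret's key/value pairs map one-to-one onto environment variables; hvac is imported lazily, so the helpers run offline against any object with the shape of hvac's secrets.kv.v2 calls, and InMemoryKV is a constructed stand-in for dry runs and tests, not part of hvac.

```python
"""dsec with a HashiCorp Vault KV v2 backend (added example, not project code).

Assumptions not stated in the design doc: KV v2 mounted at "kv", logical
paths of the form "domus/<domain>/<secret>", one env var per secret key.
"""
import os
import re
import shlex
from types import SimpleNamespace
from typing import Dict, List

MOUNT = "kv"  # assumed mount point of the KV v2 engine
LOGICAL_PATH = re.compile(r"^domus(/[a-z0-9][a-z0-9_.-]*)+$")  # assumed naming rule
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
DOTENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def kv_api_path(logical: str, kind: str = "data", mount: str = MOUNT) -> str:
    """Map a logical path (what follows `vault kv get`) to the KV v2 API path.
    KV v2 inserts data/ or metadata/ after the mount: raw HTTP calls and
    policies must use that form, while hvac adds it for you."""
    if not LOGICAL_PATH.match(logical):
        raise ValueError(f"refusing path outside the domus hierarchy: {logical!r}")
    if kind not in ("data", "metadata"):
        raise ValueError(f"unknown KV v2 path kind: {kind!r}")
    return f"{mount}/{kind}/{logical}"


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse age-decrypted .env content: KEY=value with optional `export`,
    single- or double-quoted values, # comments and blank lines."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DOTENV_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable .env line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip one layer of matching quotes
        env[key] = value
    return env


def migrate_dotenv(client, logical: str, dotenv_text: str) -> int:
    """Write one decrypted .env file to Vault; returns the new KV version."""
    kv_api_path(logical)  # validate before touching Vault
    resp = client.secrets.kv.v2.create_or_update_secret(
        path=logical, secret=parse_dotenv(dotenv_text), mount_point=MOUNT)
    return int(resp["data"]["version"])


def read_env(client, logical: str) -> Dict[str, str]:
    """Fetch the latest version of a secret (the `dsec get` path)."""
    kv_api_path(logical)
    resp = client.secrets.kv.v2.read_secret_version(path=logical, mount_point=MOUNT)
    data = resp["data"]["data"]
    if not isinstance(data, dict):
        raise TypeError(f"{logical}: expected a key/value map, got {type(data).__name__}")
    return {str(k): str(v) for k, v in data.items()}


def export_lines(env: Dict[str, str]) -> List[str]:
    """Render `export KEY=value` lines for `eval "$(dsec source <path>)"`.
    Keys are validated and values shell-quoted, so a secret containing `;`,
    `$(...)` or quotes is exported verbatim rather than executed."""
    lines = []
    for key in sorted(env):
        if not ENV_NAME.match(key):
            raise ValueError(f"secret key {key!r} is not a valid env var name")
        lines.append(f"export {key}={shlex.quote(env[key])}")
    return lines


def connect(addr: str = None, token: str = None):
    """Build a real hvac client from VAULT_ADDR/VAULT_TOKEN (or arguments).
    Kept separate so everything above works without a Vault server."""
    import hvac  # optional dependency, only needed for the live backend
    client = hvac.Client(url=addr or os.environ["VAULT_ADDR"],
                         token=token or os.environ.get("VAULT_TOKEN"))
    if not client.is_authenticated():
        raise PermissionError("Vault token missing, expired, or rejected")
    return client


class InMemoryKV:
    """Constructed stand-in with the call shape of hvac's secrets.kv.v2
    (not part of hvac); lets `dsec --dry-run` and the tests run offline."""

    class _V2:
        def __init__(self):
            self.store: Dict[str, tuple] = {}

        def create_or_update_secret(self, path, secret, mount_point=MOUNT, cas=None):
            version = self.store.get(path, (0, {}))[0] + 1
            self.store[path] = (version, dict(secret))
            return {"data": {"version": version}}

        def read_secret_version(self, path, mount_point=MOUNT, version=None):
            current, data = self.store[path]
            return {"data": {"data": data, "metadata": {"version": current}}}

    def __init__(self):
        self.secrets = SimpleNamespace(kv=SimpleNamespace(v2=InMemoryKV._V2()))
```

The shell-quoting in export_lines is the part worth keeping even if the rest is rewritten: the current dsource pattern of eval-ing decrypted file contents trusts every byte of every secret, whereas here the only thing eval'd is a validated name and a quoted string.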

Vault KV Path Structure

Proposed path hierarchy mirroring the current dsec structure. The paths below are logical KV v2 paths, as typed after `vault kv get` (for example kv/domus/network/ise); the HTTP API, hvac's raw requests and policies see them as kv/data/domus/... (secret data) and kv/metadata/domus/... (versions and listing).

kv/
├── domus/
│   ├── network/
│   │   ├── ise                    # ISE API credentials
│   │   ├── wlc                    # WLC credentials
│   │   ├── pfsense                # pfSense credentials
│   │   └── switch                 # Switch credentials
│   ├── servers/
│   │   ├── ise-01/
│   │   │   ├── admin              # ISE admin password
│   │   │   ├── cli                # ISE CLI password
│   │   │   ├── ers                # ERS API credentials
│   │   │   └── dataconnect        # DataConnect credentials
│   │   ├── keycloak-01            # Keycloak admin
│   │   └── vault-01               # Certmgr credentials
│   ├── ad/
│   │   ├── administrator          # Domain admin
│   │   └── svc-ise-adjoin         # ISE AD join service account
│   ├── vault/
│   │   ├── unseal-keys            # Vault unseal keys (encrypted)
│   │   └── root-token             # Root token (encrypted)
│   ├── storage/
│   │   └── nas-01                 # NAS credentials
│   └── radius/
│       ├── pfsense                # RADIUS shared secret
│       ├── wlc                    # WLC RADIUS secret
│       └── switch                 # Switch RADIUS secret

Note on domus/vault/: a sealed Vault cannot serve its own unseal keys or root token, so these two entries can only be a convenience copy. The authoritative copies must stay outside Vault (for example in the existing age-encrypted files, with an offline backup), and the initial root token should be revoked once auth methods and policies are in place and regenerated with `vault operator generate-root` only when needed.
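Least-privilege policies over this hierarchy, as an added example that is not from the design doc. It assumes KV v2 mounted at kv; the consumer and policy names are hypothetical. It shows the check that bites most people with KV v2 (a rule written on the logical path kv/domus/... grants nothing, rules must name kv/data/... and kv/metadata/...), and includes a small matcher that approximates Vault's ACL resolution closely enough to sanity-check a policy before `vault policy write`.

```python
"""Least-privilege policies for kv/domus/ (added example, not project code).

Assumes KV v2 mounted at "kv". The matcher follows Vault's path globbing
(`+` matches exactly one segment, a trailing `*` matches the rest of the
path) and its resolution order (exact match beats glob, longer pattern beats
shorter, deny in the winning rule blocks everything); treat it as a
pre-flight check, not as a reimplementation of Vault's ACL engine.
"""
from typing import Iterable, List, Tuple

MOUNT = "kv"
Rule = Tuple[str, List[str]]  # (API path pattern, capabilities)


def kv_rules(read: Iterable[str] = (), write: Iterable[str] = (),
             deny: Iterable[str] = (), mount: str = MOUNT) -> List[Rule]:
    """Expand logical path patterns into KV v2 API rules. Readers also need
    read/list on metadata so `vault kv list` and version lookups work."""
    rules: List[Rule] = []
    for p in read:
        rules.append((f"{mount}/data/{p}", ["read"]))
        rules.append((f"{mount}/metadata/{p}", ["read", "list"]))
    for p in write:
        rules.append((f"{mount}/data/{p}", ["create", "update", "read"]))
        rules.append((f"{mount}/metadata/{p}", ["read", "list"]))
    for p in deny:
        rules.append((f"{mount}/data/{p}", ["deny"]))
        rules.append((f"{mount}/metadata/{p}", ["deny"]))
    return rules


def to_hcl(rules: List[Rule]) -> str:
    """Render rules as the HCL that `vault policy write <name> -` accepts."""
    blocks = []
    for path, caps in rules:
        caplist = ", ".join(f'"{c}"' for c in caps)
        blocks.append(f'path "{path}" {{\n  capabilities = [{caplist}]\n}}')
    return "\n\n".join(blocks) + "\n"


def path_matches(pattern: str, path: str) -> bool:
    """Vault-style match: `+` matches one segment, a trailing `*` matches the
    remainder (prefix match within its own segment), otherwise exact."""
    pseg, tseg = pattern.split("/"), path.split("/")
    glob = pseg[-1].endswith("*")
    if glob:
        pseg[-1] = pseg[-1][:-1]
    if len(tseg) < len(pseg) or (not glob and len(tseg) != len(pseg)):
        return False
    for i, ps in enumerate(pseg):
        if glob and i == len(pseg) - 1:
            return tseg[i].startswith(ps)
        if ps != "+" and ps != tseg[i]:
            return False
    return True


def can(rules: List[Rule], capability: str, api_path: str) -> bool:
    """Does the policy grant `capability` on an API path? The most specific
    matching rule decides: exact beats glob, then the longer pattern wins,
    and "deny" in that rule refuses regardless of other capabilities."""
    matching = [(p, caps) for p, caps in rules if path_matches(p, api_path)]
    if not matching:
        return False
    _, caps = max(matching, key=lambda r: (not r[0].endswith("*"), len(r[0])))
    return "deny" not in caps and capability in caps


if __name__ == "__main__":
    # Hypothetical consumer: the ISE AD-join job only needs its own secrets.
    ise_reader = kv_rules(read=["domus/servers/ise-01/*", "domus/ad/svc-ise-adjoin"])
    print(to_hcl(ise_reader))
    print("can read ISE ERS creds:", can(ise_reader, "read", "kv/data/domus/servers/ise-01/ers"))
    print("can read domain admin:", can(ise_reader, "read", "kv/data/domus/ad/administrator"))
```

Run it to print the policy for a hypothetical ise-reader role and two access checks; the second check should be False, which is the whole point of splitting ad/administrator from svc-ise-adjoin in the tree above. A dedicated deny rule on domus/vault/* (as in the test) keeps the bootstrap material out of reach even for a policy that otherwise reads all of domus/.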