dsec: Architecture

Architecture

~/.secrets/
├── dsec/                    # CLI tool
│   └── dsec.py
├── dsource/                 # Environment loader
│   └── dsource.sh
├── vaults/                  # gocryptfs encrypted dirs
│   ├── sensitive/
│   └── certificates/
└── config/                  # Tool configs
    └── domains.yml

~/.password-store/           # gopass v3 store
└── v3/
    ├── domains/
    │   └── d000/            # Domain-specific secrets
    │       ├── ise/
    │       ├── pfsense/
    │       └── vault/
    ├── servers/
    └── services/

Core Components

dsource - Environment Loader

Load a domain's credentials into the current shell environment:

# Load domain credentials
dsource d000

# What happens:
# 1. Reads ~/.secrets/config/domains.yml
# 2. Fetches secrets from gopass v3/domains/d000/
# 3. Exports as environment variables:
#    NETAPI_ISE_HOST, NETAPI_ISE_USER, NETAPI_ISE_PASS
#    NETAPI_PFSENSE_HOST, NETAPI_PFSENSE_USER, ...
#    VAULT_ADDR, VAULT_TOKEN, ...
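The steps above, written out as a minimal loader that can be sourced into a shell. This is an added example, not the project's dsource.sh: the domains.yml format is not shown on the page, so the example stands in a constructed ENV_VAR=gopass-path[:key] mapping for d000, and it assumes secrets are read with `gopass show -o <path>` (password only) or `gopass show <path> <key>` (one key of the secret). Setting DSOURCE_BACKEND=fake swaps in constructed values so the flow can be exercised without a gopass store.

```shell
#!/usr/bin/env bash
# Added example of a dsource-style loader (not the project's dsource.sh).
# Assumptions not taken from the page: the config format below, the exact
# variable-to-secret mapping, and the gopass invocations in fetch_secret.
# Must be sourced (". ./dsource_example.sh; dsource d000"): exports made by
# a child process would never reach the caller's shell.

# Constructed mapping for domain d000, standing in for domains.yml.
# Format: ENV_VAR=<gopass path>[:<key>]; no key means the password line.
dsource_config() {
    case "$1" in
        d000) cat <<'EOF'
NETAPI_ISE_HOST=domains/d000/ise/admin:host
NETAPI_ISE_USER=domains/d000/ise/admin:user
NETAPI_ISE_PASS=domains/d000/ise/admin
VAULT_ADDR=domains/d000/vault/token:addr
VAULT_TOKEN=domains/d000/vault/token
EOF
        ;;
        *) return 1 ;;
    esac
}

# Variable names a domain would export (used by dsource_unload).
dsource_vars() { dsource_config "$1" | cut -d= -f1; }

# Read one value. "gopass" backend calls the real CLI; "fake" backend returns
# constructed values for an offline dry run (DSOURCE_BACKEND=fake).
fetch_secret() {
    local path="$1" key="$2"
    case "${DSOURCE_BACKEND:-gopass}" in
        gopass)
            if [ -n "$key" ]; then gopass show "$path" "$key"; else gopass show -o "$path"; fi ;;
        fake)
            case "$path:$key" in
                domains/d000/ise/admin:host)   echo "ise.d000.example" ;;
                domains/d000/ise/admin:user)   echo "admin" ;;
                domains/d000/ise/admin:)       echo "constructed-ise-pass" ;;
                domains/d000/vault/token:addr) echo "https://vault-01.d000.example:8200" ;;
                domains/d000/vault/token:)     echo "hvs.constructed-token" ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# dsource <domain>: resolve every mapping entry and export it.
dsource() {
    local domain="$1" line var spec path key value
    # Only short lowercase identifiers are valid domain names; anything else
    # (slashes, dots, shell metacharacters) is rejected before any lookup.
    case "$domain" in ""|*[!a-z0-9]*) echo "dsource: bad domain name" >&2; return 1 ;; esac
    dsource_config "$domain" >/dev/null || { echo "dsource: unknown domain $domain" >&2; return 1; }
    # Heredoc instead of a pipe, so the exports happen in this shell, not a subshell.
    while IFS= read -r line; do
        var="${line%%=*}"; spec="${line#*=}"
        path="${spec%%:*}"
        key="${spec#"$path"}"; key="${key#:}"
        value="$(fetch_secret "$path" "$key")" || { echo "dsource: cannot read $spec" >&2; return 1; }
        export "$var=$value"
    done <<EOF
$(dsource_config "$domain")
EOF
}

# dsource_unload <domain>: clear the variables again when the session is done.
dsource_unload() {
    local var
    for var in $(dsource_vars "$1"); do unset "$var"; done
}
```

A loader like this fails closed: one unreadable secret aborts the whole domain rather than leaving a half-populated environment. Keep in mind that exported variables are inherited by every child process and readable by any process of the same user, so unload them (dsource_unload) as soon as the tooling that needs them has finished.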

gopass v3 Taxonomy

Hierarchical secret organization:

v3/
├── domains/
│   └── d000/                # Home enterprise
│       ├── ise/
│       │   ├── admin        # ISE admin creds
│       │   └── ers          # ERS API creds
│       ├── pfsense/
│       │   └── admin
│       ├── vault/
│       │   └── token
│       └── cloudflare/
│           └── api-token
├── servers/
│   ├── vault-01/
│   ├── home-dc01/
│   └── nas-01/
├── services/
│   ├── github/
│   └── gitlab/
└── personal/
    └── email/

gocryptfs Vaults

Encrypted directories for sensitive files:

# Mount encrypted vault
dsec mount sensitive

# Now available at ~/.secrets/mounts/sensitive/
# Contains: certificates, keys, backups

# Unmount when done
dsec umount sensitive
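The mount/umount flow above as a small shell wrapper around gocryptfs. This is an added example, not the project's dsec.py; it follows the layout shown on this page (cipher directories under ~/.secrets/vaults/<name>, mounts under ~/.secrets/mounts/<name>) and assumes a Linux FUSE setup where `fusermount -u` unmounts and `mountpoint -q` reports mount state. The vault name check is the part worth copying: a name is accepted only as a single path component, so it can never select a directory outside the vaults tree.

```shell
#!/usr/bin/env bash
# Added example of a dsec-style gocryptfs wrapper (not the project's dsec.py).
# Layout per the page; gocryptfs/fusermount/mountpoint usage is an assumption.

DSEC_ROOT="${DSEC_ROOT:-$HOME/.secrets}"

# A vault name must be one plain path component: no "", ".", "..", no "/",
# and only [A-Za-z0-9._-]. Rejecting anything else keeps the resolved paths
# inside $DSEC_ROOT/vaults and $DSEC_ROOT/mounts.
vault_name_ok() {
    case "$1" in
        ""|.|..|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

vault_cipher_dir() { printf '%s\n' "$DSEC_ROOT/vaults/$1"; }
vault_mountpoint() { printf '%s\n' "$DSEC_ROOT/mounts/$1"; }

# dsec-style "mount <name>": check the name, check the cipher dir really is a
# gocryptfs directory (it carries gocryptfs.conf), then mount it.
vault_mount() {
    local name="$1" cipher mnt
    vault_name_ok "$name" || { echo "dsec: invalid vault name '$name'" >&2; return 1; }
    cipher="$(vault_cipher_dir "$name")"
    mnt="$(vault_mountpoint "$name")"
    [ -f "$cipher/gocryptfs.conf" ] || { echo "dsec: $cipher is not a gocryptfs cipher dir" >&2; return 1; }
    mkdir -p "$mnt"
    if mountpoint -q "$mnt"; then echo "dsec: $mnt is already mounted" >&2; return 0; fi
    # gocryptfs prompts for the vault password on the terminal; -q drops the banner.
    gocryptfs -q "$cipher" "$mnt"
}

# dsec-style "umount <name>".
vault_umount() {
    local name="$1" mnt
    vault_name_ok "$name" || { echo "dsec: invalid vault name '$name'" >&2; return 1; }
    mnt="$(vault_mountpoint "$name")"
    mountpoint -q "$mnt" || { echo "dsec: $mnt is not mounted" >&2; return 1; }
    fusermount -u "$mnt"
}
```

Both operations validate the name before touching the filesystem, and the mount path refuses to run gocryptfs against a directory that has no gocryptfs.conf, which avoids mounting (or creating) the wrong thing when a vault name is mistyped.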