Secrets Infrastructure

Overview

Centralized secrets management infrastructure for home enterprise and personal use. Combines multiple tools for different use cases.

Primary Documentation: domus-secrets-ops (secrets-infrastructure)

Architecture

Tools

Tool              Purpose                                   Storage
----------------  ----------------------------------------  --------------------------
gopass            Password manager (CLI)                    Git-encrypted (age)
HashiCorp Vault   PKI, dynamic secrets, API-driven          Local storage on vault-01
dsec / dsource    Wrapper scripts for credential loading    Sources from gopass

Credential Flow

gopass (encrypted git repo)
    │
    ├── ADMINISTRATIO/     # Server credentials
    ├── D000/DEV/          # Development secrets
    │   ├── NETWORK        # netapi credentials
    │   └── VAULT          # Vault unseal keys + token
    └── PERSONAL/          # Personal accounts
    │
    ▼
dsource d000 dev/network   # Load into environment
    │
    ▼
$ISE_HOST, $ISE_USER, $ISE_PASS, etc.
    │
    ▼
netapi ise ...             # Use credentials

Components

gopass

Password manager with Git backend and age encryption.

Repository: ~/.local/share/gopass/stores/root

Key Structure:

gopass/
├── ADMINISTRATIO/
│   └── servers/
│       └── home-dc01/
│           ├── Administrator
│           ├── dsrm
│           └── meta
├── D000/
│   └── DEV/
│       ├── NETWORK          # ISE, WLC, pfSense creds
│       └── VAULT            # Vault unseal keys
└── PERSONAL/
    └── ...

Common Commands:

# List all entries
gopass ls

# Show password
gopass show ADMINISTRATIO/servers/home-dc01/Administrator

# Copy to clipboard
gopass show -c ADMINISTRATIO/servers/home-dc01/Administrator

# Generate new password
gopass generate ADMINISTRATIO/servers/home-dc01/Administrator 32

# Insert with heredoc
gopass insert ADMINISTRATIO/servers/home-dc01/meta << 'EOF'
hostname: home-dc01
ip: 10.50.1.50
EOF

HashiCorp Vault

PKI infrastructure and dynamic secrets.

Host: vault-01 (10.50.1.x)

PKI Mounts:

  • pki/ - DOMUS-ROOT-CA (offline root)

  • pki_int/ - DOMUS-ISSUING-CA (issues certificates)

Roles:

  • domus-client - Workstation certificates (1 year TTL)

  • domus-server - Server certificates
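The vault CLI calls that realise this layout (pki/ holding DOMUS-ROOT-CA, pki_int/ holding DOMUS-ISSUING-CA, and the two roles), as an added example that is not part of domus-secrets-ops. The Vault address, the domus.example domain, the file names and every TTL except the 1-year client TTL named above are placeholders; how the root mount is taken offline afterwards is not covered here.

```shell
#!/bin/sh
# Added example (not the project's own scripts): stand up the two PKI mounts
# and the two roles described in the page. Placeholders: VAULT_ADDR,
# DOMUS_DOMAIN, output file names, and all TTLs except the 1-year client TTL.
set -eu

: "${VAULT_ADDR:=https://vault-01.domus.example:8200}"   # placeholder address
: "${DOMUS_DOMAIN:=domus.example}"                        # placeholder domain
export VAULT_ADDR

# Mount the two PKI engines. The root mount gets a 10-year max lease so the
# root certificate can outlive several issuing-CA rotations.
pki_enable_mounts() {
  vault secrets enable -path=pki pki
  vault secrets tune -max-lease-ttl=87600h pki
  vault secrets enable -path=pki_int pki
  vault secrets tune -max-lease-ttl=43800h pki_int
}

# Generate the root, then an intermediate CSR signed by that root, and
# install the signed intermediate so pki_int/ can issue on its own.
pki_build_chain() {
  vault write -field=certificate pki/root/generate/internal \
    common_name="DOMUS-ROOT-CA" ttl=87600h > domus-root-ca.pem
  vault write -field=csr pki_int/intermediate/generate/internal \
    common_name="DOMUS-ISSUING-CA" > domus-issuing-ca.csr
  vault write -field=certificate pki/root/sign-intermediate \
    csr=@domus-issuing-ca.csr format=pem_bundle ttl=43800h > domus-issuing-ca.pem
  vault write pki_int/intermediate/set-signed certificate=@domus-issuing-ca.pem
}

# Roles: domus-client is capped at the 1-year TTL named in the page and is
# client-auth only; domus-server is server-auth only. Restricting each role's
# key usage keeps a leaked workstation cert from impersonating a server.
pki_create_roles() {
  vault write pki_int/roles/domus-client \
    allowed_domains="$DOMUS_DOMAIN" allow_subdomains=true \
    client_flag=true server_flag=false ttl=8760h max_ttl=8760h
  vault write pki_int/roles/domus-server \
    allowed_domains="$DOMUS_DOMAIN" allow_subdomains=true \
    server_flag=true client_flag=false max_ttl=8760h
}

# Only run the procedure when invoked as `sh pki-setup.sh apply`;
# sourcing the file merely defines the functions.
if [ "${1:-}" = "apply" ]; then
  pki_enable_mounts
  pki_build_chain
  pki_create_roles
fi
```

Run it once against an unsealed Vault with a token that may write to sys/mounts and both PKI paths; after pki_build_chain the root mount is the piece to export and keep offline, while pki_int/ stays in daily use.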

dsec / dsource

Shell wrapper scripts for loading credentials from gopass.

dsource - Load credentials into current shell:

# Load network credentials
dsource d000 dev/network

# Now these are available:
echo $ISE_HOST
echo $PFSENSE_HOST

Location: Documented in domus-secrets-ops
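A minimal re-implementation of the dsource pattern shown above and in the credential-flow diagram, added here as an example and not the project's own script. It assumes a gopass entry such as D000/DEV/NETWORK holds "key: value" lines (ise_host, ise_user, ise_pass, ...) that `gopass show -n` prints verbatim, and it turns each key into an upper-cased exported variable; the names secret_to_exports and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not the project's dsource script. Assumes the gopass entry
# is a list of "key: value" lines printed verbatim by `gopass show -n`.

# secret_to_exports: read "key: value" lines on stdin and print one
# `export KEY='value'` line per secret, quoted so that eval cannot be tricked
# by shell metacharacters inside a password.
secret_to_exports() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;        # blank or comment line
      *': '*) ;;                  # has the "key: value" shape
      *) continue ;;              # anything else is ignored
    esac
    key=${line%%:*}
    value=${line#*: }
    # Normalise the key to a valid variable name: upper-case, non-alphanumerics
    # become underscores, keys that would start with a digit are skipped.
    key=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]' | tr -c '[:alnum:]' '_')
    case $key in [0-9]*) continue ;; esac
    # Single-quote the value; an embedded quote becomes '\'' so the
    # generated line is always one literal string.
    value=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
    printf "export %s='%s'\n" "$key" "$value"
  done
}

# dsource STORE PATH: maps the lower-case arguments used in the docs
# (dsource d000 dev/network) onto the upper-case gopass path D000/DEV/NETWORK,
# fetches the entry, and evaluates the export lines in the current shell.
dsource() {
  store=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  path=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  eval "$(gopass show -n "$store/$path" | secret_to_exports)"
}
```

Because the variables must land in the interactive shell, the functions are sourced (`. ./dsource.sh`) rather than executed; a child process could not export into its parent. The quoting step is the part worth keeping: an `eval` over unquoted secret text would execute anything a password happened to contain.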

Security Model

Encryption

Layer               Method
------------------  ------------------------------
gopass at rest      age encryption (modern, audited)
gopass in transit   Git over SSH
Vault at rest       AES-256-GCM (seal key)
Vault in transit    TLS (when configured)

Access Control

Secret Type    Access Method
-------------  -----------------------------------------------------
gopass         SSH key + GPG/age key
Vault unseal   Requires 2 of N unseal keys (stored in gopass)
Vault token    Root token in gopass (for admin), AppRole for automation

Backup Strategy

gopass

  • Git repo synced to GitHub (encrypted)

  • Included in Tier 1 HOT backups (Borg)

  • age key backed up separately

Vault

  • Included in vault-01 Borg backup

  • Unseal keys in gopass (separate backup path)

  • PKI CA certificates exported to offline storage