Daily Operations

Daily Workflows

Load Credentials for Automation

# Load ISE lab credentials
eval "$(dsec source d000 dev/network)"

# Verify loaded
env | grep ISE

# Run automation
python3 query_ise.py

# Clear when done
eval "$(dsec unsource)"

Access Warm Storage

# Mount vault
vault-manager mount credentials

# Work with files
ls ~/mnt/credentials/

# Unmount when done
vault-manager unmount credentials

Edit Encrypted Secrets

# Edit Age-encrypted file
dsec edit d000 dev/network

# Opens in $EDITOR, re-encrypts on save

SSH Operations

Connect to Host

# Connect (YubiKey touch required)
ssh nas-01

# Run single command
ssh certmgr-01 "systemctl status certbot"

Copy Files

# Copy to remote
scp file.txt nas-01:/path/to/dest/

# Copy from remote
scp nas-01:/path/to/file.txt ./

Password Management

Get Password

# Copy to clipboard (30 second timeout)
pass -c services/github

# Display password
pass show services/github

Generate New Password

# 32 character password
pass generate services/newservice 32

# Without symbols
pass generate -n services/newservice 32

Vault Operations

Check Vault Status

vault-manager status

# Or manually
mount | grep gocryptfs

Emergency Unmount All

# Unmount all vaults
vault-manager unmount-all

# Or manually
for mnt in ~/mnt/*; do
    fusermount -u "$mnt" 2>/dev/null
done

Backup Operations

Monthly Cold Backup

# 1. Connect USB drive
# 2. Mount LUKS container
luks-mount

# 3. Run backup
luks-backup

# 4. Verify backup
ls -la /mnt/backup/secrets/

# 5. Unmount and disconnect
luks-umount

Verify Backup Integrity

# Mount backup
luks-mount

# Compare Age keys
diff ~/.secrets/.age/key.txt /mnt/backup/secrets/age/key.txt

# Check backup date
cat /mnt/backup/secrets/last-backup.txt

# Unmount
luks-umount

Troubleshooting

YubiKey Not Responding

# Check YubiKey status
ykman info

# Restart pcscd service
sudo systemctl restart pcscd

Vault Won’t Mount

# Check for stale mount
mount | grep gocryptfs

# Force unmount if needed
fusermount -uz ~/mnt/credentials

# Retry mount
vault-manager mount credentials

SSH Connection Refused

# Test connectivity
ping -c 3 hostname

# Verbose SSH
ssh -vvv hostname

# Check key
ssh-keygen -lf ~/.ssh/id_ed25519_sk_rk_d000.pub

CI/CD Operations

Load CI/CD Credentials

# Load CI/CD credentials (Gitea token, etc.)
dsource d000 dev/cicd

# Verify loaded
env | grep GITEA

# Clear when done
dsunsource

Gitea API Access

The Gitea API requires port 3000 for write operations. The nginx reverse proxy on the standard HTTPS port returns 405 Method Not Allowed for POST/PUT/DELETE requests.
Endpoint                                           Usage
gitea-01.inside.domusdigitalis.dev                 Web UI only (GET requests work)
gitea-01.inside.domusdigitalis.dev:3000/api/v1/    Full API access (all HTTP methods)

Create Repository via API

# Load credentials
dsource d000 dev/cicd

# Create private repo
curl -X POST "https://gitea-01.inside.domusdigitalis.dev:3000/api/v1/user/repos" \
  -H "Authorization: token ${GITEA_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-repo",
    "private": true,
    "description": "Repository description"
  }'

Create Template Repository

curl -X POST "https://gitea-01.inside.domusdigitalis.dev:3000/api/v1/user/repos" \
  -H "Authorization: token ${GITEA_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-template",
    "private": true,
    "template": true,
    "description": "Template repository"
  }'

Troubleshooting: 405 Method Not Allowed

If you receive 405 Method Not Allowed on POST requests:

# Wrong - nginx proxy blocks POST
curl -X POST "https://gitea-01.inside.domusdigitalis.dev/api/v1/user/repos" ...

# Correct - use port 3000
curl -X POST "https://gitea-01.inside.domusdigitalis.dev:3000/api/v1/user/repos" ...

Update GITEA_URL in ~/.secrets/environments/domains/d000/dev/cicd.env.age to include :3000 for API operations.
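As an added example (not part of the runbook or of Gitea itself), the following shell helpers wrap the repository-creation calls above so that a write request is refused up front when GITEA_URL lacks the :3000 port, instead of surfacing later as a 405 from the nginx proxy. They assume GITEA_URL holds only the scheme, host and port, and that GITEA_TOKEN has been loaded with dsource.

```shell
#!/usr/bin/env bash
# Added example, not part of the runbook: send Gitea write requests only to
# the :3000 API endpoint, since the nginx proxy on 443 answers POST with 405.
# Assumes GITEA_URL is the base URL (scheme, host, port) and GITEA_TOKEN is
# loaded into the environment by dsource.
set -e

# Succeed only if the URL carries the explicit :3000 API port.
gitea_url_is_api() {
    case "$1" in
        https://*:3000|https://*:3000/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the full /api/v1 endpoint for a path, or fail early with a clear
# message instead of letting curl come back with 405 from the proxy.
gitea_endpoint() {
    local base="${1%/}"
    if ! gitea_url_is_api "$base"; then
        echo "GITEA_URL must include :3000 for API writes (got: $base)" >&2
        return 1
    fi
    printf '%s/api/v1/%s\n' "$base" "${2#/}"
}

# Build the repo-creation body; the name is restricted to a safe character
# set so it cannot break out of the JSON string.
gitea_repo_json() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid repo name: $1" >&2; return 1 ;;
    esac
    printf '{"name":"%s","private":%s,"template":%s}' \
        "$1" "${2:-true}" "${3:-false}"
}

# Create a (by default private) repo; pass "true" as the third argument
# for a template repository, e.g. gitea_create_repo my-template true true
gitea_create_repo() {
    local url body
    url="$(gitea_endpoint "${GITEA_URL:?run dsource d000 dev/cicd first}" user/repos)"
    body="$(gitea_repo_json "$@")"
    curl -fsS -X POST "$url" \
        -H "Authorization: token ${GITEA_TOKEN:?}" \
        -H "Content-Type: application/json" \
        -d "$body"
}
```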