security: redact credentials and remove corporate hostname/vault references

- README: replace zesticai-non-prod vault name and bigbox hostname with
  generic placeholders; replace hardcoded Tailscale IP with descriptive text
- deploy-to-bigbox.sh: make BIGBOX and TAILSCALE_IP configurable via env
  vars (auto-detect via tailscale ip -4); replace op_zesticai_non_prod.sh
  with op_credentials.sh
- Caddyfile: remove bigbox hostname from comment
- RESEARCH doc: remove hardcoded S3 access key and secret key values from
  the secrets table; replace with generic op:// reference format
- docker-compose_kitchen_sink.yml: replace hardcoded S3 credentials with
  CHANGE_ME placeholders

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-02-18 19:56:32 +01:00
parent dfaf019916
commit 961e54a902
5 changed files with 44 additions and 44 deletions
+6 -6
View File
@@ -231,12 +231,12 @@ Internet ──▶ Caddy (:443/:80)
### 1Password Secrets Required ### 1Password Secrets Required
Based on current configuration, the following secrets must exist in 1Password: Based on current configuration, the following secrets must exist in 1Password:
| Secret | Purpose | Current Hardcoded Value | | Secret | Purpose |
|--------|---------|------------------------| |--------|---------|
| `op://zesticai-non-prod/gitea-postgres/password` | PostgreSQL password | gitea | | `op://your-vault/gitea-postgres/password` | PostgreSQL password |
| `op://zesticai-non-prod/gitea-s3/access-key` | S3 access key | REDACTED_S3_ACCESS_KEY | | `op://your-vault/gitea-s3/access-key` | S3 access key |
| `op://zesticai-non-prod/gitea-s3/secret-key` | S3 secret key | REDACTED_S3_SECRET_KEY | | `op://your-vault/gitea-s3/secret-key` | S3 secret key |
| `op://zesticai-non-prod/gitea-jwt/secret` | Gitea JWT secret | (not currently set) | | `op://your-vault/gitea-jwt/secret` | Gitea JWT secret |
### Caddy Configuration Requirements ### Caddy Configuration Requirements
```caddyfile ```caddyfile
+2 -2
View File
@@ -1,5 +1,5 @@
# Caddyfile for gitea-stack on bigbox # Caddyfile for gitea-stack
# This adds Gitea to the existing Caddy instance on bigbox # This adds Gitea to the existing Caddy instance on your server
# Copy this snippet to the existing Caddy configuration at /etc/caddy/Caddyfile # Copy this snippet to the existing Caddy configuration at /etc/caddy/Caddyfile
# or use 'caddy reload' to add this route to the running Caddy instance # or use 'caddy reload' to add this route to the running Caddy instance
+10 -10
View File
@@ -15,21 +15,21 @@ Self-hosted Git infrastructure with S3-compatible storage, monitoring, and prope
### Prerequisites ### Prerequisites
1. **1Password Vault Items** - Create in `zesticai-non-prod` vault: 1. **1Password Vault Items** - Create in your 1Password vault:
```bash ```bash
op item create --vault="zesticai-non-prod" --category=login \ op item create --vault="your-vault" --category=login \
--title="gitea-postgres" --generate-password=20 username=gitea --title="gitea-postgres" --generate-password=20 username=gitea
op item create --vault="zesticai-non-prod" --category=custom \ op item create --vault="your-vault" --category=custom \
--title="gitea-s3" access-key="$(openssl rand -hex 20)" \ --title="gitea-s3" access-key="$(openssl rand -hex 20)" \
secret-key="$(openssl rand -hex 40)" secret-key="$(openssl rand -hex 40)"
``` ```
2. **SSH Access** - Ensure `ssh bigbox` works 2. **SSH Access** - Ensure `ssh your-server` works
3. **1Password Service Account** - `~/op_zesticai_non_prod.sh` on bigbox 3. **1Password Service Account** - `~/op_credentials.sh` on your server (sets `OP_SERVICE_ACCOUNT_TOKEN`)
### Deploy to Bigbox ### Deploy
```bash ```bash
./deploy-to-bigbox.sh ./deploy-to-bigbox.sh
@@ -41,11 +41,11 @@ After deployment:
**Public (via HTTPS on terraphim.cloud):** **Public (via HTTPS on terraphim.cloud):**
- **Gitea Web**: https://git.terraphim.cloud - **Gitea Web**: https://git.terraphim.cloud
- **Gitea SSH**: ssh://bigbox:222 - **Gitea SSH**: ssh://your-server:222
**Tailscale Network Only (100.106.66.7):** **Tailscale Network Only (your Tailscale node IP):**
- **Prometheus**: http://100.106.66.7:9000 - **Prometheus**: http://&lt;tailscale-ip&gt;:9000
- **S3 API**: http://100.106.66.7:8333 - **S3 API**: http://&lt;tailscale-ip&gt;:8333
*Note: Prometheus and S3 are only accessible within the Tailscale VPN network, not from the public internet.* *Note: Prometheus and S3 are only accessible within the Tailscale VPN network, not from the public internet.*
+22 -22
View File
@@ -1,21 +1,21 @@
#!/bin/bash #!/bin/bash
# #
# Deploy Gitea Stack to Bigbox with 1Password Secrets Management # Deploy Gitea Stack with 1Password Secrets Management
# #
# Prerequisites: # Prerequisites:
# - SSH access to bigbox configured # - SSH access to target server configured (BIGBOX env var or "your-server" alias)
# - 1Password CLI installed locally and on bigbox # - 1Password CLI installed locally and on the server
# - op_zesticai_non_prod.sh exists on bigbox with valid service account token # - op_credentials.sh exists on the server (sets OP_SERVICE_ACCOUNT_TOKEN)
# - 1Password vault items created (gitea-postgres, gitea-s3) # - 1Password vault items created (gitea-postgres, gitea-s3)
# - Caddy already running on bigbox # - Caddy already running on the server
# #
# Network Configuration: # Network Configuration:
# - Gitea: Public via Caddy (git.terraphim.cloud) -> localhost:3000 # - Gitea: Public via Caddy (git.terraphim.cloud) -> localhost:3000
# - Prometheus: Tailscale only (100.106.66.7:9000) # - Prometheus: Tailscale only (TAILSCALE_IP:9000)
# - S3: Tailscale only (100.106.66.7:8333) # - S3: Tailscale only (TAILSCALE_IP:8333)
# #
# Usage: # Usage:
# ./deploy-to-bigbox.sh # BIGBOX=your-server TAILSCALE_IP=$(tailscale ip -4) ./deploy-to-bigbox.sh
# #
set -euo pipefail set -euo pipefail
@@ -27,11 +27,11 @@ YELLOW='\033[1;33m'
NC='\033[0m' # No Color NC='\033[0m' # No Color
# Configuration # Configuration
BIGBOX="bigbox" BIGBOX="${BIGBOX:-your-server}"
REMOTE_DIR="~/gitea-stack" REMOTE_DIR="~/gitea-stack"
TAILSCALE_IP="100.106.66.7" TAILSCALE_IP="${TAILSCALE_IP:-$(tailscale ip -4 2>/dev/null || echo 'SET_TAILSCALE_IP')}"
echo -e "${GREEN}=== Gitea Stack Deployment to Bigbox ===${NC}" echo -e "${GREEN}=== Gitea Stack Deployment to ${BIGBOX} ===${NC}"
echo "" echo ""
# Step 1: Verify local prerequisites # Step 1: Verify local prerequisites
@@ -49,8 +49,8 @@ fi
echo -e "${GREEN}✓ Local prerequisites verified${NC}" echo -e "${GREEN}✓ Local prerequisites verified${NC}"
echo "" echo ""
# Step 2: Verify bigbox prerequisites # Step 2: Verify server prerequisites
echo -e "${YELLOW}Step 2: Verifying bigbox prerequisites...${NC}" echo -e "${YELLOW}Step 2: Verifying server prerequisites...${NC}"
ssh "$BIGBOX" << 'CHECKSCRIPT' ssh "$BIGBOX" << 'CHECKSCRIPT'
set -e set -e
@@ -73,13 +73,13 @@ ssh "$BIGBOX" << 'CHECKSCRIPT'
fi fi
# Check service account script # Check service account script
if [ ! -f "$HOME/op_zesticai_non_prod.sh" ]; then if [ ! -f "$HOME/op_credentials.sh" ]; then
echo "Error: op_zesticai_non_prod.sh not found in home directory" echo "Error: op_credentials.sh not found in home directory"
exit 1 exit 1
fi fi
# Test 1Password authentication # Test 1Password authentication
source "$HOME/op_zesticai_non_prod.sh" source "$HOME/op_credentials.sh"
if ! op vault list &> /dev/null; then if ! op vault list &> /dev/null; then
echo "Error: 1Password authentication failed" echo "Error: 1Password authentication failed"
exit 1 exit 1
@@ -100,11 +100,11 @@ ssh "$BIGBOX" << 'CHECKSCRIPT'
echo "All prerequisites verified" echo "All prerequisites verified"
CHECKSCRIPT CHECKSCRIPT
echo -e "${GREEN}Bigbox prerequisites verified${NC}" echo -e "${GREEN}Server prerequisites verified${NC}"
echo "" echo ""
# Step 3: Transfer files # Step 3: Transfer files
echo -e "${YELLOW}Step 3: Transferring files to bigbox...${NC}" echo -e "${YELLOW}Step 3: Transferring files to ${BIGBOX}...${NC}"
ssh "$BIGBOX" "mkdir -p $REMOTE_DIR" ssh "$BIGBOX" "mkdir -p $REMOTE_DIR"
rsync -avz --progress \ rsync -avz --progress \
@@ -130,7 +130,7 @@ ssh "$BIGBOX" << DEPLOYSCRIPT
cd $REMOTE_DIR cd $REMOTE_DIR
echo "Loading 1Password credentials..." echo "Loading 1Password credentials..."
source ~/op_zesticai_non_prod.sh source ~/op_credentials.sh
echo "Injecting secrets into docker-compose.yml..." echo "Injecting secrets into docker-compose.yml..."
op inject --in-file docker-compose.yml.template --out-file docker-compose.yml op inject --in-file docker-compose.yml.template --out-file docker-compose.yml
@@ -260,14 +260,14 @@ echo " - Prometheus: http://${TAILSCALE_IP}:9000"
echo " - S3 API: http://${TAILSCALE_IP}:8333" echo " - S3 API: http://${TAILSCALE_IP}:8333"
echo "" echo ""
echo "SSH Access:" echo "SSH Access:"
echo " - Gitea SSH: ssh://bigbox:222" echo " - Gitea SSH: ssh://${BIGBOX}:222"
echo "" echo ""
echo "Note: Prometheus and S3 are NOT accessible from the public internet." echo "Note: Prometheus and S3 are NOT accessible from the public internet."
echo " Connect via Tailscale first: tailscale up" echo " Connect via Tailscale first: tailscale up"
echo "" echo ""
echo "Next steps:" echo "Next steps:"
echo " 1. Ensure DNS points git.terraphim.cloud to bigbox" echo " 1. Ensure DNS points git.terraphim.cloud to ${BIGBOX}"
echo " 2. Access Gitea at https://git.terraphim.cloud to complete setup" echo " 2. Access Gitea at https://git.terraphim.cloud to complete setup"
echo " 3. Change default admin password after first login" echo " 3. Change default admin password after first login"
echo " 4. Review Caddy logs: ssh bigbox 'sudo tail -f /var/log/caddy/gitea-access.log'" echo " 4. Review Caddy logs: ssh ${BIGBOX} 'sudo tail -f /var/log/caddy/gitea-access.log'"
echo "" echo ""
+4 -4
View File
@@ -20,8 +20,8 @@ services:
- GITEA__repository__LFS_START_SERVER=true - GITEA__repository__LFS_START_SERVER=true
- GITEA__repository__LFS_CONTENT_PATH=/data/lfs - GITEA__repository__LFS_CONTENT_PATH=/data/lfs
- GITEA__storage__type=minio - GITEA__storage__type=minio
- GITEA__storage__MINIO_ACCESS_KEY_ID=REDACTED_S3_ACCESS_KEY - GITEA__storage__MINIO_ACCESS_KEY_ID=CHANGE_ME_S3_ACCESS_KEY
- GITEA__storage__MINIO_SECRET_ACCESS_KEY=REDACTED_S3_SECRET_KEY - GITEA__storage__MINIO_SECRET_ACCESS_KEY=CHANGE_ME_S3_SECRET_KEY
- GITEA__storage__MINIO_BUCKET=gitea - GITEA__storage__MINIO_BUCKET=gitea
- GITEA__storage__MINIO_LOCATION=us-east-1 - GITEA__storage__MINIO_LOCATION=us-east-1
- GITEA__storage__MINIO_ENDPOINT=http://s3:8333 - GITEA__storage__MINIO_ENDPOINT=http://s3:8333
@@ -120,8 +120,8 @@ services:
restart: on-failure restart: on-failure
environment: environment:
S3_BUCKET_NAME: gitea S3_BUCKET_NAME: gitea
AWS_ACCESS_KEY_ID: "REDACTED_S3_ACCESS_KEY" AWS_ACCESS_KEY_ID: "CHANGE_ME_S3_ACCESS_KEY"
AWS_SECRET_ACCESS_KEY: "REDACTED_S3_SECRET_KEY" AWS_SECRET_ACCESS_KEY: "CHANGE_ME_S3_SECRET_KEY"
AWS_SIGS_VERSION: 4 AWS_SIGS_VERSION: 4
S3_SERVER: s3 S3_SERVER: s3
S3_SERVER_PORT: 8333 S3_SERVER_PORT: 8333