security: redact credentials and remove corporate hostname/vault references

- README: replace zesticai-non-prod vault name and bigbox hostname with
  generic placeholders; replace hardcoded Tailscale IP with descriptive text
- deploy-to-bigbox.sh: make BIGBOX and TAILSCALE_IP configurable via env
  vars (auto-detect via tailscale ip -4); replace op_zesticai_non_prod.sh
  with op_credentials.sh
- Caddyfile: remove bigbox hostname from comment
- RESEARCH doc: remove hardcoded S3 access key and secret key values from
  the secrets table; replace with generic op:// reference format
- docker-compose_kitchen_sink.yml: replace hardcoded S3 credentials with
  CHANGE_ME placeholders

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-02-18 19:56:32 +01:00
parent dfaf019916
commit 961e54a902
5 changed files with 44 additions and 44 deletions
+6 -6
View File
@@ -231,12 +231,12 @@ Internet ──▶ Caddy (:443/:80)
### 1Password Secrets Required
Based on current configuration, the following secrets must exist in 1Password:
| Secret | Purpose | Current Hardcoded Value |
|--------|---------|------------------------|
| `op://zesticai-non-prod/gitea-postgres/password` | PostgreSQL password | gitea |
| `op://zesticai-non-prod/gitea-s3/access-key` | S3 access key | REDACTED_S3_ACCESS_KEY |
| `op://zesticai-non-prod/gitea-s3/secret-key` | S3 secret key | REDACTED_S3_SECRET_KEY |
| `op://zesticai-non-prod/gitea-jwt/secret` | Gitea JWT secret | (not currently set) |
| Secret | Purpose |
|--------|---------|
| `op://your-vault/gitea-postgres/password` | PostgreSQL password |
| `op://your-vault/gitea-s3/access-key` | S3 access key |
| `op://your-vault/gitea-s3/secret-key` | S3 secret key |
| `op://your-vault/gitea-jwt/secret` | Gitea JWT secret |
### Caddy Configuration Requirements
```caddyfile
+2 -2
View File
@@ -1,5 +1,5 @@
# Caddyfile for gitea-stack on bigbox
# This adds Gitea to the existing Caddy instance on bigbox
# Caddyfile for gitea-stack
# This adds Gitea to the existing Caddy instance on your server
# Copy this snippet to the existing Caddy configuration at /etc/caddy/Caddyfile
# or use 'caddy reload' to add this route to the running Caddy instance
+10 -10
View File
@@ -15,21 +15,21 @@ Self-hosted Git infrastructure with S3-compatible storage, monitoring, and prope
### Prerequisites
1. **1Password Vault Items** - Create in `zesticai-non-prod` vault:
1. **1Password Vault Items** - Create in your 1Password vault:
```bash
op item create --vault="zesticai-non-prod" --category=login \
op item create --vault="your-vault" --category=login \
--title="gitea-postgres" --generate-password=20 username=gitea
op item create --vault="zesticai-non-prod" --category=custom \
op item create --vault="your-vault" --category=custom \
--title="gitea-s3" access-key="$(openssl rand -hex 20)" \
secret-key="$(openssl rand -hex 40)"
```
2. **SSH Access** - Ensure `ssh bigbox` works
2. **SSH Access** - Ensure `ssh your-server` works
3. **1Password Service Account** - `~/op_zesticai_non_prod.sh` on bigbox
3. **1Password Service Account** - `~/op_credentials.sh` on your server (sets `OP_SERVICE_ACCOUNT_TOKEN`)
### Deploy to Bigbox
### Deploy
```bash
./deploy-to-bigbox.sh
@@ -41,11 +41,11 @@ After deployment:
**Public (via HTTPS on terraphim.cloud):**
- **Gitea Web**: https://git.terraphim.cloud
- **Gitea SSH**: ssh://bigbox:222
- **Gitea SSH**: ssh://your-server:222
**Tailscale Network Only (100.106.66.7):**
- **Prometheus**: http://100.106.66.7:9000
- **S3 API**: http://100.106.66.7:8333
**Tailscale Network Only (your Tailscale node IP):**
- **Prometheus**: http://&lt;tailscale-ip&gt;:9000
- **S3 API**: http://&lt;tailscale-ip&gt;:8333
*Note: Prometheus and S3 are only accessible within the Tailscale VPN network, not from the public internet.*
+22 -22
View File
@@ -1,21 +1,21 @@
#!/bin/bash
#
# Deploy Gitea Stack to Bigbox with 1Password Secrets Management
# Deploy Gitea Stack with 1Password Secrets Management
#
# Prerequisites:
# - SSH access to bigbox configured
# - 1Password CLI installed locally and on bigbox
# - op_zesticai_non_prod.sh exists on bigbox with valid service account token
# - SSH access to target server configured (BIGBOX env var or "your-server" alias)
# - 1Password CLI installed locally and on the server
# - op_credentials.sh exists on the server (sets OP_SERVICE_ACCOUNT_TOKEN)
# - 1Password vault items created (gitea-postgres, gitea-s3)
# - Caddy already running on bigbox
# - Caddy already running on the server
#
# Network Configuration:
# - Gitea: Public via Caddy (git.terraphim.cloud) -> localhost:3000
# - Prometheus: Tailscale only (100.106.66.7:9000)
# - S3: Tailscale only (100.106.66.7:8333)
# - Prometheus: Tailscale only (TAILSCALE_IP:9000)
# - S3: Tailscale only (TAILSCALE_IP:8333)
#
# Usage:
# ./deploy-to-bigbox.sh
# BIGBOX=your-server TAILSCALE_IP=$(tailscale ip -4) ./deploy-to-bigbox.sh
#
set -euo pipefail
@@ -27,11 +27,11 @@ YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Configuration
BIGBOX="bigbox"
BIGBOX="${BIGBOX:-your-server}"
REMOTE_DIR="~/gitea-stack"
TAILSCALE_IP="100.106.66.7"
TAILSCALE_IP="${TAILSCALE_IP:-$(tailscale ip -4 2>/dev/null || echo 'SET_TAILSCALE_IP')}"
echo -e "${GREEN}=== Gitea Stack Deployment to Bigbox ===${NC}"
echo -e "${GREEN}=== Gitea Stack Deployment to ${BIGBOX} ===${NC}"
echo ""
# Step 1: Verify local prerequisites
@@ -49,8 +49,8 @@ fi
echo -e "${GREEN}✓ Local prerequisites verified${NC}"
echo ""
# Step 2: Verify bigbox prerequisites
echo -e "${YELLOW}Step 2: Verifying bigbox prerequisites...${NC}"
# Step 2: Verify server prerequisites
echo -e "${YELLOW}Step 2: Verifying server prerequisites...${NC}"
ssh "$BIGBOX" << 'CHECKSCRIPT'
set -e
@@ -73,13 +73,13 @@ ssh "$BIGBOX" << 'CHECKSCRIPT'
fi
# Check service account script
if [ ! -f "$HOME/op_zesticai_non_prod.sh" ]; then
echo "Error: op_zesticai_non_prod.sh not found in home directory"
if [ ! -f "$HOME/op_credentials.sh" ]; then
echo "Error: op_credentials.sh not found in home directory"
exit 1
fi
# Test 1Password authentication
source "$HOME/op_zesticai_non_prod.sh"
source "$HOME/op_credentials.sh"
if ! op vault list &> /dev/null; then
echo "Error: 1Password authentication failed"
exit 1
@@ -100,11 +100,11 @@ ssh "$BIGBOX" << 'CHECKSCRIPT'
echo "All prerequisites verified"
CHECKSCRIPT
echo -e "${GREEN}Bigbox prerequisites verified${NC}"
echo -e "${GREEN}Server prerequisites verified${NC}"
echo ""
# Step 3: Transfer files
echo -e "${YELLOW}Step 3: Transferring files to bigbox...${NC}"
echo -e "${YELLOW}Step 3: Transferring files to ${BIGBOX}...${NC}"
ssh "$BIGBOX" "mkdir -p $REMOTE_DIR"
rsync -avz --progress \
@@ -130,7 +130,7 @@ ssh "$BIGBOX" << DEPLOYSCRIPT
cd $REMOTE_DIR
echo "Loading 1Password credentials..."
source ~/op_zesticai_non_prod.sh
source ~/op_credentials.sh
echo "Injecting secrets into docker-compose.yml..."
op inject --in-file docker-compose.yml.template --out-file docker-compose.yml
@@ -260,14 +260,14 @@ echo " - Prometheus: http://${TAILSCALE_IP}:9000"
echo " - S3 API: http://${TAILSCALE_IP}:8333"
echo ""
echo "SSH Access:"
echo " - Gitea SSH: ssh://bigbox:222"
echo " - Gitea SSH: ssh://${BIGBOX}:222"
echo ""
echo "Note: Prometheus and S3 are NOT accessible from the public internet."
echo " Connect via Tailscale first: tailscale up"
echo ""
echo "Next steps:"
echo " 1. Ensure DNS points git.terraphim.cloud to bigbox"
echo " 1. Ensure DNS points git.terraphim.cloud to ${BIGBOX}"
echo " 2. Access Gitea at https://git.terraphim.cloud to complete setup"
echo " 3. Change default admin password after first login"
echo " 4. Review Caddy logs: ssh bigbox 'sudo tail -f /var/log/caddy/gitea-access.log'"
echo " 4. Review Caddy logs: ssh ${BIGBOX} 'sudo tail -f /var/log/caddy/gitea-access.log'"
echo ""
+4 -4
View File
@@ -20,8 +20,8 @@ services:
- GITEA__repository__LFS_START_SERVER=true
- GITEA__repository__LFS_CONTENT_PATH=/data/lfs
- GITEA__storage__type=minio
- GITEA__storage__MINIO_ACCESS_KEY_ID=REDACTED_S3_ACCESS_KEY
- GITEA__storage__MINIO_SECRET_ACCESS_KEY=REDACTED_S3_SECRET_KEY
- GITEA__storage__MINIO_ACCESS_KEY_ID=CHANGE_ME_S3_ACCESS_KEY
- GITEA__storage__MINIO_SECRET_ACCESS_KEY=CHANGE_ME_S3_SECRET_KEY
- GITEA__storage__MINIO_BUCKET=gitea
- GITEA__storage__MINIO_LOCATION=us-east-1
- GITEA__storage__MINIO_ENDPOINT=http://s3:8333
@@ -120,8 +120,8 @@ services:
restart: on-failure
environment:
S3_BUCKET_NAME: gitea
AWS_ACCESS_KEY_ID: "REDACTED_S3_ACCESS_KEY"
AWS_SECRET_ACCESS_KEY: "REDACTED_S3_SECRET_KEY"
AWS_ACCESS_KEY_ID: "CHANGE_ME_S3_ACCESS_KEY"
AWS_SECRET_ACCESS_KEY: "CHANGE_ME_S3_SECRET_KEY"
AWS_SIGS_VERSION: 4
S3_SERVER: s3
S3_SERVER_PORT: 8333