Replace inline credentials with Infisical pointers

CLAUDE.md

@@ -12,6 +12,34 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 - **Network infrastructure**: Ubiquiti Unifi switches
 - **Debugging scope**: VM-to-external-client connectivity issues across the ESXi virtual switch and physical Unifi switch layers
 
+## Credentials convention
+
+Plaintext passwords / API keys / tokens have been moved out of these files into [Infisical](infisical.md). Where a credential used to be inline, you'll now see a pointer in the form:
+
+```
+[Infisical: homelab/<env>/<folder>/<KEY>]
+```
+
+To fetch one (machine identity required — see `infisical.md`):
+
+```bash
+TOKEN=$(curl -s -X POST https://infisical.dohertylan.com/api/v1/auth/universal-auth/login \
+  -H 'Content-Type: application/json' \
+  -d '{"clientId":"<id>","clientSecret":"<secret>"}' \
+  | python3 -c "import json,sys;print(json.load(sys.stdin)['accessToken'])")
+PROJ=$(curl -s -H "Authorization: Bearer $TOKEN" \
+  https://infisical.dohertylan.com/api/v1/workspace \
+  | python3 -c "import json,sys;print(json.load(sys.stdin)['workspaces'][0]['id'])")
+curl -sG "https://infisical.dohertylan.com/api/v3/secrets/raw/<KEY>" \
+  -H "Authorization: Bearer $TOKEN" \
+  --data-urlencode "workspaceId=$PROJ" \
+  --data-urlencode "environment=<env>" \
+  --data-urlencode "secretPath=<folder>" \
+  | python3 -c "import json,sys;print(json.load(sys.stdin)['secret']['secretValue'])"
+```
+
+Or via the Infisical web UI at https://infisical.dohertylan.com.
+
 ## Components
 
 - [TrueNAS Server](truenas.md) — NAS at 10.100.0.25 (management) / 10.50.0.x (storage), serves SMB and NFS

desktop.md

@@ -4,7 +4,7 @@
 
 - **Hostname**: DESKTOP-1BEK7OR
 - **OS**: Windows 10 (PowerShell 5.1.19041.6456)
-- **Credentials**: dohertj2 / Sonamu89
+- **Credentials**: dohertj2 / `[Infisical: homelab/infrastructure/windows-hosts/DESKTOP_ADMIN_PWD]`
 - **Remote access**: SSH (passwordless), WinRM (fallback)
 
 ### Running Commands

esxi.md

@@ -4,10 +4,10 @@
 
 - **IP**: 10.2.0.12 (VLAN 0 / DEFAULT, management)
 - **Version**: VMware ESXi 8.0.3 build-24280767 (Update 3, Patch 35)
-- **Credentials**: govc / Tn9.xKw-m4Vp (Administrator role)
-- **API access via govc**:
+- **Credentials**: govc / `[Infisical: homelab/infrastructure/esxi/GOVC_PASSWORD]` (Administrator role)
+- **API access via govc** — fetch the password from Infisical first, then:
   ```bash
-  GOVC_URL=https://10.2.0.12/sdk GOVC_USERNAME=govc GOVC_PASSWORD='Tn9.xKw-m4Vp' GOVC_INSECURE=true govc <command>
+  GOVC_URL=https://10.2.0.12/sdk GOVC_USERNAME=govc GOVC_PASSWORD='<from-infisical>' GOVC_INSECURE=true govc <command>
   ```
 - **Do NOT use SSH** — ESXi keyboard-interactive auth is unreliable from this machine; use `govc` exclusively
 - **Hardware**: HP, 2x Intel Xeon E5-2697 v4 (36 logical CPUs @ 2.3GHz), 256GB RAM

infisical.md

@@ -29,7 +29,7 @@ Source of truth: `roles/infisical/defaults/main.yml` in the ansible repo. Re-dep
 | `infisical_image` | `infisical/infisical:latest-postgres` | Standalone all-in-one image (API + frontend) |
 | `infisical_subdomain` | `infisical` | Becomes `infisical.dohertylan.com` |
 | `infisical_db_user` / `_db_name` | `infisical` / `infisical` | Internal-only — not exposed past the compose network |
-| `infisical_db_password` | `Sonamu89_infisical_db` | dev convention; rotate via group_vars/vault if repo ever leaves the LAN |
+| `infisical_db_password` | `[Infisical: homelab/apps/infisical/DB_PWD]` | Plaintext also lives in `roles/infisical/defaults/main.yml` (chicken-and-egg: the playbook must hold the value to deploy Infisical from scratch) |
 | `infisical_encryption_key` | 32 hex chars | **Do not change after data exists** — used to envelope-encrypt secrets at rest. Changing it makes existing secrets unrecoverable; use Infisical's key-rotation flow if you need to rotate |
 | `infisical_auth_secret` | random base64 | JWT signing key |
 | `infisical_telemetry_enabled` | `false` | Anonymous telemetry opted out |
@@ -41,7 +41,7 @@ Three equivalent paths:
 ```bash
 # Via Semaphore UI (or API): http://10.100.0.35:3000  →  template "Deploy Full Stack"
 curl -s -c - http://localhost:3000/api/auth/login -X POST -H 'Content-Type: application/json' \
-  -d '{"auth":"dohertj2","password":"Sonamu89"}' | grep semaphore | awk '{print $NF}' \
+  -d '{"auth":"dohertj2","password":"<semaphore-admin-pwd>"}' | grep semaphore | awk '{print $NF}' \
   | xargs -I{} curl -s -b "semaphore={}" -X POST http://localhost:3000/api/project/1/tasks \
        -H 'Content-Type: application/json' -d '{"template_id":8,"project_id":1}'
 

veeam.md

@@ -5,7 +5,7 @@
 - **Hostname**: VEEAM
 - **IP**: 10.100.0.30 (LAN_100) / 10.50.0.32 (DATA_50)
 - **OS**: Windows Server 2025 Standard (Build 26100), 64-bit
-- **Credentials**: dohertj2 / Sonamu8901!
+- **Credentials**: dohertj2 / `[Infisical: homelab/infrastructure/windows-hosts/VEEAM_ADMIN_PWD]`
 - **SSH**: `ssh dohertj2@10.100.0.30` (passwordless, key in `C:\ProgramData\ssh\administrators_authorized_keys`)
 - **For PowerShell**: `ssh dohertj2@10.100.0.30 "powershell -Command '...'"`
 

ww.md

@@ -6,7 +6,7 @@
 - **IP**: 10.100.0.48 (VLAN 100 / LAN_100)
 - **OS**: Windows 10 Enterprise (10.0.19045)
 - **Shell**: PowerShell 7.6.1 (pwsh)
-- **Credentials**: dohertj2 / Sonamu89 (local Administrator)
+- **Credentials**: dohertj2 / `[Infisical: homelab/infrastructure/windows-hosts/WW_VM_ADMIN_PWD]` (local Administrator)
 - **Remote access**: SSH (passwordless, key in `C:\ProgramData\ssh\administrators_authorized_keys`)
 - **Platform**: ESXi VM (vmxnet3 vNIC)
 

ww_gpu.md

@@ -39,7 +39,7 @@ ssh dohertj2@10.100.0.48 'Get-WindowsOptionalFeature -Online -FeatureName Virtua
 ### 2. Shut down the VM (graceful)
 
 ```bash
-export GOVC_URL=https://10.2.0.12/sdk GOVC_USERNAME=govc GOVC_PASSWORD='Tn9.xKw-m4Vp' GOVC_INSECURE=true
+export GOVC_URL=https://10.2.0.12/sdk GOVC_USERNAME=govc GOVC_PASSWORD='<from Infisical: homelab/infrastructure/esxi/GOVC_PASSWORD>' GOVC_INSECURE=true
 govc vm.power -s=true WW_DEV_VM
 until govc vm.info WW_DEV_VM | grep -q "Power state:  poweredOff"; do sleep 5; done
 ```