From 5b2162372c617a0ba6d3740ddc134cd11c78bc98 Mon Sep 17 00:00:00 2001 From: dohertj2 Date: Wed, 29 Apr 2026 09:53:38 -0400 Subject: [PATCH] Replace inline credentials with Infisical pointers --- CLAUDE.md | 28 ++++++++++++++++++++++++++++ desktop.md | 2 +- esxi.md | 6 +++--- infisical.md | 4 ++-- veeam.md | 2 +- ww.md | 2 +- ww_gpu.md | 2 +- 7 files changed, 37 insertions(+), 9 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index cb10f13..68c8cd0 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -12,6 +12,34 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co - **Network infrastructure**: Ubiquiti Unifi switches - **Debugging scope**: VM-to-external-client connectivity issues across the ESXi virtual switch and physical Unifi switch layers +## Credentials convention + +Plaintext passwords / API keys / tokens have been moved out of these files into [Infisical](infisical.md). Where a credential used to be inline, you'll now see a pointer in the form: + +``` +[Infisical: homelab///] +``` + +To fetch one (machine identity required — see `infisical.md`): + +```bash +TOKEN=$(curl -s -X POST https://infisical.dohertylan.com/api/v1/auth/universal-auth/login \ + -H 'Content-Type: application/json' \ + -d '{"clientId":"","clientSecret":""}' \ + | python3 -c "import json,sys;print(json.load(sys.stdin)['accessToken'])") +PROJ=$(curl -s -H "Authorization: Bearer $TOKEN" \ + https://infisical.dohertylan.com/api/v1/workspace \ + | python3 -c "import json,sys;print(json.load(sys.stdin)['workspaces'][0]['id'])") +curl -sG "https://infisical.dohertylan.com/api/v3/secrets/raw/" \ + -H "Authorization: Bearer $TOKEN" \ + --data-urlencode "workspaceId=$PROJ" \ + --data-urlencode "environment=" \ + --data-urlencode "secretPath=" \ + | python3 -c "import json,sys;print(json.load(sys.stdin)['secret']['secretValue'])" +``` + +Or via the Infisical web UI at https://infisical.dohertylan.com. + ## Components - [TrueNAS Server](truenas.md) — NAS at 10.100.0.25 (management) / 10.50.0.x (storage), serves SMB and NFS diff --git a/desktop.md b/desktop.md index 89d9483..22724b1 100644 --- a/desktop.md +++ b/desktop.md @@ -4,7 +4,7 @@ - **Hostname**: DESKTOP-1BEK7OR - **OS**: Windows 10 (PowerShell 5.1.19041.6456) -- **Credentials**: dohertj2 / Sonamu89 +- **Credentials**: dohertj2 / `[Infisical: homelab/infrastructure/windows-hosts/DESKTOP_ADMIN_PWD]` - **Remote access**: SSH (passwordless), WinRM (fallback) ### Running Commands 
diff --git a/esxi.md b/esxi.md index ce23692..f8789de 100644 --- a/esxi.md +++ b/esxi.md @@ -4,10 +4,10 @@ - **IP**: 10.2.0.12 (VLAN 0 / DEFAULT, management) - **Version**: VMware ESXi 8.0.3 build-24280767 (Update 3, Patch 35) -- **Credentials**: govc / Tn9.xKw-m4Vp (Administrator role) -- **API access via govc**: +- **Credentials**: govc / `[Infisical: homelab/infrastructure/esxi/GOVC_PASSWORD]` (Administrator role) +- **API access via govc** — fetch the password from Infisical first, then: ```bash - GOVC_URL=https://10.2.0.12/sdk GOVC_USERNAME=govc GOVC_PASSWORD='Tn9.xKw-m4Vp' GOVC_INSECURE=true govc + GOVC_URL=https://10.2.0.12/sdk GOVC_USERNAME=govc GOVC_PASSWORD='' GOVC_INSECURE=true govc ``` - **Do NOT use SSH** — ESXi keyboard-interactive auth is unreliable from this machine; use `govc` exclusively - **Hardware**: HP, 2x Intel Xeon E5-2697 v4 (36 logical CPUs @ 2.3GHz), 256GB RAM diff --git a/infisical.md b/infisical.md index 4dc239f..4b71ea8 100644 --- a/infisical.md +++ b/infisical.md 
@@ -29,7 +29,7 @@ Source of truth: `roles/infisical/defaults/main.yml` in the ansible repo. Re-dep | `infisical_image` | `infisical/infisical:latest-postgres` | Standalone all-in-one image (API + frontend) | | `infisical_subdomain` | `infisical` | Becomes `infisical.dohertylan.com` | | `infisical_db_user` / `_db_name` | `infisical` / `infisical` | Internal-only — not exposed past the compose network | -| `infisical_db_password` | `Sonamu89_infisical_db` | dev convention; rotate via group_vars/vault if repo ever leaves the LAN | +| `infisical_db_password` | `[Infisical: homelab/apps/infisical/DB_PWD]` | Plaintext also lives in `roles/infisical/defaults/main.yml` (chicken-and-egg: the playbook must hold the value to deploy Infisical from scratch) | | `infisical_encryption_key` | 32 hex chars | **Do not change after data exists** — used to envelope-encrypt secrets at rest. Changing it makes existing secrets unrecoverable; use Infisical's key-rotation flow if you need to rotate | | `infisical_auth_secret` | random base64 | JWT signing key | | `infisical_telemetry_enabled` | `false` | Anonymous telemetry opted out | @@ -41,7 +41,7 @@ Three equivalent paths: ```bash # Via Semaphore UI (or API): http://10.100.0.35:3000 → template "Deploy Full Stack" curl -s -c - http://localhost:3000/api/auth/login -X POST -H 'Content-Type: application/json' \ - -d '{"auth":"dohertj2","password":"Sonamu89"}' | grep semaphore | awk '{print $NF}' \ + -d '{"auth":"dohertj2","password":""}' | grep semaphore | awk '{print $NF}' \ | xargs -I{} curl -s -b "semaphore={}" -X POST http://localhost:3000/api/project/1/tasks \ -H 'Content-Type: application/json' -d '{"template_id":8,"project_id":1}' diff --git a/veeam.md b/veeam.md index d89580b..6ac9949 100644 --- a/veeam.md +++ b/veeam.md 
@@ -5,7 +5,7 @@ - **Hostname**: VEEAM - **IP**: 10.100.0.30 (LAN_100) / 10.50.0.32 (DATA_50) - **OS**: Windows Server 2025 Standard (Build 26100), 64-bit -- **Credentials**: dohertj2 / Sonamu8901! +- **Credentials**: dohertj2 / `[Infisical: homelab/infrastructure/windows-hosts/VEEAM_ADMIN_PWD]` - **SSH**: `ssh dohertj2@10.100.0.30` (passwordless, key in `C:\ProgramData\ssh\administrators_authorized_keys`) - **For PowerShell**: `ssh dohertj2@10.100.0.30 "powershell -Command '...'"` diff --git a/ww.md b/ww.md index 9fe28d0..7561f06 100644 --- a/ww.md +++ b/ww.md @@ -6,7 +6,7 @@ - **IP**: 10.100.0.48 (VLAN 100 / LAN_100) - **OS**: Windows 10 Enterprise (10.0.19045) - **Shell**: PowerShell 7.6.1 (pwsh) -- **Credentials**: dohertj2 / Sonamu89 (local Administrator) +- **Credentials**: dohertj2 / `[Infisical: homelab/infrastructure/windows-hosts/WW_VM_ADMIN_PWD]` (local Administrator) - **Remote access**: SSH (passwordless, key in `C:\ProgramData\ssh\administrators_authorized_keys`) - **Platform**: ESXi VM (vmxnet3 vNIC) diff --git a/ww_gpu.md b/ww_gpu.md index 17bdd92..fdddf05 100644 --- a/ww_gpu.md +++ b/ww_gpu.md @@ -39,7 +39,7 @@ ssh dohertj2@10.100.0.48 'Get-WindowsOptionalFeature -Online -FeatureName Virtua ### 2. Shut down the VM (graceful) ```bash -export GOVC_URL=https://10.2.0.12/sdk GOVC_USERNAME=govc GOVC_PASSWORD='Tn9.xKw-m4Vp' GOVC_INSECURE=true +export GOVC_URL=https://10.2.0.12/sdk GOVC_USERNAME=govc GOVC_PASSWORD='' GOVC_INSECURE=true govc vm.power -s=true WW_DEV_VM until govc vm.info WW_DEV_VM | grep -q "Power state: poweredOff"; do sleep 5; done ```
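Review bot: every placeholder in the new "Credentials convention" section of CLAUDE.md is empty, so the pointer form reads `[Infisical: homelab///]` and the fetch script ships with `"clientId":""`, `"clientSecret":""`, `environment=""`, `secretPath=""` and a URL that stops at `/api/v3/secrets/raw/` with no secret name; these look like angle-bracket placeholders that were rendered away as HTML. Use visible tokens (for example `ENV`, `PATH`, `KEY`) so the pointer grammar and the curl arguments are unambiguous, and spell out how the three pointer segments map onto `environment`, `secretPath` and the secret name in the URL. Two smaller points in the same script: `['workspaces'][0]['id']` picks whichever workspace is listed first rather than the `homelab` project by name, and `curl -s` without `--fail` means a login failure hands a JSON error body to the `python3 -c` one-liner, which then dies on a KeyError instead of a readable message. The client secret also lands in shell history and `ps` output when typed inline; read it from a file or an environment variable instead.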
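Review bot: the removed line `- **Credentials**: dohertj2 / Sonamu89` in desktop.md remains in git history after this commit, and the same value is removed again from ww.md and from the Semaphore login in infisical.md, with the variants `Sonamu8901!` in veeam.md and `Sonamu89_infisical_db` for the Infisical database. Replacing the literals with pointers does not retire the secrets, and the pattern shows one base password reused across the desktop, the WW VM, Semaphore and the Infisical DB, so each of these needs to be rotated to a distinct value and the repo treated as having leaked them; the commit message should say whether that rotation has happened.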
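Review bot: `GOVC_PASSWORD=''` in the esxi.md hunk now sets an empty password, so the one-liner fails authentication if copied as written, and the surrounding text only says "fetch the password from Infisical first" without saying where the fetched value goes. Suggest assigning the fetch result to a shell variable and referencing it, for example `GOVC_PASSWORD="$GOVC_PW"`, so the password never appears literally on the command line or in shell history. ww_gpu.md carries the identical `export ... GOVC_PASSWORD=''` line; pointing both files at one snippet keeps them from drifting apart.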
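Review bot: the new `infisical_db_password` row in infisical.md points at `[Infisical: homelab/apps/infisical/DB_PWD]` while admitting the plaintext still lives in `roles/infisical/defaults/main.yml`; the Infisical copy cannot be read when Infisical itself is being deployed or is down, which is exactly the chicken-and-egg case the row describes, so the unencrypted defaults file remains the real source of truth. The wording this hunk drops already named the fix, "rotate via group_vars/vault": move the value into an ansible-vault-encrypted group_vars file, leave only a vault lookup in defaults, and rotate it, since the old value `Sonamu89_infisical_db` is now in history and is derived from the shared desktop password.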
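Review bot: `"password":""` in the Semaphore login curl is the only credential in this patch replaced by an empty string rather than an Infisical pointer, so a reader has no way to know which secret to fetch; add a pointer in the same `[Infisical: homelab/...]` form used in the other files and reference a shell variable in the `-d` payload instead of a literal, which also keeps the password out of shell history. Separately, `grep semaphore | awk '{print $NF}'` scrapes the cookie jar from stdout and passes whatever it finds to the second curl, so a failed login silently posts the task with an empty cookie; add `--fail` or check that the cookie is non-empty before the `xargs` step.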