Jan Novak 96ba77a606 docker-30: gitea CI/CD integration with Vault and Kanidm, misc updates
vault:
- Add JWT auth backend bound to Gitea (jwks_url from gitea OIDC keys)
- Add gitea-ci-read policy scoped to secret/data/gitea/*
- Add JWT role gitea-ci (sub claim, bound to Gitea audience, 10m TTL)
- Add AppRole gitea-ci as alternative auth method for the same policy
- Add gitea-access-into-vault.md documenting the setup end-to-end
- Update terraform.tfstate (OpenTofu 1.11.5, new gitea-ci resources)

kanidm:
- Add run.sh with docker run command (pinned to v1.9.1)
- Add gitea-action-kubernetes-access.md documenting how to set up
  a Kanidm service account and OAuth2 client for Gitea CI k8s access
- readme: add upgrade procedure, recover-account command, and
  service account + API token setup for gitea-ci-token

maru-hleda-byt:
- Add --restart=always to docker run command

fuj-management:
- Add run.sh (new service config)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 23:09:52 +01:00

deployment notes

There was a problem with the "production" deployment of Vault in a docker container: the image's default docker-entrypoint.sh adds an argument saying where the dev instance is supposed to listen, and Vault then crashes because it tries to listen on the same port twice.

Solution: override the default entrypoint so the container runs `vault server` directly.
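A run.sh for the Vault container in the same shape as the other services' run.sh files, as an added example (not the repo's own run.sh). It assumes the image tag hashicorp/vault:1.18, a host directory /srv/vault/config holding vault.hcl plus the TLS cert and key it references, and /srv/vault/file for file storage; all of those are assumptions. `--entrypoint vault` is what keeps docker-entrypoint.sh, and its dev-mode flags, out of the picture, and the `verify` subcommand checks the running container's argv for the failure mode described above.

```shell
#!/bin/sh
# run.sh for the Vault container, starting `vault server` directly instead of
# through the image's docker-entrypoint.sh. Added example, not the repo's own run.sh.
# Assumed: image tag hashicorp/vault:1.18, host dirs /srv/vault/config (vault.hcl
# plus the TLS cert/key it references) and /srv/vault/file (file storage).
set -eu

IMAGE="${IMAGE:-hashicorp/vault:1.18}"
HOST_DIR="${HOST_DIR:-/srv/vault}"

# vault_docker_cmd -> the full docker run command line, printed so it can be reviewed
vault_docker_cmd() {
    printf '%s' "docker run -d --name vault --restart=always"
    printf ' %s' "--cap-add=IPC_LOCK"                   # Vault mlock()s its memory
    printf ' %s' "-p 8200:8200"
    printf ' %s' "-v $HOST_DIR/config:/vault/config:ro"
    printf ' %s' "-v $HOST_DIR/file:/vault/file"
    # --entrypoint replaces docker-entrypoint.sh, so no -dev-root-token-id /
    # -dev-listen-address gets prepended to the arguments. It also skips the
    # entrypoint's drop to the `vault` user (su-exec) and its setcap on the binary:
    # add --user vault and disable_mlock = true in vault.hcl if you want Vault
    # to run unprivileged inside the container.
    printf ' %s' "--entrypoint vault"
    printf ' %s' "$IMAGE"
    printf ' %s\n' "server -config=/vault/config/vault.hcl"
}

# verify_args ARGV -> fails when a -dev* flag is still present in the process arguments
verify_args() {
    case "$1" in
        *-dev*) echo "dev flag present in container args: $1" >&2; return 1 ;;
    esac
    return 0
}

# `verify` reads the started container's argv back; .Args excludes the entrypoint,
# so a correct container shows only "server -config=...".
case "${1:-print}" in
    print)  vault_docker_cmd ;;
    run)    eval "$(vault_docker_cmd)" ;;
    verify) verify_args "$(docker inspect -f '{{join .Args " "}}' vault)" ;;
    *)      echo "usage: $0 print|run|verify" >&2 ;;
esac
```

Run `./run.sh print` first and read the command, then `./run.sh run` and `./run.sh verify`; a non-zero exit from `verify` means the dev-mode flags are back and the container was started through the stock entrypoint.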

# vault helpers
alias set-vault="export VAULT_ADDR=https://docker-30:8200"
# Bootstrapping only (self-signed listener cert): VAULT_SKIP_VERIFY disables TLS
# certificate verification for every vault CLI call made from this shell.
alias set-vault-ignore-tls="export VAULT_ADDR=https://docker-30:8200; export VAULT_SKIP_VERIFY=true"

export VAULT_ADDR="https://vault.hrajfrisbee.cz"
# With this set the CLI never checks the vault.hrajfrisbee.cz certificate; once the
# listener has a cert from a known CA, drop it and point VAULT_CACERT at that CA instead.
export VAULT_SKIP_VERIFY=true

backup

A simple file copy started by cron; the backend storage is MinIO (S3) running on the Synology.

echo '30 2 * * * root /root/bin/vault-backup.sh >> /var/log/vault-backup.log 2>&1' > /etc/cron.d/vault-backup
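The script the cron entry above calls, written here as an added example rather than the repo's own /root/bin/vault-backup.sh. It assumes the file storage backend is mounted from /srv/vault/file on the host, that the MinIO client `mc` has an alias named "synology" for the Synology MinIO instance, and that the bucket is "vault-backup"; the `mc ls` output format (object name as the last field) is also an assumption. It adds the retention step a "simple file copy" usually lacks, and notes the consistency caveat of archiving a live storage directory.

```shell
#!/bin/sh
# /root/bin/vault-backup.sh: archive Vault's file storage and copy it to MinIO (S3).
# Added example, not the repo's own script. Assumed: file storage backend at
# /srv/vault/file on the host, mc alias "synology" for the Synology MinIO, bucket
# "vault-backup".
set -eu

VAULT_DATA="${VAULT_DATA:-/srv/vault/file}"
MC_TARGET="${MC_TARGET:-synology/vault-backup}"
KEEP="${KEEP:-14}"   # number of archives to keep remotely

# backup_name STAMP -> archive name; a UTC stamp like 20260307T023000Z sorts by age
backup_name() {
    printf 'vault-%s.tar.gz\n' "$1"
}

# prune_list KEEP (stdin: archive names) -> the names older than the newest KEEP
prune_list() {
    sort | awk -v keep="$1" '{ names[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print names[i] }'
}

do_backup() {
    umask 077
    name=$(backup_name "$(date -u +%Y%m%dT%H%M%SZ)")
    tmp=$(mktemp -d)
    # A tar of a live file backend can catch a write mid-flight; stop the container
    # first (or use `vault operator raft snapshot save` on Integrated Storage) when
    # a guaranteed-consistent copy is needed. The archive holds barrier-encrypted
    # data, so it is useless without the unseal key, but still treat it as sensitive.
    tar -czf "$tmp/$name" -C "$VAULT_DATA" .
    mc cp "$tmp/$name" "$MC_TARGET/$name"
    rm -rf "$tmp"
    # Retention: mc ls prints the object name as the last field (assumed format).
    mc ls "$MC_TARGET" | awk '{ print $NF }' | grep '^vault-.*\.tar\.gz$' | prune_list "$KEEP" \
        | while read -r old; do mc rm "$MC_TARGET/$old"; done
    echo "backup $name stored in $MC_TARGET"
}

case "${1:-}" in
    run) do_backup ;;
    *)   echo "usage: $0 run" >&2 ;;
esac
```

With this script the cron line becomes `/root/bin/vault-backup.sh run`; the log file the cron entry appends to records one line per successful run.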

# output AppRole role info; secret_id is a live credential, and both values also sit in the OpenTofu state, so treat terraform.tfstate as sensitive
tofu output -raw role_id
tofu output -raw secret_id

vault initialization

With -key-shares=1 -key-threshold=1 there is a single unseal key: whoever holds it and the initial root token can unseal Vault and read everything, so keep the init output offline and revoke the root token once another auth path exists. Vault comes back sealed after every container restart and has to be unsealed with that key again.

vault operator init -key-shares=1 -key-threshold=1
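The init and unseal procedure above as a small script, added here as an example and not part of the repo. It assumes VAULT_ADDR is already exported (see the helper aliases) and that /root/vault-init.txt is an acceptable root-only place for the init output on this host; both are assumptions. It parses the CLI's text output (`Unseal Key 1:` and `Initial Root Token:` lines) rather than requiring jq, unseals in the same step, and confirms the result from `vault status`; the `unseal` subcommand is what is needed after each container restart.

```shell
#!/bin/sh
# Bootstrap a single-share Vault: init, stash the output, unseal, verify.
# Added example, not the repo's own script. Assumed: VAULT_ADDR already exported,
# /root/vault-init.txt is a root-only location on this host.
set -eu

INIT_FILE="${INIT_FILE:-/root/vault-init.txt}"

# unseal_key_from INIT_OUTPUT -> the single unseal key (key-shares=1)
unseal_key_from() {
    printf '%s\n' "$1" | awk -F': *' '/^Unseal Key 1:/ { print $2; exit }'
}

# root_token_from INIT_OUTPUT -> the initial root token
root_token_from() {
    printf '%s\n' "$1" | awk -F': *' '/^Initial Root Token:/ { print $2; exit }'
}

# sealed_from STATUS_OUTPUT -> "true" or "false" from the `vault status` table
sealed_from() {
    printf '%s\n' "$1" | awk '$1 == "Sealed" { print $2; exit }'
}

bootstrap() {
    umask 077
    # One share, one threshold: this file alone unseals the vault and carries the root token.
    vault operator init -key-shares=1 -key-threshold=1 > "$INIT_FILE"
    init=$(cat "$INIT_FILE")
    vault operator unseal "$(unseal_key_from "$init")" > /dev/null
    [ "$(sealed_from "$(vault status)")" = "false" ] || { echo "vault is still sealed" >&2; exit 1; }
    echo "unsealed; root token $(root_token_from "$init" | cut -c1-4)... is in $INIT_FILE"
    echo "move $INIT_FILE offline, and revoke the root token once an admin auth path exists"
}

# After every container restart Vault is sealed again; only this step is needed then.
unseal_only() {
    vault operator unseal "$(unseal_key_from "$(cat "$INIT_FILE")")"
}

case "${1:-}" in
    init)   bootstrap ;;
    unseal) unseal_only ;;
    *)      echo "usage: $0 init|unseal" >&2 ;;
esac
```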