# vr1-dc0 creds manifest -- what MUST be consolidated in ~/vr1-dc0-creds/ (SEC-009 + D-126). # scripts/creds-audit.sh verifies this list against the live folder: presence, mode, # non-empty. No secret VALUES are read -- only existence, mode, and declared provenance. # # fields: # source = "local" -- generated/held on the jumphost (vcloud) # = ":" -- MINTED ON A SITE VM; a working copy MUST be pulled into # the folder at mint time. # # STATUS: the access keypair below is MINTED (2026-07-16, on vcloud) -- generated EARLY (not at # deploy) because vvr1-dc0's cloud-init reads the pubkey with file() at plan time (D-126 per-env-key # option a: a DEDICATED dc0 key, NOT office1's). `creds-audit vr1-dc0` -> CLEAN. # vr1-dc0*.env files (e.g. TF_VAR_* / MAAS) are ADDED to this manifest as the dc0 deploy # design determines them -- not invented here (hard rule 2). vr1-dc0_svc_ed25519 600 local vr1-dc0_svc_ed25519.pub 644 local