# Context: Consolidated homelab secrets and access management

## Source Ticket

- `tickets/active/2026-05-18-consolidated-homelab-secrets-management.md`

## Goal

Design and deploy a consolidated secrets and access management system for the homelab so the user can grant, revoke, and time-limit access to servers and clients in a controlled, auditable way.

## Why

Assistant access is expanding across Nextcloud, AMP/game servers, SSH targets, and future Proxmox/OPNsense/Home Assistant/client systems. Current access is ad hoc across SSH keys, local config files, app passwords, and per-host setup.

## Initial User Hypothesis

The user expects this may involve hosting Bitwarden/Vaultwarden or a similar secrets manager, likely in a Proxmox LXC or VM.

## Scope

Included:
- Compare practical homelab secrets/access options.
- Define a safe architecture for human and assistant access.
- Decide whether to use a Proxmox LXC/VM and what should run there.
- Define grant/revoke/rotation runbooks.
- Avoid storing secret values in git.

Not included yet:
- Deploying the secrets system before design approval.
- Migrating every credential immediately.
- Publicly exposing vault or management interfaces without separate security review.

## Known Constraints

- Prefer least privilege and auditable access.
- Prefer dedicated VMs/LXCs for major services.
- Prefer SSH key-based authentication and restricted assistant users.
- Avoid exposing management interfaces to public internet.
- Use git workflow and server change log for operational changes.
- Recommend backups/snapshots before risky changes.

## Acceptance Criteria

- A secrets/access architecture is documented.
- A primary tool/system is selected and the choice is justified.
- A bootstrap deployment plan exists.
- A revocation model exists for both assistant and user access.
- At least one representative host can be granted/revoked using the new process.
- Runbooks exist for grant/revoke/rotate.
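As an added illustration of what the grant/revoke/rotate runbooks look like at the SSH layer, independent of which secrets manager is eventually chosen: the functions below are not from the ticket or any existing homelab tooling. They manage the `authorized_keys` file of a dedicated, restricted assistant account and append every action to an audit log, following the constraints above (key-based auth only, restricted assistant user, auditable, server-side expiry for temporary grants). The account name `assistant`, the file paths, the `/usr/local/bin/assistant-shell` wrapper and the `homelab-access:` label prefix are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the ticket): grant / revoke / rotate SSH key access for a
# restricted assistant user, with per-key restriction options and an append-only audit
# log. The user name, paths, wrapper command and label prefix are hypothetical.
set -euo pipefail

ASSISTANT_USER="${ASSISTANT_USER:-assistant}"
# Overridable so the functions can be exercised against scratch files instead of a live host.
AUTH_KEYS="${AUTH_KEYS:-/home/${ASSISTANT_USER}/.ssh/authorized_keys}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/homelab-access.log}"
# Every granted key is pinned to one wrapper command (assumed path) and gets 'restrict',
# which disables port/agent forwarding, PTY and X11 in OpenSSH 7.2+.
ASSISTANT_CMD="${ASSISTANT_CMD:-/usr/local/bin/assistant-shell}"

audit() {
  # One UTC-timestamped line per action; appended, never rewritten.
  printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$AUDIT_LOG"
}

key_is_granted() {
  # key_is_granted <label>
  grep -q " homelab-access:${1}\$" "$AUTH_KEYS" 2>/dev/null
}

grant_key() {
  # grant_key <label> "<keytype> <base64> [comment]" [expiry YYYYMMDDHHMM]
  local label="$1" pubkey="$2" expiry="${3:-}" keytype keydata opts
  # One grant per label, so revoke_key always removes exactly one line.
  if key_is_granted "$label"; then
    audit GRANT-REFUSED "$label duplicate-label"
    echo "label already granted: $label" >&2
    return 1
  fi
  keytype=$(printf '%s\n' "$pubkey" | awk '{print $1}')
  keydata=$(printf '%s\n' "$pubkey" | awk '{print $2}')
  # Accept only key types we expect; refuse anything without key material.
  case "$keytype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-*) ;;
    *) echo "unsupported key type: $keytype" >&2; return 1 ;;
  esac
  if [ -z "$keydata" ]; then
    echo "missing key material for $label" >&2; return 1
  fi
  opts="restrict,command=\"${ASSISTANT_CMD}\""
  # expiry-time (OpenSSH 7.7+) makes temporary grants lapse server-side, so a forgotten
  # revoke does not leave standing access.
  if [ -n "$expiry" ]; then
    opts="${opts},expiry-time=\"${expiry}\""
  fi
  # The requester's own comment is dropped; our label is the only comment on the line.
  printf '%s %s %s homelab-access:%s\n' "$opts" "$keytype" "$keydata" "$label" >> "$AUTH_KEYS"
  audit GRANT "$label${expiry:+ expires=$expiry}"
}

revoke_key() {
  # revoke_key <label>
  local label="$1" tmp
  tmp=$(mktemp)
  grep -v " homelab-access:${label}\$" "$AUTH_KEYS" > "$tmp" || true
  # Rewrite in place so the file keeps its owner and mode (sshd rejects loose perms).
  cat "$tmp" > "$AUTH_KEYS"
  rm -f "$tmp"
  audit REVOKE "$label"
}

rotate_key() {
  # rotate_key <label> "<new pubkey>" [expiry]: the old key stops working immediately.
  local label="$1" newkey="$2" expiry="${3:-}"
  revoke_key "$label"
  grant_key "$label" "$newkey" "$expiry"
  audit ROTATE "$label"
}
```

On a real host the functions are run as root (or via sudo) against the assistant account's `authorized_keys`; sshd re-reads that file on every connection attempt, so a revoke takes effect for the next login without a restart (sessions already open are not killed by this alone). Sourcing the script with `AUTH_KEYS` and `AUDIT_LOG` pointed at scratch files is enough to dry-run a runbook before touching a host.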
