# Research Questions: Consolidated homelab secrets and access management

## Phase Contract

Allowed reads:
- `tickets/active/2026-05-18-consolidated-homelab-secrets-management.md`
- `tickets/artifacts/2026-05-18-consolidated-homelab-secrets-management/00-context.md`
- existing repo docs/runbooks/systems files relevant to current access model

Will write:
- `tickets/artifacts/2026-05-18-consolidated-homelab-secrets-management/01-questions.md`
- next phase: `02-research.md`

## Context for Research

Investigate the current access/secrets patterns in this Nimrod workspace and compare practical homelab approaches for centralized secrets, the SSH/API access lifecycle, revocation, and assistant-safe operations. Focus on facts, constraints, and options rather than a final tool choice.

## Questions

1. What current secrets/access mechanisms are already represented in this repo, including SSH targets, assistant users, Nextcloud app credentials, local config files, and documented runbooks?
2. What access-management needs recur across the known systems: Nextcloud VM, AMP/game server, future Proxmox/OPNsense/Home Assistant, and client machines?
3. What practical roles could Bitwarden/Vaultwarden, SOPS/age, OpenBao/Vault, SSH certificates, Tailscale ACLs, and per-service API tokens play in a homelab assistant access model?
4. What are the operational requirements for hosting a secrets manager in a Proxmox LXC or VM: backups, TLS, updates, storage, admin recovery, network exposure, and monitoring?
5. What grant/revoke/rotate workflows should exist for assistant SSH access, app passwords/API tokens, service credentials, and emergency break-glass access?
6. What risks and failure modes should the design address, including vault lockout, vault compromise, stale assistant keys, leaked repo config, public exposure, and loss of 2FA/admin access?
7. What is the smallest safe pilot that proves the model on one non-critical host without overbuilding the entire secrets platform?
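
One concrete check behind questions 5 and 6 (stale assistant keys, grant/revoke hygiene), shown here as an added illustration rather than as tooling that exists in this repo or is prescribed by the ticket: a Python audit of an OpenSSH `authorized_keys` file that flags entries lacking an `expiry-time=` option, already expired, lacking a `from=` source restriction, or lacking `restrict`. The file contents, key material and `@nimrod` comments are constructed for the example and are not hosts or keys from this workspace; the source range `100.64.0.0/10` is used only as a stand-in for a tailnet.

```python
"""Audit an OpenSSH authorized_keys file for stale or over-broad assistant keys.

Added example for the secrets-management research ticket; not existing repo tooling.
Checks rely on standard authorized_keys options: expiry-time=, from=, restrict.
"""
import re
from datetime import datetime

# Constructed sample file: key material and comments are fake placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
# assistant key added by hand, no restrictions at all
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial0001 assistant@nimrod
expiry-time="20260101",from="100.64.0.0/10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial0002 assistant-old@nimrod
expiry-time="20991231",from="100.64.0.0/10",restrict,command="/usr/local/bin/assistant-shell" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial0003 assistant-scoped@nimrod
"""

# Key-type tokens OpenSSH writes in authorized_keys (plain, FIDO "sk-", and cert variants).
KEY_TYPE_RE = re.compile(
    r"^(?:sk-)?(?:ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-nistp\d+)"
    r"(?:-cert-v01)?(?:@openssh\.com)?$"
)


def _split_outside_quotes(text, is_sep):
    """Split text where is_sep(ch) is true, ignoring separators inside double quotes.

    Options such as command="foo bar" contain spaces and commas, so a naive
    split() would break them apart. Escaped quotes (\\") are not handled.
    """
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if is_sep(ch) and not in_quotes:
            if buf:
                parts.append("".join(buf))
                buf = []
            continue
        buf.append(ch)
    if buf:
        parts.append("".join(buf))
    return parts


def parse_entry(line):
    """Parse one authorized_keys line into options, key type, key and comment."""
    tokens = _split_outside_quotes(line, str.isspace)
    if not tokens:
        return None
    if KEY_TYPE_RE.match(tokens[0]):
        options_text, rest = "", tokens          # no options, line starts with the key type
    else:
        options_text, rest = tokens[0], tokens[1:]
    if len(rest) < 2 or not KEY_TYPE_RE.match(rest[0]):
        return None                              # not a key line we understand
    options = {}
    for opt in _split_outside_quotes(options_text, lambda c: c == ","):
        name, eq, value = opt.partition("=")
        options[name] = value.strip('"') if eq else True
    return {"options": options, "type": rest[0], "key": rest[1], "comment": " ".join(rest[2:])}


def parse_expiry(value):
    """Parse expiry-time as YYYYMMDD or YYYYMMDDHHMM[SS], optional trailing Z.

    The Z suffix means UTC in OpenSSH; otherwise the time is local. This audit
    compares naive datetimes and ignores that distinction (caller passes `now`).
    """
    for fmt in ("%Y%m%d", "%Y%m%d%H%M", "%Y%m%d%H%M%S"):
        try:
            return datetime.strptime(value.rstrip("Z"), fmt)
        except ValueError:
            continue
    return None


def audit_authorized_keys(text, now):
    """Return {label: [finding, ...]} for every key line; an empty list means the entry passed."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            continue
        opts, findings = entry["options"], []
        expiry = opts.get("expiry-time")
        if expiry is None:
            findings.append("missing-expiry")        # key never ages out on its own
        else:
            when = parse_expiry(expiry)
            if when is None:
                findings.append("bad-expiry")
            elif when <= now:
                findings.append("expired")           # stale grant still present in the file
        if "from" not in opts:
            findings.append("missing-from")          # usable from any source address
        if "restrict" not in opts:
            findings.append("unrestricted")          # forwarding, pty, agent etc. all allowed
        label = entry["comment"] or entry["key"][-16:]
        report[label] = findings
    return report


if __name__ == "__main__":
    for label, findings in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, datetime.now()).items():
        print(f"{label}: {', '.join(findings) or 'ok'}")
```

Run against a real file with `audit_authorized_keys(open(path).read(), datetime.now())`; the `restrict` check is deliberately strict because `command=` alone still permits port and agent forwarding unless `restrict` or the individual `no-*` options are also set.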

## Approval Notes

- User has approved starting QRSPI for this ticket.
- User expects that a Proxmox LXC- or VM-hosted Bitwarden/Vaultwarden-style option may be relevant.
