GitCaddy/GitCaddy Vault
Limited
2
0
Fork 0
Code Issues Releases 9
43 Commits 1 Branch 9 Tags
7ea93091f58c7f70bc9cc6e5da8983d0ff55c3c4
Code
logikonline 7ea93091f5 feat: add build-time version injection via ldflags 
- Remove hardcoded PluginVersion constant
- Add Version variable settable via ldflags
- Update routes.go to use Version for UI display
- Version now injected by server build process
2026-01-18 20:30:47 -05:00
crypto
refactor: update imports to use server/v3 module path
2026-01-17 17:59:28 -05:00
license
refactor: update imports to use server/v3 module path
2026-01-17 17:59:28 -05:00
locale
feat(i18n): add license tier information to vault locales
2026-01-18 15:13:17 -05:00
models
refactor: update imports to use server/v3 module path
2026-01-17 17:59:28 -05:00
routes
feat: add build-time version injection via ldflags
2026-01-18 20:30:47 -05:00
services
fix: rename module path to match repo name
2026-01-17 22:50:21 -05:00
templates/repo/vault
build(ci): add server rebuild trigger and fix vault templates
2026-01-18 17:53:43 -05:00
COMMERICAL_LICENSE.md
refactor: compile vault into server instead of dynamic plugin
2026-01-17 22:12:41 -05:00
COMPATIBILITY.md
feat: add automated rebuild on server release
2026-01-17 12:36:36 -05:00
go.mod
fix: rename module path to match repo name
2026-01-17 22:50:21 -05:00
go.mod.backup
checked
2026-01-17 08:42:53 -05:00
go.sum
code caddy rename
2026-01-17 09:03:34 -05:00
LICENSE.md
refactor: compile vault into server instead of dynamic plugin
2026-01-17 22:12:41 -05:00
plugin_service.go
feat: implement vault.Plugin service interface
2026-01-18 01:01:03 -05:00
plugin.go
feat: add build-time version injection via ldflags
2026-01-18 20:30:47 -05:00
public.key
Licensing
2026-01-16 23:05:55 -05:00
README.md
docs: Add architecture documentation for vault-server sync
2026-01-18 17:11:06 -05:00

README.md

GitCaddy Vault

Encrypted Secrets Management for GitCaddy

GitCaddy Vault is a commercial module compiled directly into GitCaddy Server that provides enterprise-grade secrets management within your GitCaddy repositories. Store, version, and securely access credentials, API keys, certificates, and other sensitive data without leaving your Git workflow.

Features

Core Capabilities

  • Encrypted Storage - All secrets encrypted at rest using AES-256-GCM with per-repository encryption keys
  • Version History - Full version tracking with rollback capability for all secrets
  • Audit Logging - Complete audit trail of all secret access and modifications
  • CI/CD Tokens - Scoped tokens for secure automated access during builds and deployments

Secret Types

Type Description
key-value Simple key-value pairs
env-file Environment file format (KEY=value)
file Arbitrary file content
certificate TLS/SSL certificates
ssh-key SSH private keys

Security Architecture

┌─────────────────────────────────────────────────────────┐
│                    GitCaddy Server                       │
├─────────────────────────────────────────────────────────┤
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐  │
│  │   Web UI    │    │   REST API  │    │  CI/CD API  │  │
│  └──────┬──────┘    └──────┬──────┘    └──────┬──────┘  │
│         │                  │                  │          │
│         └──────────────────┼──────────────────┘          │
│                            │                             │
│                   ┌────────▼────────┐                    │
│                   │  Vault Service  │                    │
│                   └────────┬────────┘                    │
│                            │                             │
│         ┌──────────────────┼──────────────────┐          │
│   ┌─────▼─────┐     ┌──────▼──────┐    ┌──────▼──────┐  │
│   │  Crypto   │     │   Models    │    │  License    │  │
│   │  Engine   │     │   (XORM)    │    │  Manager    │  │
│   └───────────┘     └─────────────┘    └─────────────┘  │
│                                                          │
│               (Compiled into GitCaddy Server)            │
└─────────────────────────────────────────────────────────┘

Encryption Hierarchy:

  1. Master Key (KEK) - Server-level key encryption key
  2. Repository DEK - Per-repository data encryption key, encrypted by KEK
  3. Secret Values - Encrypted using repository DEK with AES-256-GCM

Installation

Requirements

  • GitCaddy Server v1.0.0 or later (Vault is included automatically)
  • Valid GitCaddy Vault license

Setup

GitCaddy Vault is compiled directly into GitCaddy Server - no separate installation required.

  1. Add your license key via environment variable or file:

    # Option 1: Environment variable
export GITCADDY_LICENSE_KEY="<your-base64-license>"

# Option 2: License file
cp license.key /etc/gitcaddy/license.key

  2. Restart GitCaddy Server to activate the license

Configuration

Environment Variables

Variable Description Default
GITCADDY_LICENSE_KEY Base64-encoded license key -
GITCADDY_LICENSE_FILE Path to license file /etc/gitcaddy/license.key
GITCADDY_VAULT_KEK Master key encryption key (32 bytes, hex) Auto-generated
GITCADDY_DEV_MODE Skip license validation (dev only) 0

License File Locations

GitCaddy Server searches for license files in this order:

  1. Path specified by GITCADDY_LICENSE_FILE
  2. /etc/gitcaddy/license.key
  3. ./custom/license.key
  4. ./license.key

Usage

Web Interface

Access the Vault tab in any repository where you have admin permissions:

https://your-gitcaddy-instance/owner/repo/vault

Managing Secrets:

  1. Navigate to Repository > Vault > Secrets
  2. Click "New Secret" to create a secret
  3. Use dot notation for organization: prod.database.password, staging.api.key

Creating CI/CD Tokens:

  1. Navigate to Repository > Vault > CI/CD Tokens
  2. Click "New Token"
  3. Define the scope (e.g., read:*, read:prod.*, write:db.credentials)
  4. Set expiration time
  5. Copy the token immediately (shown only once)

REST API

All API endpoints require a valid vault token in the Authorization header.

Authentication:

# Bearer token format
Authorization: Bearer gvt_abc123...

# Or token format
Authorization: token gvt_abc123...

List Secrets:

curl -H "Authorization: Bearer $VAULT_TOKEN" \
  https://gitcaddy.example.com/api/v1/repos/owner/repo/vault/secrets

Get Secret Value:

curl -H "Authorization: Bearer $VAULT_TOKEN" \
  https://gitcaddy.example.com/api/v1/repos/owner/repo/vault/secrets/prod.database.password

Create Secret:

curl -X POST \
  -H "Authorization: Bearer $VAULT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "prod.database.password",
    "description": "Production database credentials",
    "type": "key-value",
    "value": "secret-password-here"
  }' \
  https://gitcaddy.example.com/api/v1/repos/owner/repo/vault/secrets

Update Secret:

curl -X PUT \
  -H "Authorization: Bearer $VAULT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "key-value",
    "value": "new-secret-value",
    "comment": "Rotated credentials"
  }' \
  https://gitcaddy.example.com/api/v1/repos/owner/repo/vault/secrets/prod.database.password

Delete Secret:

curl -X DELETE \
  -H "Authorization: Bearer $VAULT_TOKEN" \
  https://gitcaddy.example.com/api/v1/repos/owner/repo/vault/secrets/prod.database.password

CI/CD Integration

GitHub Actions / Gitea Actions:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch secrets
        run: |
          DB_PASSWORD=$(curl -s -H "Authorization: Bearer ${{ secrets.VAULT_TOKEN }}" \
            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/vault/secrets/prod.database.password" \
            | jq -r '.value')
          echo "::add-mask::$DB_PASSWORD"
          echo "DB_PASSWORD=$DB_PASSWORD" >> $GITHUB_ENV

GitLab CI:

deploy:
  script:
    - |
      export DB_PASSWORD=$(curl -s -H "Authorization: Bearer $VAULT_TOKEN" \
        "$CI_SERVER_URL/api/v1/repos/$CI_PROJECT_PATH/vault/secrets/prod.database.password" \
        | jq -r '.value')

Token Scopes

Token scopes control access to secrets using a simple grammar:

Scope Description
read:* Read access to all secrets
write:* Read and write access to all secrets
read:prod.* Read access to secrets starting with prod.
write:db.credentials Write access to specific secret db.credentials
admin Full administrative access

Multiple scopes: Separate with commas: read:prod.*,write:staging.*

License Tiers

Feature Solo Pro Team Enterprise
Users 1 5 25 Unlimited
Secrets per repo 5 Unlimited Unlimited Unlimited
Audit retention 7 days 90 days 1 year Custom
Version history No Yes Yes Yes
CI/CD tokens No Yes Yes Yes
SSO integration No No Yes Yes
Priority support No No No Yes

Database Schema

GitCaddy Vault uses the following tables:

  • vault_secret - Secret metadata
  • vault_secret_version - Versioned secret values (encrypted)
  • vault_repo_key - Per-repository encryption keys
  • vault_token - CI/CD access tokens
  • vault_audit_entry - Audit log entries

Development

Architecture: Vault ↔ Server Sync

Important for contributors and AI assistants:

GitCaddy Vault is the source of truth for vault-related templates and locales. Due to Go plugin compilation limitations, vault code is compiled directly into GitCaddy Server rather than loaded as a dynamic plugin.

┌─────────────────────────────────────────────────────────────────┐
│                     gitcaddy-vault (this repo)                   │
│  SOURCE OF TRUTH for:                                           │
│  • templates/repo/vault/*.tmpl  → UI templates                  │
│  • locale/*.json                → Translation strings           │
│  • models/, services/, crypto/  → Business logic                │
│  • license/                     → License validation            │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                    BUILD TIME SYNC
                    (scripts/sync-vault.sh)
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│                     gitcaddy-server                              │
│  RECEIVES from vault:                                           │
│  • templates/repo/vault/*.tmpl  ← Copied from vault             │
│  • options/locale/*.json        ← vault.* keys merged           │
│                                                                  │
│  SERVER-ONLY (not in vault):                                    │
│  • templates/repo/vault/feature_upgrade.tmpl                    │
│  • templates/repo/vault/not_installed.tmpl                      │
│  • templates/repo/vault/upgrade.tmpl                            │
│  • routers/web/repo/vault/vault.go  ← Router glue code          │
│  • services/vault/vault.go          ← Service wrappers          │
└─────────────────────────────────────────────────────────────────┘

When making changes:

  • Edit templates/locales in gitcaddy-vault (this repo)
  • The CI build automatically syncs to gitcaddy-server
  • Server-specific templates (upgrade prompts) stay in server repo
  • Go router code stays in server repo (thin integration layer)

Why not Go plugins? Go plugins require exact compiler version and dependency matches between plugin and host. This is fragile in practice, so we compile vault directly into the server binary.

Building

The Vault module is compiled directly into GitCaddy Server. To build the server with Vault:

# Clone GitCaddy Server (includes Vault)
git clone https://git.marketally.com/gitcaddy/server.git
cd server

# Build the server (Vault is included automatically)
make build

# Run tests
go test ./...

Keygen Utility

The license key generation tool is built separately:

# Clone the vault repository
git clone https://git.marketally.com/gitcaddy/vault.git
cd vault

# Build the keygen utility
go build -o keygen ./cmd/keygen

Generating License Keys

# Generate a new keypair (do this once, keep private key secure!)
go run ./cmd/keygen -generate-keys

# Sign a license
go run ./cmd/keygen -sign \
  -email customer@example.com \
  -tier pro \
  -duration 365d \
  -private-key /secure/path/private.key

Local Development

Set GITCADDY_DEV_MODE=1 to skip license validation during development:

export GITCADDY_DEV_MODE=1

Security Considerations

  1. Key Management - The master KEK should be stored securely (HSM, KMS, or secure environment variable)
  2. Token Storage - Vault tokens are hashed with SHA-256 before storage
  3. Audit Trail - All access is logged with IP address and user information
  4. Soft Delete - Deleted secrets are retained for recovery before permanent deletion
  5. TLS Required - Always use HTTPS in production

Support

License

Business Source License 1.1 - See LICENSE file for details.

Copyright 2026 MarketAlly. All rights reserved.

Reference in New Issue View Git Blame Copy Permalink
LICENSE.md
View File Raw
# Business Source License 1.1 License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved. “Business Source License” is a trademark of MariaDB Corporation Ab. --- ## Parameters **Licensor:** \ MarketAlly **Licensed Work:** \ GitCaddy Vault The Licensed Work is (c) 2026 MarketAlly **Additional Use Grant:** \ You may use the Licensed Work for non-production purposes, including development, testing, personal projects, educational use, and internal evaluation. You may also use the Licensed Work for production use with **up to five (5) users** at no cost (the “Solo Tier”). Production use beyond five (5) users, or use that exceeds Solo Tier limits, requires a valid commercial license obtained from the Licensor. **Change Date:** \ January 17, 2030 **Change License:** \ Apache License, Version 2.0 --- ## Terms The Licensor hereby grants you the right to copy, modify, create derivative works, redistribute, and make non-production use of the Licensed Work. The Licensor makes an Additional Use Grant, above, permitting limited production use. Effective on the Change Date, or the fourth anniversary of the first publicly available distribution of a specific version of the Licensed Work under this License, whichever comes first, the Licensor hereby grants you the rights described in the Change License. The rights granted under this License will terminate automatically if you violate any of the restrictions of this License. Upon termination, you must cease all use of the Licensed Work and destroy all copies. This License does not grant you any right in any trademark or logo of the Licensor or its affiliates. TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE. MariaDB hereby grants you permission to use this License’s text to license your works, and to refer to it using the trademark “Business Source License”, as long as you comply with the Covenants of Licensor below. --- ## Covenants of Licensor In consideration of the right to use this License’s text and the “Business Source License” name and trademark, Licensor covenants to MariaDB, and to all other recipients of the Licensed Work, that Licensor will: 1. Specify as the Change License a license that is compatible with version 2.0 of the Apache License, GPL version 2.0 or later, or a license that is OSI-approved. 2. Specify as the Change Date a date no later than four years after the first publicly available distribution of a specific version of the Licensed Work. 3. Not modify this License in any other way.
Description
Encrypted Secrets Management for GitCaddy
http://www.gitcaddy.com
Readme BSL-1.1 1.1 MiB
Releases 9
v1.0.60 - Bug Fix Release Latest
2026-02-08 16:16:48 +00:00
Languages
Go 100%