Document UniFi baseline secret leak guardrails
This commit is contained in:
@@ -206,6 +206,39 @@ On a fresh PD after reinstalling TrueNAS:
|
||||
|
||||
---
|
||||
|
||||
## Controller Export / Baseline Artifact Rules
|
||||
|
||||
Raw infrastructure exports must be treated as potentially secret-bearing even when they are not `.env` files.
|
||||
|
||||
Examples:
|
||||
- UniFi `networkconf` / `portconf` dumps
|
||||
- firewall/router/controller JSON exports
|
||||
- VPN client or server config exports
|
||||
- diagnostic snapshots taken from appliances or operator APIs
|
||||
|
||||
### Permanent rules
|
||||
|
||||
- Do **not** commit raw controller or appliance exports to the main repo.
|
||||
- Commit only sanitized markdown summaries or explicitly redacted artifacts.
|
||||
- If raw retention is needed, store the export in the encrypted secrets repo or another operator-only location outside the main repo.
|
||||
- Before committing infra artifacts, scan for obvious secret-bearing keys such as:
|
||||
- `private_key`
|
||||
- `wireguard`
|
||||
- `token`
|
||||
- `secret`
|
||||
- `password`
|
||||
- `Authorization`
|
||||
- `cookie`
|
||||
- `client_secret`
|
||||
|
||||
### Incident reference
|
||||
|
||||
A real leak occurred on 2026-05-22 when a raw UniFi baseline export under `home/doris-dashboard/docs/baselines/` was committed with embedded WireGuard secrets.
|
||||
|
||||
See:
|
||||
- `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md`
|
||||
- `home/doris-dashboard/docs/baselines/README.md`
|
||||
|
||||
## Security Reminders
|
||||
|
||||
- **Key backup**: `C:\Users\Fizzlepoof\Downloads\.git-crypt-secrets.key` — also store in password manager
|
||||
|
||||
Reference in New Issue
Block a user