Document UniFi baseline secret leak guardrails

This commit is contained in:
Doris
2026-05-22 20:58:41 +00:00
parent 5f56fe75d8
commit c2c71cfe57
6 changed files with 145 additions and 609 deletions

View File

@@ -206,6 +206,39 @@ On a fresh PD after reinstalling TrueNAS:
---
## Controller Export / Baseline Artifact Rules
Raw infrastructure exports must be treated as potentially secret-bearing even when they are not `.env` files.
Examples:
- UniFi `networkconf` / `portconf` dumps
- firewall/router/controller JSON exports
- VPN client or server config exports
- diagnostic snapshots taken from appliances or operator APIs
### Permanent rules
- Do **not** commit raw controller or appliance exports to the main repo.
- Commit only sanitized markdown summaries or explicitly redacted artifacts.
- If raw retention is needed, store the export in the encrypted secrets repo or another operator-only location outside the main repo.
- Before committing infra artifacts, scan for obvious secret-bearing keys such as:
- `private_key`
- `wireguard`
- `token`
- `secret`
- `password`
- `Authorization`
- `cookie`
- `client_secret`
### Incident reference
A real leak occurred on 2026-05-22 when a raw UniFi baseline export under `home/doris-dashboard/docs/baselines/` was committed with embedded WireGuard secrets.
See:
- `docs/operations/INCIDENT_2026-05-22_UNIFI_BASELINE_SECRET_LEAK.md`
- `home/doris-dashboard/docs/baselines/README.md`
## Security Reminders
- **Key backup**: `C:\Users\Fizzlepoof\Downloads\.git-crypt-secrets.key` — also store in password manager