3.6 KiB
Incident: UniFi Baseline Secret Leak (2026-05-22)
Summary
A raw UniFi baseline export was committed to the main truenas-stacks repo during the May 22, 2026 network-cutover documentation pass. GitGuardian later flagged three secret leaks in the latest commits.
The leaked material came from a controller export artifact, not from a normal .env file.
What leaked
The committed file contained three WireGuard secrets in home/doris-dashboard/docs/baselines/unifi-object-baseline-2026-05-22-024653.json:
- an embedded
wireguard_client_configuration_filecontaining aPrivateKey = ... - one
x_wireguard_private_key - another
x_wireguard_private_key
How it happened
The failure mode was:
- a read-only UniFi object baseline was captured to support cautious cutover work
- the export was saved as a raw JSON artifact under
home/doris-dashboard/docs/baselines/ - that raw export was treated like a harmless recon artifact and committed alongside other network redesign docs
- the export included VPN/WireGuard fields that are safe for controller runtime but unsafe for a git-tracked documentation repo
- GitGuardian detected the leaked keys after push
Root cause
This was a process failure, not a git-crypt failure.
The repo already had rules for .env secrets, but not a strong enough rule for controller exports / diagnostic baselines / machine snapshots that may embed secrets even when they are not named .env.
In short:
- we protected the usual secret files
- we did not treat raw infrastructure exports as secret-bearing by default
Remediation completed
The following remediation was performed:
- the leaked values were removed from the working tree
- git history was rewritten to purge the exact leaked values
- cleaned history was force-pushed to both
originandgithub - raw JSON baseline exports under
home/doris-dashboard/docs/baselines/were moved out of the main repo policy - the repo now documents that only sanitized summaries or explicitly redacted artifacts belong in the main repo
New permanent rules
- Raw controller/API exports do not belong in the main repo.
- Examples: UniFi
networkconf,portconf, full appliance JSON dumps, diagnostic snapshots, vendor backups, tunnel/client config exports.
- Examples: UniFi
- Assume machine exports are secret-bearing until proven otherwise.
- If it came from a controller or appliance, inspect it like a secret file.
- Only commit one of these:
- a markdown summary
- a purpose-built redacted JSON artifact
- a generated diff with secret-bearing keys removed
- Before committing infra artifacts, scan them explicitly.
- Look for terms like
private_key,wireguard,token,secret,password,Authorization,cookie,client_secret.
- Look for terms like
- If raw export retention is required, store it outside the main repo.
- Prefer the encrypted secrets repo or another non-public operator-only location.
- If a secret-bearing export is committed, treat it as an incident.
- redact/remove from current tree
- rewrite history
- force-push
- rotate live credentials/keys as appropriate
Operator follow-up still recommended
History cleanup fixed the repo exposure. If any leaked WireGuard keys were active in production at the time of exposure, rotate them deliberately and update affected clients.
Prevent-recurrence checklist
- raw exports ignored by default in the repo path where they are commonly captured
- incident documented in
SECRETS_MANAGEMENT.md - dashboard baseline directory has a README explaining what may and may not be committed
- future cutover notes point to sanitized summaries rather than raw exports