90 lines
2.4 KiB
Markdown
# Secret Rotation Checklist (Production)

Target: `my.votcloud.com`

Host: `102.69.243.167`

## Scope

Rotate the following regularly (monthly/quarterly or after any incident):

1. `JWT_SECRET`
2. `JWT_REFRESH_SECRET`
3. `POSTGRES_PASSWORD`
4. `ADMIN_PASSWORD`

Recommended:

1. `BACKUP_ENCRYPTION_KEY` (with a controlled key migration plan)
2. Proxmox API token secret
3. Payment/webhook secrets

Enterprise hardening:

1. Keep a one-secret grace window (`*_previous`) when rotating webhook secrets, so payment events still signed with the old secret are not dropped during provider cutover.
2. Validate the new Proxmox token directly against `/api2/json/version` before applying it in panel settings.

## Runbook (Safe Order)

1. Create timestamped app/env/db backup.
2. Rotate env secrets in `.env.production`.
3. Apply DB password rotation (`ALTER USER ... WITH PASSWORD ...`).
4. Restart app stack with new env.
5. Re-seed admin (`npm run prisma:seed`) to sync rotated admin password.
6. Revoke all active sessions (`AuthSession`) to invalidate old sessions.
7. Verify:
   - `GET /api/health`
   - Admin login
   - Core pages (`/rbac`, `/profile`, `/system`, `/audit-logs`)
8. Save secure summary with new admin credentials under `/root/`.

## Automation Script

Use:

```bash
sudo bash /opt/proxpanel/infra/deploy/rotate-production-secrets.sh
```

Script guarantees:

1. Backup directory created in `/opt/proxpanel-backups/<timestamp>-secret-rotation/`
2. DB pre-rotation dump created
3. Post-rotation health + login verified
4. Summary written to `/root/proxpanel-secret-rotation-<timestamp>.txt`

For integration secrets (Proxmox + payment/webhook + alerting endpoints), use:

```bash
sudo bash /opt/proxpanel/infra/deploy/rotate-integration-secrets.sh \
  --proxmox-token-secret 'new_token_secret' \
  --paystack-secret 'new_paystack_secret' \
  --flutterwave-webhook-hash 'new_hash'
```

After external provider cutover is confirmed, clear grace secrets:

```bash
sudo bash /opt/proxpanel/infra/deploy/rotate-integration-secrets.sh \
  --finalize-payment-webhook-grace
```

## Rollback Plan

If post-rotation checks fail:

1. Restore `.env.production` from backup.
2. Restore previous app files if needed.
3. Restore DB dump if schema/state corruption occurred.
4. Recreate containers:
   - `docker compose --env-file .env.production -f infra/deploy/docker-compose.production.yml up -d --build`

## Audit Trail

Store:

1. Rotation timestamp
2. Operator identity
3. Backup directory used
4. Health verification evidence
5. Any rollback events