proxpanel/infra/deploy/SECRET_ROTATION_CHECKLIST.md

Secret Rotation Checklist (Production)

Target: my.votcloud.com
Host: 102.69.243.167

Scope

Rotate the following regularly (monthly/quarterly or after any incident):

  1. JWT_SECRET
  2. JWT_REFRESH_SECRET
  3. POSTGRES_PASSWORD
  4. ADMIN_PASSWORD

Recommended:

  1. BACKUP_ENCRYPTION_KEY (only with a controlled key-migration plan, since existing backups remain encrypted under the old key)
  2. Proxmox API token secret
  3. Payment/webhook secrets

Runbook (Safe Order)

  1. Create timestamped app/env/db backup.
  2. Rotate env secrets in .env.production.
  3. Apply DB password rotation (ALTER USER ... WITH PASSWORD ...).
  4. Restart app stack with new env.
  5. Re-seed admin (npm run prisma:seed) to sync rotated admin password.
  6. Revoke all active sessions (AuthSession) to invalidate old sessions.
  7. Verify:
    • GET /api/health
    • Admin login
    • Core pages (/rbac, /profile, /system, /audit-logs)
  8. Save secure summary with new admin credentials under /root/.
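Steps 1 and 2 of the runbook (back up the env file, then swap a secret in place) in shell, as an added example that is not the project's rotate-production-secrets.sh; the backup directory argument, the helper names and the use of /dev/urandom for key material are assumptions:

```shell
#!/usr/bin/env bash
# Added example: safe in-place rotation of one secret in an env file.
# Not the project's script; helper names and paths are hypothetical.
set -eu

# 48 random bytes, base64, no newline (64 chars). Assumes /dev/urandom + base64.
generate_secret() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Copy the env file into BACKUP_DIR with a timestamp suffix and mode 600,
# and print the backup path so the caller can record it in the audit trail.
backup_env() {
  envfile="$1"; backup_dir="$2"
  mkdir -p "$backup_dir"
  dest="$backup_dir/$(basename "$envfile").$(date +%Y%m%d%H%M%S)"
  cp -p "$envfile" "$dest"
  chmod 600 "$dest"
  printf '%s\n' "$dest"
}

# Replace KEY=... (or append it if absent). The value is handed to awk via the
# environment, not as a command-line argument, so it never shows up in `ps`.
# The file is rewritten through a 0600 temp file and renamed atomically.
rotate_env_secret() {
  envfile="$1"; key="$2"; value="$3"
  tmp="$(mktemp "${envfile}.XXXXXX")"
  chmod 600 "$tmp"
  KEY="$key" VALUE="$value" awk '
    BEGIN { k = ENVIRON["KEY"]; v = ENVIRON["VALUE"]; done = 0 }
    index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$envfile" > "$tmp"
  mv "$tmp" "$envfile"
}

# Read a key's current value back, for post-rotation verification.
env_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}
```

Run backup_env before the first rotate_env_secret call and keep the printed backup path with the rotation summary; if verification fails, copy that backup back over .env.production before recreating the containers.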

Automation Script

Use:

sudo bash /opt/proxpanel/infra/deploy/rotate-production-secrets.sh

Script guarantees:

  1. Backup directory created in /opt/proxpanel-backups/<timestamp>-secret-rotation/
  2. DB pre-rotation dump created
  3. Post-rotation health + login verified
  4. Summary written to /root/proxpanel-secret-rotation-<timestamp>.txt

Rollback Plan

If post-rotation checks fail:

  1. Restore .env.production from backup.
  2. Restore previous app files if needed.
  3. Restore DB dump if schema/state corruption occurred.
  4. Recreate containers:
    • docker compose --env-file .env.production -f infra/deploy/docker-compose.production.yml up -d --build

Audit Trail

Store:

  1. Rotation timestamp
  2. Operator identity
  3. Backup directory used
  4. Health verification evidence
  5. Any rollback events