Newer
Older
openstack-caracal-dc-dc / docs / changelog-20260715-creds-consolidation.md

2026-07-15 -- credential/env consolidation into ~/vr1-office1-creds/ (SEC-009)

Operator-approved. Closes a credential SPRAWL + world-readable exposure on vcloud, and establishes the standing per-site consolidation convention.

The finding

Three env files sat loose in ~, outside the consolidated ~/vr1-office1-creds/ folder:

~/.vr1-netbox.env    0600   upstream/v1-draft NetBox token (NETBOX_URL + NETBOX_TOKEN)
~/vr1-office1.env    0600   OPNsense edge config (WAN/LAN/DHCP/root-hash/SSH-key vars)
~/vr1-stage1.env     0664   OpenTofu TF_VAR_* -- INCLUDING TF_VAR_maas_api_key (a MAAS secret)

vr1-stage1.env at 0664 (group/world-readable) held a MAAS API key -- a real exposure, not just untidiness. ~/vr1-office1-creds/tailscale-authkey.txt was also 0664. None were created this session (mtimes 2026-07-10..12); a prior session in this continuity scattered them.

What was done (files OUTSIDE the repo; not committed, recorded here)

  • Moved all three into ~/vr1-office1-creds/ (vr1-netbox.env, vr1-office1.env, vr1-stage1.env).
  • chmod 600 on every sensitive file in the folder -- fixed the two 0664 files.
  • No file CONTENTS were read; key NAMES only were listed to identify each file's purpose.
  • Fixed a D-119 follow-up the sweep could not reach (it is outside the repo): vr1-stage1.env had TF_VAR_dc1_pool_path / TF_VAR_dc2_pool_path -> renamed to TF_VAR_vr1_dc0_pool_path / TF_VAR_vr1_dc1_pool_path to match the renamed OpenTofu variables.

Repo changes (committed)

  • Active path references updated old ~/.vr1-netbox.env -> ~/vr1-office1-creds/vr1-netbox.env: netbox/prod-draft-dump.py (docstring + usage + error message), runbooks/dc-dc-phase1-office1- standup.md (Step 10b table), docs/vr1-office1-as-built.md, docs/session-ledger.md. Dated changelog/incident records that reference the OLD paths are left as historical snapshots.
  • docs/vr1-office1-as-built.md secrets table: added the three env files + the consolidation note. Corrected a wrong assumption recorded mid-session -- the SANDBOX NetBox token is NOT on vcloud; it is on office1-netbox (/root/netbox-secrets/). vr1-netbox.env is the UPSTREAM token only.
  • docs/security-ledger.md: SEC-009 (this finding, REMEDIATED) + the STANDING CONVENTION.

Standing convention (SEC-009)

Per-site: ALL sensitive + env/config files live in one ~/<site>-creds/ folder (0700; files 0600; public keys 0644). No loose env files in ~. ~/vr1-dc0-creds/ and ~/vr1-dc1-creds/ follow the same pattern FROM DAY ONE when DC deployment starts. This is a DATA-LOSS / continuity control first: scattered creds get lost between sessions and after compaction. Real credential hardening (rotation, revocation) stays deferred to post-teardown redeploy cycles -- this is a closed in-house test.

Also seeded agent memory (was empty): the creds convention and the closed-test posture, so neither is re-lost at the next compaction.

Revert

Repo edits: git revert <this commit>. The file moves are outside the repo -- to reverse, move the three env files back to ~ (not recommended: it re-opens the sprawl and the 0664 exposure).