reinitialized.net/infrastructure
2
0
Fork 0
Code Issues 37 Pull requests Projects Releases Packages Wiki Activity Actions

[MEDIUM] No documented secret rotation procedure #24

New issue
Open
opened 2026-05-05 15:44:47 -05:00 by pjennings · 0 comments
pjennings commented 2026-05-05 15:44:47 -05:00
Owner
Copy link

Labels: area:security, priority:medium, type:enhancement

Description

There is no documentation or automation for rotating secrets across the infrastructure:

  • API tokens (Authentik, ACME, Forgejo)
  • Database passwords
  • TLS certificates (automated via ACME, but no manual fallback)
  • WireGuard keys
  • Container service credentials

Impact

Compromised credentials remain valid indefinitely. No way to respond to security incidents involving credential theft.

Recommended Fix

  1. Create a secret rotation runbook at docs/runbooks/secret-rotation.md
  2. Document rotation procedures for each credential type
  3. Implement automated rotation where possible
  4. Add expiry dates to API tokens
  5. Schedule quarterly rotation reviews
**Labels:** area:security, priority:medium, type:enhancement ## Description There is no documentation or automation for rotating secrets across the infrastructure: - API tokens (Authentik, ACME, Forgejo) - Database passwords - TLS certificates (automated via ACME, but no manual fallback) - WireGuard keys - Container service credentials ## Impact Compromised credentials remain valid indefinitely. No way to respond to security incidents involving credential theft. ## Recommended Fix 1. Create a secret rotation runbook at docs/runbooks/secret-rotation.md 2. Document rotation procedures for each credential type 3. Implement automated rotation where possible 4. Add expiry dates to API tokens 5. Schedule quarterly rotation reviews
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
indev
No results found.
Labels
Clear labels   
area:documentation

Documentation, inventory, runbooks

  
area:infrastructure

Infrastructure services and hardware

  
area:network

Network, firewall, and connectivity

  
area:security

Security vulnerabilities and findings

  
priority:critical

Fix immediately — active risk

  
priority:high

Fix within 1-2 weeks

  
priority:low

Backlog — hardening and best practices

  
priority:medium

Fix within 1 month

  
status:blocked

Blocked on dependency or decision

  
type:bug

Misconfiguration or broken behavior

  
type:deployment

New service or system deployment

  
type:enhancement

Improvement or hardening

  
type:investigation

Needs research or identification

No labels
area:documentation
area:infrastructure
area:network
area:security
priority:critical
priority:high
priority:low
priority:medium
status:blocked
type:bug
type:deployment
type:enhancement
type:investigation
Milestone
Clear milestone
No items
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
reinitialized.net/infrastructure#24
No description provided.