1.6 KiB
1.6 KiB
| id | title | status | assignee | created_date | labels | dependencies | priority | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| task-2 | Rotate leaked credentials and scrub git history | Done |
|
2026-02-10 01:09 |
|
high |
Description
Security hardening after GitGuardian detected exposed SMTP credentials in GitHub. Rotated all leaked secrets, rewrote git history with git-filter-repo, and moved all configuration to server-side .env files.
Changes made:
- Switched n8n email from Resend API to Mailcow SMTP (self-hosted)
- Created hello@cosmolocal.world mailbox in Mailcow
- Created SMTP credential in n8n via API
- Updated workflows 02 (Lead Nurturing) and 04 (Follow-up Reminders) via n8n API
- Removed all hardcoded secrets from docker-compose.yml (DB password, SMTP host/port/sender)
- Rotated: Resend API key (deprecated), Listmonk API password, n8n DB password, SMTP password
- Ran git-filter-repo 3x to scrub secrets from all commits and commit messages
- Force-pushed cleaned history to both Gitea and GitHub
- All credentials now in /opt/websites/cosmolocal-website/.env (gitignored)
Remaining: Revoke old Resend API key in Resend dashboard (manual).
Acceptance Criteria
- #1 Resend API key removed from codebase and history
- #2 Listmonk password rotated
- #3 n8n DB password rotated and moved to .env
- #4 SMTP password rotated
- #5 SMTP host/port/sender moved to env vars
- #6 Git history clean - zero secret matches
- #7 All services healthy after redeployment
- #8 GitGuardian alert resolved