46 lines
1.6 KiB
Markdown
46 lines
1.6 KiB
Markdown
---
|
|
id: task-2
|
|
title: Rotate leaked credentials and scrub git history
|
|
status: Done
|
|
assignee:
|
|
- '@claude'
|
|
created_date: '2026-02-10 01:09'
|
|
labels:
|
|
- security
|
|
- infrastructure
|
|
- n8n
|
|
dependencies: []
|
|
priority: high
|
|
---
|
|
|
|
## Description
|
|
|
|
<!-- SECTION:DESCRIPTION:BEGIN -->
|
|
Security hardening after GitGuardian detected exposed SMTP credentials in GitHub. Rotated all leaked secrets, rewrote git history with git-filter-repo, and moved all configuration to server-side .env files.
|
|
|
|
Changes made:
|
|
- Switched n8n email from Resend API to Mailcow SMTP (self-hosted)
|
|
- Created hello@cosmolocal.world mailbox in Mailcow
|
|
- Created SMTP credential in n8n via API
|
|
- Updated workflows 02 (Lead Nurturing) and 04 (Follow-up Reminders) via n8n API
|
|
- Removed all hardcoded secrets from docker-compose.yml (DB password, SMTP host/port/sender)
|
|
- Rotated: Resend API key (deprecated), Listmonk API password, n8n DB password, SMTP password
|
|
- Ran git-filter-repo 3x to scrub secrets from all commits and commit messages
|
|
- Force-pushed cleaned history to both Gitea and GitHub
|
|
- All credentials now in /opt/websites/cosmolocal-website/.env (gitignored)
|
|
|
|
Remaining: Revoke old Resend API key in Resend dashboard (manual).
|
|
<!-- SECTION:DESCRIPTION:END -->
|
|
|
|
## Acceptance Criteria
|
|
<!-- AC:BEGIN -->
|
|
- [ ] #1 Resend API key removed from codebase and history
|
|
- [ ] #2 Listmonk password rotated
|
|
- [ ] #3 n8n DB password rotated and moved to .env
|
|
- [ ] #4 SMTP password rotated
|
|
- [ ] #5 SMTP host/port/sender moved to env vars
|
|
- [ ] #6 Git history clean - zero secret matches
|
|
- [ ] #7 All services healthy after redeployment
|
|
- [ ] #8 GitGuardian alert resolved
|
|
<!-- AC:END -->
|