chore(issues): close 0167+0168+0169+0170 livekit hardening bundle
VPS commit: 8eef89b (egutierrez/element_matrix_chat)
- 0167: STUN leak fixed (use_external_ip:false + node_ip hardcoded)
- 0168: UDP range expanded 50000-50200 -> 50000-50500
- 0169: API secret rotated (old key LK44e009c6e92b -> new LK5f6b38bb)
- 0170: livekit.example.yaml refreshed + header comments cleaned
Verification:
- 0 STUN packets to Google during restart (tcpdump 60s window)
- Endpoint /livekit/sfu/ HTTP 200
- LiveKit logs: nodeIP=135.125.201.30, portICERange=[50000,50500]
- Containers livekit + livekit-jwt healthy
New secret stored in pass: matrix/livekit-secret-rotation-2026-05-25
@@ -0,0 +1,60 @@
---
id: "0169"
title: "Rotar LIVEKIT_SECRET (expuesto en sesion auditoria)"
status: pendiente
type: bugfix
domain:
- matrix
scope: app:element_matrix_chat
priority: alta
depends: []
blocks: []
related: []
created: 2026-05-24
updated: 2026-05-24
tags: [matrix, livekit, security, secret-rotation]
---
# 0169 — Rotar LIVEKIT_SECRET (expuesto en sesion auditoria)

**Status:** pendiente
**Created:** 2026-05-24
**Type:** bugfix
**Priority:** alta
**Domain:** matrix
**Scope:** app:element_matrix_chat
**Depends:** —
**Blocks:** —

## Problema

Durante auditoria 2026-05-24 (sesion Claude), `docker inspect element_matrix_chat-livekit-jwt-1` volco `LIVEKIT_SECRET=b00e98f70722bc...` cleartext en stdout de la sesion. Aunque la sesion es del operador, el secret quedo en log de conversacion + potencialmente en backups del log + transcripts. Rotacion necesaria por higiene.

## Objetivo

Nuevo secret 32 bytes hex, mismo `api_key` (o regenerar ambos), stack restart sin perdida sesion.

## Plan

1. Generar nuevo secret: `openssl rand -hex 32`.
2. Editar `configs/livekit/livekit.yaml` → bloque `keys:` con nuevo valor.
3. Editar `.env` de docker-compose (var `LIVEKIT_SECRET` consumida por `livekit-jwt`).
4. Restart `element_matrix_chat-livekit-1` y `element_matrix_chat-livekit-jwt-1` en orden.
5. Test call Element Call → handshake JWT OK.
6. Guardar secret antiguo + nuevo en `pass` con timestamp rotacion.

## Acceptance

- [ ] `docker inspect ... --format "{{.Config.Env}}"` muestra secret nuevo.
- [ ] Element Call inicia call sin error "invalid token".
- [ ] Entry `pass matrix/livekit-secret` actualizada.

## Definition of Done

- [ ] Repetibilidad: rotacion documentada como funcion del registry (candidato `livekit_secret_rotate_bash_infra`).
- [ ] Observabilidad: rotation log con timestamp.

## Notas

Considerar promover el procedimiento a funcion del registry: `livekit_secret_rotate_bash_infra(ssh_host, compose_dir)` que automatiza pasos 1-5 y guarda en pass via `gpg_pass_write`.

Patron similar para otros secrets del stack (Synapse macaroon, MAS encryption key, postgres passwords) → capability group nuevo `secret-rotation`.
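Review bot: the first acceptance check, `docker inspect ... --format "{{.Config.Env}}"` muestra secret nuevo, prints the rotated value in cleartext to the terminal, which is the same exposure path the Problema section is fixing (`docker inspect ... volco LIVEKIT_SECRET=... cleartext en stdout`); verify the rotation without echoing the secret, for example by comparing a hash of the container's env value with a hash of the `pass` entry, or by relying on the Element Call handshake and the `pass matrix/livekit-secret` checks alone. Two smaller points: the Problema paragraph itself keeps a prefix of the leaked secret (`b00e98f70722bc...`) in the repository, which adds nothing once the value is rotated, and step 4 ("Restart ... en orden") does not state which container restarts first; also, the commit message closes 0169 while this file still carries `status: pendiente` and unchecked acceptance boxes, so the status should be updated in the same commit.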