dataforge/fn_registry
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
22692c1ed20ef9b40cb6dd4bbab50adf56343d94
fn_registry/dev/issues/0169-matrix-livekit-secret-rotate.md
T
egutierrez 22692c1ed2 feat(matrix): 4 synapse quick wins applied + 6 follow-up issues 
Server-side homeserver.yaml on organic-machine VPS:
- encryption_enabled_by_default_for_room_type: invite -> all
- presence.enabled: false (block EDU metadata leak)
- url_preview_enabled: false (block SSRF + IP leak)
- msc4108 rendezvous endpoint uncommented (QR login)

Synapse restarted, /versions shows e2ee_forced.* + msc4108 unstable
features active. Backup at synapse_data/homeserver.yaml.bak.1779659423.

Issues opened for remaining gaps:
- 0165 LUKS for media_store (at-rest encryption)
- 0166 LiveKit TURN deploy (NAT traversal gap)
- 0167 STUN leak to Google (hardcode external_ip)
- 0168 UDP range expand 200 -> 500
- 0169 LIVEKIT_SECRET rotation (audit exposure)
- 0170 livekit.example.yaml rename hygiene

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 23:53:37 +02:00

2.1 KiB
Raw Blame History

id, title, status, type, domain, scope, priority, depends, blocks, related, created, updated, tags
id title status type domain scope priority depends blocks related created updated tags
0169 Rotar LIVEKIT_SECRET (expuesto en sesion auditoria) pendiente bugfix
matrix
app:element_matrix_chat alta
2026-05-24 2026-05-24
matrix
livekit
security
secret-rotation

0169 — Rotar LIVEKIT_SECRET (expuesto en sesion auditoria)

Status: pendiente Created: 2026-05-24 Type: bugfix Priority: alta Domain: matrix Scope: app:element_matrix_chat Depends:Blocks:

Problema

Durante auditoria 2026-05-24 (sesion Claude), docker inspect element_matrix_chat-livekit-jwt-1 volco LIVEKIT_SECRET=b00e98f70722bc... cleartext en stdout de la sesion. Aunque la sesion es del operador, el secret quedo en log de conversacion + potencialmente en backups del log + transcripts. Rotacion necesaria por higiene.

Objetivo

Nuevo secret 32 bytes hex, mismo api_key (o regenerar ambos), stack restart sin perdida sesion.

Plan

  1. Generar nuevo secret: openssl rand -hex 32.
  2. Editar configs/livekit/livekit.yaml → bloque keys: con nuevo valor.
  3. Editar .env de docker-compose (var LIVEKIT_SECRET consumida por livekit-jwt).
  4. Restart element_matrix_chat-livekit-1 y element_matrix_chat-livekit-jwt-1 en orden.
  5. Test call Element Call → handshake JWT OK.
  6. Guardar secret antiguo + nuevo en pass con timestamp rotacion.

Acceptance

  • docker inspect ... --format "{{.Config.Env}}" muestra secret nuevo.
  • Element Call inicia call sin error "invalid token".
  • Entry pass matrix/livekit-secret actualizada.

Definition of Done

  • Repetibilidad: rotacion documentada como funcion del registry (candidato livekit_secret_rotate_bash_infra).
  • Observabilidad: rotation log con timestamp.

Notas

Considerar promover el procedimiento a funcion del registry: livekit_secret_rotate_bash_infra(ssh_host, compose_dir) que automatiza pasos 1-5 y guarda en pass via gpg_pass_write.

Patron similar para otros secrets del stack (Synapse macaroon, MAS encryption key, postgres passwords) → capability group nuevo secret-rotation.

Reference in New Issue View Git Blame Copy Permalink