dataforge/fn_registry
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
a2efdcf0032bbc44575fa9b24f20fbe64ddc9a81
fn_registry/dev/issues/completed/0169-matrix-livekit-secret-rotate.md
T
egutierrez 00c7fc728e chore(issues): close 0167+0168+0169+0170 livekit hardening bundle 
VPS commit: 8eef89b (egutierrez/element_matrix_chat)

- 0167: STUN leak fixed (use_external_ip:false + node_ip hardcoded)
- 0168: UDP range expanded 50000-50200 -> 50000-50500
- 0169: API secret rotated (old key LK44e009c6e92b -> new LK5f6b38bb)
- 0170: livekit.example.yaml refreshed + header comments cleaned

Verification:
- 0 STUN packets to Google during restart (tcpdump 60s window)
- Endpoint /livekit/sfu/ HTTP 200
- LiveKit logs: nodeIP=135.125.201.30, portICERange=[50000,50500]
- Containers livekit + livekit-jwt healthy

New secret stored in pass: matrix/livekit-secret-rotation-2026-05-25
2026-05-25 00:44:15 +02:00

2.1 KiB
Raw Blame History

id, title, status, type, domain, scope, priority, depends, blocks, related, created, updated, tags
id title status type domain scope priority depends blocks related created updated tags
0169 Rotar LIVEKIT_SECRET (expuesto en sesion auditoria) pendiente bugfix
matrix
app:element_matrix_chat alta
2026-05-24 2026-05-24
matrix
livekit
security
secret-rotation

0169 — Rotar LIVEKIT_SECRET (expuesto en sesion auditoria)

Status: pendiente Created: 2026-05-24 Type: bugfix Priority: alta Domain: matrix Scope: app:element_matrix_chat Depends:Blocks:

Problema

Durante auditoria 2026-05-24 (sesion Claude), docker inspect element_matrix_chat-livekit-jwt-1 volco LIVEKIT_SECRET=b00e98f70722bc... cleartext en stdout de la sesion. Aunque la sesion es del operador, el secret quedo en log de conversacion + potencialmente en backups del log + transcripts. Rotacion necesaria por higiene.

Objetivo

Nuevo secret 32 bytes hex, mismo api_key (o regenerar ambos), stack restart sin perdida sesion.

Plan

  1. Generar nuevo secret: openssl rand -hex 32.
  2. Editar configs/livekit/livekit.yaml → bloque keys: con nuevo valor.
  3. Editar .env de docker-compose (var LIVEKIT_SECRET consumida por livekit-jwt).
  4. Restart element_matrix_chat-livekit-1 y element_matrix_chat-livekit-jwt-1 en orden.
  5. Test call Element Call → handshake JWT OK.
  6. Guardar secret antiguo + nuevo en pass con timestamp rotacion.

Acceptance

  • docker inspect ... --format "{{.Config.Env}}" muestra secret nuevo.
  • Element Call inicia call sin error "invalid token".
  • Entry pass matrix/livekit-secret actualizada.

Definition of Done

  • Repetibilidad: rotacion documentada como funcion del registry (candidato livekit_secret_rotate_bash_infra).
  • Observabilidad: rotation log con timestamp.

Notas

Considerar promover el procedimiento a funcion del registry: livekit_secret_rotate_bash_infra(ssh_host, compose_dir) que automatiza pasos 1-5 y guarda en pass via gpg_pass_write.

Patron similar para otros secrets del stack (Synapse macaroon, MAS encryption key, postgres passwords) → capability group nuevo secret-rotation.

Reference in New Issue View Git Blame Copy Permalink