06 — Secrets & Credentials

Single source of truth for how credentials are stored, accessed, rotated, and audited across the Ecotrans infrastructure.

Infisical CE (running on vps-i1 at infisical.vps-i1.infra.zintegrowana.online) is the vault for all p24-infra credentials. GitHub Secrets are synced FROM Infisical for CI/CD use.

Key Documents

Document                          Description
secrets-management.md             Policy, patterns, and rules for all credential types
infisical-ce-operations.md        Infisical CE deployment, project map, Machine Identity setup, rotation procedures
n8n-secrets-audit.md              Audit of all n8n credential references — no hardcoded keys
secrets-rotation-log.md           Chronological log of every credential rotation
password-rotation-procedures.md   Step-by-step rotation procedures per credential type
03-secrets-management.md          Secrets management improvement proposals

Infisical Project Map

Project                Hosts covered                  Local fallback
p24-monitoring         vps-i1 monitoring stack        /opt/p24-infra/monitoring/.env.bak
n8n-bms4               bms-4 n8n stack                /root/.env.bak on bms-4
vps-h1                 Hostinger WAHA stack           /root/.env.bak on vps-h1
bms-servers            BMS root + MongoDB passwords   GH Secrets backup
github-actions         CI/CD secrets                  GH Secrets (synced from Infisical)
art-agency             Art Agency credentials         Art-Agency/.env.local
radekkonarski-brand    Personal brand credentials     .env.local

Rules (mandatory — no exceptions)

  • Never display a credential value in chat or commit it to git
  • Never ask the user to paste a secret value into chat
  • Always read from Infisical or .env.bak / .env.local; reference by variable name only
  • Rotate the old value at source after the new value is live everywhere
  • Append every rotation to secrets-rotation-log.md

Adding a New Secret

  1. Add to the correct Infisical project via UI
  2. Regenerate .env.bak on affected host:
    • vps-i1: ssh root@217.154.82.162 "bash /opt/infisical/regen-monitoring-envbak.sh"
    • bms-4: bash /opt/infisical/regen-n8n-envbak.sh
  3. Restart only the affected container(s)
  4. Update .env.local on developer workstation if needed
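As an added example for step 2 (not the regen scripts on the hosts, which this page does not reproduce), a POSIX shell helper that rebuilds a .env.bak from a dotenv export read on stdin: it writes atomically with owner-only permissions, fails if a required variable name is absent, and logs variable names only, in line with the rules above. The target path, variable names and values are constructed; the Infisical export command that would feed it is an assumption and is not shown.

```shell
#!/usr/bin/env sh
# Hypothetical helper for step 2 of "Adding a New Secret": rebuild a host's
# .env.bak from a dotenv export without ever echoing a secret value.
# The export is read from stdin (in production this would be the output of
# an Infisical CLI export run under a Machine Identity; that invocation is
# an assumption and is not part of this example).
#
# Usage: regen_envbak <target-path> <required-var-name>...
# Returns 0 on success, 1 if a required variable is missing or the write fails.
regen_envbak() {
    target="$1"; shift
    tmp="${target}.tmp.$$"
    # Create the temp file owner-only (umask in a subshell so the caller's
    # umask is untouched) before any value is written to it.
    (umask 077 && : > "$tmp") || return 1
    # Keep only KEY=value lines; drop comments and blank lines.
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' > "$tmp" || true
    missing=""
    for name in "$@"; do
        grep -q "^${name}=" "$tmp" || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        rm -f "$tmp"
        echo "regen_envbak: missing required variable(s):$missing" >&2
        return 1
    fi
    # Atomic replace: a container restart never sees a half-written file,
    # and the previous .env.bak stays intact if anything above failed.
    mv -f "$tmp" "$target" && chmod 600 "$target" || return 1
    # Log variable names only, never values (rule: never display a credential).
    echo "regen_envbak: wrote $(wc -l < "$target" | tr -d ' ') variable(s) to $target:" >&2
    sed 's/=.*//' "$target" >&2
    return 0
}
```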

Cross-references

  • README — SSH keys and OAuth (distinct from API secrets)
  • README — you are here
  • README — rotation log and session-based rotation actions