chore: bootstrap Atay Makhzan ops repo
This commit is contained in:
+37
@@ -0,0 +1,37 @@
|
||||
# Security Policy
|
||||
|
||||
This repository is public. Treat it as documentation and reproducible operations code, not as a secret store.
|
||||
|
||||
## Never commit
|
||||
|
||||
- Real `.env` files
|
||||
- Gitea `app.ini` secrets
|
||||
- Database passwords
|
||||
- SMTP credentials
|
||||
- OAuth secrets
|
||||
- SSH private keys
|
||||
- API tokens
|
||||
- Gitea dump archives
|
||||
- PostgreSQL dump files
|
||||
- TLS private keys
|
||||
- Full production logs containing sensitive data
|
||||
|
||||
## Safe to commit
|
||||
|
||||
- `.env.example` with placeholders
|
||||
- Docker Compose templates with variable references
|
||||
- Nginx templates without private keys
|
||||
- Runbooks
|
||||
- Scripts that read secrets from the environment
|
||||
- Architecture records
|
||||
|
||||
## If a secret is committed
|
||||
|
||||
1. Rotate the secret immediately.
|
||||
2. Remove it from current files.
|
||||
3. Rewrite public Git history only if the exposure is severe and worth the operational risk.
|
||||
4. Assume the secret was copied by someone else.
|
||||
|
||||
## Operational rule
|
||||
|
||||
For production maintenance, create backups before upgrades and verify both web and SSH Git paths after changes.
|
||||
Reference in New Issue
Block a user