Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

security: Rotate exposed Authentik API token

Browse source 
GitGuardian detected hardcoded secret in test-oidc-provider.py.

Actions taken:
1.  Deleted test-oidc-provider.py (previous commit)
2.  Rotated authentik_bootstrap_token in secrets file
3.  Added test scripts to .gitignore to prevent future exposure

Old token (COMPROMISED): ak_0Xj3OmKT0rx5E_TDKjuvXAl2Ry8IfxlSDKPSRq7fH71uPX3M04d-Xg
New token: Encrypted in SOPS secrets file

Impact: Test environment only (test.vrije.cloud)
Next step: Redeploy test server to activate new token

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Pieter 2026-01-09 08:32:45 +01:00
parent bb41dbbbe3
commit d95862f522
3 changed files with 8 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
.gitignore vendored
View file

@ -56,3 +56,8 @@ venv/
tmp/ tmp/
temp/ temp/
*.tmp *.tmp
# Test/debug scripts with secrets
scripts/*-test*.py
scripts/test-*.py
**/test-oidc-provider.py

0
secrets/clients/test-temp.sops.yaml Normal file
View file

6
secrets/clients/test.sops.yaml
View file

@ -9,7 +9,7 @@ authentik_db_password: ENC[AES256_GCM,data:HsyTlbM8pewD6ZUndnPQzBzlNECdlOqEWt6Ag
authentik_secret_key: ENC[AES256_GCM,data:cl1U+PGeaQNu2OW3t4QzfWIyMtvkQdYk8Adb7EmLrSHceeHxfXgKwgxvp2Fn7C8RDpuCsztkxEz1D2vePO2xSpIo3Q==,iv:trlB7PJd4os21wOK+CyfymE+oopdksydS+z3VHBT1wU=,tag:BwQ2FygYOaX22YKOTgY0mw==,type:str] authentik_secret_key: ENC[AES256_GCM,data:cl1U+PGeaQNu2OW3t4QzfWIyMtvkQdYk8Adb7EmLrSHceeHxfXgKwgxvp2Fn7C8RDpuCsztkxEz1D2vePO2xSpIo3Q==,iv:trlB7PJd4os21wOK+CyfymE+oopdksydS+z3VHBT1wU=,tag:BwQ2FygYOaX22YKOTgY0mw==,type:str]
#ENC[AES256_GCM,data:3AF1/xf9DULcTEhTfxSr9ls8U0cr0ToG88783V10OAmsOclhq5h3ncFoLM3GZXY=,iv:Ji7447QFwRn0MKoXakAoe7ZDeJrT0fYAVHwYBWr/hjQ=,tag:+CQyj9pZxzKualOV/hlrkg==,type:comment] #ENC[AES256_GCM,data:3AF1/xf9DULcTEhTfxSr9ls8U0cr0ToG88783V10OAmsOclhq5h3ncFoLM3GZXY=,iv:Ji7447QFwRn0MKoXakAoe7ZDeJrT0fYAVHwYBWr/hjQ=,tag:+CQyj9pZxzKualOV/hlrkg==,type:comment]
authentik_bootstrap_password: ENC[AES256_GCM,data:K0nR2CCA+mZLwt1eKY3NU0iB3aXRbze+aX089cmAfTXunBsRZgXWirC3Pg==,iv:Ki4G/iMoL8rqIR/E5YWWNa60TEFEJlpmjfSO17ccjms=,tag:c91a6Dlu2cDeAbtH0VMynw==,type:str] authentik_bootstrap_password: ENC[AES256_GCM,data:K0nR2CCA+mZLwt1eKY3NU0iB3aXRbze+aX089cmAfTXunBsRZgXWirC3Pg==,iv:Ki4G/iMoL8rqIR/E5YWWNa60TEFEJlpmjfSO17ccjms=,tag:c91a6Dlu2cDeAbtH0VMynw==,type:str]
authentik_bootstrap_token: ENC[AES256_GCM,data:/4lmrHtopWceNuXRf5MADsh7QHxw/8p8Kd4hSsQLSimHBQpfio1hMycfMX/Zeq4Y/0I2RW/Zd+bt,iv:DDE3XbnqiGIeREGdjV3aRm/t0TzGwJuJSHeR0fO36QI=,tag:Ir6VTQ3eOCuRymxyE/cf3Q==,type:str] authentik_bootstrap_token: ENC[AES256_GCM,data:wzToXlHEEo4hqbTpYaj8VcjIzl9JIBYelb6csfSXB3gsecyOOriUsvpBua2By0l6c2DMpUVipRR1fEo6CZLc,iv:3U7eseITVM6LTzlc7tEPV44qYTdiLbKpOcDR+S0y9ME=,tag:UFxakIe4ZhgJy8K8caF16A==,type:str]
authentik_bootstrap_email: ENC[AES256_GCM,data:3H2b7nl+i5AnXVSWCWkpzfCe7lk8ow==,iv:KlpRA6aP1/sSG5PSs8Q3aRshn1ZgHQwW4AtTYwCgd+0=,tag:SpD7K4Xme/QUTxLEL7Xi3A==,type:str] authentik_bootstrap_email: ENC[AES256_GCM,data:3H2b7nl+i5AnXVSWCWkpzfCe7lk8ow==,iv:KlpRA6aP1/sSG5PSs8Q3aRshn1ZgHQwW4AtTYwCgd+0=,tag:SpD7K4Xme/QUTxLEL7Xi3A==,type:str]
#ENC[AES256_GCM,data:ZXsSQkRtXNF5DMUPAAaLBWkAgh/hJMUX,iv:+r+WtRYebnFEkw3qmIkXRPUUYSep53qzgy2FvpGhSfw=,tag:S+w04XduCSLRntLJiEDFUQ==,type:comment] #ENC[AES256_GCM,data:ZXsSQkRtXNF5DMUPAAaLBWkAgh/hJMUX,iv:+r+WtRYebnFEkw3qmIkXRPUUYSep53qzgy2FvpGhSfw=,tag:S+w04XduCSLRntLJiEDFUQ==,type:comment]
nextcloud_domain: ENC[AES256_GCM,data:i0hWB89Lxjn+s9NOrFsYZr/zsQ2/BzZKIk0=,iv:AU1LLm04+4Ekjm9Q3Gqe3MpqdIdGAGK7EaClJMO2bz0=,tag:8AEN6jdruVUzFEZe0sVBrg==,type:str] nextcloud_domain: ENC[AES256_GCM,data:i0hWB89Lxjn+s9NOrFsYZr/zsQ2/BzZKIk0=,iv:AU1LLm04+4Ekjm9Q3Gqe3MpqdIdGAGK7EaClJMO2bz0=,tag:8AEN6jdruVUzFEZe0sVBrg==,type:str]
@ -32,7 +32,7 @@ sops:
NnN0SE4rZ0lFWUlaNjBIc293UzlxakkKYOxxyTtwEEo3j6iMGeHyArYSquT+2ieB NnN0SE4rZ0lFWUlaNjBIc293UzlxakkKYOxxyTtwEEo3j6iMGeHyArYSquT+2ieB
cPA1QayU4OBucKo34WuZTh41TxIg2hr1GG3Ews5QDEiTJlAQuAzldw== cPA1QayU4OBucKo34WuZTh41TxIg2hr1GG3Ews5QDEiTJlAQuAzldw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-08T09:40:07Z" lastmodified: "2026-01-09T07:31:15Z"
mac: ENC[AES256_GCM,data:E4FjdHpimloNy3THoUNNlAstaZlb6287PUaV1HTGTXEoFz+6JYRkfR2V3KpTcinHhs8siQoiLMWCL+pl0wEDrs64TgIb730yy12qMmopYJ9LsRWtXLE5x5DN346bggGhUcdAI2Uvb+32UypvY5szOh9hPQRhTMn3uz80er7Ye8Y=,iv:H/t8M+CDW7w3uoG0PM/QYmzDSA7Xu0Mg6K1DnBXGJJ8=,tag:hWuClsYVH+FWcTqZou+fsQ==,type:str] mac: ENC[AES256_GCM,data:MSnPPzLLCZIIK/RmhlpMaNGEeZCHVzY2PK4A4PhC4nXuw9AwGjYDrHn3FQ9aJywi7NlXxLqFWo9nSnFswNlIUpea/3MTsa5LNimX6a22c9YRut+yImwrBU3abcgzxVJsHk7DUGIA1TY/AElC5ZLNROrw/X+sVf5L2pq7P2/oous=,iv:cOxocMqLgzzzT89RdfJdfvOfZ3Ph4tWbE6bV21WZgZI=,tag:zrthLaXOrdx3IU4I5G+zBQ==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0