# Config And Secrets

This document describes the current config layout and the intended secret-handling boundary for the Debian deployment.

## Current Config Files In Repo

Main runtime config examples live under:

- `share/conf/db.txt`
- `share/conf/game.txt`

These files are part of the runtime tree and are required by the legacy server layout.

## Important Security Boundary

The repository currently contains literal config values for legacy compatibility. They must be treated as bootstrap/default values, not as a safe long-term secret store.

Practical rule:

- do not treat git-tracked config files as the final production secret source of truth

## What Should Not Live In Git

Do not commit:

- production DB passwords
- real admin page passwords
- host-specific private tokens
- private SSH material
- per-environment override files with live secrets

## Current Operational Model

For the current Debian VPS:

- root-only operational wrappers may inject short-lived values locally
- headless login healthcheck uses a temporary password via environment, not a command-line literal
- the installed wrapper is root-only and not network-facing

## Admin Page Password

The source repository now supports hardening for the admin page password. The long-term goal should be:

- no implicit production default
- host-local secret injection
- explicit runtime validation

## Recommended Direction

The Debian deployment should eventually move to a clearer contract such as:

- git-tracked template/default files
- host-local env file or secret file owned by root
- documented override points

Until that is done, keep all real secret rotation and secret overrides on the host, not in commits.
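
One way a root-only wrapper could enforce the admin page password goals and the root-owned secret file contract described above, as an added example that is not code from this repository. The function names, the `ADMIN_PAGE_PASSWORD` variable, the 16-character minimum and the placeholder patterns are assumptions.

```shell
#!/bin/sh
# Added example, not part of the repository. All names are hypothetical.

# check_secret_file FILE [UID]: require a regular, non-symlink file owned by
# UID (default 0 = root) with mode 600 or 400, so no group/other access.
check_secret_file() {
    f=$1
    want_uid=${2:-0}
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "secret file missing or not a regular file: $f" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    if [ "$owner" != "$want_uid" ]; then
        echo "secret file $f owned by uid $owner, expected $want_uid" >&2
        return 1
    fi
    case $mode in
        600|400) ;;
        *) echo "secret file $f has mode $mode, expected 600 or 400" >&2
           return 1 ;;
    esac
}

# validate_admin_password VALUE: explicit runtime validation with no fallback.
# The 16-character minimum and placeholder patterns are assumed policy.
validate_admin_password() {
    pw=$1
    if [ "${#pw}" -lt 16 ]; then
        echo "admin password unset or shorter than 16 characters" >&2
        return 1
    fi
    case $pw in
        *changeme*|*CHANGE_ME*|*example*)
            echo "admin password looks like a template placeholder" >&2
            return 1 ;;
    esac
}

# load_admin_password FILE [UID]: export the value for the child process via
# the environment (never argv). The variable stays unset on any failure.
load_admin_password() {
    unset ADMIN_PAGE_PASSWORD
    check_secret_file "$1" "${2:-0}" || return 1
    value=$(cat "$1") || return 1   # $(...) strips the trailing newline
    validate_admin_password "$value" || return 1
    ADMIN_PAGE_PASSWORD=$value
    export ADMIN_PAGE_PASSWORD
}
```

A wrapper would call `load_admin_password` with the host-local file path and abort startup on a non-zero return, so a missing or template value never reaches the running server.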