sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
64c8a0ec2c5380d37a6cc8d9e5a24828ba28a1ee
orion/.gitignore
Samir Boulahtit e44f5c0458
All checks were successful
CI / ruff (push) Successful in 17s
Details
CI / pytest (push) Successful in 2h48m4s
Details
CI / validate (push) Successful in 36s
Details
CI / docs (push) Successful in 56s
Details
CI / deploy (push) Successful in 1m12s
Details
CI / dependency-scanning (push) Successful in 37s
Details
chore(alertmanager): untrack alertmanager.yml + ship .example template (post-SMTP migration) 
Yesterday's deploy debug surfaced a SendGrid API key pasted into the
tracked monitoring/alertmanager/alertmanager.yml on prod, with the
in-repo file literally captioning the field "TODO: Paste your SG.xxx
API key here" — actively encouraging the anti-pattern. Forensic
follow-up (bash history lines 290-357) confirmed it was a user-driven
nano edit that was never committed, just left as a long-running local
mod. Three problems collapsed into this finding:

  1. Real SMTP credential lived in a tracked git file on prod.
  2. The SendGrid → mail1.myservices.hosting SMTP migration never
     touched alertmanager — it still pointed at smtp.sendgrid.net.
  3. The alertmanager container has been Up 13 days with the
     pre-paste empty smtp_auth_password loaded from disk, so prod's
     email alerting has been silently failing.

Resolution shipped here:

- `git rm --cached monitoring/alertmanager/alertmanager.yml` so the
  prod-edited file on each host stops being a tracked file and the
  credential can't accidentally reach git again.
- Add `monitoring/alertmanager/alertmanager.yml` to .gitignore.
- Ship `monitoring/alertmanager/alertmanager.yml.example` as the
  template — pre-filled with the post-migration non-secret routing
  (`mail1.myservices.hosting:587`, `support@wizard.lu` auth,
  `alerts@wizard.lu` From for inbox clarity), only `smtp_auth_password`
  left as `CHANGEME`. Includes inline guidance for the From-vs-auth
  rule that some SMTP relays enforce.

Per-host steps (Hetzner): backup the prod-edited file → revert local
change → pull → copy the template over the old file → fill in the
password → SIGHUP alertmanager. Doc reference will follow in the next
commit (Hetzner deploy doc still needs an "alertmanager.yml lives
outside git" footnote).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 11:32:10 +02:00

199 lines
2.4 KiB
Plaintext
Raw Blame History

# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
/lib/
/lib64/
parts/
sdist/
var/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
**/.coverage
**/.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
test-results/
test-reports/
# MkDocs documentation
site/
docs/_build/
# PyCharm / IntelliJ IDEA
.idea/
*.iml
*.iws
*.ipr
# VS Code
.vscode/
*.code-workspace
# Jupyter Notebook
.ipynb_checkpoints
*.ipynb_checkpoints/
# pyenv
.python-version
# mypy
.mypy_cache/
.dmypy.json
dmypy.json
# Pyre type checker
.pyre/
# pytype
.pytype/
# Cython debug symbols
cython_debug/
# Environment variables
.env
.env.*
!.env.example
# Virtual environments
venv/
ENV/
env/
.venv/
env.bak/
venv.bak/
# macOS
.DS_Store
.AppleDouble
.LSOverride
# Windows
Thumbs.db
ehthumbs.db
Desktop.ini
$RECYCLE.BIN/
# Database files
*.sqlite
*.sqlite3
*.db
*.db-shm
*.db-wal
*.db-journal
*.sql
# Log files
*.log
logs/
# Temporary documentation/structure files
*-structure.txt
temp-*.txt
*.tmp
*.temp
TODO
# Backup files
*.bak
*.swp
*.swo
*~
.backup/
*.orig
# Static file collections
staticfiles/
static_root/
media/
media_root/
# Celery
celerybeat-schedule
celerybeat-schedule-shm
celerybeat-schedule-wal
celerybeat.pid
# User uploads (served via /uploads)
uploads/
# FastAPI specific
__pypackages__/
# Docker
.dockerignore.local
# Deployment & Security
.build-info
deployment-local/
*.pem
*.key
!*.pub
secrets/
credentials/
# Google Cloud service account keys
*-service-account.json
google-wallet-sa.json
orion-*.json
# Alembic
# Note: Keep alembic/versions/ tracked for migrations
# alembic/versions/*.pyc is already covered by __pycache__
.aider*
# Node.js / npm
node_modules/
npm-debug.log*
yarn-debug.log*
yarn-error.log*
package-lock.json
tailadmin-free-tailwind-dashboard-template/
static/shared/css/tailwind.css
# Export files
orion_letzshop_export_*.csv
exports/
# Security audit (needs revamping)
scripts/security-audit/
# Alertmanager config is per-host (contains SMTP credentials) — ship
# alertmanager.yml.example as the template, real file lives outside git.
monitoring/alertmanager/alertmanager.yml
Reference in New Issue View Git Blame Copy Permalink