Samir Boulahtit
e44f5c0458
All checks were successful
Yesterday's deploy debug surfaced a SendGrid API key pasted into the
tracked monitoring/alertmanager/alertmanager.yml on prod, with the
in-repo file literally captioning the field "TODO: Paste your SG.xxx
API key here" — actively encouraging the anti-pattern. Forensic
follow-up (bash history lines 290-357) confirmed it was a user-driven
nano edit that was never committed, just left as a long-running local
mod. Three problems collapsed into this finding:
1. Real SMTP credential lived in a tracked git file on prod.
2. The SendGrid → mail1.myservices.hosting SMTP migration never
touched alertmanager — it still pointed at smtp.sendgrid.net.
3. The alertmanager container has been Up 13 days with the
pre-paste empty smtp_auth_password loaded from disk, so prod's
email alerting has been silently failing.
Resolution shipped here:
- `git rm --cached monitoring/alertmanager/alertmanager.yml` so the
prod-edited file on each host stops being a tracked file and the
credential can't accidentally reach git again.
- Add `monitoring/alertmanager/alertmanager.yml` to .gitignore.
- Ship `monitoring/alertmanager/alertmanager.yml.example` as the
template — pre-filled with the post-migration non-secret routing
(`mail1.myservices.hosting:587`, `support@wizard.lu` auth,
`alerts@wizard.lu` From for inbox clarity), only `smtp_auth_password`
left as `CHANGEME`. Includes inline guidance for the From-vs-auth
rule that some SMTP relays enforce.
Per-host steps (Hetzner): backup the prod-edited file → revert local
change → pull → copy the template over the old file → fill in the
password → SIGHUP alertmanager. Doc reference will follow in the next
commit (Hetzner deploy doc still needs an "alertmanager.yml lives
outside git" footnote).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
199 lines
2.4 KiB
Plaintext
199 lines
2.4 KiB
Plaintext
# Byte-compiled / optimized / DLL files
|
|
__pycache__/
|
|
*.py[cod]
|
|
*$py.class
|
|
|
|
# C extensions
|
|
*.so
|
|
|
|
# Distribution / packaging
|
|
.Python
|
|
build/
|
|
develop-eggs/
|
|
dist/
|
|
downloads/
|
|
eggs/
|
|
.eggs/
|
|
/lib/
|
|
/lib64/
|
|
parts/
|
|
sdist/
|
|
var/
|
|
*.egg-info/
|
|
.installed.cfg
|
|
*.egg
|
|
MANIFEST
|
|
|
|
# PyInstaller
|
|
*.manifest
|
|
*.spec
|
|
|
|
# Installer logs
|
|
pip-log.txt
|
|
pip-delete-this-directory.txt
|
|
|
|
# Unit test / coverage reports
|
|
htmlcov/
|
|
.tox/
|
|
.nox/
|
|
.coverage
|
|
.coverage.*
|
|
**/.coverage
|
|
**/.coverage.*
|
|
.cache
|
|
nosetests.xml
|
|
coverage.xml
|
|
*.cover
|
|
*.py,cover
|
|
.hypothesis/
|
|
.pytest_cache/
|
|
test-results/
|
|
test-reports/
|
|
|
|
# MkDocs documentation
|
|
site/
|
|
docs/_build/
|
|
|
|
# PyCharm / IntelliJ IDEA
|
|
.idea/
|
|
*.iml
|
|
*.iws
|
|
*.ipr
|
|
|
|
# VS Code
|
|
.vscode/
|
|
*.code-workspace
|
|
|
|
# Jupyter Notebook
|
|
.ipynb_checkpoints
|
|
*.ipynb_checkpoints/
|
|
|
|
# pyenv
|
|
.python-version
|
|
|
|
# mypy
|
|
.mypy_cache/
|
|
.dmypy.json
|
|
dmypy.json
|
|
|
|
# Pyre type checker
|
|
.pyre/
|
|
|
|
# pytype
|
|
.pytype/
|
|
|
|
# Cython debug symbols
|
|
cython_debug/
|
|
|
|
# Environment variables
|
|
.env
|
|
.env.*
|
|
!.env.example
|
|
|
|
# Virtual environments
|
|
venv/
|
|
ENV/
|
|
env/
|
|
.venv/
|
|
env.bak/
|
|
venv.bak/
|
|
|
|
# macOS
|
|
.DS_Store
|
|
.AppleDouble
|
|
.LSOverride
|
|
|
|
# Windows
|
|
Thumbs.db
|
|
ehthumbs.db
|
|
Desktop.ini
|
|
$RECYCLE.BIN/
|
|
|
|
# Database files
|
|
*.sqlite
|
|
*.sqlite3
|
|
*.db
|
|
*.db-shm
|
|
*.db-wal
|
|
*.db-journal
|
|
*.sql
|
|
|
|
# Log files
|
|
*.log
|
|
logs/
|
|
|
|
# Temporary documentation/structure files
|
|
*-structure.txt
|
|
temp-*.txt
|
|
*.tmp
|
|
*.temp
|
|
TODO
|
|
|
|
# Backup files
|
|
*.bak
|
|
*.swp
|
|
*.swo
|
|
*~
|
|
.backup/
|
|
*.orig
|
|
|
|
# Static file collections
|
|
staticfiles/
|
|
static_root/
|
|
media/
|
|
media_root/
|
|
|
|
# Celery
|
|
celerybeat-schedule
|
|
celerybeat-schedule-shm
|
|
celerybeat-schedule-wal
|
|
celerybeat.pid
|
|
|
|
# User uploads (served via /uploads)
|
|
uploads/
|
|
|
|
# FastAPI specific
|
|
__pypackages__/
|
|
|
|
# Docker
|
|
.dockerignore.local
|
|
|
|
# Deployment & Security
|
|
.build-info
|
|
deployment-local/
|
|
*.pem
|
|
*.key
|
|
!*.pub
|
|
secrets/
|
|
credentials/
|
|
|
|
# Google Cloud service account keys
|
|
*-service-account.json
|
|
google-wallet-sa.json
|
|
orion-*.json
|
|
|
|
# Alembic
|
|
# Note: Keep alembic/versions/ tracked for migrations
|
|
# alembic/versions/*.pyc is already covered by __pycache__
|
|
.aider*
|
|
|
|
# Node.js / npm
|
|
node_modules/
|
|
npm-debug.log*
|
|
yarn-debug.log*
|
|
yarn-error.log*
|
|
package-lock.json
|
|
tailadmin-free-tailwind-dashboard-template/
|
|
static/shared/css/tailwind.css
|
|
|
|
# Export files
|
|
orion_letzshop_export_*.csv
|
|
exports/
|
|
|
|
# Security audit (needs revamping)
|
|
scripts/security-audit/
|
|
|
|
# Alertmanager config is per-host (contains SMTP credentials) — ship
|
|
# alertmanager.yml.example as the template, real file lives outside git.
|
|
monitoring/alertmanager/alertmanager.yml
|