260209:1642 Update Infrastructure 3

2026-02-09 16:42:27 +07:00
parent fe0f8aade7
commit d5e37d986f
10 changed files with 926 additions and 254 deletions
--- a/specs/08-infrastructure/08_secrets_management.md
+++ b/specs/08-infrastructure/08_secrets_management.md
@@ -0,0 +1,201 @@
+# Secrets Management สำหรับ LCBP3-DMS
+
+> 📍 **Version:** v1.8.0
+> ⚠️ **Security Level:** CONFIDENTIAL
+
+---
+
+## Overview
+
+เอกสารนี้อธิบายวิธีการจัดการ Secrets และ Sensitive Data สำหรับ LCBP3-DMS
+
+---
+
+## 1. Secret Categories
+
+| Category             | Examples                       | Storage Location         |
+| :------------------- | :----------------------------- | :----------------------- |
+| Database Credentials | `MYSQL_ROOT_PASSWORD`          | `.env` file (gitignored) |
+| API Keys             | `JWT_SECRET`, `REDIS_PASSWORD` | `.env` file (gitignored) |
+| SSL Certificates     | Let's Encrypt certs            | NPM volume               |
+| SSH Keys             | Backup access keys             | ASUSTOR secure storage   |
+
+---
+
+## 2. Environment File Structure
+
+### 2.1 Main Environment File
+
+```bash
+# File: /share/np-dms/.env (QNAP)
+# ⚠️ This file MUST be in .gitignore
+
+# === Database ===
+MYSQL_ROOT_PASSWORD=<strong-password>
+MYSQL_DATABASE=lcbp3_db
+MYSQL_USER=lcbp3_user
+MYSQL_PASSWORD=<strong-password>
+
+# === Redis ===
+REDIS_PASSWORD=<strong-password>
+
+# === Application ===
+JWT_SECRET=<random-256-bit-string>
+SESSION_SECRET=<random-256-bit-string>
+
+# === Monitoring ===
+GRAFANA_PASSWORD=<admin-password>
+
+# === External Services ===
+LINE_CHANNEL_SECRET=<line-secret>
+LINE_CHANNEL_ACCESS_TOKEN=<line-token>
+SMTP_PASSWORD=<email-password>
+```
+
+### 2.2 Docker Compose Override (Optional)
+
+```yaml
+# File: /share/np-dms/docker-compose.override.yml
+# For additional local development secrets
+
+services:
+  backend:
+    environment:
+      - DEBUG_MODE=true
+      - LOG_LEVEL=debug
+```
+
+---
+
+## 3. Secret Generation
+
+### 3.1 Generate Strong Passwords
+
+```bash
+# Generate random 32-character password
+openssl rand -base64 32
+
+# Generate random hex string (for JWT)
+openssl rand -hex 64
+```
+
+### 3.2 Recommended Password Policy
+
+| Type       | Length | Characters             | Example Tool              |
+| :--------- | :----- | :--------------------- | :------------------------ |
+| Database   | 24+    | Alphanumeric + symbols | `openssl rand -base64 32` |
+| JWT Secret | 64+    | Hex                    | `openssl rand -hex 64`    |
+| API Keys   | 32+    | Alphanumeric           | `openssl rand -base64 32` |
+
+---
+
+## 4. Secret Rotation
+
+### 4.1 Rotation Schedule
+
+| Secret Type       | Rotation Period      | Impact on Services     |
+| :---------------- | :------------------- | :--------------------- |
+| JWT Secret        | 90 days              | Users need to re-login |
+| Database Password | 180 days             | Requires restart       |
+| Redis Password    | 180 days             | Requires restart       |
+| SSL Certificates  | Auto (Let's Encrypt) | None                   |
+
+### 4.2 Rotation Procedure
+
+```bash
+# 1. Update .env file with new secret
+nano /share/np-dms/.env
+
+# 2. Restart affected services
+docker-compose up -d --force-recreate backend
+
+# 3. Verify services are running
+docker ps
+curl https://backend.np-dms.work/health
+```
+
+---
+
+## 5. Access Control
+
+### 5.1 Who Has Access
+
+| Role         | .env Access | Server SSH | Backup Access |
+| :----------- | :---------- | :--------- | :------------ |
+| System Admin | ✅ Full      | ✅ Full     | ✅ Full        |
+| DevOps       | ✅ Read      | ✅ Limited  | ❌ None        |
+| Developer    | ❌ None      | ❌ None     | ❌ None        |
+
+### 5.2 Audit Logging
+
+```bash
+# View SSH login attempts
+tail -100 /var/log/auth.log
+
+# Monitor file access
+auditctl -w /share/np-dms/.env -p rwa -k secrets_access
+```
+
+---
+
+## 6. Emergency Procedures
+
+### 6.1 Secret Compromised
+
+1. **Immediately** rotate the compromised secret
+2. **Check** access logs for unauthorized access
+3. **Notify** security team
+4. **Document** incident
+
+### 6.2 Lost Access to Secrets
+
+1. Contact QNAP Admin for direct access
+2. Use backup `.env` from ASUSTOR (encrypted)
+3. If both unavailable, regenerate all secrets and reset passwords
+
+---
+
+## 7. Backup of Secrets
+
+```bash
+# Encrypted backup of .env (run on QNAP)
+gpg --symmetric --cipher-algo AES256 \
+  /share/np-dms/.env -o /tmp/env.gpg
+
+# Copy to ASUSTOR
+scp /tmp/env.gpg admin@192.168.10.9:/volume1/backup/secrets/
+
+# Clean up
+rm /tmp/env.gpg
+```
+
+### 7.1 Restore from Backup
+
+```bash
+# Copy from ASUSTOR
+scp admin@192.168.10.9:/volume1/backup/secrets/env.gpg /tmp/
+
+# Decrypt
+gpg --decrypt /tmp/env.gpg > /share/np-dms/.env
+
+# Clean up
+rm /tmp/env.gpg
+```
+
+---
+
+## 8. Checklist
+
+- [ ] `.env` file exists and is configured
+- [ ] `.env` is in `.gitignore`
+- [ ] All passwords are strong (24+ characters)
+- [ ] JWT secret is 64+ hex characters
+- [ ] Encrypted backup of secrets exists on ASUSTOR
+- [ ] Access control is properly configured
+- [ ] Rotation schedule is documented
+
+---
+
+> ⚠️ **Security Warning**: ห้ามเก็บ secrets ใน version control หรือ commit ไปยัง Git repository
+> 
+> 📝 **หมายเหตุ**: เอกสารนี้อ้างอิงจาก Architecture Document **v1.8.0**