From d3be9b50af3e77747775675193100e5cc5269a59 Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Fri, 17 Apr 2026 19:39:35 +0000 Subject: [PATCH] [frigate] Remove orphan config.yaml with leaked RTSP passwords MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Context A Frigate configuration file was added to modules/kubernetes/frigate/ in bcad200a (2026-04-15, ~2 days ago) as part of a bulk `chore: add untracked stacks, scripts, and agent configs` commit. The file contains 14 inline rtsp://admin:<password>@<host>:554/... URLs, leaking two distinct RTSP passwords for the cameras at 192.168.1.10 (LAN-only) and valchedrym.ddns.net (confirmed reachable from public internet on port 554). Both remotes are public, so the creds have been exposed for ~2 days. Grep across the repo confirms nothing references this config.yaml — the active stacks/frigate/main.tf stack reads its configuration from a persistent volume claim named `frigate-config-encrypted`, not from this file. The file is therefore an orphan from the bulk add, with no production function. ## This change - git rm modules/kubernetes/frigate/config.yaml ## What is NOT in this change - Camera password rotation. The user does not own the cameras; rotation must be coordinated out-of-band with the camera operators. The DDNS camera (valchedrym.ddns.net:554) is internet-reachable, so the leaked password is high-priority to rotate from the device side. - Git-history rewrite. The file plus its leaked strings remain in all commits from bcad200a forward. Scheduled to be purged via `git filter-repo --path modules/kubernetes/frigate/config.yaml --invert-paths --replace-text <expressions-file>` in the broader remediation pass. - Future Frigate config provisioning. If the stack is re-platformed to source config from Git rather than the PVC, the replacement should go through ExternalSecret + env-var interpolation, not an inline YAML. 
## Test plan ### Automated $ grep -rn 'frigate/config\.yaml' --include='*.tf' --include='*.hcl' \ --include='*.yaml' --include='*.yml' --include='*.sh' (no output — confirms orphan status) ### Manual Verification 1. `git show HEAD --stat` shows exactly one deletion: modules/kubernetes/frigate/config.yaml | 229 --------------------------------- 2. `test ! -e modules/kubernetes/frigate/config.yaml` returns true. 3. `kubectl -n frigate get pvc frigate-config-encrypted` still shows the PVC bound (unaffected by this change). Co-Authored-By: Claude Opus 4.7 (1M context)
---
modules/kubernetes/frigate/config.yaml | 229 -------------------------
1 file changed, 229 deletions(-)
delete mode 100644 modules/kubernetes/frigate/config.yaml
diff --git a/modules/kubernetes/frigate/config.yaml b/modules/kubernetes/frigate/config.yaml
deleted file mode 100644
index 277d6cbd..00000000
--- a/modules/kubernetes/frigate/config.yaml
+++ /dev/null
@@ -1,229 +0,0 @@
-mqtt:
- enabled: false
-birdseye:
- quality: 25
-detect:
- fps: 1
- enabled: true
-go2rtc:
- streams:
- vermont-1:
- - rtsp://admin:REDACTED_RTSP_PW@192.168.1.10:554/Streaming/Channels/101/3
-cameras:
- # # Temp disabled until valchedrym is back up
- valchedrym-cam-1:
- enabled: true
- ffmpeg:
- inputs:
- #- path: rtsp://admin:REDACTED_RTSP_PW@192.168.0.11:554/Streaming/Channels/101 # <----- The stream you want to use for detection
- - path: rtsp://admin:REDACTED_RTSP_PW@valchedrym.ddns.net:554/Streaming/Channels/101 # <----- The stream you want to use for detection
- detect:
- enabled: false # <---- disable detection until you have a working camera feed
- width: 704 # <---- update for your camera's resolution
- height: 576 # <---- update for your camera's resolution
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- objects:
- # Optional: list of objects to track from labelmap.txt (full list - https://docs.frigate.video/configuration/objects)
- track:
- - person
- - bicycle
- - car
- - bird
- - cat
- - dog
- - horse
- valchedrym-cam-2:
- enabled: true
- ffmpeg:
- inputs:
- #- path: rtsp://admin:REDACTED_RTSP_PW@192.168.0.11:554/Streaming/Channels/201 # <----- The stream you want to use for detection
- - path: rtsp://admin:REDACTED_RTSP_PW@valchedrym.ddns.net:554/Streaming/Channels/201 # <----- The stream you want to use for detection
- detect:
- enabled: false # <---- disable detection until you have a working camera feed
- width: 704 # <---- update for your camera's resolution
- height: 576 # <---- update for your camera's resolution
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- objects:
- # Optional: list of objects to track from labelmap.txt (full list - https://docs.frigate.video/configuration/objects)
- track:
- - person
- - bicycle
- - car
- - bird
- - cat
- - dog
- - horse
- vermont-1:
- enabled: true
- ffmpeg:
- inputs:
- - path: rtsp://admin:REDACTED_RTSP_PW@192.168.1.10:554/Streaming/Channels/101/3 # <----- The stream you want to use for detection
- roles:
- - record
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- detect:
- enabled: false
- vermont-2:
- enabled: true
- ffmpeg:
- inputs:
- - path: rtsp://admin:REDACTED_RTSP_PW@192.168.1.10:554/Streaming/Channels/201/1 # <----- The stream you want to use for detection
- detect:
- enabled: false # <---- disable detection until you have a working camera feed
- width: 704 # <---- update for your camera's resolution
- height: 576 # <---- update for your camera's resolution
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- vermont-3:
- enabled: true
- ffmpeg:
- inputs:
- - path: rtsp://admin:REDACTED_RTSP_PW@192.168.1.10:554/Streaming/Channels/301/1 # <----- The stream you want to use for detection
- detect:
- enabled: false # <---- disable detection until you have a working camera feed
- width: 704 # <---- update for your camera's resolution
- height: 576 # <---- update for your camera's resolution
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- vermont-4:
- enabled: true
- ffmpeg:
- inputs:
- - path: rtsp://admin:REDACTED_RTSP_PW@192.168.1.10:554/Streaming/Channels/401/1 # <----- The stream you want to use for detection
- detect:
- enabled: false # <---- disable detection until you have a working camera feed
- width: 704 # <---- update for your camera's resolution
- height: 576 # <---- update for your camera's resolution
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- vermont-5:
- enabled: true
- ffmpeg:
- inputs:
- - path: rtsp://admin:REDACTED_RTSP_PW@192.168.1.10:554/Streaming/Channels/501/1 # <----- The stream you want to use for detection
- detect:
- enabled: false # <---- disable detection until you have a working camera feed
- width: 704 # <---- update for your camera's resolution
- height: 576 # <---- update for your camera's resolution
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- vermont-6:
- enabled: true
- ffmpeg:
- inputs:
- - path: rtsp://admin:REDACTED_RTSP_PW@192.168.1.10:554/Streaming/Channels/601/1 # <----- The stream you want to use for detection
- detect:
- enabled: false # <---- disable detection until you have a working camera feed
- width: 704 # <---- update for your camera's resolution
- height: 576 # <---- update for your camera's resolution
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- vermont-7:
- enabled: true
- ffmpeg:
- inputs:
- - path: rtsp://admin:REDACTED_RTSP_PW@192.168.1.10:554/Streaming/Channels/701/1 # <----- The stream you want to use for detection
- detect:
- enabled: false # <---- disable detection until you have a working camera feed
- width: 704 # <---- update for your camera's resolution
- height: 576 # <---- update for your camera's resolution
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- vermont-8:
- enabled: true
- ffmpeg:
- inputs:
- - path: rtsp://admin:REDACTED_RTSP_PW@192.168.1.10:554/Streaming/Channels/801/1 # <----- The stream you want to use for detection
- detect:
- enabled: false # <---- disable detection until you have a working camera feed
- width: 704 # <---- update for your camera's resolution
- height: 576 # <---- update for your camera's resolution
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- vermont-9:
- enabled: true
- ffmpeg:
- inputs:
- - path: rtsp://admin:REDACTED_RTSP_PW@192.168.1.10:554/Streaming/Channels/901/1 # <----- The stream you want to use for detection
- detect:
- enabled: false # <---- disable detection until you have a working camera feed
- width: 704 # <---- update for your camera's resolution
- height: 576 # <---- update for your camera's resolution
- rtmp:
- enabled: false
- record:
- enabled: false
- snapshots:
- enabled: false
- # london-ipcam:
- # enabled: false
- # ffmpeg:
- # inputs:
- # - path: rtsp://192.168.2.2:8554/london_cam # <----- The stream you want to use for detection
- # roles:
- # - rtmp
- # - record
- # - detect
- # detect:
- # enabled: False
- # width: 1280
- # height: 720
- # record:
- # enabled: False # Not needed for this camera but keeping for reference
- # events:
- # retain:
- # default: 10
- # objects:
- # # Optional: list of objects to track from labelmap.txt (full list - https://docs.frigate.video/configuration/objects)
- # track:
- # - person
- # - shoe
- # - handbag
- # - wine glass
- # - knife
- # - pizza
- # - laptop
- # - book