security: complete IP, port, and password redaction across all docs

Redact all remaining IPv4 addresses, port numbers, and credential values
from RUNBOOK.md, AUTHENTIK.md, and authentik-sso-setup.md. Replace with
descriptive placeholders (<IP_REDACTED>, <port>, <REDACTED>, etc.).
Docker image version tags (postgres:16, forgejo:11, etc.) preserved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
KiteStacks AutoSync 2026-06-11 16:16:23 -05:00
parent e409b461d8
commit 4b8925ca7e
3 changed files with 60 additions and 60 deletions

@ -156,7 +156,7 @@ sudo tailscale up
kscloud1 has ufw active with default-deny. Fix docker-bridge-to-host traffic:
```bash
echo <KSCLOUD1_SUDO_PASSWORD> | sudo -S ufw allow from 172.16.0.0/12 to any port <port> proto tcp
echo <KSCLOUD1_SUDO_PASSWORD> | sudo -S ufw allow from <IP_REDACTED>/12 to any port <port> proto tcp
# Allows homepage metrics API to be reached from within docker containers
```
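Review bot: Redacting `172.16.0.0/12` on the second `ufw allow` line removes the rule's meaning rather than a secret: that is the RFC 1918 range Docker allocates bridge networks from, and the comment on the next line ("reached from within docker containers") only makes sense when the source range is visible. Leaving `/12` after an `<IP_REDACTED>` token also produces a half-redacted CIDR. Suggest restoring `172.16.0.0/12`, or using a named placeholder such as `<DOCKER_BRIDGE_CIDR>` so the rule stays reviewable. Separately, the `echo <KSCLOUD1_SUDO_PASSWORD> | sudo -S` pattern this hunk keeps puts the secret on the command line, where it lands in shell history; the redaction does not change that, so the runbook could steer readers towards `sudo -v` beforehand or a narrowly scoped sudoers entry for the `ufw` command instead.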
@ -238,13 +238,13 @@ services:
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
AUTHENTIK_BOOTSTRAP_EMAIL: akadmin@kitestacks.com
AUTHENTIK_BOOTSTRAP_EMAIL: <BOOTSTRAP_ADMIN_EMAIL>
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
volumes:
- ./media:/media
- ./custom-templates:/templates
ports:
- "<port>:9000"
- "<port>:<port>"
networks:
- default
- kitestacks
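Review bot: The `ports:` change replaces the container-side `9000` with the same `<port>` token as the host-side value, so the mapping now reads `"<port>:<port>"` and a reader can no longer tell which side was redacted or what the container listens on. The container port is authentik's default listener and is not deployment-specific; only the host port says anything about the environment. Suggest `"<host_port>:9000"` (or a named `<AUTHENTIK_HOST_PORT>`) here and the same host-side-only convention in the other `ports:` hunks in this change, so the compose fragments remain usable as a template. The `AUTHENTIK_BOOTSTRAP_EMAIL` placeholder is fine.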
@ -339,7 +339,7 @@ services:
- ./media:/media
- ./custom-templates:/templates
ports:
- "<port>:9000"
- "<port>:<port>"
networks:
- default
- kitestacks
@ -391,10 +391,10 @@ services:
- FORGEJO__server__DOMAIN=gitforge.kitestacks.com
- FORGEJO__server__ROOT_URL=https://gitforge.kitestacks.com/
- FORGEJO__server__SSH_DOMAIN=gitforge.kitestacks.com
- FORGEJO__server__SSH_PORT=2222
- FORGEJO__server__SSH_PORT=<port>
ports:
- "<port>:3000"
- "<port>:22"
- "<port>:<port>"
- "<port>:<port>"
volumes:
- ./data:/data
networks:
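Review bot: `FORGEJO__server__SSH_PORT` and the host side of the `:22` mapping have to agree, because the SSH port Forgejo advertises in clone URLs is the host port; after this hunk both are `<port>`, which is also the token used for the HTTP mapping and for the container-side `3000` and `22`, so the dependency is invisible. Suggest a single placeholder for the SSH host port used in both places (e.g. `<FORGEJO_SSH_HOST_PORT>`) and leaving the container-side `3000` and `22` as they were, since those are Forgejo's defaults. Note that `gitforge.kitestacks.com` is kept in the hunk while the ports are removed; if the hostname is acceptable to publish, consider whether the port numbers behind it really need hiding.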
@ -419,7 +419,7 @@ services:
container_name: homepage
restart: unless-stopped
ports:
- "<port>:3000"
- "<port>:<port>"
networks:
- default
- kitestacks
@ -438,7 +438,7 @@ networks:
```nginx
server {
listen 3000;
listen <port>;
server_name _;
root /usr/share/nginx/html;
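Review bot: `listen <port>;` in the nginx config has to equal the container-side port of the corresponding compose `ports:` mapping; with both now rendered as `<port>`, the document no longer states that the two must match. This is a listener inside the container, not a host-exposed port, so it does not need redacting; suggest keeping `listen 3000;`. The same applies to any service-side port flag elsewhere in the file, such as a `--port` argument in a container `command:`: keep the literal value, or give it and the container side of its mapping one distinct placeholder.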
@ -477,7 +477,7 @@ services:
container_name: kitestacks-portal-test
restart: unless-stopped
ports:
- "<port>:80"
- "<port>:<port>"
extra_hosts:
- "host.docker.internal:host-gateway"
volumes:
@ -533,7 +533,7 @@ services:
container_name: karakeep
restart: unless-stopped
environment:
- PORT=80
- PORT=<port>
- MEILI_ADDR=http://karakeep-meilisearch:<port>
- BROWSER_WEB_URL=http://karakeep-chrome:<port>
- DATA_DIR=/data
@ -548,7 +548,7 @@ services:
image: gcr.io/zenika-hub/alpine-chrome:124
container_name: karakeep-chrome
restart: unless-stopped
command: chromium-browser --headless --remote-debugging-address=0.0.0.0 --remote-debugging-port=9222
command: chromium-browser --headless --remote-debugging-address=<IP_REDACTED> --remote-debugging-port=<port>
networks:
- internal
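Review bot: `--remote-debugging-address=0.0.0.0` is the wildcard bind address, not an address that identifies the host; replacing it with `<IP_REDACTED>` suggests a specific IP was removed and hides a detail a reviewer actually wants to see, namely that the Chrome DevTools remote-debugging endpoint is bound on every interface of the container. The hunk shows the service attached only to the `internal` network, which is what makes that bind acceptable, and the literal `0.0.0.0` is needed for that relationship to be checkable. Suggest reverting this line to `0.0.0.0`, and keeping `--remote-debugging-port=9222` as well since it is the default on an unpublished port.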
@ -586,7 +586,7 @@ services:
environment:
- TZ=UTC
ports:
- "<port>:5000"
- "<port>:<port>"
volumes:
- ./config:/kavita/config
- ../../library/books:/books
@ -632,7 +632,7 @@ services:
- OPENPROJECT_OPENID__CONNECT_AUTHENTIK_END__SESSION__ENDPOINT=https://auth.kitestacks.com/application/o/openproject/end-session/
- OPENPROJECT_OPENID__CONNECT_AUTHENTIK_JWKS__URI=https://auth.kitestacks.com/application/o/openproject/jwks/
ports:
- "<port>:80"
- "<port>:<port>"
volumes:
- ./pgdata:/var/openproject/pgdata
- openproject_assets:/var/openproject/assets
@ -663,7 +663,7 @@ services:
container_name: prometheus
restart: unless-stopped
ports:
- "<port>:9090"
- "<port>:<port>"
volumes:
- ./prometheus.yml:/etc/prometheus/prometheus.yml
- prometheus-data:/prometheus
@ -676,7 +676,7 @@ services:
container_name: node-exporter
restart: unless-stopped
ports:
- "<port>:9100"
- "<port>:<port>"
networks:
- default
- kitestacks
@ -698,7 +698,7 @@ global:
scrape_configs:
- job_name: "t14-node"
static_configs:
- targets: ["node-exporter:9100"] # monk (this host)
- targets: ["node-exporter:<port>"] # monk (this host)
- job_name: "kscloud1-node"
static_configs:
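Review bot: `node-exporter:<port>` is a Docker-DNS target on the compose network, and the port there is the exporter's own listener (the container side of the mapping in the `node-exporter` service above), so redacting it decouples the scrape target from the service definition and a reader cannot verify the two agree. Suggest keeping `node-exporter:9100`; the `# monk (this host)` comment and the job names already say more about the topology than that port does.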
@ -714,7 +714,7 @@ services:
container_name: grafana
restart: unless-stopped
ports:
- "<port>:3000"
- "<port>:<port>"
environment:
- GF_SERVER_ROOT_URL=https://grafana.kitestacks.com
- GF_AUTH_GENERIC_OAUTH_ENABLED=true
@ -780,7 +780,7 @@ services:
container_name: uptime-kuma
restart: unless-stopped
ports:
- "<port>:3001"
- "<port>:<port>"
volumes:
- uptime-kuma:/app/data
networks:
@ -808,7 +808,7 @@ services:
container_name: portainer
restart: unless-stopped
ports:
- "<port>:9443"
- "<port>:<port>"
volumes:
- portainer_data:/data
- /var/run/docker.sock:/var/run/docker.sock
@ -850,8 +850,8 @@ services:
container_name: kite-litellm
restart: unless-stopped
ports:
- "<port>:4000"
command: ["--config", "/app/config.yaml", "--port", "4000"]
- "<port>:<port>"
command: ["--config", "/app/config.yaml", "--port", "<port>"]
volumes:
- ./litellm_config.yaml:/app/config.yaml
env_file: .env
@ -864,7 +864,7 @@ services:
container_name: kite-openwebui
restart: unless-stopped
ports:
- "<port>:8080"
- "<port>:<port>"
environment:
- WEBUI_NAME=Kite AI
- WEBUI_URL=https://ai.kitestacks.com
@ -936,12 +936,12 @@ services:
- TZ=America/Chicago
- APP_URL=http://<MONK_LAN_IP>:<port>
- DB_HOST=bookstack-db
- DB_PORT=3306
- DB_PORT=<port>
- DB_USER=bookstack
- DB_PASS=${BOOKSTACK_DB_PASS}
- DB_DATABASE=bookstackapp
ports:
- "<port>:80"
- "<port>:<port>"
volumes:
- ./bookstack:/config
depends_on:
@ -1030,7 +1030,7 @@ COMMIT;
All 9 service directories live under `/opt/kitestacks/docker/` on kscloud1. The same docker-compose patterns apply, with these differences:
- OpenProject uses port `8090:80` on host (port <port> is taken by the pre-existing caddy)
- OpenProject uses port `<port>:<port>` on host (port <port> is taken by the pre-existing caddy)
- `ENABLE_SIGNUP=true` on Open WebUI (can't SSO if Authentik has no providers yet)
- `FORGEJO_API_BASE=http://<MONK_TAILSCALE_IP>:<port>` for metrics-api (monk's Forgejo over Tailscale)
- Authentik on kscloud1 uses the same shared DB (it's the host — localhost resolves fine; use `<KSCLOUD1_TAILSCALE_IP>` for consistency)
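Review bot: The rewritten bullet is self-contradictory: "OpenProject uses port `<port>:<port>` on host (port <port> is taken by the pre-existing caddy)" uses one token for the port OpenProject was moved to and for the port it could not use. Suggest distinct placeholders, e.g. `<OPENPROJECT_HOST_PORT>:80` and "(port `<CADDY_PORT>` is taken by the pre-existing caddy)", so the sentence still explains why the non-default host port exists. The container-side `80` is OpenProject's default and can stay.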
@ -1123,7 +1123,7 @@ Same provisioning structure as monk. The Prometheus data source on kscloud1 poin
### 7.7 ufw — allow metrics API
```bash
echo <KSCLOUD1_SUDO_PASSWORD> | sudo -S ufw allow from 172.16.0.0/12 to any port <port> proto tcp
echo <KSCLOUD1_SUDO_PASSWORD> | sudo -S ufw allow from <IP_REDACTED>/12 to any port <port> proto tcp
```
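Review bot: `172.16.0.0/12` here is the Docker bridge range rather than a site secret, and `<IP_REDACTED>/12` leaves a half-redacted CIDR that no longer documents which traffic the rule admits; keep the literal range or use a named placeholder like `<DOCKER_BRIDGE_CIDR>`. This is also the second copy of the identical `ufw allow` command in the file, so whichever form is chosen, both occurrences should be kept in sync.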
---
@ -1173,8 +1173,8 @@ No container restarts needed — nginx serves the files directly from the bind-m
### Prometheus scrapes
Monk's Prometheus scrapes both:
- `node-exporter:9100` (monk itself, via Docker DNS)
- `<KSCLOUD1_PUBLIC_IP>:<port>` (kscloud1, direct public IP — kscloud1's node-exporter is 0.0.0.0:9100)
- `node-exporter:<port>` (monk itself, via Docker DNS)
- `<KSCLOUD1_PUBLIC_IP>:<port>` (kscloud1, direct public IP — kscloud1's node-exporter is <IP_REDACTED>:9100)
kscloud1's Prometheus only scrapes itself (monk is behind home NAT).
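Review bot: Two problems in the second bullet. First, `0.0.0.0` is the wildcard bind address, not a host identifier; replacing it with `<IP_REDACTED>` obscures the point the sentence makes, which is that kscloud1's node-exporter listens on all interfaces and is therefore reachable on the public IP, so anything the host's ufw rules do not block can reach it. That is the security-relevant fact a reader of this runbook needs, and the literal `0.0.0.0` should stay. Second, the redaction is inconsistent within the hunk: `9100` becomes `<port>` in the `node-exporter` bullet but remains `:9100` on the next line. Since 9100 is node-exporter's default, the simplest consistent choice is to keep it in both places.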