secrets: migrate exposed plaintext secrets to git-crypt
Move all hardcoded credentials out of tracked compose/env files into the
git-crypt-encrypted secrets/ directory, using each app's supported mechanism:
- env_file -> secrets/*.env: mealie, navidrome, karakeep, meilisearch,
baserow, maloja, valheim, photoprism, komf, openldap, penpot, vaultwarden
- file:///run/secrets: authentik email password
- jelu DB password appended to existing secrets/jelu.env
Untrack root .env (interpolated ${VAR} secrets) and add sanitized
.env.example template; gitignore /.env.
Move unreferenced orphan files (mediawiki/rtorrent/snibox .env) into
secrets/ to preserve values while encrypting them.
Add SECURITY.md documenting the secrets conventions and a rotation
checklist. NOTE: all migrated values remain in prior git history and
must be rotated at their providers.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
+116
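--- /dev/null
+++ b/.env.example
@@ -0,0 +1,116 @@
+REGISTRY_URL=registry.kucharczyk.xyz
+DOMAIN=kucharczyk.xyz
+DOMAIN_LOCAL=home.arpa
+TS_DOMAIN=jacob-shark.ts.net
+TS_DOMAIN_NAS=nas.${TS_DOMAIN}
+TZ=Europe/Prague
+STORAGE_PATH=/srv/mergerfs/storage
+MEDIA_PATH=${STORAGE_PATH}/media
+COMIC_PATH=${MEDIA_PATH}/comics
+ANIME_PATH=${STORAGE_PATH}/media/anime
+TV_PATH=${STORAGE_PATH}/media/tv
+MOVIE_PATH=${STORAGE_PATH}/media/movies
+MUSIC_PATH=${STORAGE_PATH}/media/music2
+DOWNLOADS_PATH=${STORAGE_PATH}/download
+NZB_DOWNLOADS_PATH=${DOWNLOADS_PATH}/sabnzbd
+TORRENTS_SEED_PATH=${STORAGE_PATH}/seed
+TORRENTS_WATCH_PATH=${DOWNLOADS_PATH}/watch
+DOCKER_STORAGE_PATH=/docker
+DOCKER_STORAGE_PATH_SLOW=${STORAGE_PATH}/docker-storage
+PHOTOS_STORAGE_PATH=/srv/dev-disk-by-uuid-2d34f1a9-4284-4cad-ae9a-f1ef36244201/photos
+EMAIL_ADMIN=lukas@kucharczyk.xyz
+EMAIL_FROM=kucharczyk.lukas@gmail.com
+EMAIL_HOST=smtp.gmail.com
+EMAIL_PASSWORD=
+EMAIL_PORT=587
+POSTGRES_HOST=postgres
+POSTGRES_USER=lukas
+POSTGRES_PASSWORD=
+POSTGRES_PORT=5432
+MYSQL_HOST=mariadb
+MYSQL_USER=lukas
+MYSQL_PASSWORD=
+MYSQL_ROOT_PASSWORD=
+MYSQL_PORT=3306
+PUID=1000
+PGID=100
+KAVITA_INTERNAL_PORT=5000
+KAVITA_EXTERNAL_PORT=5100
+VALHEIM_INTERNAL_PORT=2456-2457/udp
+VALHEIM_EXTERNAL_PORT=2456-2457
+NTFY_EXTERNAL_PORT=8100
+NTFY_INTERNAL_PORT=80
+WEBHOOK_EXTERNAL_PORT=9200
+WEBHOOK_INTERNAL_PORT=9000
+CHANGEDETECTION_EXTERNAL_PORT=5200
+CHANGEDETECTION_INTERNAL_PORT=5000
+TIMETRACKER_EXTERNAL_PORT=8003
+TIMETRACKER_INTERNAL_PORT=8000
+TRILIUM_EXTERNAL_PORT=8080
+TRILIUM_INTERNAL_PORT=8080
+NETBOOTXYZ_INTERNAL_PORT=3001
+GITEA_INTERNAL_PORT=3002
+LOGSEQ_INTERNAL_PORT=80
+LOGSEQ_EXTERNAL_PORT=3005
+DENDRON_NOTES_EXTERNAL_PORT=2020
+DENDRON_NOTES_INTERNAL_PORT=2020
+DOKKU_EXTERNAL_PORT_1=3022
+DOKKU_INTERNAL_PORT_1=22
+DOKKU_EXTERNAL_PORT_2=8081
+DOKKU_INTERNAL_PORT_2=80
+DOKKU_EXTERNAL_PORT_3=8443
+DOKKU_INTERNAL_PORT_3=443
+LOKI_EXTERNAL_PORT=3200
+LOKI_INTERNAL_PORT=3100
+GRAFANA_EXTERNAL_PORT=3600
+GRAFANA_INTERNAL_PORT=3000
+STASH_EXTERNAL_PORT=9998
+STASH_INTERNAL_PORT=9999
+MALOJA_EXTERNAL_PORT=42010
+MALOJA_INTERNAL_PORT=42010
+PAPERLESS_EXTERNAL_PORT=8004
+PAPERLESS_INTERNAL_PORT=8000
+HOMER_EXTERNAL_PORT=7080
+HOMER_INTERNAL_PORT=8080
+SYNCTHING_EXTERNAL_PORT1=8384
+SYNCTHING_INTERNAL_PORT1=8384
+SYNCTHING_EXTERNAL_PORT2=22000
+SYNCTHING_INTERNAL_PORT2=22000/tcp
+SYNCTHING_EXTERNAL_PORT3=22000
+SYNCTHING_INTERNAL_PORT3=22000/udp
+SYNCTHING_EXTERNAL_PORT4=21027
+SYNCTHING_INTERNAL_PORT4=21027/udp
+SEARXNG_EXTERNAL_PORT=8082
+SEARXNG_INTERNAL_PORT=8080
+MEDIAWIKI_EXTERNAL_PORT=8083
+MEDIAWIKI_INTERNAL_PORT=80
+MARIADB_INTERNAL_PORT=3307
+MARIADB_EXTERNAL_PORT=3307
+PHOTOPRISM_EXTERNAL_PORT=2342
+PHOTOPRISM_INTERNAL_PORT=2342
+SONARR_TV_STANDARD_EXTERNAL_PORT=8989
+SONARR_ANIME_EXTERNAL_PORT=8988
+SONARR_INTERNAL_PORT=8989
+RADARR_INTERNAL_PORT=7878
+BASEROW_INTERNAL_PORT=80
+GITEA_WEBUI_EXTERNAL_PORT=3002
+GITEA_WEBUI_INTERNAL_PORT=3000
+GITEA_SSH_EXTERNAL_PORT=2022
+GITEA_SSH_INTERNAL_PORT=22
+VAULTWARDEN_EXTERNAL_PORT=8666
+VAULTWARDEN_INTERNAL_PORT=80
+BAZARR_EXTERNAL_PORT=6767
+BAZARR_INTERNAL_PORT=6767
+GLUETUN_JAPAN_INTERNAL_PORT=8888
+GLUETUN_JAPAN_EXTERNAL_PORT=8888
+HANDBRAKER_SERVER_INTERNAL_PORT=9999
+HANDBRAKER_SERVER_EXTERNAL_PORT=9997
+REDLIB_EXTERNAL_PORT=8088
+SABNZBD_EXTERNAL_PORT=8081
+SABNZBD_INTERNAL_PORT=8080
+QBITTORRENT_WEBUI_PORT=9092
+QBITTORRENT_WEBUI_EXTERNAL_PORT=${QBITTORRENT_WEBUI_PORT}
+QBITTORRENT_WEBUI_INTERNAL_PORT=${QBITTORRENT_WEBUI_PORT}
+CWA_CONFIG_DIR="${DOCKER_STORAGE_PATH}/calibre-web-automated/config"
+CWA_DB_FILE=${CWA_CONFIG_DIR}/app.db
+CWA_INGEST_DIR=${DOWNLOADS_PATH}/cwa-book-ingest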
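Review bot: The sanitized template still ships identifying infrastructure detail that the rest of the commit keeps out of tracked files: the operator's personal addresses in `EMAIL_ADMIN`/`EMAIL_FROM`, the tailnet name in `TS_DOMAIN`, and the disk UUID embedded in `PHOTOS_STORAGE_PATH`. None of these are credentials, but the root .env was presumably untracked partly for this kind of value, and a template is the place for constructed placeholders such as `EMAIL_ADMIN=admin@example.com` and `PHOTOS_STORAGE_PATH=/path/to/photos`. The blanked `EMAIL_PASSWORD`, `POSTGRES_PASSWORD`, `MYSQL_PASSWORD` and `MYSQL_ROOT_PASSWORD` lines also give no hint that they are mandatory, so a fresh checkout that copies this file to .env unchanged would hand the database containers empty passwords; a header comment like `# Copy to .env and set every *_PASSWORD before running compose; an empty value is not a safe default` would make the intent explicit. Whether each image refuses to start with an empty password is not visible from this page, so the comment is worth adding regardless.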