secrets: migrate exposed plaintext secrets to git-crypt
Move all hardcoded credentials out of tracked compose/env files into the
git-crypt-encrypted secrets/ directory, using each app's supported mechanism:
- env_file -> secrets/*.env: mealie, navidrome, karakeep, meilisearch,
baserow, maloja, valheim, photoprism, komf, openldap, penpot, vaultwarden
- file:///run/secrets: authentik email password
- jelu DB password appended to existing secrets/jelu.env
Untrack root .env (interpolated ${VAR} secrets) and add sanitized
.env.example template; gitignore /.env.
Move unreferenced orphan files (mediawiki/rtorrent/snibox .env) into
secrets/ to preserve values while encrypting them.
Add SECURITY.md documenting the secrets conventions and a rotation
checklist. NOTE: all migrated values remain in prior git history and
must be rotated at their providers.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit was merged in pull request #1.
+20
-8
@@ -4,6 +4,8 @@ secrets:
|
||||
file: secrets/gitea_runner_token.txt
|
||||
authentik_secret_key:
|
||||
file: secrets/authentik_secret_key
|
||||
authentik_email_password:
|
||||
file: secrets/authentik_email_password
|
||||
email_host:
|
||||
file: secrets/email_host
|
||||
email_username:
|
||||
@@ -288,7 +290,7 @@ services:
|
||||
OIDC_PROVIDER_NAME: Authentik
|
||||
OIDC_CONFIGURATION_URL: https://authentik.kucharczyk.xyz/application/o/mealie/.well-known/openid-configuration
|
||||
OIDC_CLIENT_ID: asDhzvutfxxpgwaaz0Jjr6SNpEtZo8GKjjs1WzUU
|
||||
OIDC_CLIENT_SECRET: iIgP3aaF1t0sTd8JPwXrCYmd3Ycc5hhfQROdHN7ByDU81gFJiNbRQ1OrTU7e9yzuPAyqLShRQ2Ve7ov03maHpQtyZzZ2FBdb0OHCkoS4brVuV8uZ4cnVPCzwLEO9bk9U
|
||||
# OIDC_CLIENT_SECRET provided via secrets/mealie.env
|
||||
OIDC_SIGNUP_ENABLED: false
|
||||
OIDC_USER_GROUP: mealie-users
|
||||
OIDC_ADMIN_GROUP: mealie-admins
|
||||
@@ -297,6 +299,7 @@ services:
|
||||
ALLOW_PASSWORD_LOGIN: false
|
||||
env_file:
|
||||
- mealie.env
|
||||
- secrets/mealie.env
|
||||
volumes:
|
||||
- "${DOCKER_STORAGE_PATH}/mealie/data/:/app/data"
|
||||
networks:
|
||||
@@ -332,6 +335,7 @@ services:
|
||||
- ${DOCKER_STORAGE_PATH}/valheim/data:/opt/valheim
|
||||
env_file:
|
||||
- valheim.env
|
||||
- secrets/valheim.env
|
||||
ports:
|
||||
- ${VALHEIM_EXTERNAL_PORT}:${VALHEIM_INTERNAL_PORT}
|
||||
cap_add:
|
||||
@@ -403,9 +407,10 @@ services:
|
||||
# caddy.@api_expiry.status: "3xx"
|
||||
# caddy.forward_auth_0.handle_response_0: "path /api/*"
|
||||
# caddy.forward_auth_0.handle_response_1: "replace_status 401"
|
||||
env_file:
|
||||
- secrets/navidrome.env
|
||||
environment:
|
||||
ND_LASTFM_APIKEY: 29e22ee836a0cb51cfaacb72d605e30d
|
||||
ND_LASTFM_SECRET: 10aa58294eeffa142685e78a0cd78ad6
|
||||
# ND_LASTFM_APIKEY / ND_LASTFM_SECRET provided via secrets/navidrome.env
|
||||
ND_DEEZER_ENABLED: true
|
||||
ND_DEVACTIVITYPANEL: true
|
||||
ND_ENABLESHARING: true
|
||||
@@ -427,6 +432,7 @@ services:
|
||||
- "${MALOJA_EXTERNAL_PORT}:${MALOJA_INTERNAL_PORT}"
|
||||
env_file:
|
||||
- maloja.env
|
||||
- secrets/maloja.env
|
||||
user: "${PUID}:${PGID}"
|
||||
volumes:
|
||||
- "${DOCKER_STORAGE_PATH}/maloja:/data"
|
||||
@@ -606,6 +612,7 @@ services:
|
||||
- mariadb
|
||||
env_file:
|
||||
- photoprism.env
|
||||
- secrets/photoprism.env
|
||||
volumes:
|
||||
- "${PHOTOS_STORAGE_PATH}/import:/photoprism/import"
|
||||
- "${PHOTOS_STORAGE_PATH}/originals:/photoprism/originals"
|
||||
@@ -651,6 +658,7 @@ services:
|
||||
- postgres
|
||||
env_file:
|
||||
- baserow.env
|
||||
- secrets/baserow.env
|
||||
volumes:
|
||||
- "${DOCKER_STORAGE_PATH}/baserow:/baserow/data"
|
||||
restart: unless-stopped
|
||||
@@ -715,7 +723,7 @@ services:
|
||||
# PUSH_INSTALLATION_KEY=
|
||||
- PUSH_RELAY_URI=https://api.bitwarden.eu
|
||||
- PUSH_IDENTITY_URI=https://identity.bitwarden.eu
|
||||
- ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$aWJ2cVRvYUsySkM3M01TMTJJMnZqbUF0Wm1qRWhvd1B6Sk50Q1hwck96dz0$$FKjZ36E54pX2e0AE9OaDpiH43TyAyfVwr3IvracbqEA
|
||||
# ADMIN_TOKEN provided via secrets/vaultwarden.env
|
||||
- SMTP_HOST=${EMAIL_HOST}
|
||||
- SMTP_FROM=${EMAIL_FROM}
|
||||
- SMTP_FROM_NAME="Bitwarden (bw.kucharczyk.xyz)"
|
||||
@@ -821,12 +829,14 @@ services:
|
||||
- 3003:3000
|
||||
env_file:
|
||||
- .env
|
||||
- secrets/meilisearch.env
|
||||
- secrets/karakeep.env
|
||||
environment:
|
||||
LOG_LEVEL: debug
|
||||
MEILI_ADDR: http://meilisearch:7700
|
||||
BROWSER_WEB_URL: http://chrome:9222
|
||||
NEXTAUTH_SECRET: lB5mx3t9mdKclELtt+cs2pVBefB+8vD4dKuzhvUP+JzR9bL1
|
||||
MEILI_MASTER_KEY: Cvu7m/RIGYQPiYcIrxacHFhbfLKfKq3wwSAWJPKVWQEauiIX
|
||||
# NEXTAUTH_SECRET provided via secrets/karakeep.env
|
||||
# MEILI_MASTER_KEY provided via secrets/meilisearch.env
|
||||
NEXTAUTH_URL: https://karakeep.${DOMAIN}
|
||||
DISABLE_SIGNUPS: TRUE
|
||||
CRAWLER_VIDEO_DOWNLOAD: TRUE
|
||||
@@ -872,9 +882,10 @@ services:
|
||||
restart: unless-stopped
|
||||
env_file:
|
||||
- .env
|
||||
- secrets/meilisearch.env
|
||||
environment:
|
||||
MEILI_NO_ANALYTICS: "true"
|
||||
MEILI_MASTER_KEY: Cvu7m/RIGYQPiYcIrxacHFhbfLKfKq3wwSAWJPKVWQEauiIX
|
||||
# MEILI_MASTER_KEY provided via secrets/meilisearch.env
|
||||
volumes:
|
||||
- meilisearch:/meili_data
|
||||
networks:
|
||||
@@ -890,6 +901,7 @@ services:
|
||||
- authentik_secret_key
|
||||
- postgres_general_username
|
||||
- postgres_general_password
|
||||
- authentik_email_password
|
||||
environment:
|
||||
AUTHENTIK_POSTGRESQL__HOST: postgres
|
||||
AUTHENTIK_POSTGRESQL__NAME: authentik
|
||||
@@ -899,7 +911,7 @@ services:
|
||||
AUTHENTIK_EMAIL__HOST: smtp.protonmail.ch
|
||||
AUTHENTIK_EMAIL__PORT: 587
|
||||
AUTHENTIK_EMAIL__USERNAME: lukas@kucharczyk.xyz
|
||||
AUTHENTIK_EMAIL__PASSWORD: CQHMWAUWQG5FBJ2V
|
||||
AUTHENTIK_EMAIL__PASSWORD: file:///run/secrets/authentik_email_password
|
||||
AUTHENTIK_EMAIL__USE_TLS: true
|
||||
AUTHENTIK_EMAIL__USE_SSL: false
|
||||
AUTHENTIK_EMAIL__TIMEOUT: 60
|
||||
|
||||
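Review bot: The blanket `- .env` entry kept in karakeep's and meilisearch's `env_file` lists (the hunks at -821 and -872) still injects every variable of the root .env into those two containers, and per the description that is the file holding the interpolated `${VAR}` secrets, so the per-app `secrets/*.env` files added beside it do not narrow what those containers can read. If the two services only need values like `${DOMAIN}`, which Compose resolves from .env during interpolation without an env_file entry, drop `- .env` from both lists so each container sees only its own `secrets/` file, and confirm with `docker compose config` that no unrelated credential remains in their environment. The same least-privilege check applies to `secrets/meilisearch.env` being loaded into karakeep: that hands it the master key, which is unchanged behaviour but worth a comment such as `# karakeep receives MEILI_MASTER_KEY; consider a scoped Meilisearch API key` next to the entry. The enclosing service definitions start and end outside the hunks.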