
secrets: migrate exposed plaintext secrets to git-crypt

Move all hardcoded credentials out of tracked compose/env files into the
git-crypt-encrypted secrets/ directory, using each app's supported mechanism:

- env_file -> secrets/*.env: mealie, navidrome, karakeep, meilisearch,
  baserow, maloja, valheim, photoprism, komf, openldap, penpot, vaultwarden
- file:///run/secrets: authentik email password
- jelu DB password appended to existing secrets/jelu.env

Untrack root .env (interpolated ${VAR} secrets) and add sanitized
.env.example template; gitignore /.env.

Move unreferenced orphan files (mediawiki/rtorrent/snibox .env) into
secrets/ to preserve values while encrypting them.

Add SECURITY.md documenting the secrets conventions and a rotation
checklist. NOTE: all migrated values remain in prior git history and
must be rotated at their providers.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit was merged in pull request #1.
This commit is contained in:
2026-06-12 13:15:25 +02:00
parent d35a9cf672
commit 5aa85b0920
32 changed files with 136 additions and 36 deletions
+2 -2
@@ -1,7 +1,7 @@
PHOTOPRISM_ADMIN_PASSWORD=kRalovna12514265!
# PHOTOPRISM_ADMIN_PASSWORD provided via secrets/photoprism.env
PHOTOPRISM_DATABASE_DRIVER=mysql
PHOTOPRISM_DATABASE_NAME=photoprism
PHOTOPRISM_DATABASE_PASSWORD=TWB64mcPZ^TSdo
# PHOTOPRISM_DATABASE_PASSWORD provided via secrets/photoprism.env
PHOTOPRISM_DATABASE_SERVER=mariadb
PHOTOPRISM_DATABASE_USER=photoprism
PHOTOPRISM_IMPORT_PATH=/photoprism/import
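Review bot: the two lines this hunk drops are the live values of PHOTOPRISM_ADMIN_PASSWORD and PHOTOPRISM_DATABASE_PASSWORD, and they remain recoverable from history after the change, so the rotation the commit message calls for is the actual remediation here; both should appear explicitly on the SECURITY.md rotation checklist. The replacement comments point to secrets/photoprism.env, but nothing in this hunk wires that file in: confirm the photoprism compose service loads it via env_file, that the mariadb service (PHOTOPRISM_DATABASE_SERVER=mariadb) is given the same rotated DB password, and that the path matches a git-crypt pattern in .gitattributes, for example by checking that `git-crypt status` reports secrets/photoprism.env as encrypted; otherwise the variables are silently unset at runtime or the plaintext is simply committed in a new location.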