
secrets: migrate exposed plaintext secrets to git-crypt

Move all hardcoded credentials out of tracked compose/env files into the
git-crypt-encrypted secrets/ directory, using each app's supported mechanism:

- env_file -> secrets/*.env: mealie, navidrome, karakeep, meilisearch,
  baserow, maloja, valheim, photoprism, komf, openldap, penpot, vaultwarden
- file:///run/secrets: authentik email password
- jelu DB password appended to existing secrets/jelu.env

Untrack root .env (interpolated ${VAR} secrets) and add sanitized
.env.example template; gitignore /.env.

Move unreferenced orphan files (mediawiki/rtorrent/snibox .env) into
secrets/ to preserve values while encrypting them.

Add SECURITY.md documenting the secrets conventions and a rotation
checklist. NOTE: all migrated values remain in prior git history and
must be rotated at their providers.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit was merged in pull request #1.
2026-06-12 13:15:25 +02:00
parent d35a9cf672
commit 5aa85b0920
32 changed files with 136 additions and 36 deletions
+1 -1
@@ -19,7 +19,7 @@ services:
environment:
SERVER_PORT: 80
SPRING_DATASOURCE_USERNAME: lukas
SPRING_DATASOURCE_PASSWORD: Q^k5i2^hN!wmEr6JLkYP9ME
# SPRING_DATASOURCE_PASSWORD provided via secrets/jelu.env
JELU_CORS_ALLOWED-ORIGINS: https://jelu.${DOMAIN}
restart: unless-stopped
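Review bot: The comment that replaces the SPRING_DATASOURCE_PASSWORD entry points at secrets/jelu.env, but this section is +1/-1 and shows no `env_file:` for the jelu service, so whether that file is actually loaded depends on lines outside the hunk; the comment should name the mechanism so a reader can check it, e.g. `# SPRING_DATASOURCE_PASSWORD is loaded from env_file ../secrets/jelu.env`. Keep in mind that Compose gives `environment:` precedence over `env_file:`, so re-adding the key here (even with an empty value) would silently shadow the secret; the same caveat applies to the komf and openldap sections below. The service definition continues outside the hunk.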
+5 -3
@@ -45,7 +45,7 @@ configs:
kavita:
baseUri: "http://localhost:5000" #or env:KOMF_KAVITA_BASE_URI
apiKey: "16707507-d05d-4696-b126-c3976ae14ffb" #or env:KOMF_KAVITA_API_KEY
apiKey: # set via env:KOMF_KAVITA_API_KEY (secrets/komf.env)
eventListener:
enabled: false # if disabled will not connect to kavita and won't pick up newly added entries
metadataLibraryFilter: [ ] # listen to all events if empty
@@ -194,12 +194,14 @@ services:
user: 1000:100
ports:
- "8085:8085"
env_file:
- ../secrets/komf.env
environment:
- KOMF_KOMGA_BASE_URI=http://komga:25600
- KOMF_KOMGA_USER=lukas@kucharczyk.xyz
- KOMF_KOMGA_PASSWORD=kRalovna12514265!
# KOMF_KOMGA_PASSWORD provided via secrets/komf.env
- KOMF_KAVITA_BASE_URI=http://kavita:${KAVITA_INTERNAL_PORT}
- KOMF_KAVITA_API_KEY=c8023836-7aab-46ed-9409-c24b950002d4
# KOMF_KAVITA_API_KEY provided via secrets/komf.env
- KOMF_LOG_LEVEL=INFO
- JAVA_TOOL_OPTIONS=-XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -XX:ShenandoahGCHeuristics=compact -XX:ShenandoahGuaranteedGCInterval=3600000 -XX:TrimNativeHeapInterval=3600000
configs:
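Review bot: In the first hunk, `apiKey:` with no value under `kavita:` parses as YAML null rather than as an absent key, so komf may receive an explicit null instead of falling back to env:KOMF_KAVITA_API_KEY as the trailing comment intends. Unless komf's config loader is known to treat null as unset, remove the key and keep only the comment, e.g. `# apiKey is supplied via env:KOMF_KAVITA_API_KEY (secrets/komf.env)`. Note also that the previous inline apiKey and the previous KOMF_KAVITA_API_KEY value were two different keys, so it is worth confirming which one secrets/komf.env now carries and that Kavita still accepts it. Both the `configs:` block and the komf service definition continue outside the hunks.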
+4 -2
@@ -12,13 +12,15 @@ services:
volumes:
- "${DOCKER_STORAGE_PATH}/openldap/config:/etc/ldap/slapd.d"
- "${DOCKER_STORAGE_PATH}/openldap/data:/var/lib/ldap"
env_file:
- ../secrets/openldap.env
environment:
- LDAP_ORGANISATION=Homelab
- LDAP_DOMAIN=${DOMAIN}
- LDAP_ADMIN_PASSWORD=kral
# LDAP_ADMIN_PASSWORD provided via secrets/openldap.env
- LDAP_OPENLDAP_UID=${PUID}
- LDAP_OPENLDAP_GID=${PGID}
- LDAP_READONLY_USER=true
- LDAP_READONLY_USER_USERNAME=readonly
- LDAP_READONLY_USER_PASSWORD=readonly
# LDAP_READONLY_USER_PASSWORD provided via secrets/openldap.env
restart: unless-stopped
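Review bot: The env names and the slapd.d/ldap data volumes suggest an osixia-style openldap image, in which case LDAP_ADMIN_PASSWORD and LDAP_READONLY_USER_PASSWORD are only applied when the directory is first bootstrapped; if so, changing the values in secrets/openldap.env later will not rotate the credentials stored in the running directory, and the rotation checklist should call for updating the LDAP entries directly. A short note next to the new `env_file:` entry would prevent that surprise, e.g. `# bootstrap-only: changing these after first start does not rotate the stored passwords (confirm for this image)`. Please confirm against the image's documentation; the service definition starts outside the hunk.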