authentik: move sensitive data to secrets

docker-compose.yml

@@ -2,6 +2,18 @@
 secrets:
   gitea_runner_token:
     file: secrets/gitea_runner_token.txt
+  authentik_secret_key:
+    file: secrets/authentik_secret_key
+  email_host:
+    file: secrets/email_host
+  email_username:
+    file: secrets/email_username
+  email_password:
+    file: secrets/email_password
+  postgres_general_username:
+    file: secrets/postgres_general_username
+  postgres_general_password:
+    file: secrets/postgres_general_password
   mariadb_root_password:
     file: secrets/mariadb_root_password
 
@@ -791,12 +803,16 @@ services:
     depends_on:
       postgres:
         condition: service_healthy
+    secrets:
+      - authentik_secret_key
+      - postgres_general_username
+      - postgres_general_password
     environment:
       AUTHENTIK_POSTGRESQL__HOST: postgres
       AUTHENTIK_POSTGRESQL__NAME: authentik
-      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
-      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
-      AUTHENTIK_SECRET_KEY: WH6M+8rmyMw4BPszIf9bKGInZVcm6Lmce83C9hdG8t4ZeIKi
+      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/postgres_general_password
+      AUTHENTIK_POSTGRESQL__USER: file:///run/secrets/postgres_general_username
+      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
       AUTHENTIK_EMAIL__HOST: smtp.protonmail.ch
       AUTHENTIK_EMAIL__PORT: 587
       AUTHENTIK_EMAIL__USERNAME: lukas@kucharczyk.xyz
@@ -828,20 +844,27 @@ services:
     networks:
       public:
         ipv4_address: 192.168.240.62
+    secrets:
+      - authentik_secret_key
+      - email_host
+      - email_username
+      - email_password
+      - postgres_general_username
+      - postgres_general_password
     environment:
       AUTHENTIK_POSTGRESQL__HOST: postgres
       AUTHENTIK_POSTGRESQL__NAME: authentik
-      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
-      AUTHENTIK_POSTGRESQL__USER: lukas
-      AUTHENTIK_SECRET_KEY: WH6M+8rmyMw4BPszIf9bKGInZVcm6Lmce83C9hdG8t4ZeIKi
-      AUTHENTIK_EMAIL__HOST: smtp.protonmail.ch
+      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/postgres_general_password
+      AUTHENTIK_POSTGRESQL__USER: file:///run/secrets/postgres_general_username
+      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
+      AUTHENTIK_EMAIL__HOST: file:///run/secrets/email_host
       AUTHENTIK_EMAIL__PORT: 587
-      AUTHENTIK_EMAIL__USERNAME: lukas@kucharczyk.xyz
-      AUTHENTIK_EMAIL__PASSWORD: CQHMWAUWQG5FBJ2V
+      AUTHENTIK_EMAIL__USERNAME: file:///run/secrets/email_username
+      AUTHENTIK_EMAIL__PASSWORD: file:///run/secrets/email_password
       AUTHENTIK_EMAIL__USE_TLS: true
       AUTHENTIK_EMAIL__USE_SSL: false
       AUTHENTIK_EMAIL__TIMEOUT: 60
-      AUTHENTIK_EMAIL__FROM: lukas@kucharczyk.xyz
+      AUTHENTIK_EMAIL__FROM: file:///run/secrets/email_username
     image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.10.0}
     restart: unless-stopped
     user: root