homelab/docker-compose-templates
1
0
Fork 0
Code Pull Requests Activity

remove exposed secrets #1

Merged
lukas merged 1 commits from security/migrate-secrets-to-git-crypt into main 2026-06-12 13:38:01 +00:00
Conversation 0 Commits 1 Files Changed 32
+136 -36
lukas commented 2026-06-12 13:21:49 +00:00
Owner
Copy Link
Copy Source
No description provided.
lukas added 18 commits 2026-06-12 13:21:50 +00:00
kavita: update to 0.9.0.2 f4f68793b7
miniflux: update to 2.3.0 6eeaf836be
miniflux: make it work with custom cert 15f02adc22
shelfmark: update to 1.3.0 3a3050ff86
shelfmark: use secrets 987eed082d
cwa: use secrets 2ff03d8934
cwa: switch to next gen fork e563af37a4
add framework13 host record 5d8d51949d
add qui 913e7ba387
rss-bridge: use labels ab1a6336aa
karakeep: update ai conf e107be3474
use different chrome image 41c92dc6e7
authentik: update b20474b7b5
slskd: update ef214f03aa
yamtrack: update 2fece90ad2
polaris: add 72406c0000
navidrome: auth workaround d35a9cf672
secrets: migrate exposed plaintext secrets to git-crypt 5aa85b0920 
Move all hardcoded credentials out of tracked compose/env files into the
git-crypt-encrypted secrets/ directory, using each app's supported mechanism:

- env_file -> secrets/*.env: mealie, navidrome, karakeep, meilisearch,
  baserow, maloja, valheim, photoprism, komf, openldap, penpot, vaultwarden
- file:///run/secrets: authentik email password
- jelu DB password appended to existing secrets/jelu.env

Untrack root .env (interpolated ${VAR} secrets) and add sanitized
.env.example template; gitignore /.env.

Move unreferenced orphan files (mediawiki/rtorrent/snibox .env) into
secrets/ to preserve values while encrypting them.

Add SECURITY.md documenting the secrets conventions and a rotation
checklist. NOTE: all migrated values remain in prior git history and
must be rotated at their providers.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
lukas merged commit 5aa85b0920 into main 2026-06-12 13:38:01 +00:00
lukas deleted branch security/migrate-secrets-to-git-crypt 2026-06-12 13:38:01 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
lukas (Lukáš Kucharczyk)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: homelab/docker-compose-templates#1
Delete Branch "security/migrate-secrets-to-git-crypt"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?