From 5aa85b0920be0135e49a3583367c5715ef4760f8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Fri, 12 Jun 2026 13:15:25 +0200 Subject: [PATCH] secrets: migrate exposed plaintext secrets to git-crypt Move all hardcoded credentials out of tracked compose/env files into the git-crypt-encrypted secrets/ directory, using each app's supported mechanism: - env_file -> secrets/*.env: mealie, navidrome, karakeep, meilisearch, baserow, maloja, valheim, photoprism, komf, openldap, penpot, vaultwarden - file:///run/secrets: authentik email password - jelu DB password appended to existing secrets/jelu.env Untrack root .env (interpolated ${VAR} secrets) and add sanitized .env.example template; gitignore /.env. Move unreferenced orphan files (mediawiki/rtorrent/snibox .env) into secrets/ to preserve values while encrypting them. Add SECURITY.md documenting the secrets conventions and a rotation checklist. NOTE: all migrated values remain in prior git history and must be rotated at their providers. Co-Authored-By: Claude Fable 5 --- .env => .env.example | 8 +-- .gitignore | 4 +- SECURITY.md | 91 +++++++++++++++++++++++++++++++ baserow.env | 2 +- docker-compose.yml | 28 +++++++--- maloja.env | 2 +- mediawiki.env | 3 - penpot.yml | 4 +- photoprism.env | 4 +- rtorrent.env | 6 -- secrets/authentik_email_password | Bin 0 -> 38 bytes secrets/baserow.env | Bin 0 -> 65 bytes secrets/jelu.env | Bin 76 -> 127 bytes secrets/karakeep.env | Bin 0 -> 87 bytes secrets/komf.env | Bin 0 -> 117 bytes secrets/maloja.env | Bin 0 -> 53 bytes secrets/mealie.env | Bin 0 -> 170 bytes secrets/mediawiki.env | Bin 0 -> 147 bytes secrets/meilisearch.env | Bin 0 -> 88 bytes secrets/navidrome.env | Bin 0 -> 122 bytes secrets/openldap.env | Bin 0 -> 84 bytes secrets/penpot.env | Bin 0 -> 47 bytes secrets/photoprism.env | Bin 0 -> 110 bytes secrets/rtorrent.env | Bin 0 -> 137 bytes secrets/snibox.env | Bin 0 -> 79 bytes secrets/valheim.env | Bin 0 -> 40 bytes secrets/vaultwarden.env | Bin 127 -> 274 bytes services/jelu.yml | 2 +- services/komga.yml | 8 
++- services/openldap.yml | 6 +- snibox.env | 2 - valheim.env | 2 +- 32 files changed, 136 insertions(+), 36 deletions(-) rename .env => .env.example (96%) create mode 100644 SECURITY.md delete mode 100644 mediawiki.env delete mode 100644 rtorrent.env create mode 100644 secrets/authentik_email_password create mode 100644 secrets/baserow.env create mode 100644 secrets/karakeep.env create mode 100644 secrets/komf.env create mode 100644 secrets/maloja.env create mode 100644 secrets/mealie.env create mode 100644 secrets/mediawiki.env create mode 100644 secrets/meilisearch.env create mode 100644 secrets/navidrome.env create mode 100644 secrets/openldap.env create mode 100644 secrets/penpot.env create mode 100644 secrets/photoprism.env create mode 100644 secrets/rtorrent.env create mode 100644 secrets/snibox.env create mode 100644 secrets/valheim.env delete mode 100644 snibox.env
diff --git a/.env b/.env.example
similarity index 96%
rename from .env
rename to .env.example
index 178df5d..824e9fd 100644
--- a/.env
+++ b/.env.example
@@ -21,16 +21,16 @@ PHOTOS_STORAGE_PATH=/srv/dev-disk-by-uuid-2d34f1a9-4284-4cad-ae9a-f1ef36244201/p
 EMAIL_ADMIN=lukas@kucharczyk.xyz
 EMAIL_FROM=kucharczyk.lukas@gmail.com
 EMAIL_HOST=smtp.gmail.com
-EMAIL_PASSWORD=sebrubdsgkuptcjr
+EMAIL_PASSWORD=
 EMAIL_PORT=587
 POSTGRES_HOST=postgres
 POSTGRES_USER=lukas
-POSTGRES_PASSWORD=kralovna
+POSTGRES_PASSWORD=
 POSTGRES_PORT=5432
 MYSQL_HOST=mariadb
 MYSQL_USER=lukas
-MYSQL_PASSWORD=kralovna
-MYSQL_ROOT_PASSWORD=kralovna
+MYSQL_PASSWORD=
+MYSQL_ROOT_PASSWORD=
 MYSQL_PORT=3306
 PUID=1000
 PGID=100
diff --git a/.gitignore b/.gitignore
index e50883d..6d2defd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-git-crypt-key
\ No newline at end of file
+git-crypt-key
+# Real environment file with secrets; use .env.example as the template
+/.env
\ No newline at end of file
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..ad8bb47
--- /dev/null
+++ b/SECURITY.md
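Review bot: The blanked `EMAIL_PASSWORD=`, `POSTGRES_PASSWORD=`, `MYSQL_PASSWORD=` and `MYSQL_ROOT_PASSWORD=` lines are valid dotenv syntax, so a copy of `.env.example` that was never filled in is accepted silently: Compose substitutes an empty string for `${POSTGRES_PASSWORD}` and `${EMAIL_PASSWORD}` in the tracked env files (baserow.env, vaultwarden's SMTP block) instead of refusing to start. Where the interpolation is done by Compose, the `${VAR:?message}` form aborts on an unset or empty value, e.g. `EMAIL_SMTP_PASSWORD=${EMAIL_PASSWORD:?EMAIL_PASSWORD missing from .env}`. At minimum the template deserves a comment such as `# Fill in every blank value below before starting the stack; blank values are not rejected by Compose`.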
@@ -0,0 +1,91 @@ +# Security: secrets handling & rotation checklist + +## How secrets are stored in this repo + +- **`secrets/`** — git-crypt encrypted (see `.gitattributes`: `secrets/** filter=git-crypt`). + All real credentials live here. The working-tree copies are plaintext (git-crypt + only encrypts the committed blobs), so Docker reads them normally. +- **Root `.env`** — git-ignored (`/.env`) and **not** committed. It holds non-secret + config (ports, paths, domains) plus a few `${VAR}` values interpolated across + services. Use **`.env.example`** as the template; fill in the blanked secret values + locally. +- **Tracked compose / `*.env` files** — must contain **no secret values**. Pull secrets + in via one of: + - `env_file: - secrets/.env` (universal) + - `FILE__VARNAME=/run/secrets/` (LinuxServer.io images, e.g. calibre-web-automated) + - `VARNAME_FILE=/run/secrets/` (miniflux, gitea-runner, …) + - `file:///run/secrets/` (authentik) + +## Before you commit + +```sh +# git-crypt must be unlocked so secrets/ files encrypt on commit +git-crypt status | grep -i 'not encrypted' || echo "all secrets/ files encrypted" +``` + +Quick scan for accidental plaintext secrets in tracked files: + +```sh +git ls-files | grep -vE '^secrets/|^\.env\.example$' | xargs grep -nIE \ + '(PASSWORD|SECRET|TOKEN|API_?KEY|CLIENT_SECRET|MASTER_KEY)=[^ ]' 2>/dev/null \ + | grep -vE '_FILE|/run/secrets/|file:///|\$\{|=\s*$' +``` + +## Rotation checklist + +All values below were committed to git history in plaintext before the 2026-06-12 +migration. Migrating them to `secrets/` only protects them **going forward** — each +must be **rotated at its provider**, then history scrubbed (see bottom). + +Tick each once the credential has been regenerated and the new value written to the +corresponding `secrets/` file. + +### External / high priority (reachable beyond the LAN) +- [ ] **Gmail app password** — `EMAIL_PASSWORD` in `.env` (reused by vaultwarden, mealie, baserow SMTP). 
Regenerate at Google Account → App passwords. +- [ ] **ProtonMail SMTP token** — `secrets/authentik_email_password`. Regenerate in Proton → SMTP submission. +- [ ] **mealie OIDC client secret** — `secrets/mealie.env`. Rotate the `mealie` provider in Authentik. +- [ ] **Last.fm API key + secret** — `secrets/navidrome.env`. Reissue at last.fm/api/accounts. +- [ ] **Meilisearch master key** — `secrets/meilisearch.env` (used by karakeep + meilisearch). Generate a new random key. +- [ ] **karakeep `NEXTAUTH_SECRET`** — `secrets/karakeep.env`. `openssl rand -base64 36`. +- [ ] **vaultwarden `ADMIN_TOKEN`** — `secrets/vaultwarden.env`. Regenerate with `vaultwarden hash` (Argon2). +- [ ] **jelu `GOOGLE_API_KEY`** — `secrets/jelu.env`. Rotate in Google Cloud console. + +### Internal (LAN-only, still rotate — `kralovna` is reused widely) +- [ ] **Postgres password** — `POSTGRES_PASSWORD` in `.env` (`kralovna`). +- [ ] **MySQL/MariaDB passwords** — `MYSQL_PASSWORD`, `MYSQL_ROOT_PASSWORD` in `.env` (`kralovna`). +- [ ] **baserow DB password** — `secrets/baserow.env`. +- [ ] **photoprism admin + DB passwords** — `secrets/photoprism.env`. +- [ ] **jelu DB password** — `secrets/jelu.env`. +- [ ] **komf komga password + Kavita API key** — `secrets/komf.env`. +- [ ] **openldap admin + readonly passwords** — `secrets/openldap.env`. +- [ ] **maloja force password** — `secrets/maloja.env`. +- [ ] **valheim server password** — `secrets/valheim.env`. +- [ ] **penpot postgres password** — `secrets/penpot.env`. + +### Orphaned services (moved to `secrets/`; rotate if still running anywhere) +- [ ] **mediawiki MySQL password** — `secrets/mediawiki.env`. +- [ ] **rtorrent RPC2 password** — `secrets/rtorrent.env`. +- [ ] **snibox `SECRET_KEY_BASE`** — `secrets/snibox.env`. + +## Scrubbing git history + +After rotating, remove the old plaintext values from history so the leaked secrets +become useless even to someone with an old clone: + +```sh +# Using git-filter-repo (recommended). 
Removes the old tracked paths entirely. +git filter-repo --invert-paths \ + --path .env \ + --path mediawiki.env --path rtorrent.env --path snibox.env + +# Then force-push and have every clone re-clone (rewritten history diverges): +git push --force --all +git push --force --tags +``` + +For surgical edits to lines inside files that stay tracked (e.g. a secret that lived +in `docker-compose.yml`), use `git filter-repo --replace-text ` with +`old==>***REMOVED***` rules, or BFG's `--replace-text`. + +> Rotation is what actually neutralizes a leak. History scrubbing is best-effort — +> assume anything ever pushed is already compromised and rotate regardless. diff --git a/baserow.env b/baserow.env index 42efe82..b68e2da 100644 --- a/baserow.env +++ b/baserow.env @@ -2,7 +2,7 @@ BASEROW_PUBLIC_URL=https://baserow.${DOMAIN} DATABASE_HOST=${POSTGRES_HOST} DATABASE_NAME=baserow DATABASE_USER=baserow -DATABASE_PASSWORD=S@8rBtSApf@YpNLXS!2hr2F$ +# DATABASE_PASSWORD provided via secrets/baserow.env EMAIL_SMTP=1 EMAIL_SMTP_HOST=${EMAIL_HOST} EMAIL_SMTP_PASSWORD=${EMAIL_PASSWORD} diff --git a/docker-compose.yml b/docker-compose.yml index 9ec1c9a..f639445 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,6 +4,8 @@ secrets: file: secrets/gitea_runner_token.txt authentik_secret_key: file: secrets/authentik_secret_key + authentik_email_password: + file: secrets/authentik_email_password email_host: file: secrets/email_host email_username: @@ -288,7 +290,7 @@ services: OIDC_PROVIDER_NAME: Authentik OIDC_CONFIGURATION_URL: https://authentik.kucharczyk.xyz/application/o/mealie/.well-known/openid-configuration OIDC_CLIENT_ID: asDhzvutfxxpgwaaz0Jjr6SNpEtZo8GKjjs1WzUU - OIDC_CLIENT_SECRET: iIgP3aaF1t0sTd8JPwXrCYmd3Ycc5hhfQROdHN7ByDU81gFJiNbRQ1OrTU7e9yzuPAyqLShRQ2Ve7ov03maHpQtyZzZ2FBdb0OHCkoS4brVuV8uZ4cnVPCzwLEO9bk9U + # OIDC_CLIENT_SECRET provided via secrets/mealie.env OIDC_SIGNUP_ENABLED: false OIDC_USER_GROUP: mealie-users OIDC_ADMIN_GROUP: mealie-admins 
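Review bot: The new SECURITY.md re-commits one of the credentials this patch is removing: the rotation checklist prints the shared database password in plaintext three times — in the `### Internal` heading and in the `(`kralovna`)` parentheticals after `POSTGRES_PASSWORD` and `MYSQL_PASSWORD`/`MYSQL_ROOT_PASSWORD`. The file is tracked and unencrypted, and the quick-scan command documented a few lines above would not flag it, since that regex only matches `NAME=value` lines. Replace the literal with a description, e.g. `- [ ] **Postgres password** — `POSTGRES_PASSWORD` in `.env` (the shared DB password reused by several services).` and `### Internal (LAN-only, still rotate — the same DB password is reused widely)`, so the checklist does not itself become an item on the rotation list.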
@@ -297,6 +299,7 @@ services:
 ALLOW_PASSWORD_LOGIN: false
 env_file:
 - mealie.env
+ - secrets/mealie.env
 volumes:
 - "${DOCKER_STORAGE_PATH}/mealie/data/:/app/data"
 networks:
@@ -332,6 +335,7 @@ services:
 - ${DOCKER_STORAGE_PATH}/valheim/data:/opt/valheim
 env_file:
 - valheim.env
+ - secrets/valheim.env
 ports:
 - ${VALHEIM_EXTERNAL_PORT}:${VALHEIM_INTERNAL_PORT}
 cap_add:
@@ -403,9 +407,10 @@ services:
 # caddy.@api_expiry.status: "3xx"
 # caddy.forward_auth_0.handle_response_0: "path /api/*"
 # caddy.forward_auth_0.handle_response_1: "replace_status 401"
+ env_file:
+ - secrets/navidrome.env
 environment:
- ND_LASTFM_APIKEY: 29e22ee836a0cb51cfaacb72d605e30d
- ND_LASTFM_SECRET: 10aa58294eeffa142685e78a0cd78ad6
+ # ND_LASTFM_APIKEY / ND_LASTFM_SECRET provided via secrets/navidrome.env
 ND_DEEZER_ENABLED: true
 ND_DEVACTIVITYPANEL: true
 ND_ENABLESHARING: true
@@ -427,6 +432,7 @@ services:
 - "${MALOJA_EXTERNAL_PORT}:${MALOJA_INTERNAL_PORT}"
 env_file:
 - maloja.env
+ - secrets/maloja.env
 user: "${PUID}:${PGID}"
 volumes:
 - "${DOCKER_STORAGE_PATH}/maloja:/data"
@@ -606,6 +612,7 @@ services:
 - mariadb
 env_file:
 - photoprism.env
+ - secrets/photoprism.env
 volumes:
 - "${PHOTOS_STORAGE_PATH}/import:/photoprism/import"
 - "${PHOTOS_STORAGE_PATH}/originals:/photoprism/originals"
@@ -651,6 +658,7 @@ services:
 - postgres
 env_file:
 - baserow.env
+ - secrets/baserow.env
 volumes:
 - "${DOCKER_STORAGE_PATH}/baserow:/baserow/data"
 restart: unless-stopped
@@ -715,7 +723,7 @@ services:
 # PUSH_INSTALLATION_KEY=
 - PUSH_RELAY_URI=https://api.bitwarden.eu
 - PUSH_IDENTITY_URI=https://identity.bitwarden.eu
- - ADMIN_TOKEN=$$argon2id$$v=19$$m=65540,t=3,p=4$$aWJ2cVRvYUsySkM3M01TMTJJMnZqbUF0Wm1qRWhvd1B6Sk50Q1hwck96dz0$$FKjZ36E54pX2e0AE9OaDpiH43TyAyfVwr3IvracbqEA
+ # ADMIN_TOKEN provided via secrets/vaultwarden.env
 - SMTP_HOST=${EMAIL_HOST}
 - SMTP_FROM=${EMAIL_FROM}
 - SMTP_FROM_NAME="Bitwarden (bw.kucharczyk.xyz)"
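Review bot: The removed `ADMIN_TOKEN` line escaped every `$` of the Argon2 PHC string as `$$` because Compose interpolates `environment:` values, and the replacement now lives in `secrets/vaultwarden.env`, where this repository also relies on interpolation (baserow.env uses `${POSTGRES_HOST}` and `${EMAIL_PASSWORD}`). An unquoted `$argon2id$v=19$m=...` in that file is therefore liable to have `$argon2id`, `$v`, `$m` and the base64 salt segment expanded as empty variable references, leaving vaultwarden with a mangled admin token. The encrypted file cannot be reviewed here (its blob grew from 127 to 274 bytes, consistent with the token being appended), so confirm the value is single-quoted — `ADMIN_TOKEN='$argon2id$v=19$...'` — which the Compose dotenv parser should leave uninterpolated, and verify the admin page login after deploy.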
@@ -821,12 +829,14 @@ services:
 - 3003:3000
 env_file:
 - .env
+ - secrets/meilisearch.env
+ - secrets/karakeep.env
 environment:
 LOG_LEVEL: debug
 MEILI_ADDR: http://meilisearch:7700
 BROWSER_WEB_URL: http://chrome:9222
- NEXTAUTH_SECRET: lB5mx3t9mdKclELtt+cs2pVBefB+8vD4dKuzhvUP+JzR9bL1
- MEILI_MASTER_KEY: Cvu7m/RIGYQPiYcIrxacHFhbfLKfKq3wwSAWJPKVWQEauiIX
+ # NEXTAUTH_SECRET provided via secrets/karakeep.env
+ # MEILI_MASTER_KEY provided via secrets/meilisearch.env
 NEXTAUTH_URL: https://karakeep.${DOMAIN}
 DISABLE_SIGNUPS: TRUE
 CRAWLER_VIDEO_DOWNLOAD: TRUE
@@ -872,9 +882,10 @@ services:
 restart: unless-stopped
 env_file:
 - .env
+ - secrets/meilisearch.env
 environment:
 MEILI_NO_ANALYTICS: "true"
- MEILI_MASTER_KEY: Cvu7m/RIGYQPiYcIrxacHFhbfLKfKq3wwSAWJPKVWQEauiIX
+ # MEILI_MASTER_KEY provided via secrets/meilisearch.env
 volumes:
 - meilisearch:/meili_data
 networks:
@@ -890,6 +901,7 @@ services:
 - authentik_secret_key
 - postgres_general_username
 - postgres_general_password
+ - authentik_email_password
 environment:
 AUTHENTIK_POSTGRESQL__HOST: postgres
 AUTHENTIK_POSTGRESQL__NAME: authentik
@@ -899,7 +911,7 @@ services:
 AUTHENTIK_EMAIL__HOST: smtp.protonmail.ch
 AUTHENTIK_EMAIL__PORT: 587
 AUTHENTIK_EMAIL__USERNAME: lukas@kucharczyk.xyz
- AUTHENTIK_EMAIL__PASSWORD: CQHMWAUWQG5FBJ2V
+ AUTHENTIK_EMAIL__PASSWORD: file:///run/secrets/authentik_email_password
 AUTHENTIK_EMAIL__USE_TLS: true
 AUTHENTIK_EMAIL__USE_SSL: false
 AUTHENTIK_EMAIL__TIMEOUT: 60
diff --git a/maloja.env b/maloja.env
index 23d38d1..cd80706 100644
--- a/maloja.env
+++ b/maloja.env
@@ -1,2 +1,2 @@
 MALOJA_DATA_DIRECTORY=/data
-MALOJA_FORCE_PASSWORD=kralovna
\ No newline at end of file
+# MALOJA_FORCE_PASSWORD provided via secrets/maloja.env
\ No newline at end of file
diff --git a/mediawiki.env b/mediawiki.env
deleted file mode 100644
index 972c746..0000000
--- a/mediawiki.env
+++ /dev/null
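Review bot: karakeep's `env_file` list still begins with `- .env`, so the container inherits the entire root environment file — per `.env.example` that includes `POSTGRES_PASSWORD`, `MYSQL_ROOT_PASSWORD` and `EMAIL_PASSWORD` — while this hunk adds only the two secret files it actually needs; meilisearch in the next hunk (`@@ -872`) does the same. Now that `/.env` is untracked, what those two containers receive is no longer reviewable in the repo either. Consider dropping `- .env` from both services and listing the specific non-secret keys they use under `environment:` (or in a small per-service env file), keeping `secrets/meilisearch.env` as the only shared secret.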
@@ -1,3 +0,0 @@
-MYSQL_DATABASE=mediawiki
-MYSQL_USER=mediawiki
-MYSQL_PASSWORD=41eebea0e3ef17dc68064e004e03dafeddd996bf513021b5cf7daf5a0c4d2b32
\ No newline at end of file
diff --git a/penpot.yml b/penpot.yml
index fbc23d0..fab425b 100644
--- a/penpot.yml
+++ b/penpot.yml
@@ -56,11 +56,13 @@ services:
 restart: always
 stop_signal: SIGINT
+ env_file:
+ - secrets/penpot.env
 environment:
 - POSTGRES_INITDB_ARGS=--data-checksums
 - POSTGRES_DB=penpot
 - POSTGRES_USER=penpot
- - POSTGRES_PASSWORD=penpot
+ # POSTGRES_PASSWORD provided via secrets/penpot.env
 volumes:
 - penpot_postgres_data:/var/lib/postgresql/data
diff --git a/photoprism.env b/photoprism.env
index f2def08..670f092 100644
--- a/photoprism.env
+++ b/photoprism.env
@@ -1,7 +1,7 @@
-PHOTOPRISM_ADMIN_PASSWORD=kRalovna12514265!
+# PHOTOPRISM_ADMIN_PASSWORD provided via secrets/photoprism.env
 PHOTOPRISM_DATABASE_DRIVER=mysql
 PHOTOPRISM_DATABASE_NAME=photoprism
-PHOTOPRISM_DATABASE_PASSWORD=TWB64mcPZ^TSdo
+# PHOTOPRISM_DATABASE_PASSWORD provided via secrets/photoprism.env
 PHOTOPRISM_DATABASE_SERVER=mariadb
 PHOTOPRISM_DATABASE_USER=photoprism
 PHOTOPRISM_IMPORT_PATH=/photoprism/import
diff --git a/rtorrent.env b/rtorrent.env
deleted file mode 100644
index 95dcf8a..0000000
--- a/rtorrent.env
+++ /dev/null
@@ -1,6 +0,0 @@
-VPN_ENABLED=no
-ENABLE_WEBUI_AUTH=no
-ENABLE_RPC2=yes
-ENABLE_RPC2_AUTH=yes
-RPC2_USER=lukas
-RPC2_PASS=5zpxni8N@DYCaZL
diff --git a/secrets/authentik_email_password b/secrets/authentik_email_password
new file mode 100644
index 0000000000000000000000000000000000000000..0ce8573f2456e5c3481dfd755916edf853c85eac
GIT binary patch literal 38 ucmZQ@_Y83kiVO&0kmaaUxcoEi(v(Vm@c1rEm+hG literal 0 HcmV?d00001
diff --git a/secrets/jelu.env b/secrets/jelu.env index f3dcbc363cf3ed64d763f54c6f37efaeb25d9581..8ccab98d8ad647af29c8439273344f83e0c24fde 100644 GIT binary patch literal 127 zcmV-_0D%7hM@dveQdv+`07J?Fi7!W|u#bBasD{uSqLUgJ!*&7>jc2AYNFl8qlIFHg zW=Jsy7*wst9)iN1kbD%G7^G}!^Ibr|+ literal 76 zcmV-S0JHx9M@dveQdv+`06_gI(kcm+wW=+hn|Q68G!B8!EQA>NI9b!!y8@hqm#jPX id+Vax@1^2_Ci2259j%_T@#fc&30`rUOG>=zxP8Mfq$aii diff --git a/secrets/karakeep.env b/secrets/karakeep.env new file mode 100644 index 0000000000000000000000000000000000000000..1a522bf210736d3796eefa9427cb2a54f038993c GIT binary patch literal 87 zcmV-d0I2@}M@dveQdv+`01oHiub^dSczx+$VWI?aMJ&5{|M|yAF>*tkzl^t6P_YW& t-B+>%q8{e+6p_a?8JJIA!;8-9RC7Q+15g)K*LJ}HlsxN3c9%&rfBv~VC@ug1 literal 0 HcmV?d00001 diff --git a/secrets/komf.env b/secrets/komf.env new file mode 100644 index 0000000000000000000000000000000000000000..7f50583cdbd6efe9e2758d96af768a0a745c3be2 GIT binary patch literal 117 zcmV-*0E+(rM@dveQdv+`05%#)gT~G>>-yy>Y3k;8_va!kk+8)ezjT)4AWVG zT;S?kRCtM5a<>?U3_Kfx(oP4(3i9IfCIe47g6g{BV{XPPMCazZm|7E|1dc;!4;6IW!iAjMtWF~MuRp?+{G Ll-^+c-@8|-H6a)& literal 0 HcmV?d00001 diff --git a/secrets/mealie.env b/secrets/mealie.env new file mode 100644 index 0000000000000000000000000000000000000000..a58e71a59eb07fd52d1b3824265c186d48a5c7ac GIT binary patch literal 170 zcmV;b09F40M@dveQdv+`07+iIaJXuZ)HrC!qEZ)_0HDZ;pLX%UP&APMO*RLbGk!>~ zH_f|~We9oZ(^aJa6I4lsSl~`6f+}qlsd9_9Ymj!x#2?-v*yb;m6zZT_sJxR?)j8Iz z$PrNmTqtHb)MAAr>p+gT#E&v}IX9jg)M!s5t%|mNT#Qn1EYK+2mj5FWDFNUIMoyP$+~Ek15#Mzs9!}Nd1s=ouE|3zB zlL?5fVM-0=Tx2DGKIe&P6XwH BLK6T0 literal 0 HcmV?d00001 diff --git a/secrets/meilisearch.env b/secrets/meilisearch.env new file mode 100644 index 0000000000000000000000000000000000000000..56e510e6999f8cc1cc62ba66f5cca7e0a87654da GIT binary patch literal 88 zcmV-e0H^-|M@dveQdv+`0HdJRvpl99yBE(${)qR{IFNSjro2Y1#nJw0bzwzEFoDi$ ulVn$)A{;%BU3#f9NVlc&ob{F7YYmB2+Kpx?Cw^EJrBhUf4nOIgS=P!!b}D@U literal 0 HcmV?d00001 
diff --git a/secrets/navidrome.env b/secrets/navidrome.env new file mode 100644 index 0000000000000000000000000000000000000000..832d22233b05378934ecbc641e5545acea33bc8b GIT binary patch literal 122 zcmV-=0EPbmM@dveQdv+`00_f$wXn10FjE=njbjxA8^&QpK^FtA-8`U?>t9@ML&lE6 z7Qt1V?x6_#i?PW8o;DMXu&^CX%B2 Fj-dN27B>I@ literal 0 HcmV?d00001 diff --git a/secrets/photoprism.env b/secrets/photoprism.env new file mode 100644 index 0000000000000000000000000000000000000000..23158991ba2fd89cb5c3c36384693312c9aed88e GIT binary patch literal 110 zcmV-!0FnOyM@dveQdv+`0FH6|tQLYAhBI8PzG9M%E?dX|Om&a`hfY18^X5=EF$T5; zl3a7a(w~ir;Ll&7o~&>m>ZXOV)ZQ22lj}YcJ5Ps&0xbBhk>_Xc3%)dVS=|9a8=k;j QgseUMuX#)r*=8PaCZTF33 z0VPQ^FcmZ27_+TV4CdAtF5z4-p-oN=)rfCkk4%m2qE@K4*Q};U$brkG$12Uu)HIhU r#1c9rdN#Q>QvF*}#~lm=tjhHi0(88zITRz7AqS(iIh0*~Se~0hc*;9t literal 0 HcmV?d00001 diff --git a/secrets/snibox.env b/secrets/snibox.env new file mode 100644 index 0000000000000000000000000000000000000000..62b839554358156a2726fb190ec0ab9329539fbb GIT binary patch literal 79 zcmV-V0I>f6M@dveQdv+`05g$}sph*iNJNriOx1JZ{*P8$)lj4RX5H|q%FxXl3EbEL lnMhFkeS(?T8jIC{e_E5X&d(pOp0>Jpm!|8uY8&kT2TX$AXh-PN8Ltp8+RSYgzZ9 zmz&?|At|5ppLwlis>W}zqJe^mhD_$=b!xQ)>`7Om^-GAA^|P)AM!%Pe)Ql4-V6UP0@$4Xa|NYp9NdN!< literal 127 zcmV-_0D%7hM@dveQdv+`07<^hr#y|MHmEq6_To154GBIFl4$h6QMs){JYV^N;}1pL z&eMK33UH-&jn}R!p4oY}B7nY}_WU{f#VR7UQK+#JnIU-eTCuOU`z`Hiwhh7y+3Q{| h(SIAoyBC$G4G{kZb-Uf+D@<(oq(E1bbQ5Gc5@1mQK05#a diff --git a/services/jelu.yml b/services/jelu.yml index cd1fffa..24ff19d 100644 --- a/services/jelu.yml +++ b/services/jelu.yml @@ -19,7 +19,7 @@ services: environment: SERVER_PORT: 80 SPRING_DATASOURCE_USERNAME: lukas - SPRING_DATASOURCE_PASSWORD: Q^k5i2^hN!wmEr6JLkYP9ME + # SPRING_DATASOURCE_PASSWORD provided via secrets/jelu.env JELU_CORS_ALLOWED-ORIGINS: https://jelu.${DOMAIN} restart: unless-stopped diff --git a/services/komga.yml b/services/komga.yml index dbebc4e..604e56c 100644 --- a/services/komga.yml +++ b/services/komga.yml 
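Review bot: The jelu hunk removes `SPRING_DATASOURCE_PASSWORD` from `environment:` but, unlike the komf and openldap hunks that follow, adds no `env_file:` entry for `secrets/jelu.env`; the commit message says the password was appended to the existing encrypted file, so presumably the service already references it outside the hunk — confirm, because otherwise jelu starts with no datasource password at all. The enclosing `jelu` service definition begins before the hunk. If the reference is missing, the fix is the same two lines used elsewhere in this patch, `env_file:` / `- ../secrets/jelu.env`, placed above `environment:`.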
@@ -45,7 +45,7 @@ configs:
 kavita:
 baseUri: "http://localhost:5000" #or env:KOMF_KAVITA_BASE_URI
- apiKey: "16707507-d05d-4696-b126-c3976ae14ffb" #or env:KOMF_KAVITA_API_KEY
+ apiKey: # set via env:KOMF_KAVITA_API_KEY (secrets/komf.env)
 eventListener:
 enabled: false # if disabled will not connect to kavita and won't pick up newly added entries
 metadataLibraryFilter: [ ] # listen to all events if empty
@@ -194,12 +194,14 @@ services:
 user: 1000:100
 ports:
 - "8085:8085"
+ env_file:
+ - ../secrets/komf.env
 environment:
 - KOMF_KOMGA_BASE_URI=http://komga:25600
 - KOMF_KOMGA_USER=lukas@kucharczyk.xyz
- - KOMF_KOMGA_PASSWORD=kRalovna12514265!
+ # KOMF_KOMGA_PASSWORD provided via secrets/komf.env
 - KOMF_KAVITA_BASE_URI=http://kavita:${KAVITA_INTERNAL_PORT}
- - KOMF_KAVITA_API_KEY=c8023836-7aab-46ed-9409-c24b950002d4
+ # KOMF_KAVITA_API_KEY provided via secrets/komf.env
 - KOMF_LOG_LEVEL=INFO
 - JAVA_TOOL_OPTIONS=-XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -XX:ShenandoahGCHeuristics=compact -XX:ShenandoahGuaranteedGCInterval=3600000 -XX:TrimNativeHeapInterval=3600000
 configs:
diff --git a/services/openldap.yml b/services/openldap.yml
index 9bb665d..a5519f7 100644
--- a/services/openldap.yml
+++ b/services/openldap.yml
@@ -12,13 +12,15 @@ services:
 volumes:
 - "${DOCKER_STORAGE_PATH}/openldap/config:/etc/ldap/slapd.d"
 - "${DOCKER_STORAGE_PATH}/openldap/data:/var/lib/ldap"
+ env_file:
+ - ../secrets/openldap.env
 environment:
 - LDAP_ORGANISATION=Homelab
 - LDAP_DOMAIN=${DOMAIN}
- - LDAP_ADMIN_PASSWORD=kral
+ # LDAP_ADMIN_PASSWORD provided via secrets/openldap.env
 - LDAP_OPENLDAP_UID=${PUID}
 - LDAP_OPENLDAP_GID=${PGID}
 - LDAP_READONLY_USER=true
 - LDAP_READONLY_USER_USERNAME=readonly
- - LDAP_READONLY_USER_PASSWORD=readonly
+ # LDAP_READONLY_USER_PASSWORD provided via secrets/openldap.env
 restart: unless-stopped
diff --git a/snibox.env b/snibox.env
deleted file mode 100644
index 5f0d1e1..0000000
--- a/snibox.env
+++ /dev/null
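Review bot: `apiKey:` followed only by a comment is not an absent key — YAML parses it as an explicit null, which a config loader may treat differently from "not set". The original inline comment documents the env var only as an alternative to a literal value, so whether komf falls back to `KOMF_KAVITA_API_KEY` when the key is present but null is not established by this hunk. If that fallback is not certain, remove the key and keep the pointer as a comment line: `# apiKey: supplied via env KOMF_KAVITA_API_KEY (secrets/komf.env)`.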
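Review bot: `- ../secrets/komf.env` (and `- ../secrets/openldap.env` in the services/openldap.yml hunk on the same line) only resolves correctly if `services/*.yml` are pulled in with `include:`, where relative paths are taken from the included file's directory; when files are combined with `-f` or `COMPOSE_FILE`, relative paths resolve against the project directory and `../secrets/` then points outside the repository. The root-level files in this patch use `secrets/...`, so the two spellings cannot both be right under every load method — confirm how the `services/` files are loaded and note it in a comment beside the entry, e.g. `# path is relative to this file because it is loaded via include:`.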
@@ -1,2 +0,0 @@
-SECRET_KEY_BASE=sMHYqzrgJQgPynv6ZDG7M8ZpF
-FORCE_SSL=false
\ No newline at end of file
diff --git a/valheim.env b/valheim.env
index e341220..dc50763 100644
--- a/valheim.env
+++ b/valheim.env
@@ -1,4 +1,4 @@
 SERVER_NAME=LukasJirkaDominik
 WORLD_NAME=Mujnovyserver
-SERVER_PASS=heslo
+# SERVER_PASS provided via secrets/valheim.env
 VALHEIM_PLUS=true
\ No newline at end of file
-- 
2.52.0