docker-compose-templates/baserow.env at 5aa85b0920be0135e49a3583367c5715ef4760f8 - docker-compose-templates - Gitea: Git with a cup of tea

homelab/docker-compose-templates

Files

T

lukas 5aa85b0920 secrets: migrate exposed plaintext secrets to git-crypt

Move all hardcoded credentials out of tracked compose/env files into the
git-crypt-encrypted secrets/ directory, using each app's supported mechanism:

- env_file -> secrets/*.env: mealie, navidrome, karakeep, meilisearch,
  baserow, maloja, valheim, photoprism, komf, openldap, penpot, vaultwarden
- file:///run/secrets: authentik email password
- jelu DB password appended to existing secrets/jelu.env

Untrack root .env (interpolated ${VAR} secrets) and add sanitized
.env.example template; gitignore /.env.

Move unreferenced orphan files (mediawiki/rtorrent/snibox .env) into
secrets/ to preserve values while encrypting them.

Add SECURITY.md documenting the secrets conventions and a rotation
checklist. NOTE: all migrated values remain in prior git history and
must be rotated at their providers.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

2026-06-12 13:15:25 +02:00

12 lines

359 B

Bash

Raw Blame History

 BASEROW_PUBLIC_URL=https://baserow.${DOMAIN}
 DATABASE_HOST=${POSTGRES_HOST}
 DATABASE_NAME=baserow
 DATABASE_USER=baserow
 # DATABASE_PASSWORD provided via secrets/baserow.env
 EMAIL_SMTP=1
 EMAIL_SMTP_HOST=${EMAIL_HOST}
 EMAIL_SMTP_PASSWORD=${EMAIL_PASSWORD}
 EMAIL_SMTP_PORT=${EMAIL_PORT}
 EMAIL_SMTP_USE_TLS=1
 EMAIL_SMTP_USER=${EMAIL_FROM}
 FROM_EMAIL=${EMAIL_FROM}