lukas
5aa85b0920
Move all hardcoded credentials out of tracked compose/env files into the
git-crypt-encrypted secrets/ directory, using each app's supported mechanism:
- env_file -> secrets/*.env: mealie, navidrome, karakeep, meilisearch,
baserow, maloja, valheim, photoprism, komf, openldap, penpot, vaultwarden
- file:///run/secrets: authentik email password
- jelu DB password appended to existing secrets/jelu.env
Untrack root .env (interpolated ${VAR} secrets) and add sanitized
.env.example template; gitignore /.env.
Move unreferenced orphan files (mediawiki/rtorrent/snibox .env) into
secrets/ to preserve values while encrypting them.
Add SECURITY.md documenting the secrets conventions and a rotation
checklist. NOTE: all migrated values remain in prior git history and
must be rotated at their providers.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
11 lines
483 B
Bash
11 lines
483 B
Bash
# PHOTOPRISM_ADMIN_PASSWORD provided via secrets/photoprism.env
|
|
PHOTOPRISM_DATABASE_DRIVER=mysql
|
|
PHOTOPRISM_DATABASE_NAME=photoprism
|
|
# PHOTOPRISM_DATABASE_PASSWORD provided via secrets/photoprism.env
|
|
PHOTOPRISM_DATABASE_SERVER=mariadb
|
|
PHOTOPRISM_DATABASE_USER=photoprism
|
|
PHOTOPRISM_IMPORT_PATH=/photoprism/import
|
|
PHOTOPRISM_ORIGINALS_PATH=/photoprism/originals
|
|
PHOTOPRISM_SITE_URL=https://photoprism.${DOMAIN_LOCAL}
|
|
PHOTOPRISM_SPONSOR=true
|
|
PHOTOPRISM_STORAGE_PATH=/photoprism/storage |