Harden compose secrets and add required provisioning docs

2026-04-07 16:12:50 +10:00
parent 417973b1cb
commit 3c2d28c763
14 changed files with 242 additions and 93 deletions
@@ -0,0 +1,49 @@
+# Deployment prerequisites (required)
+
+Before running `docker compose up`, you **must** provision runtime secrets.
+
+## 1) Create non-committed secret files
+
+```bash
+cp secrets/.env.secrets.example secrets/stack-secrets.env
+chmod 600 secrets/stack-secrets.env
+```
+
+Create these Docker secret files (all ignored by git):
+
+- `secrets/nextcloud_db_root_password.txt`
+- `secrets/nextcloud_db_password.txt`
+- `secrets/nextcloud_admin_password.txt`
+- `secrets/nextcloud_smtp_password.txt`
+- `secrets/nextcloud_redis_password.txt`
+- `secrets/passbolt_db_password.txt`
+- `secrets/gramps_db_password.txt`
+- `secrets/influxdb_init_password.txt`
+- `secrets/prometheus_kuma_basic_auth_password.txt`
+
+Recommended permissions:
+
+```bash
+chmod 600 secrets/*.txt
+```
+
+## 2) Rotate previously committed credentials
+
+These values were previously hardcoded and must be rotated in upstream systems immediately:
+
+- Database credentials (Nextcloud, Passbolt, Gramps, InfluxDB).
+- Nextcloud SMTP app password.
+- Authelia reset JWT secret, session secret, storage encryption key.
+- Traefik CrowdSec LAPI key.
+- Gotify admin password.
+- Prometheus Uptime Kuma basic-auth password.
+
+## 3) Start stack
+
+After secrets are provisioned:
+
+```bash
+docker compose -f core/docker-compose.yml up -d
+docker compose -f monitoring/prometheus/docker-compose.yml up -d
+docker compose -f apps/nextcloud/docker-compose.yml up -d
+```