Harden compose secrets and add required provisioning docs

2026-04-07 16:12:50 +10:00
parent 417973b1cb
commit 3c2d28c763
14 changed files with 242 additions and 93 deletions
@@ -0,0 +1,9 @@
 # Copy this file to default-environment.env (non-secret defaults) and update values.
 PROJECT_ROOT=/path/to/docker
 DOMAIN=example.com
 TZ=Etc/UTC
 EMAIL=admin@example.com
 # Required secret file path used by compose services.
 # Create this file from secrets/.env.secrets.example and keep it out of git.
 SECRETS_ENV_FILE=${PROJECT_ROOT}/secrets/stack-secrets.env
@@ -21,4 +21,6 @@ apps/searxng/*
 venv/
 core/authelia/users_database.yml
 monitoring/influxdb/*
-
+secrets/*
 !secrets/.env.secrets.example
 !.env.example
@@ -0,0 +1,49 @@
 # Deployment prerequisites (required)
 Before running `docker compose up`, you **must** provision runtime secrets.
 ## 1) Create non-committed secret files
 ```bash
 cp secrets/.env.secrets.example secrets/stack-secrets.env
 chmod 600 secrets/stack-secrets.env
 ```
 Create these Docker secret files (all ignored by git):
 - `secrets/nextcloud_db_root_password.txt`
 - `secrets/nextcloud_db_password.txt`
 - `secrets/nextcloud_admin_password.txt`
 - `secrets/nextcloud_smtp_password.txt`
 - `secrets/nextcloud_redis_password.txt`
 - `secrets/passbolt_db_password.txt`
 - `secrets/gramps_db_password.txt`
 - `secrets/influxdb_init_password.txt`
 - `secrets/prometheus_kuma_basic_auth_password.txt`
 Recommended permissions:
 ```bash
 chmod 600 secrets/*.txt
 ```
 ## 2) Rotate previously committed credentials
 These values were previously hardcoded and must be rotated in upstream systems immediately:
 - Database credentials (Nextcloud, Passbolt, Gramps, InfluxDB).
 - Nextcloud SMTP app password.
 - Authelia reset JWT secret, session secret, storage encryption key.
 - Traefik CrowdSec LAPI key.
 - Gotify admin password.
 - Prometheus Uptime Kuma basic-auth password.
 ## 3) Start stack
 After secrets are provisioned:
 ```bash
 docker compose -f core/docker-compose.yml up -d
 docker compose -f monitoring/prometheus/docker-compose.yml up -d
 docker compose -f apps/nextcloud/docker-compose.yml up -d
 ```
@@ -0,0 +1,31 @@
 # Credential Inventory (apps/, core/, monitoring/)
 ## apps/
 - `apps/nextcloud/docker-compose.yml`
  - `MYSQL_PASSWORD` (nextcloud-webapp) -> `MYSQL_PASSWORD_FILE` + Docker secret.
  - `SMTP_PASSWORD` -> `SMTP_PASSWORD_FILE` + Docker secret.
  - `REDIS_HOST_PASSWORD` -> `REDIS_HOST_PASSWORD_FILE` + Docker secret.
  - `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, `NEXTCLOUD_ADMIN_PASSWORD` (nextcloud-db) -> `_FILE` variants + Docker secrets.
  - Redis `--requirepass` inline value -> read from Docker secret at runtime.
 - `apps/passbolt/docker-compose.yml`
  - `MYSQL_PASSWORD`, `DATASOURCES_DEFAULT_PASSWORD` -> `_FILE` variants + Docker secret.
 - `apps/gramps/docker-compose.yml`
  - `POSTGRES_PASSWORD` -> `POSTGRES_PASSWORD_FILE` + Docker secret.
  - `DB_URI` password + `INITIAL_ADMIN_PASSWORD` -> env references from non-committed secrets env file.
 ## core/
 - `core/authelia/configuration.yml`
  - `identity_validation.reset_password.jwt_secret` -> `${AUTHELIA_JWT_SECRET}`.
  - `session.secret` -> `${AUTHELIA_SESSION_SECRET}`.
  - `storage.encryption_key` -> `${AUTHELIA_STORAGE_ENCRYPTION_KEY}`.
 - `core/traefik/dynamic.yml`
  - `crowdsecLapiKey` -> `${CROWDSEC_LAPI_KEY}`.
 ## monitoring/
 - `monitoring/gotify/docker-compose.yml`
  - `GOTIFY_DEFAULTUSER_PASS` -> `${GOTIFY_DEFAULTUSER_PASS}` from non-committed secrets env file.
 - `monitoring/prometheus/docker-compose.yml`
  - `DOCKER_INFLUXDB_INIT_PASSWORD` -> `DOCKER_INFLUXDB_INIT_PASSWORD_FILE` + Docker secret.
  - `PIHOLE_PASSWORD` -> `${PIHOLE_PASSWORD}` from non-committed secrets env file.
 - `monitoring/prometheus/prometheus.yml`
  - Uptime Kuma basic_auth `password` -> `password_file` mounted from non-committed secret file.
@@ -4,22 +4,25 @@ services:
    image: postgres:13
    container_name: gramps-db
    restart: always
    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
-      POSTGRES_USER: gramps
+      POSTGRES_USER: ${GRAMPS_DB_USER}
-      POSTGRES_PASSWORD: grampspassword
+      POSTGRES_PASSWORD_FILE: /run/secrets/gramps_db_password
-      POSTGRES_DB: gramps
+      POSTGRES_DB: ${GRAMPS_DB_NAME}
    secrets:
      - gramps_db_password
    volumes:
      - ${PROJECT_ROOT}/apps/gramps/db:/var/lib/postgresql
    networks:
      - gramps
    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -h db -p 5432 -U gramps -d gramps"]
+      test: ["CMD-SHELL", "pg_isready -h gramps-db -p 5432 -U $$POSTGRES_USER -d $$POSTGRES_DB"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 30s
  grampsweb:
    profiles: ["apps","all","gramps"]
    image: ghcr.io/gramps-project/grampsweb:latest
@@ -27,15 +30,13 @@ services:
    depends_on:
      - gramps-db
    restart: always
-#    ports:
+    env_file:
-#      - "5000:5000"          # access via http://localhost:5000
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
-      DB_URI: postgresql://gramps:grampspassword@db:5432/gramps
+      DB_URI: postgresql://${GRAMPS_DB_USER}:${GRAMPS_DB_PASSWORD}@gramps-db:5432/${GRAMPS_DB_NAME}
      GRAMPSWEB_LOGLEVEL: INFO
-      # default admin user created on first run:
+      INITIAL_ADMIN: ${GRAMPS_INITIAL_ADMIN}
-      INITIAL_ADMIN: admin
+      INITIAL_ADMIN_PASSWORD: ${GRAMPS_INITIAL_ADMIN_PASSWORD}
      INITIAL_ADMIN_PASSWORD: admin
      # optional: storage paths inside container
      GRAMPSWEB_MEDIAPATH: /app/media
      GRAMPSWEB_TREE: "main"
    volumes:
@@ -62,10 +63,9 @@ services:
      retries: 6
      start_period: 60s
 networks:
 #  traefik_reverse_proxy:
 #    external: true
  gramps:
-#    driver: bridge
+
 secrets:
  gramps_db_password:
    file: ${PROJECT_ROOT}/secrets/gramps_db_password.txt
@@ -1,12 +1,13 @@
 services:
  nextcloud-webapp:
 #    image: nextcloud:production
    profiles: ["apps","all","nextcloud"]
    build:
      context: ${PROJECT_ROOT}/apps/nextcloud
    container_name: nextcloud-webapp
    restart: always
    hostname: nextcloud.lan.ddnsgeek.com
    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/apps/nextcloud/data:/var/www/html/data:rw
      - ${PROJECT_ROOT}/apps/nextcloud/config:/var/www/html/config:rw
@@ -16,26 +17,28 @@ services:
      - nextcloud-db
      - nextcloud-redis
    environment:
-      - MYSQL_PASSWORD=R1m@dmin
+      - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
-      - MYSQL_DATABASE=nextcloud
+      - MYSQL_DATABASE=${NEXTCLOUD_DB_NAME}
-      - MYSQL_USER=nextcloud
+      - MYSQL_USER=${NEXTCLOUD_DB_USER}
      - MYSQL_HOST=nextcloud_db:3306
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.lan.ddnsgeek.com
      - OVERWRITEPROTOCOL=https
      - OVERWRITECLIURL=https://nextcloud.lan.ddnsgeek.com
      - SMTP_HOST=smtp.gmail.com
      - SMTP_SECURE=tls
      - SMTP_PORT=587
      - SMTP_AUTHTYPE=login
-      - MAIL_FROM_ADDRESS=beatz174
+      - MAIL_FROM_ADDRESS=${NEXTCLOUD_SMTP_FROM_ADDRESS}
-      - MAIL_DOMAIN=gmail.com
+      - MAIL_DOMAIN=${NEXTCLOUD_SMTP_DOMAIN}
-      - SMTP_NAME=beatz174@gmail.com
+      - SMTP_NAME=${NEXTCLOUD_SMTP_NAME}
-      - SMTP_PASSWORD=kqdw fvml wlag ldgv
+      - SMTP_PASSWORD_FILE=/run/secrets/nextcloud_smtp_password
      - REDIS_HOST=redis
      - REDIS_HOST_PORT=6379
-      - REDIS_HOST_PASSWORD=TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n
+      - REDIS_HOST_PASSWORD_FILE=/run/secrets/nextcloud_redis_password
    secrets:
      - nextcloud_db_password
      - nextcloud_smtp_password
      - nextcloud_redis_password
    networks:
      - traefik
      - nextcloud
@@ -54,7 +57,6 @@ services:
      - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.regex=https://(.*)/.well-known/webfinger"
      - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.replacement=https://$${1}/nextcloud/index.php/.well-known/webfinger"
      - "traefik.docker.network=core_traefik"
    healthcheck:
      test:
        - CMD-SHELL
@@ -68,9 +70,6 @@ services:
      retries: 6
      start_period: 180s
  nextcloud-db:
    image: mariadb:11.4
    restart: always
@@ -78,36 +77,41 @@ services:
    container_name: nextcloud-db
    hostname: nextcloud_db
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/apps/nextcloud/database:/var/lib/mysql:rw
    environment:
-      - MYSQL_ROOT_PASSWORD=R1m@dmin
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/nextcloud_db_root_password
-      - MYSQL_PASSWORD=R1m@dmin
+      - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
-      - MYSQL_DATABASE=nextcloud
+      - MYSQL_DATABASE=${NEXTCLOUD_DB_NAME}
-      - MYSQL_USER=nextcloud
+      - MYSQL_USER=${NEXTCLOUD_DB_USER}
      - MARIADB_AUTO_UPGRADE=1
-      - NEXTCLOUD_ADMIN_USER=admin
+      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
-      - NEXTCLOUD_ADMIN_PASSWORD=R1m@dmin
+      - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
    secrets:
      - nextcloud_db_root_password
      - nextcloud_db_password
      - nextcloud_admin_password
    networks:
      - nextcloud
    labels:
      - "io.portainer.accesscontrol.public"
    healthcheck:
-      test: ["CMD-SHELL", "mariadb-admin ping -u nextcloud --password=R1m@dmin --silent"]
+      test: ["CMD-SHELL", "mariadb-admin ping -u $$MYSQL_USER --password=$$(cat /run/secrets/nextcloud_db_password) --silent"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 60s
  nextcloud-redis:
    image: "redis"
    profiles: ["apps","all","nextcloud"]
-    command: ["redis-server", "--requirepass", "TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n", "--appendonly", "yes", "--save", "60", "1000"]
+    command: ["sh", "-c", "redis-server --requirepass \"$$(cat /run/secrets/nextcloud_redis_password)\" --appendonly yes --save 60 1000"]
    hostname: redis
    container_name: nextcloud-redis
-    environment:
+    secrets:
-      - REDIS_HOST_PASSWORD=TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n
+      - nextcloud_redis_password
    volumes:
      - ${PROJECT_ROOT}/apps/nextcloud/data/redis:/data:rw
    restart: always
@@ -116,15 +120,23 @@ services:
    labels:
      - "io.portainer.accesscontrol.public"
    healthcheck:
-      test: ["CMD-SHELL", "redis-cli -a TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n PING | grep -q PONG"]
+      test: ["CMD-SHELL", "redis-cli -a \"$$(cat /run/secrets/nextcloud_redis_password)\" PING | grep -q PONG"]
      interval: 10s
      timeout: 5s
      retries: 6
      start_period: 10s
 networks:
 #  traefik_reverse_proxy:
 #    external: true
  nextcloud:
-#    driver: bridge
+
 secrets:
  nextcloud_db_root_password:
    file: ${PROJECT_ROOT}/secrets/nextcloud_db_root_password.txt
  nextcloud_db_password:
    file: ${PROJECT_ROOT}/secrets/nextcloud_db_password.txt
  nextcloud_admin_password:
    file: ${PROJECT_ROOT}/secrets/nextcloud_admin_password.txt
  nextcloud_smtp_password:
    file: ${PROJECT_ROOT}/secrets/nextcloud_smtp_password.txt
  nextcloud_redis_password:
    file: ${PROJECT_ROOT}/secrets/nextcloud_redis_password.txt
@@ -4,17 +4,21 @@ services:
    container_name: passbolt-db
    image: mariadb:12
    restart: always
    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
-      MYSQL_DATABASE: "passbolt"
+      MYSQL_DATABASE: ${PASSBOLT_DB_NAME}
-      MYSQL_USER: "passbolt"
+      MYSQL_USER: ${PASSBOLT_DB_USER}
-      MYSQL_PASSWORD: "P4ssb0lt"
+      MYSQL_PASSWORD_FILE: /run/secrets/passbolt_db_password
    secrets:
      - passbolt_db_password
    volumes:
      - ${PROJECT_ROOT}/apps/passbolt/data/database:/var/lib/mysql
    networks:
      - passbolt
    healthcheck:
-      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
+      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MYSQL_USER\" -p\"$$(cat /run/secrets/passbolt_db_password)\" --silent"]
      interval: 10s
      timeout: 5s
      retries: 12
@@ -22,22 +26,24 @@ services:
    labels:
       - "io.portainer.accesscontrol.public"
  passbolt-webapp:
    image: passbolt/passbolt:latest-ce
    profiles: ["apps","all","passbolt"]
    container_name: passbolt-webapp
    #Alternatively you can use rootless:
    restart: always
    depends_on:
      - passbolt-db
    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
      APP_FULL_BASE_URL: https://passbolt.lan.ddnsgeek.com
      DATASOURCES_DEFAULT_HOST: "passbolt-db"
-      DATASOURCES_DEFAULT_USERNAME: "passbolt"
+      DATASOURCES_DEFAULT_USERNAME: ${PASSBOLT_DB_USER}
-      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
+      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/passbolt_db_password
-      DATASOURCES_DEFAULT_DATABASE: "passbolt"
+      DATASOURCES_DEFAULT_DATABASE: ${PASSBOLT_DB_NAME}
      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "CBBB2B8F3E9FACA114537ACB8965B750F7363586"
    secrets:
      - passbolt_db_password
    volumes:
      - ${PROJECT_ROOT}/apps/passbolt/data/gpg:/etc/passbolt/gpg
      - ${PROJECT_ROOT}/apps/passbolt/data/jwt:/etc/passbolt/jwt
@@ -60,20 +66,16 @@ services:
      - "traefik.http.routers.passbolt.tls.certresolver=myresolver"
      - "io.portainer.accesscontrol.public"
      - "traefik.docker.network=core_traefik"
    healthcheck:
      test: ["CMD-SHELL", "curl -fsS http://localhost/healthcheck/status | grep -qx OK"]
 #        su -s /bin/sh -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
 #        | grep -q "No error found"
      interval: 30s
      timeout: 10s
      retries: 6
      start_period: 120s
 networks:
 #  traefik_reverse_proxy:
 #    external: true
 #  internal:
 #    driver: bridge
  passbolt:
 secrets:
  passbolt_db_password:
    file: ${PROJECT_ROOT}/secrets/passbolt_db_password.txt
@@ -3,16 +3,16 @@ server.address: tcp://0.0.0.0:9091
 log:
  level: info
-identity_validation.reset_password.jwt_secret: T72Xcxa4d7xpQRypFDZpunlZt0IjqspojmBlxBr69gnkRjzR144YgjZsgFYZK0gS
+identity_validation.reset_password.jwt_secret: ${AUTHELIA_JWT_SECRET}
 session:
-  secret: BYksO7YUAJ8gXx9Endgpe46RgB10nkeKpD1qcQPt0GuYGQm2pS2zjJtNOrCEqpav
+  secret: ${AUTHELIA_SESSION_SECRET}
  cookies:
    - domain: lan.ddnsgeek.com
      authelia_url: https://auth.lan.ddnsgeek.com
 storage:
-  encryption_key: N7mkWziClgDhLgZDRkRwU6jEHmGF6ciOt53pzoFcZ0meEV1AZCC5bWZd24jeu19y
+  encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
  local:
    path: /config/data/db.sqlite3
@@ -23,8 +23,6 @@ authentication_backend:
 access_control:
  default_policy: deny
  rules:
 #    - domain: "*.lan.ddnsgeek.com"
 #      policy: two_factor
    - domain: alertmanager.lan.ddnsgeek.com
      resources:
        - "^/api/.*"
@@ -45,7 +43,6 @@ access_control:
        - "^/metrics"
      policy: bypass
    - domain: "*.lan.ddnsgeek.com"
      policy: two_factor
@@ -17,6 +17,8 @@ services:
    build:
      context: ${PROJECT_ROOT}/core
    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -52,6 +54,7 @@ services:
    restart: always
    environment:
      - COLLECTIONS=crowdsecurity/traefik
      - CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY}
    volumes:
      - ${PROJECT_ROOT}/core/crowdsec/logs:/logs:ro
      - ${PROJECT_ROOT}/core/crowdsec/data:/var/lib/crowdsec/data
@@ -99,6 +102,8 @@ services:
    restart: always
    build:
      context: ${PROJECT_ROOT}/core/authelia
    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/core/authelia:/config
    networks:
@@ -4,7 +4,7 @@ http:
      plugin:
        crowdsec-bouncer:
          crowdsecMode: live
-          crowdsecLapiKey: HeneLa2mazFVzl5+DQRKOdchBuJxKdjrHsHBE/03Acs
+          crowdsecLapiKey: ${CROWDSEC_LAPI_KEY}
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiScheme: http
@@ -4,20 +4,17 @@ services:
    image: gotify/server:latest
    container_name: gotify
    restart: always
-
+    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/monitoring/gotify/data:/app/data
    environment:
      - TZ=${TZ}
-      - GOTIFY_DEFAULTUSER_NAME=admin
+      - GOTIFY_DEFAULTUSER_NAME=${GOTIFY_DEFAULTUSER_NAME}
-      - GOTIFY_DEFAULTUSER_PASS=R1m@dmin
+      - GOTIFY_DEFAULTUSER_PASS=${GOTIFY_DEFAULTUSER_PASS}
      - GOTIFY_REGISTRATION=false
    networks:
 #      - traefik_reverse_proxy
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=core_traefik"
@@ -26,7 +23,3 @@ services:
      - "traefik.http.routers.gotify.entrypoints=websecure"
      - "traefik.http.routers.gotify.tls.certresolver=myresolver"
      - "traefik.http.services.gotify.loadbalancer.server.port=80"
 #networks:
 #  traefik_reverse_proxy:
 #    external: true
@@ -4,6 +4,8 @@ services:
  prometheus:
    profiles: ["monitoring","all","prometheus"]
    image: prom/prometheus:latest
    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    container_name: prometheus
    depends_on:
 #      - alertmanager
@@ -22,6 +24,7 @@ services:
      - ${PROJECT_ROOT}/monitoring/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - ${PROJECT_ROOT}/monitoring/prometheus/data:/prometheus
      - ${PROJECT_ROOT}/monitoring/prometheus/rules:/etc/prometheus/rules:ro
      - ${PROJECT_ROOT}/secrets/prometheus_kuma_basic_auth_password.txt:/run/secrets/prometheus_kuma_basic_auth_password:ro
    restart: unless-stopped
    labels:
@@ -53,7 +56,7 @@ services:
 #    volumes:
 #      - ./alertmanager/alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
 #    restart: unless-stopped
-#    networks:
+#    secrets:
 #      - edge
 #      - traefik_reverse_proxy
 #    healthcheck:
@@ -101,14 +104,18 @@ services:
    image: influxdb:2.7
    container_name: influxdb
    restart: unless-stopped
    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/monitoring/influxdb:/var/lib/influxdb2
    environment:
      DOCKER_INFLUXDB_INIT_MODE: setup
-      DOCKER_INFLUXDB_INIT_USERNAME: admin
+      DOCKER_INFLUXDB_INIT_USERNAME: ${INFLUXDB_INIT_USERNAME}
-      DOCKER_INFLUXDB_INIT_PASSWORD: adminpassword
+      DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influxdb_init_password
-      DOCKER_INFLUXDB_INIT_ORG: pbs
+      DOCKER_INFLUXDB_INIT_ORG: ${INFLUXDB_INIT_ORG}
-      DOCKER_INFLUXDB_INIT_BUCKET: telemetry
+      DOCKER_INFLUXDB_INIT_BUCKET: ${INFLUXDB_INIT_BUCKET}
    secrets:
      - influxdb_init_password
    networks:
 #      - edge
 #      - traefik_reverse_proxy
@@ -205,9 +212,11 @@ services:
    profiles: ["monitoring","all","prometheus-exporters"]
    image: ekofr/pihole-exporter:latest
    container_name: pihole-exporter
    env_file:
      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
-      PIHOLE_HOSTNAME: pihole.sweet.home
+      PIHOLE_HOSTNAME: ${PIHOLE_HOSTNAME}
-      PIHOLE_PASSWORD: ""
+      PIHOLE_PASSWORD: ${PIHOLE_PASSWORD}
      PORT: 9617
    ports:
      - "9617:9617"
@@ -228,3 +237,8 @@ services:
 #    external: true
 secrets:
  influxdb_init_password:
    file: ${PROJECT_ROOT}/secrets/influxdb_init_password.txt
@@ -95,8 +95,8 @@ scrape_configs:
    scrape_interval: 30s
    basic_auth:
-      username: wayne.bennett@live.com
+      username: ${PROMETHEUS_KUMA_BASIC_AUTH_USERNAME}
-      password: '4vjCco?[%{=+,t`):C'
+      password_file: /run/secrets/prometheus_kuma_basic_auth_password
    static_configs:
      - targets:
@@ -0,0 +1,35 @@
 # Copy to secrets/stack-secrets.env and set real values.
 # Do NOT commit secrets/stack-secrets.env.
 NEXTCLOUD_DB_NAME=nextcloud
 NEXTCLOUD_DB_USER=nextcloud
 NEXTCLOUD_ADMIN_USER=admin
 NEXTCLOUD_SMTP_FROM_ADDRESS=mailuser
 NEXTCLOUD_SMTP_DOMAIN=example.com
 NEXTCLOUD_SMTP_NAME=mailuser@example.com
 PASSBOLT_DB_NAME=passbolt
 PASSBOLT_DB_USER=passbolt
 GRAMPS_DB_NAME=gramps
 GRAMPS_DB_USER=gramps
 GRAMPS_DB_PASSWORD=CHANGE_ME
 GRAMPS_INITIAL_ADMIN=admin
 GRAMPS_INITIAL_ADMIN_PASSWORD=CHANGE_ME
 GOTIFY_DEFAULTUSER_NAME=admin
 GOTIFY_DEFAULTUSER_PASS=CHANGE_ME
 INFLUXDB_INIT_USERNAME=admin
 INFLUXDB_INIT_ORG=homelab
 INFLUXDB_INIT_BUCKET=telemetry
 PIHOLE_HOSTNAME=pihole.example.com
 PIHOLE_PASSWORD=CHANGE_ME
 PROMETHEUS_KUMA_BASIC_AUTH_USERNAME=monitoring@example.com
 AUTHELIA_JWT_SECRET=CHANGE_ME
 AUTHELIA_SESSION_SECRET=CHANGE_ME
 AUTHELIA_STORAGE_ENCRYPTION_KEY=CHANGE_ME
 CROWDSEC_LAPI_KEY=CHANGE_ME