Refactor secrets inventory into docs + machine-readable JSON

2026-04-21 11:24:45 +10:00
parent 451be4ab0d
commit 9f36dabcdc
9 changed files with 214 additions and 64 deletions
@@ -0,0 +1,49 @@
+# Deployment Prerequisites
+
+Before running compose operations, provision local secret material.
+
+## 1) Create non-committed secret env file
+
+```bash
+cp secrets/.env.secrets.example secrets/stack-secrets.env
+chmod 600 secrets/stack-secrets.env
+```
+
+## 2) Create required Docker secret files
+
+All files below are expected locally and are gitignored:
+
+- `secrets/nextcloud_db_root_password.txt`
+- `secrets/nextcloud_db_password.txt`
+- `secrets/nextcloud_admin_password.txt`
+- `secrets/nextcloud_smtp_password.txt`
+- `secrets/nextcloud_redis_password.txt`
+- `secrets/passbolt_db_password.txt`
+- `secrets/influxdb_init_password.txt`
+- `secrets/prometheus_kuma_basic_auth_password.txt`
+
+Recommended permissions:
+
+```bash
+chmod 600 secrets/*.txt
+```
+
+## 3) Validate composed configuration
+
+Use the repository composition entrypoint:
+
+```bash
+./services-up.sh --profile all config
+```
+
+This confirms compose rendering with shared env/network inputs before any runtime operation.
+
+## 4) Rotate previously committed credentials
+
+If migrating from older states where secrets were committed, rotate upstream values immediately (DB credentials, app passwords, auth keys, and API tokens).
+
+## Related docs
+
+- [`./security-secrets.md`](./security-secrets.md)
+- [`./docker-environment.md`](./docker-environment.md)
+- [`./source-of-truth.md`](./source-of-truth.md)