Refactor secrets inventory into docs + machine-readable JSON

2026-04-21 11:24:45 +10:00
parent 451be4ab0d
commit 9f36dabcdc
9 changed files with 214 additions and 64 deletions
@@ -0,0 +1,152 @@
+{
+  "scope_and_authority": {
+    "canonical_example_template": "secrets/.env.secrets.example",
+    "runtime_loaded_secret_env_file": "secrets/stack-secrets.env",
+    "docker_secret_files_pattern": "secrets/*.txt"
+  },
+  "env_template_variables": [
+    {
+      "variable": "NEXTCLOUD_DB_USER",
+      "used_by": "apps/nextcloud/docker-compose.yml",
+      "purpose": "Nextcloud database username (non-secret identifier but environment-specific)."
+    },
+    {
+      "variable": "NEXTCLOUD_ADMIN_USER",
+      "used_by": "apps/nextcloud/docker-compose.yml",
+      "purpose": "Initial Nextcloud admin username."
+    },
+    {
+      "variable": "NEXTCLOUD_SMTP_FROM_ADDRESS",
+      "used_by": "apps/nextcloud/docker-compose.yml",
+      "purpose": "SMTP sender local-part for outbound mail configuration."
+    },
+    {
+      "variable": "NEXTCLOUD_SMTP_DOMAIN",
+      "used_by": "apps/nextcloud/docker-compose.yml",
+      "purpose": "SMTP sender domain for outbound mail configuration."
+    },
+    {
+      "variable": "NEXTCLOUD_SMTP_NAME",
+      "used_by": "apps/nextcloud/docker-compose.yml",
+      "purpose": "SMTP display/sender name derived from address + domain in the example file."
+    },
+    {
+      "variable": "PASSBOLT_DB_NAME",
+      "used_by": "apps/passbolt/docker-compose.yml",
+      "purpose": "Passbolt database name."
+    },
+    {
+      "variable": "PASSBOLT_DB_USER",
+      "used_by": "apps/passbolt/docker-compose.yml",
+      "purpose": "Passbolt database username."
+    },
+    {
+      "variable": "PASSBOLT_GPG_SERVER_KEY_FINGERPRINT",
+      "used_by": "apps/passbolt/docker-compose.yml",
+      "purpose": "Passbolt server GPG key fingerprint."
+    },
+    {
+      "variable": "GRAMPSWEB_SECRET_KEY",
+      "used_by": "apps/gramps/docker-compose.yml",
+      "purpose": "Secret key used by Gramps Web for session/security signing."
+    },
+    {
+      "variable": "GRAMPSWEB_EMAIL_HOST_USER",
+      "used_by": "apps/gramps/docker-compose.yml",
+      "purpose": "SMTP username for Gramps outbound email."
+    },
+    {
+      "variable": "GRAMPSWEB_EMAIL_HOST_PASSWORD",
+      "used_by": "apps/gramps/docker-compose.yml",
+      "purpose": "SMTP password for Gramps outbound email."
+    },
+    {
+      "variable": "GOTIFY_DEFAULTUSER_NAME",
+      "used_by": "monitoring/gotify/docker-compose.yml",
+      "purpose": "Gotify default username."
+    },
+    {
+      "variable": "GOTIFY_DEFAULTUSER_PASS",
+      "used_by": "monitoring/gotify/docker-compose.yml",
+      "purpose": "Gotify default user password."
+    },
+    {
+      "variable": "INFLUXDB_INIT_USERNAME",
+      "used_by": "monitoring/prometheus/docker-compose.yml",
+      "purpose": "InfluxDB initial username."
+    },
+    {
+      "variable": "PIHOLE_PASSWORD",
+      "used_by": "monitoring/prometheus/docker-compose.yml",
+      "purpose": "Exporter auth / Pi-hole integration password."
+    }
+  ],
+  "file_based_secrets": [
+    {
+      "path": "secrets/nextcloud_db_root_password.txt",
+      "purpose": "Nextcloud MariaDB root password file.",
+      "managed_by": "local_file",
+      "committed": false
+    },
+    {
+      "path": "secrets/nextcloud_db_password.txt",
+      "purpose": "Nextcloud MariaDB application user password file.",
+      "managed_by": "local_file",
+      "committed": false
+    },
+    {
+      "path": "secrets/nextcloud_admin_password.txt",
+      "purpose": "Initial Nextcloud admin password file.",
+      "managed_by": "local_file",
+      "committed": false
+    },
+    {
+      "path": "secrets/nextcloud_smtp_password.txt",
+      "purpose": "Nextcloud SMTP account password file.",
+      "managed_by": "local_file",
+      "committed": false
+    },
+    {
+      "path": "secrets/nextcloud_redis_password.txt",
+      "purpose": "Nextcloud Redis runtime password file.",
+      "managed_by": "local_file",
+      "committed": false
+    },
+    {
+      "path": "secrets/passbolt_db_password.txt",
+      "purpose": "Passbolt database user password file.",
+      "managed_by": "local_file",
+      "committed": false
+    },
+    {
+      "path": "secrets/influxdb_init_password.txt",
+      "purpose": "InfluxDB initialization password file.",
+      "managed_by": "local_file",
+      "committed": false
+    },
+    {
+      "path": "secrets/prometheus_kuma_basic_auth_password.txt",
+      "purpose": "Uptime Kuma Prometheus scrape basic-auth password file.",
+      "managed_by": "local_file",
+      "committed": false
+    }
+  ],
+  "externally_managed_secrets": [
+    "Database/root passwords for Nextcloud, Passbolt, and supporting services are provided via Docker secret files.",
+    "Redis runtime password is loaded from a Docker secret file.",
+    "DOCKER_INFLUXDB_INIT_PASSWORD is loaded from a Docker secret in monitoring.",
+    "Uptime Kuma basic-auth password is loaded via password_file in Prometheus configuration.",
+    "Core stack secret values (for example Authelia and CrowdSec values) are injected via environment substitution."
+  ],
+  "commit_safety_rules": [
+    "Never commit secrets/stack-secrets.env.",
+    "Never commit real secrets/*.txt files.",
+    "Never commit real Terraform .tfvars containing credentials.",
+    "Never commit Terraform state files with sensitive runtime metadata."
+  ],
+  "related_docs": [
+    "docs/security-secrets.md",
+    "docs/deployment-prerequisites.md",
+    "docs/source-of-truth.md"
+  ]
+}