docs: overhaul repo documentation and workflow guides

beatz174-bit
2026-04-21 09:28:55 +10:00
parent 020d6ecb79
commit c7dd9f2229
13 changed files with 539 additions and 174 deletions
+29 -11
@@ -1,6 +1,14 @@
# Security Secrets Inventory
This inventory is aligned with `secrets/.env.secrets.example` and documents only the values that are expected to be set in the non-committed secrets env file (`secrets/stack-secrets.env`).
This inventory tracks values expected in local secret material and where they are consumed.
## Scope and authority
- Canonical example template: `secrets/.env.secrets.example`
- Runtime-loaded secret env file: `secrets/stack-secrets.env` (local, non-committed)
- Docker secret files: `secrets/*.txt` (local, non-committed)
For setup steps, see [DEPLOYMENT.md](DEPLOYMENT.md).
## Secrets expected in `secrets/.env.secrets.example`
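Review bot: the new opening sentence is less precise than the one it replaces. The old line stated the inventory is aligned with `secrets/.env.secrets.example` and covers only values set in the non-committed `secrets/stack-secrets.env`; the new "tracks values expected in local secret material and where they are consumed" no longer says which file is authoritative for the list or that the inventory is deliberately scoped to the env file. Since the "Scope and authority" section now also lists `secrets/*.txt` Docker secret files, a reader cannot tell whether those are in scope for the table under "Secrets expected in `secrets/.env.secrets.example`". Suggest keeping the alignment statement, e.g. "This inventory is aligned with `secrets/.env.secrets.example`; the `*.txt` Docker secret files are covered in the section below", so the scope of each section is explicit.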
@@ -22,16 +30,26 @@ This inventory is aligned with `secrets/.env.secrets.example` and documents only
| `INFLUXDB_INIT_USERNAME` | `monitoring/prometheus/docker-compose.yml` | InfluxDB initial username. |
| `PIHOLE_PASSWORD` | `monitoring/prometheus/docker-compose.yml` | Exporter auth / Pi-hole integration password. |
## Managed outside `.env.secrets.example`
## Secrets managed outside `.env.secrets.example`
The following sensitive values are intentionally not duplicated in `secrets/.env.secrets.example` because they are provided via Docker secrets (`*_FILE`) or other mounted secret files:
The following sensitive values are intentionally provided via Docker secret files (`*_FILE`) or other mounted secret files instead of the shared `.env` template:
- Database/root passwords for Nextcloud, Passbolt, and supporting services that are wired through Docker secrets.
- Redis runtime password (`--requirepass`) loaded from a Docker secret.
- Database/root passwords for Nextcloud, Passbolt, and supporting services.
- Redis runtime password loaded from a Docker secret.
- `DOCKER_INFLUXDB_INIT_PASSWORD` loaded from Docker secret in monitoring.
- Uptime Kuma basic auth password loaded via `password_file` in Prometheus config.
- Core stack secrets injected via env substitution in committed config files, such as:
- `AUTHELIA_JWT_SECRET`
- `AUTHELIA_SESSION_SECRET`
- `AUTHELIA_STORAGE_ENCRYPTION_KEY`
- `CROWDSEC_LAPI_KEY`
- Uptime Kuma basic-auth password loaded via `password_file` in Prometheus config.
- Core stack secret values injected via env substitution (for example Authelia and CrowdSec values).
## Commit safety rules
Never commit:
- `secrets/stack-secrets.env`
- `secrets/*.txt` real secret files
- real Terraform `.tfvars` containing credentials
- Terraform state files with sensitive runtime metadata
## Related docs
- [DEPLOYMENT.md](DEPLOYMENT.md)
- [docs/source-of-truth.md](docs/source-of-truth.md)
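Review bot: replacing the explicit list (`AUTHELIA_JWT_SECRET`, `AUTHELIA_SESSION_SECRET`, `AUTHELIA_STORAGE_ENCRYPTION_KEY`, `CROWDSEC_LAPI_KEY`) with "(for example Authelia and CrowdSec values)" removes the very information an inventory exists to hold. The same happens with "Redis runtime password (`--requirepass`) loaded from a Docker secret" becoming "Redis runtime password loaded from a Docker secret" and with the "wired through Docker secrets" qualifier on the database/root passwords: the consumer and mechanism are what lets someone audit where each secret is used. Suggest keeping the named variables as a sub-list under the env-substitution bullet and retaining the `--requirepass` detail. Minor: the unchanged bullet "loaded from Docker secret in monitoring" reads better as "loaded from a Docker secret in monitoring", consistent with the Redis bullet. The new "Commit safety rules" section is a good addition; it would be stronger if it also pointed at where these patterns are excluded (for example the repository ignore rules), since a list of "never commit" paths is only useful if it matches what is actually enforced.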