beatzaplenty/docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #8 from beatz174-bit/codex/refactor-credential-management-for-docker

Browse Source 
Harden compose secret handling and require secret provisioning
This commit is contained in:
beatz174-bit
2026-04-07 16:18:16 +10:00
committed by GitHub
parent 8d0ecf0adf 698fc19e82
commit cf45a16c67
14 changed files with 249 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+9
View File
@@ -0,0 +1,9 @@
# Copy this file to default-environment.env (non-secret defaults) and update values.
PROJECT_ROOT=/path/to/docker
DOMAIN=example.com
TZ=Etc/UTC
EMAIL=admin@example.com
# Required secret file path used by compose services.
# Create this file from secrets/.env.secrets.example and keep it out of git.
SECRETS_ENV_FILE=${PROJECT_ROOT}/secrets/stack-secrets.env
.gitignore
+3 -1
View File
@@ -21,4 +21,6 @@ apps/searxng/*
venv/
core/authelia/users_database.yml
monitoring/influxdb/*
secrets/*
!secrets/.env.secrets.example
!.env.example
DEPLOYMENT.md
+49
View File
@@ -0,0 +1,49 @@
# Deployment prerequisites (required)
Before running `docker compose up`, you **must** provision runtime secrets.
## 1) Create non-committed secret files
```bash
cp secrets/.env.secrets.example secrets/stack-secrets.env
chmod 600 secrets/stack-secrets.env
```
Create these Docker secret files (all ignored by git):
- `secrets/nextcloud_db_root_password.txt`
- `secrets/nextcloud_db_password.txt`
- `secrets/nextcloud_admin_password.txt`
- `secrets/nextcloud_smtp_password.txt`
- `secrets/nextcloud_redis_password.txt`
- `secrets/passbolt_db_password.txt`
- `secrets/gramps_db_password.txt`
- `secrets/influxdb_init_password.txt`
- `secrets/prometheus_kuma_basic_auth_password.txt`
Recommended permissions:
```bash
chmod 600 secrets/*.txt
```
## 2) Rotate previously committed credentials
These values were previously hardcoded and must be rotated in upstream systems immediately:
- Database credentials (Nextcloud, Passbolt, Gramps, InfluxDB).
- Nextcloud SMTP app password.
- Authelia reset JWT secret, session secret, storage encryption key.
- Traefik CrowdSec LAPI key.
- Gotify admin password.
- Prometheus Uptime Kuma basic-auth password.
## 3) Start stack
After secrets are provisioned:
```bash
docker compose -f core/docker-compose.yml up -d
docker compose -f monitoring/prometheus/docker-compose.yml up -d
docker compose -f apps/nextcloud/docker-compose.yml up -d
```
SECURITY_SECRETS_INVENTORY.md
+31
View File
@@ -0,0 +1,31 @@
# Credential Inventory (apps/, core/, monitoring/)
## apps/
- `apps/nextcloud/docker-compose.yml`
- `MYSQL_PASSWORD` (nextcloud-webapp) -> `MYSQL_PASSWORD_FILE` + Docker secret.
- `SMTP_PASSWORD` -> `SMTP_PASSWORD_FILE` + Docker secret.
- `REDIS_HOST_PASSWORD` -> `REDIS_HOST_PASSWORD_FILE` + Docker secret.
- `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, `NEXTCLOUD_ADMIN_PASSWORD` (nextcloud-db) -> `_FILE` variants + Docker secrets.
- Redis `--requirepass` inline value -> read from Docker secret at runtime.
- `apps/passbolt/docker-compose.yml`
- `MYSQL_PASSWORD`, `DATASOURCES_DEFAULT_PASSWORD` -> `_FILE` variants + Docker secret.
- `apps/gramps/docker-compose.yml`
- `POSTGRES_PASSWORD` -> `POSTGRES_PASSWORD_FILE` + Docker secret.
- `DB_URI` password + `INITIAL_ADMIN_PASSWORD` -> env references from non-committed secrets env file.
## core/
- `core/authelia/configuration.yml`
- `identity_validation.reset_password.jwt_secret` -> `${AUTHELIA_JWT_SECRET}`.
- `session.secret` -> `${AUTHELIA_SESSION_SECRET}`.
- `storage.encryption_key` -> `${AUTHELIA_STORAGE_ENCRYPTION_KEY}`.
- `core/traefik/dynamic.yml`
- `crowdsecLapiKey` -> `${CROWDSEC_LAPI_KEY}`.
## monitoring/
- `monitoring/gotify/docker-compose.yml`
- `GOTIFY_DEFAULTUSER_PASS` -> `${GOTIFY_DEFAULTUSER_PASS}` from non-committed secrets env file.
- `monitoring/prometheus/docker-compose.yml`
- `DOCKER_INFLUXDB_INIT_PASSWORD` -> `DOCKER_INFLUXDB_INIT_PASSWORD_FILE` + Docker secret.
- `PIHOLE_PASSWORD` -> `${PIHOLE_PASSWORD}` from non-committed secrets env file.
- `monitoring/prometheus/prometheus.yml`
- Uptime Kuma basic_auth `password` -> `password_file` mounted from non-committed secret file.
apps/gramps/docker-compose.yml
+14 -12
View File
@@ -4,22 +4,25 @@ services:
image: postgres:13
container_name: gramps-db
restart: always
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
environment:
POSTGRES_USER: ${GRAMPS_POSTGRES_USER}
POSTGRES_PASSWORD: ${GRAMPS_POSTGRES_PASSWORD}
POSTGRES_DB: ${GRAMPS_POSTGRES_DB}
POSTGRES_USER: ${GRAMPS_DB_USER}
POSTGRES_PASSWORD_FILE: /run/secrets/gramps_db_password
POSTGRES_DB: ${GRAMPS_DB_NAME}
secrets:
- gramps_db_password
volumes:
- ${PROJECT_ROOT}/apps/gramps/db:/var/lib/postgresql
networks:
- gramps
healthcheck:
test: ["CMD-SHELL", "pg_isready -h db -p 5432 -U gramps -d gramps"]
test: ["CMD-SHELL", "pg_isready -h gramps-db -p 5432 -U $$POSTGRES_USER -d $$POSTGRES_DB"]
interval: 10s
timeout: 5s
retries: 12
start_period: 30s
grampsweb:
profiles: ["apps","all","gramps"]
image: ghcr.io/gramps-project/grampsweb:latest
@@ -27,8 +30,8 @@ services:
depends_on:
- gramps-db
restart: always
# ports:
# - "5000:5000" # access via http://localhost:5000
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
environment:
DB_URI: ${GRAMPS_DB_URI}
GRAMPSWEB_LOGLEVEL: ${GRAMPSWEB_LOGLEVEL}
@@ -62,10 +65,9 @@ services:
retries: 6
start_period: 60s
networks:
# traefik_reverse_proxy:
# external: true
gramps:
# driver: bridge
secrets:
gramps_db_password:
file: ${PROJECT_ROOT}/secrets/gramps_db_password.txt
apps/nextcloud/docker-compose.yml
+52 -40
View File
@@ -1,12 +1,13 @@
services:
nextcloud-webapp:
# image: nextcloud:production
profiles: ["apps","all","nextcloud"]
build:
context: ${PROJECT_ROOT}/apps/nextcloud
container_name: nextcloud-webapp
restart: always
hostname: nextcloud.lan.ddnsgeek.com
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
volumes:
- ${PROJECT_ROOT}/apps/nextcloud/data:/var/www/html/data:rw
- ${PROJECT_ROOT}/apps/nextcloud/config:/var/www/html/config:rw
@@ -16,26 +17,28 @@ services:
- nextcloud-db
- nextcloud-redis
environment:
- MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD}
- MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE}
- MYSQL_USER=${NEXTCLOUD_MYSQL_USER}
- MYSQL_HOST=${NEXTCLOUD_MYSQL_HOST}
- NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_TRUSTED_DOMAINS}
- OVERWRITEPROTOCOL=${NEXTCLOUD_OVERWRITEPROTOCOL}
- OVERWRITECLIURL=${NEXTCLOUD_OVERWRITECLIURL}
- SMTP_HOST=${NEXTCLOUD_SMTP_HOST}
- SMTP_SECURE=${NEXTCLOUD_SMTP_SECURE}
- SMTP_PORT=${NEXTCLOUD_SMTP_PORT}
- SMTP_AUTHTYPE=${NEXTCLOUD_SMTP_AUTHTYPE}
- MAIL_FROM_ADDRESS=${NEXTCLOUD_MAIL_FROM_ADDRESS}
- MAIL_DOMAIN=${NEXTCLOUD_MAIL_DOMAIN}
- MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
- MYSQL_DATABASE=${NEXTCLOUD_DB_NAME}
- MYSQL_USER=${NEXTCLOUD_DB_USER}
- MYSQL_HOST=nextcloud_db:3306
- NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.lan.ddnsgeek.com
- OVERWRITEPROTOCOL=https
- OVERWRITECLIURL=https://nextcloud.lan.ddnsgeek.com
- SMTP_HOST=smtp.gmail.com
- SMTP_SECURE=tls
- SMTP_PORT=587
- SMTP_AUTHTYPE=login
- MAIL_FROM_ADDRESS=${NEXTCLOUD_SMTP_FROM_ADDRESS}
- MAIL_DOMAIN=${NEXTCLOUD_SMTP_DOMAIN}
- SMTP_NAME=${NEXTCLOUD_SMTP_NAME}
- SMTP_PASSWORD=${NEXTCLOUD_SMTP_PASSWORD}
- REDIS_HOST=${NEXTCLOUD_REDIS_HOST}
- REDIS_HOST_PORT=${NEXTCLOUD_REDIS_HOST_PORT}
- REDIS_HOST_PASSWORD=${NEXTCLOUD_REDIS_HOST_PASSWORD}
- SMTP_PASSWORD_FILE=/run/secrets/nextcloud_smtp_password
- REDIS_HOST=redis
- REDIS_HOST_PORT=6379
- REDIS_HOST_PASSWORD_FILE=/run/secrets/nextcloud_redis_password
secrets:
- nextcloud_db_password
- nextcloud_smtp_password
- nextcloud_redis_password
networks:
- traefik
- nextcloud
@@ -54,7 +57,6 @@ services:
- "traefik.http.middlewares.nextcloud-webfinger.redirectregex.regex=https://(.*)/.well-known/webfinger"
- "traefik.http.middlewares.nextcloud-webfinger.redirectregex.replacement=https://$${1}/nextcloud/index.php/.well-known/webfinger"
- "traefik.docker.network=core_traefik"
healthcheck:
test:
- CMD-SHELL
@@ -68,9 +70,6 @@ services:
retries: 6
start_period: 180s
nextcloud-db:
image: mariadb:11.4
restart: always
@@ -78,36 +77,41 @@ services:
container_name: nextcloud-db
hostname: nextcloud_db
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
volumes:
- ${PROJECT_ROOT}/apps/nextcloud/database:/var/lib/mysql:rw
environment:
- MYSQL_ROOT_PASSWORD=${NEXTCLOUD_MYSQL_ROOT_PASSWORD}
- MYSQL_PASSWORD=${NEXTCLOUD_MYSQL_PASSWORD}
- MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE}
- MYSQL_USER=${NEXTCLOUD_MYSQL_USER}
- MARIADB_AUTO_UPGRADE=${NEXTCLOUD_MARIADB_AUTO_UPGRADE}
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/nextcloud_db_root_password
- MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
- MYSQL_DATABASE=${NEXTCLOUD_DB_NAME}
- MYSQL_USER=${NEXTCLOUD_DB_USER}
- MARIADB_AUTO_UPGRADE=1
- NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
- NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
- NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
secrets:
- nextcloud_db_root_password
- nextcloud_db_password
- nextcloud_admin_password
networks:
- nextcloud
labels:
- "io.portainer.accesscontrol.public"
healthcheck:
test: ["CMD-SHELL", "mariadb-admin ping -u ${NEXTCLOUD_MYSQL_USER} --password=${NEXTCLOUD_MYSQL_PASSWORD} --silent"]
test: ["CMD-SHELL", "mariadb-admin ping -u $$MYSQL_USER --password=$$(cat /run/secrets/nextcloud_db_password) --silent"]
interval: 10s
timeout: 5s
retries: 12
start_period: 60s
nextcloud-redis:
image: "redis"
profiles: ["apps","all","nextcloud"]
command: ["redis-server", "--requirepass", "${NEXTCLOUD_REDIS_HOST_PASSWORD}", "--appendonly", "yes", "--save", "60", "1000"]
command: ["sh", "-c", "redis-server --requirepass \"$$(cat /run/secrets/nextcloud_redis_password)\" --appendonly yes --save 60 1000"]
hostname: redis
container_name: nextcloud-redis
environment:
- REDIS_HOST_PASSWORD=${NEXTCLOUD_REDIS_HOST_PASSWORD}
secrets:
- nextcloud_redis_password
volumes:
- ${PROJECT_ROOT}/apps/nextcloud/data/redis:/data:rw
restart: always
@@ -116,15 +120,23 @@ services:
labels:
- "io.portainer.accesscontrol.public"
healthcheck:
test: ["CMD-SHELL", "redis-cli -a ${NEXTCLOUD_REDIS_HOST_PASSWORD} PING | grep -q PONG"]
test: ["CMD-SHELL", "redis-cli -a \"$$(cat /run/secrets/nextcloud_redis_password)\" PING | grep -q PONG"]
interval: 10s
timeout: 5s
retries: 6
start_period: 10s
networks:
# traefik_reverse_proxy:
# external: true
nextcloud:
# driver: bridge
secrets:
nextcloud_db_root_password:
file: ${PROJECT_ROOT}/secrets/nextcloud_db_root_password.txt
nextcloud_db_password:
file: ${PROJECT_ROOT}/secrets/nextcloud_db_password.txt
nextcloud_admin_password:
file: ${PROJECT_ROOT}/secrets/nextcloud_admin_password.txt
nextcloud_smtp_password:
file: ${PROJECT_ROOT}/secrets/nextcloud_smtp_password.txt
nextcloud_redis_password:
file: ${PROJECT_ROOT}/secrets/nextcloud_redis_password.txt
apps/passbolt/docker-compose.yml
+23 -21
View File
@@ -4,17 +4,21 @@ services:
container_name: passbolt-db
image: mariadb:12
restart: always
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
environment:
MYSQL_RANDOM_ROOT_PASSWORD: "${PASSBOLT_MYSQL_RANDOM_ROOT_PASSWORD}"
MYSQL_DATABASE: "${PASSBOLT_MYSQL_DATABASE}"
MYSQL_USER: "${PASSBOLT_MYSQL_USER}"
MYSQL_PASSWORD: "${PASSBOLT_MYSQL_PASSWORD}"
MYSQL_RANDOM_ROOT_PASSWORD: "true"
MYSQL_DATABASE: ${PASSBOLT_DB_NAME}
MYSQL_USER: ${PASSBOLT_DB_USER}
MYSQL_PASSWORD_FILE: /run/secrets/passbolt_db_password
secrets:
- passbolt_db_password
volumes:
- ${PROJECT_ROOT}/apps/passbolt/data/database:/var/lib/mysql
networks:
- passbolt
healthcheck:
test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MYSQL_USER\" -p\"$$(cat /run/secrets/passbolt_db_password)\" --silent"]
interval: 10s
timeout: 5s
retries: 12
@@ -22,22 +26,24 @@ services:
labels:
- "io.portainer.accesscontrol.public"
passbolt-webapp:
image: passbolt/passbolt:latest-ce
profiles: ["apps","all","passbolt"]
container_name: passbolt-webapp
#Alternatively you can use rootless:
restart: always
depends_on:
- passbolt-db
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
environment:
APP_FULL_BASE_URL: ${PASSBOLT_APP_FULL_BASE_URL}
DATASOURCES_DEFAULT_HOST: "${PASSBOLT_DATASOURCES_DEFAULT_HOST}"
DATASOURCES_DEFAULT_USERNAME: "${PASSBOLT_DATASOURCES_DEFAULT_USERNAME}"
DATASOURCES_DEFAULT_PASSWORD: "${PASSBOLT_DATASOURCES_DEFAULT_PASSWORD}"
DATASOURCES_DEFAULT_DATABASE: "${PASSBOLT_DATASOURCES_DEFAULT_DATABASE}"
PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT}"
APP_FULL_BASE_URL: https://passbolt.lan.ddnsgeek.com
DATASOURCES_DEFAULT_HOST: "passbolt-db"
DATASOURCES_DEFAULT_USERNAME: ${PASSBOLT_DB_USER}
DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/passbolt_db_password
DATASOURCES_DEFAULT_DATABASE: ${PASSBOLT_DB_NAME}
PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "CBBB2B8F3E9FACA114537ACB8965B750F7363586"
secrets:
- passbolt_db_password
volumes:
- ${PROJECT_ROOT}/apps/passbolt/data/gpg:/etc/passbolt/gpg
- ${PROJECT_ROOT}/apps/passbolt/data/jwt:/etc/passbolt/jwt
@@ -60,20 +66,16 @@ services:
- "traefik.http.routers.passbolt.tls.certresolver=myresolver"
- "io.portainer.accesscontrol.public"
- "traefik.docker.network=core_traefik"
healthcheck:
test: ["CMD-SHELL", "curl -fsS http://localhost/healthcheck/status | grep -qx OK"]
# su -s /bin/sh -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
# | grep -q "No error found"
interval: 30s
timeout: 10s
retries: 6
start_period: 120s
networks:
# traefik_reverse_proxy:
# external: true
# internal:
# driver: bridge
passbolt:
secrets:
passbolt_db_password:
file: ${PROJECT_ROOT}/secrets/passbolt_db_password.txt
core/authelia/configuration.yml
+3 -6
View File
@@ -3,16 +3,16 @@ server.address: tcp://0.0.0.0:9091
log:
level: info
identity_validation.reset_password.jwt_secret: T72Xcxa4d7xpQRypFDZpunlZt0IjqspojmBlxBr69gnkRjzR144YgjZsgFYZK0gS
identity_validation.reset_password.jwt_secret: ${AUTHELIA_JWT_SECRET}
session:
secret: BYksO7YUAJ8gXx9Endgpe46RgB10nkeKpD1qcQPt0GuYGQm2pS2zjJtNOrCEqpav
secret: ${AUTHELIA_SESSION_SECRET}
cookies:
- domain: lan.ddnsgeek.com
authelia_url: https://auth.lan.ddnsgeek.com
storage:
encryption_key: N7mkWziClgDhLgZDRkRwU6jEHmGF6ciOt53pzoFcZ0meEV1AZCC5bWZd24jeu19y
encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
local:
path: /config/data/db.sqlite3
@@ -23,8 +23,6 @@ authentication_backend:
access_control:
default_policy: deny
rules:
# - domain: "*.lan.ddnsgeek.com"
# policy: two_factor
- domain: alertmanager.lan.ddnsgeek.com
resources:
- "^/api/.*"
@@ -52,7 +50,6 @@ access_control:
- "^/metrics"
policy: bypass
- domain: "*.lan.ddnsgeek.com"
policy: two_factor
core/docker-compose.yml
+6 -1
View File
@@ -17,6 +17,8 @@ services:
build:
context: ${PROJECT_ROOT}/core
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
@@ -51,7 +53,8 @@ services:
container_name: crowdsec
restart: always
environment:
- COLLECTIONS=${CROWDSEC_COLLECTIONS}
- COLLECTIONS=crowdsecurity/traefik
- CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY}
volumes:
- ${PROJECT_ROOT}/core/crowdsec/logs:/logs:ro
- ${PROJECT_ROOT}/core/crowdsec/data:/var/lib/crowdsec/data
@@ -99,6 +102,8 @@ services:
restart: always
build:
context: ${PROJECT_ROOT}/core/authelia
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
volumes:
- ${PROJECT_ROOT}/core/authelia:/config
networks:
core/traefik/dynamic.yml
+1 -1
View File
@@ -4,7 +4,7 @@ http:
plugin:
crowdsec-bouncer:
crowdsecMode: live
crowdsecLapiKey: HeneLa2mazFVzl5+DQRKOdchBuJxKdjrHsHBE/03Acs
crowdsecLapiKey: ${CROWDSEC_LAPI_KEY}
crowdsecLapiHost: crowdsec:8080
crowdsecLapiScheme: http
monitoring/gotify/docker-compose.yml
+2 -8
View File
@@ -4,10 +4,10 @@ services:
image: gotify/server:latest
container_name: gotify
restart: always
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
volumes:
- ${PROJECT_ROOT}/monitoring/gotify/data:/app/data
environment:
- TZ=${TZ}
- GOTIFY_DEFAULTUSER_NAME=${GOTIFY_DEFAULTUSER_NAME}
@@ -15,9 +15,7 @@ services:
- GOTIFY_REGISTRATION=${GOTIFY_REGISTRATION}
networks:
# - traefik_reverse_proxy
- traefik
labels:
- "traefik.enable=true"
- "traefik.docker.network=core_traefik"
@@ -26,7 +24,3 @@ services:
- "traefik.http.routers.gotify.entrypoints=websecure"
- "traefik.http.routers.gotify.tls.certresolver=myresolver"
- "traefik.http.services.gotify.loadbalancer.server.port=80"
#networks:
# traefik_reverse_proxy:
# external: true
monitoring/prometheus/docker-compose.yml
+19 -5
View File
@@ -4,6 +4,8 @@ services:
prometheus:
profiles: ["monitoring","all","prometheus"]
image: prom/prometheus:latest
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
container_name: prometheus
depends_on:
# - alertmanager
@@ -22,6 +24,7 @@ services:
- ${PROJECT_ROOT}/monitoring/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
- ${PROJECT_ROOT}/monitoring/prometheus/data:/prometheus
- ${PROJECT_ROOT}/monitoring/prometheus/rules:/etc/prometheus/rules:ro
- ${PROJECT_ROOT}/secrets/prometheus_kuma_basic_auth_password.txt:/run/secrets/prometheus_kuma_basic_auth_password:ro
restart: unless-stopped
labels:
@@ -53,7 +56,7 @@ services:
# volumes:
# - ./alertmanager/alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
# restart: unless-stopped
# networks:
# secrets:
# - edge
# - traefik_reverse_proxy
# healthcheck:
@@ -101,14 +104,18 @@ services:
image: influxdb:2.7
container_name: influxdb
restart: unless-stopped
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
volumes:
- ${PROJECT_ROOT}/monitoring/influxdb:/var/lib/influxdb2
environment:
DOCKER_INFLUXDB_INIT_MODE: ${INFLUXDB_INIT_MODE}
DOCKER_INFLUXDB_INIT_MODE: setup
DOCKER_INFLUXDB_INIT_USERNAME: ${INFLUXDB_INIT_USERNAME}
DOCKER_INFLUXDB_INIT_PASSWORD: ${INFLUXDB_INIT_PASSWORD}
DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influxdb_init_password
DOCKER_INFLUXDB_INIT_ORG: ${INFLUXDB_INIT_ORG}
DOCKER_INFLUXDB_INIT_BUCKET: ${INFLUXDB_INIT_BUCKET}
secrets:
- influxdb_init_password
networks:
# - edge
# - traefik_reverse_proxy
@@ -205,10 +212,12 @@ services:
profiles: ["monitoring","all","prometheus-exporters"]
image: ekofr/pihole-exporter:latest
container_name: pihole-exporter
env_file:
- ${PROJECT_ROOT}/secrets/stack-secrets.env
environment:
PIHOLE_HOSTNAME: ${PIHOLE_HOSTNAME}
PIHOLE_PASSWORD: "${PIHOLE_PASSWORD}"
PORT: ${PIHOLE_EXPORTER_PORT}
PIHOLE_PASSWORD: ${PIHOLE_PASSWORD}
PORT: 9617
ports:
- "9617:9617"
restart: unless-stopped
@@ -228,3 +237,8 @@ services:
# external: true
secrets:
influxdb_init_password:
file: ${PROJECT_ROOT}/secrets/influxdb_init_password.txt
monitoring/prometheus/prometheus.yml
+2 -2
View File
@@ -96,8 +96,8 @@ scrape_configs:
scrape_interval: 30s
basic_auth:
username: wayne.bennett@live.com
password: '4vjCco?[%{=+,t`):C'
username: ${PROMETHEUS_KUMA_BASIC_AUTH_USERNAME}
password_file: /run/secrets/prometheus_kuma_basic_auth_password
static_configs:
- targets:
secrets/.env.secrets.example
+35
View File
@@ -0,0 +1,35 @@
# Copy to secrets/stack-secrets.env and set real values.
# Do NOT commit secrets/stack-secrets.env.
NEXTCLOUD_DB_NAME=nextcloud
NEXTCLOUD_DB_USER=nextcloud
NEXTCLOUD_ADMIN_USER=admin
NEXTCLOUD_SMTP_FROM_ADDRESS=mailuser
NEXTCLOUD_SMTP_DOMAIN=example.com
NEXTCLOUD_SMTP_NAME=mailuser@example.com
PASSBOLT_DB_NAME=passbolt
PASSBOLT_DB_USER=passbolt
GRAMPS_DB_NAME=gramps
GRAMPS_DB_USER=gramps
GRAMPS_DB_PASSWORD=CHANGE_ME
GRAMPS_INITIAL_ADMIN=admin
GRAMPS_INITIAL_ADMIN_PASSWORD=CHANGE_ME
GOTIFY_DEFAULTUSER_NAME=admin
GOTIFY_DEFAULTUSER_PASS=CHANGE_ME
INFLUXDB_INIT_USERNAME=admin
INFLUXDB_INIT_ORG=homelab
INFLUXDB_INIT_BUCKET=telemetry
PIHOLE_HOSTNAME=pihole.example.com
PIHOLE_PASSWORD=CHANGE_ME
PROMETHEUS_KUMA_BASIC_AUTH_USERNAME=monitoring@example.com
AUTHELIA_JWT_SECRET=CHANGE_ME
AUTHELIA_SESSION_SECRET=CHANGE_ME
AUTHELIA_STORAGE_ENCRYPTION_KEY=CHANGE_ME
CROWDSEC_LAPI_KEY=CHANGE_ME