Merge pull request #19 from beatz174-bit/codex/update-security_secrets_inventory.md
docs: align secrets inventory with current .env example
This commit is contained in:
beatz174-bit
@@ -1,31 +1,40 @@
|
|||||||
# Credential Inventory (apps/, core/, monitoring/)
|
# Security Secrets Inventory
|
||||||
|
|
||||||
## apps/
|
This inventory is aligned with `secrets/.env.secrets.example` and documents only the values that are expected to be set in the non-committed secrets env file (`secrets/stack-secrets.env`).
|
||||||
- `apps/nextcloud/docker-compose.yml`
|
|
||||||
- `MYSQL_PASSWORD` (nextcloud-webapp) -> `MYSQL_PASSWORD_FILE` + Docker secret.
|
|
||||||
- `SMTP_PASSWORD` -> `SMTP_PASSWORD_FILE` + Docker secret.
|
|
||||||
- `REDIS_HOST_PASSWORD` -> `REDIS_HOST_PASSWORD_FILE` + Docker secret.
|
|
||||||
- `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, `NEXTCLOUD_ADMIN_PASSWORD` (nextcloud-db) -> `_FILE` variants + Docker secrets.
|
|
||||||
- Redis `--requirepass` inline value -> read from Docker secret at runtime.
|
|
||||||
- `apps/passbolt/docker-compose.yml`
|
|
||||||
- `MYSQL_PASSWORD`, `DATASOURCES_DEFAULT_PASSWORD` -> `_FILE` variants + Docker secret.
|
|
||||||
- `apps/gramps/docker-compose.yml`
|
|
||||||
- `POSTGRES_PASSWORD` -> `POSTGRES_PASSWORD_FILE` + Docker secret.
|
|
||||||
- `DB_URI` password + `INITIAL_ADMIN_PASSWORD` -> env references from non-committed secrets env file.
|
|
||||||
|
|
||||||
## core/
|
## Secrets expected in `secrets/.env.secrets.example`
|
||||||
- `core/authelia/configuration.yml`
|
|
||||||
- `identity_validation.reset_password.jwt_secret` -> `${AUTHELIA_JWT_SECRET}`.
|
|
||||||
- `session.secret` -> `${AUTHELIA_SESSION_SECRET}`.
|
|
||||||
- `storage.encryption_key` -> `${AUTHELIA_STORAGE_ENCRYPTION_KEY}`.
|
|
||||||
- `core/traefik/dynamic.yml`
|
|
||||||
- `crowdsecLapiKey` -> `${CROWDSEC_LAPI_KEY}`.
|
|
||||||
|
|
||||||
## monitoring/
|
| Variable | Used by | Purpose / Notes |
|
||||||
- `monitoring/gotify/docker-compose.yml`
|
|---|---|---|
|
||||||
- `GOTIFY_DEFAULTUSER_PASS` -> `${GOTIFY_DEFAULTUSER_PASS}` from non-committed secrets env file.
|
| `NEXTCLOUD_DB_USER` | `apps/nextcloud/docker-compose.yml` | Nextcloud database username (non-secret identifier but environment-specific). |
|
||||||
- `monitoring/prometheus/docker-compose.yml`
|
| `NEXTCLOUD_ADMIN_USER` | `apps/nextcloud/docker-compose.yml` | Initial Nextcloud admin username. |
|
||||||
- `DOCKER_INFLUXDB_INIT_PASSWORD` -> `DOCKER_INFLUXDB_INIT_PASSWORD_FILE` + Docker secret.
|
| `NEXTCLOUD_SMTP_FROM_ADDRESS` | `apps/nextcloud/docker-compose.yml` | SMTP sender local-part for outbound mail configuration. |
|
||||||
- `PIHOLE_PASSWORD` -> `${PIHOLE_PASSWORD}` from non-committed secrets env file.
|
| `NEXTCLOUD_SMTP_DOMAIN` | `apps/nextcloud/docker-compose.yml` | SMTP sender domain for outbound mail configuration. |
|
||||||
- `monitoring/prometheus/prometheus.yml`
|
| `NEXTCLOUD_SMTP_NAME` | `apps/nextcloud/docker-compose.yml` | Derived from address + domain in the example file. |
|
||||||
- Uptime Kuma basic_auth `password` -> `password_file` mounted from non-committed secret file.
|
| `PASSBOLT_DB_NAME` | `apps/passbolt/docker-compose.yml` | Passbolt database name. |
|
||||||
|
| `PASSBOLT_DB_USER` | `apps/passbolt/docker-compose.yml` | Passbolt database username. |
|
||||||
|
| `PASSBOLT_GPG_SERVER_KEY_FINGERPRINT` | `apps/passbolt/docker-compose.yml` | Passbolt server GPG key fingerprint. |
|
||||||
|
| `GRAMPS_DB_NAME` | `apps/gramps/docker-compose.yml` | Gramps database name. |
|
||||||
|
| `GRAMPS_DB_USER` | `apps/gramps/docker-compose.yml` | Gramps database username. |
|
||||||
|
| `GRAMPS_DB_PASSWORD` | `apps/gramps/docker-compose.yml` | Gramps database password. |
|
||||||
|
| `GRAMPS_INITIAL_ADMIN` | `apps/gramps/docker-compose.yml` | Gramps initial admin username/email (deployment-specific). |
|
||||||
|
| `GRAMPS_INITIAL_ADMIN_PASSWORD` | `apps/gramps/docker-compose.yml` | Gramps initial admin password. |
|
||||||
|
| `GRAMPS_DB_URI` | `apps/gramps/docker-compose.yml` | Derived connection string in the example file. |
|
||||||
|
| `GOTIFY_DEFAULTUSER_NAME` | `monitoring/gotify/docker-compose.yml` | Gotify default username. |
|
||||||
|
| `GOTIFY_DEFAULTUSER_PASS` | `monitoring/gotify/docker-compose.yml` | Gotify default user password. |
|
||||||
|
| `INFLUXDB_INIT_USERNAME` | `monitoring/prometheus/docker-compose.yml` | InfluxDB initial username. |
|
||||||
|
| `PIHOLE_PASSWORD` | `monitoring/prometheus/docker-compose.yml` | Exporter auth / Pi-hole integration password. |
|
||||||
|
|
||||||
|
## Managed outside `.env.secrets.example`
|
||||||
|
|
||||||
|
The following sensitive values are intentionally not duplicated in `secrets/.env.secrets.example` because they are provided via Docker secrets (`*_FILE`) or other mounted secret files:
|
||||||
|
|
||||||
|
- Database/root passwords for Nextcloud, Passbolt, and supporting services that are wired through Docker secrets.
|
||||||
|
- Redis runtime password (`--requirepass`) loaded from a Docker secret.
|
||||||
|
- `DOCKER_INFLUXDB_INIT_PASSWORD` loaded from Docker secret in monitoring.
|
||||||
|
- Uptime Kuma basic auth password loaded via `password_file` in Prometheus config.
|
||||||
|
- Core stack secrets injected via env substitution in committed config files, such as:
|
||||||
|
- `AUTHELIA_JWT_SECRET`
|
||||||
|
- `AUTHELIA_SESSION_SECRET`
|
||||||
|
- `AUTHELIA_STORAGE_ENCRYPTION_KEY`
|
||||||
|
- `CROWDSEC_LAPI_KEY`
|
||||||
|
|||||||
Reference in New Issue
Block a user