modified: apps/gramps/docker-compose.yml

modified:   apps/nextcloud/docker-compose.yml
	modified:   apps/passbolt/docker-compose.yml
	modified:   core/authelia/configuration.yml
	modified:   core/docker-compose.yml
	modified:   default-environment.env
	modified:   monitoring/gotify/docker-compose.yml
	modified:   monitoring/prometheus/docker-compose.yml
	modified:   monitoring/prometheus/prometheus.yml
	modified:   services-up.sh

.env.example

@@ -0,0 +1,9 @@
+# Copy this file to default-environment.env (non-secret defaults) and update values.
+PROJECT_ROOT=/path/to/docker
+DOMAIN=example.com
+TZ=Etc/UTC
+EMAIL=admin@example.com
+
+# Required secret file path used by compose services.
+# Create this file from secrets/.env.secrets.example and keep it out of git.
+SECRETS_ENV_FILE=${PROJECT_ROOT}/secrets/stack-secrets.env

.gitignore

@@ -21,4 +21,6 @@ apps/searxng/*
 venv/
 core/authelia/users_database.yml
 monitoring/influxdb/*
-
+secrets/*
+!secrets/.env.secrets.example
+!.env.example

DEPLOYMENT.md

@@ -0,0 +1,49 @@
+# Deployment prerequisites (required)
+
+Before running `docker compose up`, you **must** provision runtime secrets.
+
+## 1) Create non-committed secret files
+
+```bash
+cp secrets/.env.secrets.example secrets/stack-secrets.env
+chmod 600 secrets/stack-secrets.env
+```
+
+Create these Docker secret files (all ignored by git):
+
+- `secrets/nextcloud_db_root_password.txt`
+- `secrets/nextcloud_db_password.txt`
+- `secrets/nextcloud_admin_password.txt`
+- `secrets/nextcloud_smtp_password.txt`
+- `secrets/nextcloud_redis_password.txt`
+- `secrets/passbolt_db_password.txt`
+- `secrets/gramps_db_password.txt`
+- `secrets/influxdb_init_password.txt`
+- `secrets/prometheus_kuma_basic_auth_password.txt`
+
+Recommended permissions:
+
+```bash
+chmod 600 secrets/*.txt
+```
+
+## 2) Rotate previously committed credentials
+
+These values were previously hardcoded and must be rotated in upstream systems immediately:
+
+- Database credentials (Nextcloud, Passbolt, Gramps, InfluxDB).
+- Nextcloud SMTP app password.
+- Authelia reset JWT secret, session secret, storage encryption key.
+- Traefik CrowdSec LAPI key.
+- Gotify admin password.
+- Prometheus Uptime Kuma basic-auth password.
+
+## 3) Start stack
+
+After secrets are provisioned:
+
+```bash
+docker compose -f core/docker-compose.yml up -d
+docker compose -f monitoring/prometheus/docker-compose.yml up -d
+docker compose -f apps/nextcloud/docker-compose.yml up -d
+```

SECURITY_SECRETS_INVENTORY.md

@@ -0,0 +1,31 @@
+# Credential Inventory (apps/, core/, monitoring/)
+
+## apps/
+- `apps/nextcloud/docker-compose.yml`
+  - `MYSQL_PASSWORD` (nextcloud-webapp) -> `MYSQL_PASSWORD_FILE` + Docker secret.
+  - `SMTP_PASSWORD` -> `SMTP_PASSWORD_FILE` + Docker secret.
+  - `REDIS_HOST_PASSWORD` -> `REDIS_HOST_PASSWORD_FILE` + Docker secret.
+  - `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, `NEXTCLOUD_ADMIN_PASSWORD` (nextcloud-db) -> `_FILE` variants + Docker secrets.
+  - Redis `--requirepass` inline value -> read from Docker secret at runtime.
+- `apps/passbolt/docker-compose.yml`
+  - `MYSQL_PASSWORD`, `DATASOURCES_DEFAULT_PASSWORD` -> `_FILE` variants + Docker secret.
+- `apps/gramps/docker-compose.yml`
+  - `POSTGRES_PASSWORD` -> `POSTGRES_PASSWORD_FILE` + Docker secret.
+  - `DB_URI` password + `INITIAL_ADMIN_PASSWORD` -> env references from non-committed secrets env file.
+
+## core/
+- `core/authelia/configuration.yml`
+  - `identity_validation.reset_password.jwt_secret` -> `${AUTHELIA_JWT_SECRET}`.
+  - `session.secret` -> `${AUTHELIA_SESSION_SECRET}`.
+  - `storage.encryption_key` -> `${AUTHELIA_STORAGE_ENCRYPTION_KEY}`.
+- `core/traefik/dynamic.yml`
+  - `crowdsecLapiKey` -> `${CROWDSEC_LAPI_KEY}`.
+
+## monitoring/
+- `monitoring/gotify/docker-compose.yml`
+  - `GOTIFY_DEFAULTUSER_PASS` -> `${GOTIFY_DEFAULTUSER_PASS}` from non-committed secrets env file.
+- `monitoring/prometheus/docker-compose.yml`
+  - `DOCKER_INFLUXDB_INIT_PASSWORD` -> `DOCKER_INFLUXDB_INIT_PASSWORD_FILE` + Docker secret.
+  - `PIHOLE_PASSWORD` -> `${PIHOLE_PASSWORD}` from non-committed secrets env file.
+- `monitoring/prometheus/prometheus.yml`
+  - Uptime Kuma basic_auth `password` -> `password_file` mounted from non-committed secret file.

apps/gitea/docker-compose.yml

@@ -5,10 +5,10 @@ services:
     image: gitea/gitea:latest # change to 1-rootless once find out how to move data. 
     restart: always
     environment:
-      - USER_UID=1000
+      - USER_UID=${GITEA_USER_UID}
-      - USER_GID=1000
+      - USER_GID=${GITEA_USER_GID}
-      - GITEA__database__DB_TYPE=sqlite3
+      - GITEA__database__DB_TYPE=${GITEA_DB_TYPE}
-      - GITEA__server__ROOT_URL=https://gitea.lan.ddnsgeek.com/
+      - GITEA__server__ROOT_URL=${GITEA_ROOT_URL}
     volumes:
       - ${PROJECT_ROOT}/apps/gitea/data:/data
     networks:

apps/gramps/docker-compose.yml

@@ -4,22 +4,25 @@ services:
     image: postgres:13
     container_name: gramps-db
     restart: always
+    env_file:
+      - ${SECRETS_ENV_FILE}
     environment:
-      POSTGRES_USER: gramps
+      POSTGRES_USER: ${GRAMPS_DB_USER}
-      POSTGRES_PASSWORD: grampspassword
+      POSTGRES_PASSWORD_FILE: /run/secrets/gramps_db_password
-      POSTGRES_DB: gramps
+      POSTGRES_DB: ${GRAMPS_DB_NAME}
+    secrets:
+      - gramps_db_password
     volumes:
       - ${PROJECT_ROOT}/apps/gramps/db:/var/lib/postgresql
     networks:
       - gramps
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -h db -p 5432 -U gramps -d gramps"]
+      test: ["CMD-SHELL", "pg_isready -h gramps-db -p 5432 -U $$POSTGRES_USER -d $$POSTGRES_DB"]
       interval: 10s
       timeout: 5s
       retries: 12
       start_period: 30s
 
-
   grampsweb:
     profiles: ["apps","all","gramps"]
     image: ghcr.io/gramps-project/grampsweb:latest
@@ -27,17 +30,17 @@ services:
     depends_on:
       - gramps-db
     restart: always
-#    ports:
+    env_file:
-#      - "5000:5000"          # access via http://localhost:5000
+      - ${SECRETS_ENV_FILE}
     environment:
-      DB_URI: postgresql://gramps:grampspassword@db:5432/gramps
+      DB_URI: ${GRAMPS_DB_URI}
-      GRAMPSWEB_LOGLEVEL: INFO
+      GRAMPSWEB_LOGLEVEL: ${GRAMPSWEB_LOGLEVEL}
       # default admin user created on first run:
-      INITIAL_ADMIN: admin
+      INITIAL_ADMIN: ${GRAMPS_INITIAL_ADMIN}
-      INITIAL_ADMIN_PASSWORD: admin
+      INITIAL_ADMIN_PASSWORD: ${GRAMPS_INITIAL_ADMIN_PASSWORD}
       # optional: storage paths inside container
-      GRAMPSWEB_MEDIAPATH: /app/media
+      GRAMPSWEB_MEDIAPATH: ${GRAMPSWEB_MEDIAPATH}
-      GRAMPSWEB_TREE: "main"
+      GRAMPSWEB_TREE: "${GRAMPSWEB_TREE}"
     volumes:
       - ${PROJECT_ROOT}/apps/gramps/data/users:/app/users
       - ${PROJECT_ROOT}/apps/gramps/data/media:/app/media
@@ -62,10 +65,9 @@ services:
       retries: 6
       start_period: 60s
 
-
-
 networks:
-#  traefik_reverse_proxy:
-#    external: true
   gramps:
-#    driver: bridge
+
+secrets:
+  gramps_db_password:
+    file: ${PROJECT_ROOT}/secrets/gramps_db_password.txt

apps/nextcloud/docker-compose.yml

@@ -1,12 +1,13 @@
 services:
   nextcloud-webapp:
-#    image: nextcloud:production
     profiles: ["apps","all","nextcloud"]
     build:
       context: ${PROJECT_ROOT}/apps/nextcloud
     container_name: nextcloud-webapp
     restart: always
-    hostname: nextcloud.lan.ddnsgeek.com
+    hostname: ${NEXTCLOUD_TRUSTED_DOMAINS}
+#    env_file:
+#      - ${SECRETS_ENV_FILE}
     volumes:
       - ${PROJECT_ROOT}/apps/nextcloud/data:/var/www/html/data:rw
       - ${PROJECT_ROOT}/apps/nextcloud/config:/var/www/html/config:rw
@@ -16,31 +17,33 @@ services:
       - nextcloud-db
       - nextcloud-redis
     environment:
-      - MYSQL_PASSWORD=R1m@dmin
+      - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
-      - MYSQL_DATABASE=nextcloud
+      - MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE}
-      - MYSQL_USER=nextcloud
+      - MYSQL_USER=${NEXTCLOUD_DB_USER}
-      - MYSQL_HOST=nextcloud_db:3306
+      - MYSQL_HOST=${NEXTCLOUD_MYSQL_HOST}
-      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.lan.ddnsgeek.com
+      - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_TRUSTED_DOMAINS}
-      - OVERWRITEPROTOCOL=https
+      - OVERWRITEPROTOCOL=${NEXTCLOUD_OVERWRITEPROTOCOL}
-      - OVERWRITECLIURL=https://nextcloud.lan.ddnsgeek.com
+      - OVERWRITECLIURL=${NEXTCLOUD_OVERWRITECLIURL}
-
+      - SMTP_HOST=${NEXTCLOUD_SMTP_HOST}
-      - SMTP_HOST=smtp.gmail.com
+      - SMTP_SECURE=${NEXTCLOUD_SMTP_SECURE}
-      - SMTP_SECURE=tls
+      - SMTP_PORT=${NEXTCLOUD_SMTP_PORT}
-      - SMTP_PORT=587
+      - SMTP_AUTHTYPE=${NEXTCLOUD_SMTP_AUTHTYPE}
-      - SMTP_AUTHTYPE=login
+      - MAIL_FROM_ADDRESS=${NEXTCLOUD_SMTP_FROM_ADDRESS}
-      - MAIL_FROM_ADDRESS=beatz174
+      - MAIL_DOMAIN=${NEXTCLOUD_SMTP_DOMAIN}
-      - MAIL_DOMAIN=gmail.com
+      - SMTP_NAME=${NEXTCLOUD_SMTP_NAME}
-      - SMTP_NAME=beatz174@gmail.com
+      - SMTP_PASSWORD_FILE=/run/secrets/nextcloud_smtp_password
-      - SMTP_PASSWORD=kqdw fvml wlag ldgv
+      - REDIS_HOST=${NEXTCLOUD_REDIS_HOST}
-
+      - REDIS_HOST_PORT=${NEXTCLOUD_REDIS_HOST_PORT}
-      - REDIS_HOST=redis
+      - REDIS_HOST_PASSWORD_FILE=/run/secrets/nextcloud_redis_password
-      - REDIS_HOST_PORT=6379
+    secrets:
-      - REDIS_HOST_PASSWORD=TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n
+      - nextcloud_db_password
+      - nextcloud_smtp_password
+      - nextcloud_redis_password
     networks:
       - traefik
       - nextcloud
     labels:
-      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.lan.ddnsgeek.com`)"
+      - "traefik.http.routers.nextcloud.rule=Host(`${NEXTCLOUD_TRUSTED_DOMAINS}`)"
       - "traefik.enable=true"
       - "traefik.http.routers.nextcloud.entrypoints=websecure"
       - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
@@ -54,7 +57,6 @@ services:
       - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.regex=https://(.*)/.well-known/webfinger"
       - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.replacement=https://$${1}/nextcloud/index.php/.well-known/webfinger"
       - "traefik.docker.network=core_traefik"
-
     healthcheck:
       test:
         - CMD-SHELL
@@ -68,9 +70,6 @@ services:
       retries: 6
       start_period: 180s
 
-
-
-
   nextcloud-db:
     image: mariadb:11.4
     restart: always
@@ -78,36 +77,41 @@ services:
     container_name: nextcloud-db
     hostname: nextcloud_db
     command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     volumes:
       - ${PROJECT_ROOT}/apps/nextcloud/database:/var/lib/mysql:rw
     environment:
-      - MYSQL_ROOT_PASSWORD=R1m@dmin
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/nextcloud_db_root_password
-      - MYSQL_PASSWORD=R1m@dmin
+      - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
-      - MYSQL_DATABASE=nextcloud
+      - MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE}
-      - MYSQL_USER=nextcloud
+      - MYSQL_USER=${NEXTCLOUD_DB_USER}
-      - MARIADB_AUTO_UPGRADE=1
+      - MARIADB_AUTO_UPGRADE=${NEXTCLOUD_MARIADB_AUTO_UPGRADE}
-      - NEXTCLOUD_ADMIN_USER=admin
+      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
-      - NEXTCLOUD_ADMIN_PASSWORD=R1m@dmin
+      - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
+    secrets:
+      - nextcloud_db_root_password
+      - nextcloud_db_password
+      - nextcloud_admin_password
     networks:
       - nextcloud
     labels:
       - "io.portainer.accesscontrol.public"
     healthcheck:
-      test: ["CMD-SHELL", "mariadb-admin ping -u nextcloud --password=R1m@dmin --silent"]
+      test: ["CMD-SHELL", "mariadb-admin ping -u $$MYSQL_USER --password=$$(cat /run/secrets/nextcloud_db_password) --silent"]
       interval: 10s
       timeout: 5s
       retries: 12
       start_period: 60s
 
-
   nextcloud-redis:
     image: "redis"
     profiles: ["apps","all","nextcloud"]
-    command: ["redis-server", "--requirepass", "TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n", "--appendonly", "yes", "--save", "60", "1000"]
+    command: ["sh", "-c", "redis-server --requirepass \"$$(cat /run/secrets/nextcloud_redis_password)\" --appendonly yes --save 60 1000"]
     hostname: redis
     container_name: nextcloud-redis
-    environment:
+    secrets:
-      - REDIS_HOST_PASSWORD=TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n
+      - nextcloud_redis_password
     volumes:
       - ${PROJECT_ROOT}/apps/nextcloud/data/redis:/data:rw
     restart: always
@@ -116,15 +120,23 @@ services:
     labels:
       - "io.portainer.accesscontrol.public"
     healthcheck:
-      test: ["CMD-SHELL", "redis-cli -a TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n PING | grep -q PONG"]
+      test: ["CMD-SHELL", "redis-cli -a \"$$(cat /run/secrets/nextcloud_redis_password)\" PING | grep -q PONG"]
       interval: 10s
       timeout: 5s
       retries: 6
       start_period: 10s
 
-
 networks:
-#  traefik_reverse_proxy:
-#    external: true
   nextcloud:
-#    driver: bridge
+
+secrets:
+  nextcloud_db_root_password:
+    file: ${PROJECT_ROOT}/secrets/nextcloud_db_root_password.txt
+  nextcloud_db_password:
+    file: ${PROJECT_ROOT}/secrets/nextcloud_db_password.txt
+  nextcloud_admin_password:
+    file: ${PROJECT_ROOT}/secrets/nextcloud_admin_password.txt
+  nextcloud_smtp_password:
+    file: ${PROJECT_ROOT}/secrets/nextcloud_smtp_password.txt
+  nextcloud_redis_password:
+    file: ${PROJECT_ROOT}/secrets/nextcloud_redis_password.txt

apps/passbolt/docker-compose.yml

@@ -4,17 +4,21 @@ services:
     container_name: passbolt-db
     image: mariadb:12
     restart: always
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     environment:
-      MYSQL_RANDOM_ROOT_PASSWORD: "true"
+      MYSQL_RANDOM_ROOT_PASSWORD: ${PASSBOLT_MYSQL_RANDOM_ROOT_PASSWORD}
-      MYSQL_DATABASE: "passbolt"
+      MYSQL_DATABASE: ${PASSBOLT_DB_NAME}
-      MYSQL_USER: "passbolt"
+      MYSQL_USER: ${PASSBOLT_DB_USER}
-      MYSQL_PASSWORD: "P4ssb0lt"
+      MYSQL_PASSWORD_FILE: /run/secrets/passbolt_db_password
+    secrets:
+      - passbolt_db_password
     volumes:
       - ${PROJECT_ROOT}/apps/passbolt/data/database:/var/lib/mysql
     networks:
       - passbolt
     healthcheck:
-      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
+      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MYSQL_USER\" -p\"$$(cat /run/secrets/passbolt_db_password)\" --silent"]
       interval: 10s
       timeout: 5s
       retries: 12
@@ -22,22 +26,24 @@ services:
     labels:
        - "io.portainer.accesscontrol.public"
 
-
   passbolt-webapp:
     image: passbolt/passbolt:latest-ce
     profiles: ["apps","all","passbolt"]
     container_name: passbolt-webapp
-    #Alternatively you can use rootless:
     restart: always
     depends_on:
       - passbolt-db
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     environment:
-      APP_FULL_BASE_URL: https://passbolt.lan.ddnsgeek.com
+      APP_FULL_BASE_URL: ${PASSBOLT_APP_FULL_BASE_URL}
-      DATASOURCES_DEFAULT_HOST: "passbolt-db"
+      DATASOURCES_DEFAULT_HOST: ${PASSBOLT_DATASOURCES_DEFAULT_HOST}
-      DATASOURCES_DEFAULT_USERNAME: "passbolt"
+      DATASOURCES_DEFAULT_USERNAME: ${PASSBOLT_DB_USER}
-      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
+      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/passbolt_db_password
-      DATASOURCES_DEFAULT_DATABASE: "passbolt"
+      DATASOURCES_DEFAULT_DATABASE: ${PASSBOLT_DB_NAME}
-      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "CBBB2B8F3E9FACA114537ACB8965B750F7363586"
+      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: ${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT}
+    secrets:
+      - passbolt_db_password
     volumes:
       - ${PROJECT_ROOT}/apps/passbolt/data/gpg:/etc/passbolt/gpg
       - ${PROJECT_ROOT}/apps/passbolt/data/jwt:/etc/passbolt/jwt
@@ -60,20 +66,16 @@ services:
       - "traefik.http.routers.passbolt.tls.certresolver=myresolver"
       - "io.portainer.accesscontrol.public"
       - "traefik.docker.network=core_traefik"
-
     healthcheck:
       test: ["CMD-SHELL", "curl -fsS http://localhost/healthcheck/status | grep -qx OK"]
-#        su -s /bin/sh -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
-#        | grep -q "No error found"
       interval: 30s
       timeout: 10s
       retries: 6
       start_period: 120s
 
-
 networks:
-#  traefik_reverse_proxy:
-#    external: true
-#  internal:
-#    driver: bridge
   passbolt:
+
+secrets:
+  passbolt_db_password:
+    file: ${PROJECT_ROOT}/secrets/passbolt_db_password.txt

core/authelia/configuration.yml

@@ -23,8 +23,6 @@ authentication_backend:
 access_control:
   default_policy: deny
   rules:
-#    - domain: "*.lan.ddnsgeek.com"
-#      policy: two_factor
     - domain: alertmanager.lan.ddnsgeek.com
       resources:
         - "^/api/.*"
@@ -52,7 +50,6 @@ access_control:
         - "^/metrics"
       policy: bypass
 
-
     - domain: "*.lan.ddnsgeek.com"
       policy: two_factor
 

core/docker-compose.yml

@@ -17,6 +17,8 @@ services:
 
     build:
       context: ${PROJECT_ROOT}/core
+ #   env_file:
+ #     - ${PROJECT_ROOT}/secrets/stack-secrets.env
 
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -52,6 +54,7 @@ services:
     restart: always
     environment:
       - COLLECTIONS=crowdsecurity/traefik
+#      - CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY}
     volumes:
       - ${PROJECT_ROOT}/core/crowdsec/logs:/logs:ro
       - ${PROJECT_ROOT}/core/crowdsec/data:/var/lib/crowdsec/data
@@ -73,7 +76,7 @@ services:
     container_name: error-pages
     read_only: true
     environment:
-      TEMPLATE_NAME: app-down
+      TEMPLATE_NAME: ${ERROR_PAGES_TEMPLATE_NAME}
     networks:
 #      - reverse_proxy
       - traefik
@@ -99,6 +102,12 @@ services:
     restart: always
     build:
       context: ${PROJECT_ROOT}/core/authelia
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
+#    environment:
+#      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:${AUTHELIA_JWT_SECRET}
+#      - AUTHELIA_SESSION_SECRET:${AUTHELIA_SESSION_SECRET}
+#      - AUTHELIA_STORAGE_ENCRYPTION_KEY:${AUTHELIA_STORAGE_ENCRYPTION_KEY}
     volumes:
       - ${PROJECT_ROOT}/core/authelia:/config
     networks:

core/traefik/dynamic.yml

@@ -4,7 +4,7 @@ http:
       plugin:
         crowdsec-bouncer:
           crowdsecMode: live
-          crowdsecLapiKey: HeneLa2mazFVzl5+DQRKOdchBuJxKdjrHsHBE/03Acs
+          crowdsecLapiKey: ${CROWDSEC_LAPI_KEY}
           crowdsecLapiHost: crowdsec:8080
           crowdsecLapiScheme: http
 

default-environment.env

@@ -2,3 +2,59 @@ PROJECT_ROOT=/home/nixos/docker
 DOMAIN=lan.ddnsgeek.com
 TZ=Australia/Brisbane
 EMAIL=wayne.bennett@live.com
+SECRETS_ENV_FILE=${PROJECT_ROOT}/secrets/stack-secrets.env
+
+# Core
+CROWDSEC_COLLECTIONS=crowdsecurity/traefik
+ERROR_PAGES_TEMPLATE_NAME=app-down
+
+# Gitea
+GITEA_USER_UID=1000
+GITEA_USER_GID=1000
+GITEA_DB_TYPE=sqlite3
+GITEA_ROOT_URL=https://gitea.lan.ddnsgeek.com/
+
+# Grafana
+GRAFANA_ROOT_URL=https://grafana.lan.ddnsgeek.com/
+
+# Nextcloud
+NEXTCLOUD_MYSQL_DATABASE=nextcloud
+NEXTCLOUD_MYSQL_HOST=nextcloud_db:3306
+NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.lan.ddnsgeek.com
+NEXTCLOUD_OVERWRITEPROTOCOL=https
+NEXTCLOUD_OVERWRITECLIURL=https://${NEXTCLOUD_TRUSTED_DOMAINS}
+NEXTCLOUD_SMTP_HOST=smtp.gmail.com
+NEXTCLOUD_SMTP_SECURE=tls
+NEXTCLOUD_SMTP_PORT=587
+NEXTCLOUD_SMTP_AUTHTYPE=login
+NEXTCLOUD_REDIS_HOST=redis
+NEXTCLOUD_REDIS_HOST_PORT=6379
+NEXTCLOUD_MARIADB_AUTO_UPGRADE=1
+
+# Passbolt
+PASSBOLT_MYSQL_RANDOM_ROOT_PASSWORD=true
+PASSBOLT_MYSQL_DATABASE=passbolt
+PASSBOLT_MYSQL_USER=passbolt
+PASSBOLT_APP_FULL_BASE_URL=https://passbolt.lan.ddnsgeek.com
+PASSBOLT_DATASOURCES_DEFAULT_HOST=passbolt-db
+
+# Gramps
+GRAMPSWEB_LOGLEVEL=INFO
+GRAMPSWEB_MEDIAPATH=/app/media
+GRAMPSWEB_TREE=main
+
+# Prometheus stack
+INFLUXDB_INIT_MODE=setup
+INFLUXDB_INIT_ORG=pbs
+INFLUXDB_INIT_BUCKET=telemetry
+
+DOCKER_EXPORTER_LOG_LEVEL=INFO
+
+PIHOLE_HOSTNAME=pihole.sweet.home
+PIHOLE_EXPORTER_PORT=9617
+
+# Gotify
+GOTIFY_REGISTRATION=false
+
+# Portainer
+PORTAINER_GODEBUG=netdns=cgo

monitoring/gotify/docker-compose.yml

@@ -4,20 +4,18 @@ services:
     image: gotify/server:latest
     container_name: gotify
     restart: always
-
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     volumes:
       - ${PROJECT_ROOT}/monitoring/gotify/data:/app/data
-
     environment:
       - TZ=${TZ}
-      - GOTIFY_DEFAULTUSER_NAME=admin
+      - GOTIFY_DEFAULTUSER_NAME=${GOTIFY_DEFAULTUSER_NAME}
-      - GOTIFY_DEFAULTUSER_PASS=R1m@dmin
+      - GOTIFY_DEFAULTUSER_PASS=${GOTIFY_DEFAULTUSER_PASS}
-      - GOTIFY_REGISTRATION=false
+      - GOTIFY_REGISTRATION=${GOTIFY_REGISTRATION}
 
     networks:
-#      - traefik_reverse_proxy
       - traefik
-
     labels:
       - "traefik.enable=true"
       - "traefik.docker.network=core_traefik"
@@ -26,7 +24,3 @@ services:
       - "traefik.http.routers.gotify.entrypoints=websecure"
       - "traefik.http.routers.gotify.tls.certresolver=myresolver"
       - "traefik.http.services.gotify.loadbalancer.server.port=80"
-
-#networks:
-#  traefik_reverse_proxy:
-#    external: true

monitoring/grafana/docker-compose.yml

@@ -5,7 +5,7 @@ services:
     container_name: grafana
     restart: unless-stopped
     environment:
-      - GF_SERVER_ROOT_URL=https://grafana.lan.ddnsgeek.com/
+      - GF_SERVER_ROOT_URL=${GRAFANA_ROOT_URL}
     volumes:
       - ${PROJECT_ROOT}/monitoring/grafana/data:/var/lib/grafana
     networks:

monitoring/portainer/docker-compose.yml

@@ -24,7 +24,7 @@ services:
       - traefik.http.services.portainer.loadbalancer.server.port=9000
 
     environment:
-      - GODEBUG=netdns=cgo
+      - GODEBUG=${PORTAINER_GODEBUG}
 #    healthcheck:
 #      test: ["CMD", "wget", "--spider", "-q", "https://portainer.lan.ddnsgeek.com/api/status"]
 #      interval: 30s

monitoring/prometheus/docker-compose.yml

@@ -4,6 +4,8 @@ services:
   prometheus:
     profiles: ["monitoring","all","prometheus"]
     image: prom/prometheus:latest
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     container_name: prometheus
     depends_on:
 #      - alertmanager
@@ -22,6 +24,7 @@ services:
       - ${PROJECT_ROOT}/monitoring/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
       - ${PROJECT_ROOT}/monitoring/prometheus/data:/prometheus
       - ${PROJECT_ROOT}/monitoring/prometheus/rules:/etc/prometheus/rules:ro
+      - ${PROJECT_ROOT}/secrets/prometheus_kuma_basic_auth_password.txt:/run/secrets/prometheus_kuma_basic_auth_password:ro
 
     restart: unless-stopped
     labels:
@@ -53,7 +56,7 @@ services:
 #    volumes:
 #      - ./alertmanager/alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
 #    restart: unless-stopped
-#    networks:
+#    secrets:
 #      - edge
 #      - traefik_reverse_proxy
 #    healthcheck:
@@ -101,14 +104,18 @@ services:
     image: influxdb:2.7
     container_name: influxdb
     restart: unless-stopped
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     volumes:
       - ${PROJECT_ROOT}/monitoring/influxdb:/var/lib/influxdb2
     environment:
-      DOCKER_INFLUXDB_INIT_MODE: setup
+      DOCKER_INFLUXDB_INIT_MODE: ${INFLUXDB_INIT_MODE}
-      DOCKER_INFLUXDB_INIT_USERNAME: admin
+      DOCKER_INFLUXDB_INIT_USERNAME: ${INFLUXDB_INIT_USERNAME}
-      DOCKER_INFLUXDB_INIT_PASSWORD: adminpassword
+      DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influxdb_init_password
-      DOCKER_INFLUXDB_INIT_ORG: pbs
+      DOCKER_INFLUXDB_INIT_ORG: ${INFLUXDB_INIT_ORG}
-      DOCKER_INFLUXDB_INIT_BUCKET: telemetry
+      DOCKER_INFLUXDB_INIT_BUCKET: ${INFLUXDB_INIT_BUCKET}
+    secrets:
+      - influxdb_init_password
     networks:
 #      - edge
 #      - traefik_reverse_proxy
@@ -162,7 +169,7 @@ services:
 #      - ${PROJECT_ROOT}/monitoring/docker-exporter/data:/data:rw
 #      - ${PROJECT_ROOT}/services-up.sh:/app/services-up.sh:ro
     environment:
-      LOG_LEVEL: INFO
+      LOG_LEVEL: ${DOCKER_EXPORTER_LOG_LEVEL}
 
     volumes:
       - ~/.docker/config.json:/root/.docker/config.json:ro
@@ -205,12 +212,14 @@ services:
     profiles: ["monitoring","all","prometheus-exporters"]
     image: ekofr/pihole-exporter:latest
     container_name: pihole-exporter
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     environment:
-      PIHOLE_HOSTNAME: pihole.sweet.home
+      PIHOLE_HOSTNAME: ${PIHOLE_HOSTNAME}
-      PIHOLE_PASSWORD: ""
+      PIHOLE_PASSWORD: ${PIHOLE_PASSWORD}
-      PORT: 9617
+      PORT: ${PIHOLE_EXPORTER_PORT}
     ports:
-      - "9617:9617"
+      - "${PIHOLE_EXPORTER_PORT}:${PIHOLE_EXPORTER_PORT}"
     restart: unless-stopped
     networks:
 #      - edge
@@ -228,3 +237,8 @@ services:
 #    external: true
 
 
+
+
+secrets:
+  influxdb_init_password:
+    file: ${PROJECT_ROOT}/secrets/influxdb_init_password.txt

monitoring/prometheus/prometheus.yml

@@ -97,8 +97,8 @@ scrape_configs:
 
     basic_auth:
       username: wayne.bennett@live.com
-      password: '4vjCco?[%{=+,t`):C'
+      password_file: /run/secrets/prometheus_kuma_basic_auth_password
-
+#      password: '4vjCco?[%{=+,t`):C'
     static_configs:
       - targets:
           - monitor-kuma:3001

secrets/.env.secrets.example

@@ -0,0 +1,35 @@
+# Copy to secrets/stack-secrets.env and set real values.
+# Do NOT commit secrets/stack-secrets.env.
+
+NEXTCLOUD_DB_NAME=nextcloud
+NEXTCLOUD_DB_USER=nextcloud
+NEXTCLOUD_ADMIN_USER=admin
+NEXTCLOUD_SMTP_FROM_ADDRESS=mailuser
+NEXTCLOUD_SMTP_DOMAIN=example.com
+NEXTCLOUD_SMTP_NAME=mailuser@example.com
+
+PASSBOLT_DB_NAME=passbolt
+PASSBOLT_DB_USER=passbolt
+
+GRAMPS_DB_NAME=gramps
+GRAMPS_DB_USER=gramps
+GRAMPS_DB_PASSWORD=CHANGE_ME
+GRAMPS_INITIAL_ADMIN=admin
+GRAMPS_INITIAL_ADMIN_PASSWORD=CHANGE_ME
+
+GOTIFY_DEFAULTUSER_NAME=admin
+GOTIFY_DEFAULTUSER_PASS=CHANGE_ME
+
+INFLUXDB_INIT_USERNAME=admin
+INFLUXDB_INIT_ORG=homelab
+INFLUXDB_INIT_BUCKET=telemetry
+
+PIHOLE_HOSTNAME=pihole.example.com
+PIHOLE_PASSWORD=CHANGE_ME
+
+PROMETHEUS_KUMA_BASIC_AUTH_USERNAME=monitoring@example.com
+
+AUTHELIA_JWT_SECRET=CHANGE_ME
+AUTHELIA_SESSION_SECRET=CHANGE_ME
+AUTHELIA_STORAGE_ENCRYPTION_KEY=CHANGE_ME
+CROWDSEC_LAPI_KEY=CHANGE_ME

services-up.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 
 ENV="default-environment.env"
+SECRETS="secrets/stack-secrets.env"
 PROJECT="core"
 FILES=(
   -f default-network.yml
@@ -21,4 +22,4 @@ FILES=(
   -f core/test/docker-compose.yml
 )
 
-docker compose -p $PROJECT --env-file $ENV  "${FILES[@]}" $1 $2 $3 $4 $5 $6 $7 $8 $9
+docker compose -p $PROJECT --env-file $ENV --env-file $SECRETS  "${FILES[@]}" $1 $2 $3 $4 $5 $6 $7 $8 $9