modified: apps/gramps/docker-compose.yml

modified: apps/nextcloud/docker-compose.yml modified: apps/passbolt/docker-compose.yml modified: core/authelia/configuration.yml modified: core/docker-compose.yml modified: default-environment.env modified: monitoring/gotify/docker-compose.yml modified: monitoring/prometheus/docker-compose.yml modified: monitoring/prometheus/prometheus.yml modified: services-up.sh
Merge branch 'main' of https://github.com/beatz174-bit/docker
2026-04-07 21:57:22 +10:00 · 2026-04-07 19:40:06 +10:00 · 2026-04-07 19:39:48 +10:00 · 2026-04-07 19:38:51 +10:00 · 2026-04-07 16:18:16 +10:00 · 2026-04-07 16:18:03 +10:00
19 changed files with 333 additions and 120 deletions
@@ -0,0 +1,9 @@
+# Copy this file to default-environment.env (non-secret defaults) and update values.
+PROJECT_ROOT=/path/to/docker
+DOMAIN=example.com
+TZ=Etc/UTC
+EMAIL=admin@example.com
+
+# Required secret file path used by compose services.
+# Create this file from secrets/.env.secrets.example and keep it out of git.
+SECRETS_ENV_FILE=${PROJECT_ROOT}/secrets/stack-secrets.env
@@ -21,4 +21,6 @@ apps/searxng/*
 venv/
 core/authelia/users_database.yml
 monitoring/influxdb/*
-
+secrets/*
+!secrets/.env.secrets.example
+!.env.example
@@ -0,0 +1,49 @@
+# Deployment prerequisites (required)
+
+Before running `docker compose up`, you **must** provision runtime secrets.
+
+## 1) Create non-committed secret files
+
+```bash
+cp secrets/.env.secrets.example secrets/stack-secrets.env
+chmod 600 secrets/stack-secrets.env
+```
+
+Create these Docker secret files (all ignored by git):
+
+- `secrets/nextcloud_db_root_password.txt`
+- `secrets/nextcloud_db_password.txt`
+- `secrets/nextcloud_admin_password.txt`
+- `secrets/nextcloud_smtp_password.txt`
+- `secrets/nextcloud_redis_password.txt`
+- `secrets/passbolt_db_password.txt`
+- `secrets/gramps_db_password.txt`
+- `secrets/influxdb_init_password.txt`
+- `secrets/prometheus_kuma_basic_auth_password.txt`
+
+Recommended permissions:
+
+```bash
+chmod 600 secrets/*.txt
+```
+
+## 2) Rotate previously committed credentials
+
+These values were previously hardcoded and must be rotated in upstream systems immediately:
+
+- Database credentials (Nextcloud, Passbolt, Gramps, InfluxDB).
+- Nextcloud SMTP app password.
+- Authelia reset JWT secret, session secret, storage encryption key.
+- Traefik CrowdSec LAPI key.
+- Gotify admin password.
+- Prometheus Uptime Kuma basic-auth password.
+
+## 3) Start stack
+
+After secrets are provisioned:
+
+```bash
+docker compose -f core/docker-compose.yml up -d
+docker compose -f monitoring/prometheus/docker-compose.yml up -d
+docker compose -f apps/nextcloud/docker-compose.yml up -d
+```
@@ -0,0 +1,31 @@
+# Credential Inventory (apps/, core/, monitoring/)
+
+## apps/
+- `apps/nextcloud/docker-compose.yml`
+  - `MYSQL_PASSWORD` (nextcloud-webapp) -> `MYSQL_PASSWORD_FILE` + Docker secret.
+  - `SMTP_PASSWORD` -> `SMTP_PASSWORD_FILE` + Docker secret.
+  - `REDIS_HOST_PASSWORD` -> `REDIS_HOST_PASSWORD_FILE` + Docker secret.
+  - `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, `NEXTCLOUD_ADMIN_PASSWORD` (nextcloud-db) -> `_FILE` variants + Docker secrets.
+  - Redis `--requirepass` inline value -> read from Docker secret at runtime.
+- `apps/passbolt/docker-compose.yml`
+  - `MYSQL_PASSWORD`, `DATASOURCES_DEFAULT_PASSWORD` -> `_FILE` variants + Docker secret.
+- `apps/gramps/docker-compose.yml`
+  - `POSTGRES_PASSWORD` -> `POSTGRES_PASSWORD_FILE` + Docker secret.
+  - `DB_URI` password + `INITIAL_ADMIN_PASSWORD` -> env references from non-committed secrets env file.
+
+## core/
+- `core/authelia/configuration.yml`
+  - `identity_validation.reset_password.jwt_secret` -> `${AUTHELIA_JWT_SECRET}`.
+  - `session.secret` -> `${AUTHELIA_SESSION_SECRET}`.
+  - `storage.encryption_key` -> `${AUTHELIA_STORAGE_ENCRYPTION_KEY}`.
+- `core/traefik/dynamic.yml`
+  - `crowdsecLapiKey` -> `${CROWDSEC_LAPI_KEY}`.
+
+## monitoring/
+- `monitoring/gotify/docker-compose.yml`
+  - `GOTIFY_DEFAULTUSER_PASS` -> `${GOTIFY_DEFAULTUSER_PASS}` from non-committed secrets env file.
+- `monitoring/prometheus/docker-compose.yml`
+  - `DOCKER_INFLUXDB_INIT_PASSWORD` -> `DOCKER_INFLUXDB_INIT_PASSWORD_FILE` + Docker secret.
+  - `PIHOLE_PASSWORD` -> `${PIHOLE_PASSWORD}` from non-committed secrets env file.
+- `monitoring/prometheus/prometheus.yml`
+  - Uptime Kuma basic_auth `password` -> `password_file` mounted from non-committed secret file.
@@ -5,10 +5,10 @@ services:
    image: gitea/gitea:latest # change to 1-rootless once find out how to move data. 
    restart: always
    environment:
-      - USER_UID=1000
-      - USER_GID=1000
-      - GITEA__database__DB_TYPE=sqlite3
-      - GITEA__server__ROOT_URL=https://gitea.lan.ddnsgeek.com/
+      - USER_UID=${GITEA_USER_UID}
+      - USER_GID=${GITEA_USER_GID}
+      - GITEA__database__DB_TYPE=${GITEA_DB_TYPE}
+      - GITEA__server__ROOT_URL=${GITEA_ROOT_URL}
    volumes:
      - ${PROJECT_ROOT}/apps/gitea/data:/data
    networks:
@@ -4,22 +4,25 @@ services:
    image: postgres:13
    container_name: gramps-db
    restart: always
+    env_file:
+      - ${SECRETS_ENV_FILE}
    environment:
-      POSTGRES_USER: gramps
-      POSTGRES_PASSWORD: grampspassword
-      POSTGRES_DB: gramps
+      POSTGRES_USER: ${GRAMPS_DB_USER}
+      POSTGRES_PASSWORD_FILE: /run/secrets/gramps_db_password
+      POSTGRES_DB: ${GRAMPS_DB_NAME}
+    secrets:
+      - gramps_db_password
    volumes:
      - ${PROJECT_ROOT}/apps/gramps/db:/var/lib/postgresql
    networks:
      - gramps
    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -h db -p 5432 -U gramps -d gramps"]
+      test: ["CMD-SHELL", "pg_isready -h gramps-db -p 5432 -U $$POSTGRES_USER -d $$POSTGRES_DB"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 30s

-
  grampsweb:
    profiles: ["apps","all","gramps"]
    image: ghcr.io/gramps-project/grampsweb:latest
@@ -27,17 +30,17 @@ services:
    depends_on:
      - gramps-db
    restart: always
-#    ports:
-#      - "5000:5000"          # access via http://localhost:5000
+    env_file:
+      - ${SECRETS_ENV_FILE}
    environment:
-      DB_URI: postgresql://gramps:grampspassword@db:5432/gramps
-      GRAMPSWEB_LOGLEVEL: INFO
+      DB_URI: ${GRAMPS_DB_URI}
+      GRAMPSWEB_LOGLEVEL: ${GRAMPSWEB_LOGLEVEL}
      # default admin user created on first run:
-      INITIAL_ADMIN: admin
-      INITIAL_ADMIN_PASSWORD: admin
+      INITIAL_ADMIN: ${GRAMPS_INITIAL_ADMIN}
+      INITIAL_ADMIN_PASSWORD: ${GRAMPS_INITIAL_ADMIN_PASSWORD}
      # optional: storage paths inside container
-      GRAMPSWEB_MEDIAPATH: /app/media
-      GRAMPSWEB_TREE: "main"
+      GRAMPSWEB_MEDIAPATH: ${GRAMPSWEB_MEDIAPATH}
+      GRAMPSWEB_TREE: "${GRAMPSWEB_TREE}"
    volumes:
      - ${PROJECT_ROOT}/apps/gramps/data/users:/app/users
      - ${PROJECT_ROOT}/apps/gramps/data/media:/app/media
@@ -62,10 +65,9 @@ services:
      retries: 6
      start_period: 60s

-
-
 networks:
-#  traefik_reverse_proxy:
-#    external: true
  gramps:
-#    driver: bridge
+
+secrets:
+  gramps_db_password:
+    file: ${PROJECT_ROOT}/secrets/gramps_db_password.txt
@@ -1,12 +1,13 @@
 services:
  nextcloud-webapp:
-#    image: nextcloud:production
    profiles: ["apps","all","nextcloud"]
    build:
      context: ${PROJECT_ROOT}/apps/nextcloud
    container_name: nextcloud-webapp
    restart: always
-    hostname: nextcloud.lan.ddnsgeek.com
+    hostname: ${NEXTCLOUD_TRUSTED_DOMAINS}
+#    env_file:
+#      - ${SECRETS_ENV_FILE}
    volumes:
      - ${PROJECT_ROOT}/apps/nextcloud/data:/var/www/html/data:rw
      - ${PROJECT_ROOT}/apps/nextcloud/config:/var/www/html/config:rw
@@ -16,31 +17,33 @@ services:
      - nextcloud-db
      - nextcloud-redis
    environment:
-      - MYSQL_PASSWORD=R1m@dmin
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
-      - MYSQL_HOST=nextcloud_db:3306
-      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.lan.ddnsgeek.com
-      - OVERWRITEPROTOCOL=https
-      - OVERWRITECLIURL=https://nextcloud.lan.ddnsgeek.com
-
-      - SMTP_HOST=smtp.gmail.com
-      - SMTP_SECURE=tls
-      - SMTP_PORT=587
-      - SMTP_AUTHTYPE=login
-      - MAIL_FROM_ADDRESS=beatz174
-      - MAIL_DOMAIN=gmail.com
-      - SMTP_NAME=beatz174@gmail.com
-      - SMTP_PASSWORD=kqdw fvml wlag ldgv
-
-      - REDIS_HOST=redis
-      - REDIS_HOST_PORT=6379
-      - REDIS_HOST_PASSWORD=TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n
+      - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
+      - MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE}
+      - MYSQL_USER=${NEXTCLOUD_DB_USER}
+      - MYSQL_HOST=${NEXTCLOUD_MYSQL_HOST}
+      - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_TRUSTED_DOMAINS}
+      - OVERWRITEPROTOCOL=${NEXTCLOUD_OVERWRITEPROTOCOL}
+      - OVERWRITECLIURL=${NEXTCLOUD_OVERWRITECLIURL}
+      - SMTP_HOST=${NEXTCLOUD_SMTP_HOST}
+      - SMTP_SECURE=${NEXTCLOUD_SMTP_SECURE}
+      - SMTP_PORT=${NEXTCLOUD_SMTP_PORT}
+      - SMTP_AUTHTYPE=${NEXTCLOUD_SMTP_AUTHTYPE}
+      - MAIL_FROM_ADDRESS=${NEXTCLOUD_SMTP_FROM_ADDRESS}
+      - MAIL_DOMAIN=${NEXTCLOUD_SMTP_DOMAIN}
+      - SMTP_NAME=${NEXTCLOUD_SMTP_NAME}
+      - SMTP_PASSWORD_FILE=/run/secrets/nextcloud_smtp_password
+      - REDIS_HOST=${NEXTCLOUD_REDIS_HOST}
+      - REDIS_HOST_PORT=${NEXTCLOUD_REDIS_HOST_PORT}
+      - REDIS_HOST_PASSWORD_FILE=/run/secrets/nextcloud_redis_password
+    secrets:
+      - nextcloud_db_password
+      - nextcloud_smtp_password
+      - nextcloud_redis_password
    networks:
      - traefik
      - nextcloud
    labels:
-      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.lan.ddnsgeek.com`)"
+      - "traefik.http.routers.nextcloud.rule=Host(`${NEXTCLOUD_TRUSTED_DOMAINS}`)"
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
@@ -54,7 +57,6 @@ services:
      - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.regex=https://(.*)/.well-known/webfinger"
      - "traefik.http.middlewares.nextcloud-webfinger.redirectregex.replacement=https://$${1}/nextcloud/index.php/.well-known/webfinger"
      - "traefik.docker.network=core_traefik"
-
    healthcheck:
      test:
        - CMD-SHELL
@@ -68,9 +70,6 @@ services:
      retries: 6
      start_period: 180s

-
-
-
  nextcloud-db:
    image: mariadb:11.4
    restart: always
@@ -78,36 +77,41 @@ services:
    container_name: nextcloud-db
    hostname: nextcloud_db
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/apps/nextcloud/database:/var/lib/mysql:rw
    environment:
-      - MYSQL_ROOT_PASSWORD=R1m@dmin
-      - MYSQL_PASSWORD=R1m@dmin
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
-      - MARIADB_AUTO_UPGRADE=1
-      - NEXTCLOUD_ADMIN_USER=admin
-      - NEXTCLOUD_ADMIN_PASSWORD=R1m@dmin
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/nextcloud_db_root_password
+      - MYSQL_PASSWORD_FILE=/run/secrets/nextcloud_db_password
+      - MYSQL_DATABASE=${NEXTCLOUD_MYSQL_DATABASE}
+      - MYSQL_USER=${NEXTCLOUD_DB_USER}
+      - MARIADB_AUTO_UPGRADE=${NEXTCLOUD_MARIADB_AUTO_UPGRADE}
+      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
+      - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
+    secrets:
+      - nextcloud_db_root_password
+      - nextcloud_db_password
+      - nextcloud_admin_password
    networks:
      - nextcloud
    labels:
      - "io.portainer.accesscontrol.public"
    healthcheck:
-      test: ["CMD-SHELL", "mariadb-admin ping -u nextcloud --password=R1m@dmin --silent"]
+      test: ["CMD-SHELL", "mariadb-admin ping -u $$MYSQL_USER --password=$$(cat /run/secrets/nextcloud_db_password) --silent"]
      interval: 10s
      timeout: 5s
      retries: 12
      start_period: 60s

-
  nextcloud-redis:
    image: "redis"
    profiles: ["apps","all","nextcloud"]
-    command: ["redis-server", "--requirepass", "TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n", "--appendonly", "yes", "--save", "60", "1000"]
+    command: ["sh", "-c", "redis-server --requirepass \"$$(cat /run/secrets/nextcloud_redis_password)\" --appendonly yes --save 60 1000"]
    hostname: redis
    container_name: nextcloud-redis
-    environment:
-      - REDIS_HOST_PASSWORD=TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n
+    secrets:
+      - nextcloud_redis_password
    volumes:
      - ${PROJECT_ROOT}/apps/nextcloud/data/redis:/data:rw
    restart: always
@@ -116,15 +120,23 @@ services:
    labels:
      - "io.portainer.accesscontrol.public"
    healthcheck:
-      test: ["CMD-SHELL", "redis-cli -a TzBF8wcJNmVd9p2CTmBejPS9dpye6kWQeH3DmrQS9TPfTRriSHFN5VqH4CgzcuVZYWH2GBb7QU5GuEpNDGYdKjM6hjmLyjSgCFMiPms3Hv9n PING | grep -q PONG"]
+      test: ["CMD-SHELL", "redis-cli -a \"$$(cat /run/secrets/nextcloud_redis_password)\" PING | grep -q PONG"]
      interval: 10s
      timeout: 5s
      retries: 6
      start_period: 10s

-
 networks:
-#  traefik_reverse_proxy:
-#    external: true
  nextcloud:
-#    driver: bridge
+
+secrets:
+  nextcloud_db_root_password:
+    file: ${PROJECT_ROOT}/secrets/nextcloud_db_root_password.txt
+  nextcloud_db_password:
+    file: ${PROJECT_ROOT}/secrets/nextcloud_db_password.txt
+  nextcloud_admin_password:
+    file: ${PROJECT_ROOT}/secrets/nextcloud_admin_password.txt
+  nextcloud_smtp_password:
+    file: ${PROJECT_ROOT}/secrets/nextcloud_smtp_password.txt
+  nextcloud_redis_password:
+    file: ${PROJECT_ROOT}/secrets/nextcloud_redis_password.txt
@@ -4,17 +4,21 @@ services:
    container_name: passbolt-db
    image: mariadb:12
    restart: always
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
-      MYSQL_RANDOM_ROOT_PASSWORD: "true"
-      MYSQL_DATABASE: "passbolt"
-      MYSQL_USER: "passbolt"
-      MYSQL_PASSWORD: "P4ssb0lt"
+      MYSQL_RANDOM_ROOT_PASSWORD: ${PASSBOLT_MYSQL_RANDOM_ROOT_PASSWORD}
+      MYSQL_DATABASE: ${PASSBOLT_DB_NAME}
+      MYSQL_USER: ${PASSBOLT_DB_USER}
+      MYSQL_PASSWORD_FILE: /run/secrets/passbolt_db_password
+    secrets:
+      - passbolt_db_password
    volumes:
      - ${PROJECT_ROOT}/apps/passbolt/data/database:/var/lib/mysql
    networks:
      - passbolt
    healthcheck:
-      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MARIADB_USER\" -p\"$$MARIADB_PASSWORD\" --silent"]
+      test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u\"$$MYSQL_USER\" -p\"$$(cat /run/secrets/passbolt_db_password)\" --silent"]
      interval: 10s
      timeout: 5s
      retries: 12
@@ -22,22 +26,24 @@ services:
    labels:
       - "io.portainer.accesscontrol.public"

-
  passbolt-webapp:
    image: passbolt/passbolt:latest-ce
    profiles: ["apps","all","passbolt"]
    container_name: passbolt-webapp
-    #Alternatively you can use rootless:
    restart: always
    depends_on:
      - passbolt-db
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
-      APP_FULL_BASE_URL: https://passbolt.lan.ddnsgeek.com
-      DATASOURCES_DEFAULT_HOST: "passbolt-db"
-      DATASOURCES_DEFAULT_USERNAME: "passbolt"
-      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
-      DATASOURCES_DEFAULT_DATABASE: "passbolt"
-      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "CBBB2B8F3E9FACA114537ACB8965B750F7363586"
+      APP_FULL_BASE_URL: ${PASSBOLT_APP_FULL_BASE_URL}
+      DATASOURCES_DEFAULT_HOST: ${PASSBOLT_DATASOURCES_DEFAULT_HOST}
+      DATASOURCES_DEFAULT_USERNAME: ${PASSBOLT_DB_USER}
+      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/passbolt_db_password
+      DATASOURCES_DEFAULT_DATABASE: ${PASSBOLT_DB_NAME}
+      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: ${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT}
+    secrets:
+      - passbolt_db_password
    volumes:
      - ${PROJECT_ROOT}/apps/passbolt/data/gpg:/etc/passbolt/gpg
      - ${PROJECT_ROOT}/apps/passbolt/data/jwt:/etc/passbolt/jwt
@@ -60,20 +66,16 @@ services:
      - "traefik.http.routers.passbolt.tls.certresolver=myresolver"
      - "io.portainer.accesscontrol.public"
      - "traefik.docker.network=core_traefik"
-
    healthcheck:
      test: ["CMD-SHELL", "curl -fsS http://localhost/healthcheck/status | grep -qx OK"]
-#        su -s /bin/sh -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
-#        | grep -q "No error found"
      interval: 30s
      timeout: 10s
      retries: 6
      start_period: 120s

-
 networks:
-#  traefik_reverse_proxy:
-#    external: true
-#  internal:
-#    driver: bridge
  passbolt:
+
+secrets:
+  passbolt_db_password:
+    file: ${PROJECT_ROOT}/secrets/passbolt_db_password.txt
@@ -23,8 +23,6 @@ authentication_backend:
 access_control:
  default_policy: deny
  rules:
-#    - domain: "*.lan.ddnsgeek.com"
-#      policy: two_factor
    - domain: alertmanager.lan.ddnsgeek.com
      resources:
        - "^/api/.*"
@@ -52,7 +50,6 @@ access_control:
        - "^/metrics"
      policy: bypass

-
    - domain: "*.lan.ddnsgeek.com"
      policy: two_factor

@@ -17,6 +17,8 @@ services:

    build:
      context: ${PROJECT_ROOT}/core
+ #   env_file:
+ #     - ${PROJECT_ROOT}/secrets/stack-secrets.env

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -52,6 +54,7 @@ services:
    restart: always
    environment:
      - COLLECTIONS=crowdsecurity/traefik
+#      - CROWDSEC_LAPI_KEY=${CROWDSEC_LAPI_KEY}
    volumes:
      - ${PROJECT_ROOT}/core/crowdsec/logs:/logs:ro
      - ${PROJECT_ROOT}/core/crowdsec/data:/var/lib/crowdsec/data
@@ -73,7 +76,7 @@ services:
    container_name: error-pages
    read_only: true
    environment:
-      TEMPLATE_NAME: app-down
+      TEMPLATE_NAME: ${ERROR_PAGES_TEMPLATE_NAME}
    networks:
 #      - reverse_proxy
      - traefik
@@ -99,6 +102,12 @@ services:
    restart: always
    build:
      context: ${PROJECT_ROOT}/core/authelia
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
+#    environment:
+#      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:${AUTHELIA_JWT_SECRET}
+#      - AUTHELIA_SESSION_SECRET:${AUTHELIA_SESSION_SECRET}
+#      - AUTHELIA_STORAGE_ENCRYPTION_KEY:${AUTHELIA_STORAGE_ENCRYPTION_KEY}
    volumes:
      - ${PROJECT_ROOT}/core/authelia:/config
    networks:
@@ -4,7 +4,7 @@ http:
      plugin:
        crowdsec-bouncer:
          crowdsecMode: live
-          crowdsecLapiKey: HeneLa2mazFVzl5+DQRKOdchBuJxKdjrHsHBE/03Acs
+          crowdsecLapiKey: ${CROWDSEC_LAPI_KEY}
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiScheme: http

@@ -2,3 +2,59 @@ PROJECT_ROOT=/home/nixos/docker
 DOMAIN=lan.ddnsgeek.com
 TZ=Australia/Brisbane
 EMAIL=wayne.bennett@live.com
+SECRETS_ENV_FILE=${PROJECT_ROOT}/secrets/stack-secrets.env
+
+# Core
+CROWDSEC_COLLECTIONS=crowdsecurity/traefik
+ERROR_PAGES_TEMPLATE_NAME=app-down
+
+# Gitea
+GITEA_USER_UID=1000
+GITEA_USER_GID=1000
+GITEA_DB_TYPE=sqlite3
+GITEA_ROOT_URL=https://gitea.lan.ddnsgeek.com/
+
+# Grafana
+GRAFANA_ROOT_URL=https://grafana.lan.ddnsgeek.com/
+
+# Nextcloud
+NEXTCLOUD_MYSQL_DATABASE=nextcloud
+NEXTCLOUD_MYSQL_HOST=nextcloud_db:3306
+NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.lan.ddnsgeek.com
+NEXTCLOUD_OVERWRITEPROTOCOL=https
+NEXTCLOUD_OVERWRITECLIURL=https://${NEXTCLOUD_TRUSTED_DOMAINS}
+NEXTCLOUD_SMTP_HOST=smtp.gmail.com
+NEXTCLOUD_SMTP_SECURE=tls
+NEXTCLOUD_SMTP_PORT=587
+NEXTCLOUD_SMTP_AUTHTYPE=login
+NEXTCLOUD_REDIS_HOST=redis
+NEXTCLOUD_REDIS_HOST_PORT=6379
+NEXTCLOUD_MARIADB_AUTO_UPGRADE=1
+
+# Passbolt
+PASSBOLT_MYSQL_RANDOM_ROOT_PASSWORD=true
+PASSBOLT_MYSQL_DATABASE=passbolt
+PASSBOLT_MYSQL_USER=passbolt
+PASSBOLT_APP_FULL_BASE_URL=https://passbolt.lan.ddnsgeek.com
+PASSBOLT_DATASOURCES_DEFAULT_HOST=passbolt-db
+
+# Gramps
+GRAMPSWEB_LOGLEVEL=INFO
+GRAMPSWEB_MEDIAPATH=/app/media
+GRAMPSWEB_TREE=main
+
+# Prometheus stack
+INFLUXDB_INIT_MODE=setup
+INFLUXDB_INIT_ORG=pbs
+INFLUXDB_INIT_BUCKET=telemetry
+
+DOCKER_EXPORTER_LOG_LEVEL=INFO
+
+PIHOLE_HOSTNAME=pihole.sweet.home
+PIHOLE_EXPORTER_PORT=9617
+
+# Gotify
+GOTIFY_REGISTRATION=false
+
+# Portainer
+PORTAINER_GODEBUG=netdns=cgo
@@ -4,20 +4,18 @@ services:
    image: gotify/server:latest
    container_name: gotify
    restart: always
-
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/monitoring/gotify/data:/app/data
-
    environment:
      - TZ=${TZ}
-      - GOTIFY_DEFAULTUSER_NAME=admin
-      - GOTIFY_DEFAULTUSER_PASS=R1m@dmin
-      - GOTIFY_REGISTRATION=false
+      - GOTIFY_DEFAULTUSER_NAME=${GOTIFY_DEFAULTUSER_NAME}
+      - GOTIFY_DEFAULTUSER_PASS=${GOTIFY_DEFAULTUSER_PASS}
+      - GOTIFY_REGISTRATION=${GOTIFY_REGISTRATION}

    networks:
-#      - traefik_reverse_proxy
      - traefik
-
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=core_traefik"
@@ -26,7 +24,3 @@ services:
      - "traefik.http.routers.gotify.entrypoints=websecure"
      - "traefik.http.routers.gotify.tls.certresolver=myresolver"
      - "traefik.http.services.gotify.loadbalancer.server.port=80"
-
-#networks:
-#  traefik_reverse_proxy:
-#    external: true
@@ -5,7 +5,7 @@ services:
    container_name: grafana
    restart: unless-stopped
    environment:
-      - GF_SERVER_ROOT_URL=https://grafana.lan.ddnsgeek.com/
+      - GF_SERVER_ROOT_URL=${GRAFANA_ROOT_URL}
    volumes:
      - ${PROJECT_ROOT}/monitoring/grafana/data:/var/lib/grafana
    networks:
@@ -24,7 +24,7 @@ services:
      - traefik.http.services.portainer.loadbalancer.server.port=9000

    environment:
-      - GODEBUG=netdns=cgo
+      - GODEBUG=${PORTAINER_GODEBUG}
 #    healthcheck:
 #      test: ["CMD", "wget", "--spider", "-q", "https://portainer.lan.ddnsgeek.com/api/status"]
 #      interval: 30s
@@ -4,6 +4,8 @@ services:
  prometheus:
    profiles: ["monitoring","all","prometheus"]
    image: prom/prometheus:latest
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    container_name: prometheus
    depends_on:
 #      - alertmanager
@@ -22,6 +24,7 @@ services:
      - ${PROJECT_ROOT}/monitoring/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - ${PROJECT_ROOT}/monitoring/prometheus/data:/prometheus
      - ${PROJECT_ROOT}/monitoring/prometheus/rules:/etc/prometheus/rules:ro
+      - ${PROJECT_ROOT}/secrets/prometheus_kuma_basic_auth_password.txt:/run/secrets/prometheus_kuma_basic_auth_password:ro

    restart: unless-stopped
    labels:
@@ -53,7 +56,7 @@ services:
 #    volumes:
 #      - ./alertmanager/alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
 #    restart: unless-stopped
-#    networks:
+#    secrets:
 #      - edge
 #      - traefik_reverse_proxy
 #    healthcheck:
@@ -101,14 +104,18 @@ services:
    image: influxdb:2.7
    container_name: influxdb
    restart: unless-stopped
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/monitoring/influxdb:/var/lib/influxdb2
    environment:
-      DOCKER_INFLUXDB_INIT_MODE: setup
-      DOCKER_INFLUXDB_INIT_USERNAME: admin
-      DOCKER_INFLUXDB_INIT_PASSWORD: adminpassword
-      DOCKER_INFLUXDB_INIT_ORG: pbs
-      DOCKER_INFLUXDB_INIT_BUCKET: telemetry
+      DOCKER_INFLUXDB_INIT_MODE: ${INFLUXDB_INIT_MODE}
+      DOCKER_INFLUXDB_INIT_USERNAME: ${INFLUXDB_INIT_USERNAME}
+      DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influxdb_init_password
+      DOCKER_INFLUXDB_INIT_ORG: ${INFLUXDB_INIT_ORG}
+      DOCKER_INFLUXDB_INIT_BUCKET: ${INFLUXDB_INIT_BUCKET}
+    secrets:
+      - influxdb_init_password
    networks:
 #      - edge
 #      - traefik_reverse_proxy
@@ -162,7 +169,7 @@ services:
 #      - ${PROJECT_ROOT}/monitoring/docker-exporter/data:/data:rw
 #      - ${PROJECT_ROOT}/services-up.sh:/app/services-up.sh:ro
    environment:
-      LOG_LEVEL: INFO
+      LOG_LEVEL: ${DOCKER_EXPORTER_LOG_LEVEL}

    volumes:
      - ~/.docker/config.json:/root/.docker/config.json:ro
@@ -205,12 +212,14 @@ services:
    profiles: ["monitoring","all","prometheus-exporters"]
    image: ekofr/pihole-exporter:latest
    container_name: pihole-exporter
+#    env_file:
+#      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
-      PIHOLE_HOSTNAME: pihole.sweet.home
-      PIHOLE_PASSWORD: ""
-      PORT: 9617
+      PIHOLE_HOSTNAME: ${PIHOLE_HOSTNAME}
+      PIHOLE_PASSWORD: ${PIHOLE_PASSWORD}
+      PORT: ${PIHOLE_EXPORTER_PORT}
    ports:
-      - "9617:9617"
+      - "${PIHOLE_EXPORTER_PORT}:${PIHOLE_EXPORTER_PORT}"
    restart: unless-stopped
    networks:
 #      - edge
@@ -228,3 +237,8 @@ services:
 #    external: true


+
+
+secrets:
+  influxdb_init_password:
+    file: ${PROJECT_ROOT}/secrets/influxdb_init_password.txt
@@ -97,8 +97,8 @@ scrape_configs:

    basic_auth:
      username: wayne.bennett@live.com
-      password: '4vjCco?[%{=+,t`):C'
-
+      password_file: /run/secrets/prometheus_kuma_basic_auth_password
+#      password: '4vjCco?[%{=+,t`):C'
    static_configs:
      - targets:
          - monitor-kuma:3001
@@ -0,0 +1,35 @@
+# Copy to secrets/stack-secrets.env and set real values.
+# Do NOT commit secrets/stack-secrets.env.
+
+NEXTCLOUD_DB_NAME=nextcloud
+NEXTCLOUD_DB_USER=nextcloud
+NEXTCLOUD_ADMIN_USER=admin
+NEXTCLOUD_SMTP_FROM_ADDRESS=mailuser
+NEXTCLOUD_SMTP_DOMAIN=example.com
+NEXTCLOUD_SMTP_NAME=mailuser@example.com
+
+PASSBOLT_DB_NAME=passbolt
+PASSBOLT_DB_USER=passbolt
+
+GRAMPS_DB_NAME=gramps
+GRAMPS_DB_USER=gramps
+GRAMPS_DB_PASSWORD=CHANGE_ME
+GRAMPS_INITIAL_ADMIN=admin
+GRAMPS_INITIAL_ADMIN_PASSWORD=CHANGE_ME
+
+GOTIFY_DEFAULTUSER_NAME=admin
+GOTIFY_DEFAULTUSER_PASS=CHANGE_ME
+
+INFLUXDB_INIT_USERNAME=admin
+INFLUXDB_INIT_ORG=homelab
+INFLUXDB_INIT_BUCKET=telemetry
+
+PIHOLE_HOSTNAME=pihole.example.com
+PIHOLE_PASSWORD=CHANGE_ME
+
+PROMETHEUS_KUMA_BASIC_AUTH_USERNAME=monitoring@example.com
+
+AUTHELIA_JWT_SECRET=CHANGE_ME
+AUTHELIA_SESSION_SECRET=CHANGE_ME
+AUTHELIA_STORAGE_ENCRYPTION_KEY=CHANGE_ME
+CROWDSEC_LAPI_KEY=CHANGE_ME
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash

 ENV="default-environment.env"
+SECRETS="secrets/stack-secrets.env"
 PROJECT="core"
 FILES=(
  -f default-network.yml
@@ -21,4 +22,4 @@ FILES=(
  -f core/test/docker-compose.yml
 )

-docker compose -p $PROJECT --env-file $ENV  "${FILES[@]}" $1 $2 $3 $4 $5 $6 $7 $8 $9
+docker compose -p $PROJECT --env-file $ENV --env-file $SECRETS  "${FILES[@]}" $1 $2 $3 $4 $5 $6 $7 $8 $9
Author	SHA1	Message	Date
git	f221b12f8d	modified: apps/gramps/docker-compose.yml modified: apps/nextcloud/docker-compose.yml modified: apps/passbolt/docker-compose.yml modified: core/authelia/configuration.yml modified: core/docker-compose.yml modified: default-environment.env modified: monitoring/gotify/docker-compose.yml modified: monitoring/prometheus/docker-compose.yml modified: monitoring/prometheus/prometheus.yml modified: services-up.sh	2026-04-07 21:57:22 +10:00
git	39debaf4b4	Merge branch 'main' of https://github.com/beatz174-bit/docker	2026-04-07 19:40:06 +10:00
git	8bed8fdcb2	new file: .env.example new file: DEPLOYMENT.md new file: SECURITY_SECRETS_INVENTORY.md new file: secrets/.env.secrets.example	2026-04-07 19:39:48 +10:00
git	3b1e0efa19	modified: .gitignore modified: apps/gramps/docker-compose.yml modified: apps/nextcloud/docker-compose.yml modified: apps/passbolt/docker-compose.yml modified: core/docker-compose.yml modified: monitoring/gotify/docker-compose.yml modified: monitoring/prometheus/docker-compose.yml modified: monitoring/prometheus/prometheus.yml .env.example DEPLOYMENT.md SECURITY_SECRETS_INVENTORY.md secrets/	2026-04-07 19:38:51 +10:00
beatz174-bit	cf45a16c67	Merge pull request #8 from beatz174-bit/codex/refactor-credential-management-for-docker Harden compose secret handling and require secret provisioning	2026-04-07 16:18:16 +10:00
beatz174-bit	698fc19e82	Merge branch 'main' into codex/refactor-credential-management-for-docker	2026-04-07 16:18:03 +10:00
beatz174-bit	3c2d28c763	Harden compose secrets and add required provisioning docs	2026-04-07 16:12:50 +10:00
git	8d0ecf0adf	modified: default-environment.env modified: monitoring/gotify/docker-health-to-gotify.sh	2026-04-07 15:34:41 +10:00
git	f7b4cc22b9	Merge branch 'main' of https://github.com/beatz174-bit/docker	2026-04-07 15:15:33 +10:00
git	b7983b30d3	modified: apps/gitea/docker-compose.yml modified: apps/gramps/docker-compose.yml modified: apps/nextcloud/docker-compose.yml modified: apps/passbolt/docker-compose.yml modified: core/docker-compose.yml modified: default-environment.env modified: monitoring/prometheus/docker-compose.yml	2026-04-07 15:12:42 +10:00
beatz174-bit	1d395287dc	Merge pull request #7 from beatz174-bit/codex/move-hard-coded-environment-variables Move hard-coded compose environment values into default-environment.env	2026-04-07 15:09:26 +10:00
beatz174-bit	634abe4b39	Move hard-coded env values into default-environment.env	2026-04-07 15:08:59 +10:00