# Security Secrets Inventory

This inventory tracks the values expected in local secret material and where each one is consumed.

## Scope and authority

- Canonical example template: `secrets/.env.secrets.example`
- Runtime-loaded secret env file: `secrets/stack-secrets.env` (local, not committed)
- Docker secret files: `secrets/*.txt` (local, not committed)

For setup steps, see [DEPLOYMENT.md](DEPLOYMENT.md).

## Secrets expected in `secrets/.env.secrets.example`

Several entries below are identifiers (usernames, database names, a key fingerprint) rather than secrets; they live in the template because they are environment-specific. The same file also carries real secrets (`GRAMPSWEB_SECRET_KEY`, the Gramps SMTP password, the Gotify and Pi-hole passwords), so the populated copy, `secrets/stack-secrets.env`, is treated as sensitive as a whole.

| Variable | Used by | Purpose / Notes |
|---|---|---|
| `NEXTCLOUD_DB_USER` | `apps/nextcloud/docker-compose.yml` | Nextcloud database username (non-secret identifier, but environment-specific). |
| `NEXTCLOUD_ADMIN_USER` | `apps/nextcloud/docker-compose.yml` | Initial Nextcloud admin username. |
| `NEXTCLOUD_SMTP_FROM_ADDRESS` | `apps/nextcloud/docker-compose.yml` | SMTP sender local-part for outbound mail configuration. |
| `NEXTCLOUD_SMTP_DOMAIN` | `apps/nextcloud/docker-compose.yml` | SMTP sender domain for outbound mail configuration. |
| `NEXTCLOUD_SMTP_NAME` | `apps/nextcloud/docker-compose.yml` | Derived from address + domain in the example file. |
| `PASSBOLT_DB_NAME` | `apps/passbolt/docker-compose.yml` | Passbolt database name. |
| `PASSBOLT_DB_USER` | `apps/passbolt/docker-compose.yml` | Passbolt database username. |
| `PASSBOLT_GPG_SERVER_KEY_FINGERPRINT` | `apps/passbolt/docker-compose.yml` | Passbolt server GPG key fingerprint. |
| `GRAMPSWEB_SECRET_KEY` | `apps/gramps/docker-compose.yml` | Secret key used by Gramps Web for session/security signing. |
| `GRAMPSWEB_EMAIL_HOST_USER` | `apps/gramps/docker-compose.yml` | SMTP username for Gramps outbound email. |
| `GRAMPSWEB_EMAIL_HOST_PASSWORD` | `apps/gramps/docker-compose.yml` | SMTP password for Gramps outbound email. |
| `GOTIFY_DEFAULTUSER_NAME` | `monitoring/gotify/docker-compose.yml` | Gotify default username. |
| `GOTIFY_DEFAULTUSER_PASS` | `monitoring/gotify/docker-compose.yml` | Gotify default user password. |
| `INFLUXDB_INIT_USERNAME` | `monitoring/prometheus/docker-compose.yml` | InfluxDB initial username. |
| `PIHOLE_PASSWORD` | `monitoring/prometheus/docker-compose.yml` | Exporter auth / Pi-hole integration password. |

## Secrets managed outside `.env.secrets.example`

The following sensitive values are intentionally provided via Docker secret files (`*_FILE` variables) or other mounted secret files instead of the shared `.env` template:

- Database/root passwords for Nextcloud, Passbolt, and supporting services.
- Redis runtime password loaded from a Docker secret.
- `DOCKER_INFLUXDB_INIT_PASSWORD`, loaded from a Docker secret in monitoring.
- Uptime Kuma basic-auth password, loaded via `password_file` in the Prometheus config.
- Core stack secret values injected via env substitution (for example Authelia and CrowdSec values).

## Commit safety rules

Never commit:

- `secrets/stack-secrets.env`
- `secrets/*.txt` real secret files
- real Terraform `.tfvars` containing credentials
- Terraform state files with sensitive runtime metadata

## Related docs

- [DEPLOYMENT.md](DEPLOYMENT.md)
- [docs/source-of-truth.md](docs/source-of-truth.md)
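## Checking local secret material against the template

The inventory above implies two checks worth running before a deploy: every variable declared in `secrets/.env.secrets.example` must be set in `secrets/stack-secrets.env`, and none of them may still carry the template's placeholder value. The script below is an added example, not part of this repository; it assumes plain `KEY=VALUE` env files (an optional leading `export` and double-quoted values are tolerated) and that a value of `changeme`, `<...>`, `xxx`, or an empty string is a placeholder. The two sample files it creates are constructed for the demonstration and are not the repository's real files.

```shell
#!/bin/sh
# Added example: compare a populated env file against the example template.
# Not the repository's own tooling; file formats and placeholder words are assumptions.

# env_keys FILE -> sorted, unique KEY names defined as KEY=VALUE in FILE.
# Comments, blank lines and lines without "=" are ignored; "export " is stripped.
env_keys() {
  awk -F= '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*$/ { next }
    index($0, "=") == 0 { next }
    {
      k = $1
      sub(/^[[:space:]]*export[[:space:]]+/, "", k)
      gsub(/[[:space:]]/, "", k)
      if (k ~ /^[A-Za-z_][A-Za-z0-9_]*$/) print k
    }' "$1" | sort -u
}

# missing_keys TEMPLATE RUNTIME -> keys present in TEMPLATE but absent from RUNTIME.
# Temp files are used instead of process substitution to stay POSIX sh.
missing_keys() {
  mk_a=$(mktemp); mk_b=$(mktemp)
  env_keys "$1" > "$mk_a"
  env_keys "$2" > "$mk_b"
  comm -23 "$mk_a" "$mk_b"
  rm -f "$mk_a" "$mk_b"
}

# placeholder_keys FILE -> keys whose value is empty or a known placeholder word
# (assumed list: changeme / change_me / replace_me / todo / xxx... / <anything>).
placeholder_keys() {
  awk -F= '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*$/ { next }
    index($0, "=") == 0 { next }
    {
      k = $1
      sub(/^[[:space:]]*export[[:space:]]+/, "", k)
      gsub(/[[:space:]]/, "", k)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      gsub(/^"/, "", v); gsub(/"$/, "", v)
      if (v == "" || tolower(v) ~ /^(changeme|change_me|replace_me|todo|xxx+|<[^>]*>)$/) print k
    }' "$1"
}

# check_secrets TEMPLATE RUNTIME -> prints findings; returns 1 if anything is wrong.
check_secrets() {
  cs_rc=0
  cs_missing=$(missing_keys "$1" "$2")
  if [ -n "$cs_missing" ]; then
    echo "missing in $2:"; echo "$cs_missing" | sed 's/^/  /'; cs_rc=1
  fi
  cs_placeholder=$(placeholder_keys "$2")
  if [ -n "$cs_placeholder" ]; then
    echo "placeholder values in $2:"; echo "$cs_placeholder" | sed 's/^/  /'; cs_rc=1
  fi
  return $cs_rc
}

# --- Constructed sample input (not the repository's real files) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_EXAMPLE="$SAMPLE_DIR/.env.secrets.example"
SAMPLE_RUNTIME="$SAMPLE_DIR/stack-secrets.env"
cat > "$SAMPLE_EXAMPLE" <<'EOF'
# example template (constructed)
NEXTCLOUD_DB_USER=nextcloud
NEXTCLOUD_ADMIN_USER=admin
GRAMPSWEB_SECRET_KEY=changeme
GOTIFY_DEFAULTUSER_PASS=changeme
PIHOLE_PASSWORD=
EOF
cat > "$SAMPLE_RUNTIME" <<'EOF'
NEXTCLOUD_DB_USER=nextcloud
NEXTCLOUD_ADMIN_USER=ncadmin
GRAMPSWEB_SECRET_KEY=changeme
export GOTIFY_DEFAULTUSER_PASS="s3cret-but-fake"
EOF

# Run against the samples: PIHOLE_PASSWORD is missing and GRAMPSWEB_SECRET_KEY
# still holds the placeholder, so the check reports both and fails.
if check_secrets "$SAMPLE_EXAMPLE" "$SAMPLE_RUNTIME"; then
  echo "secrets OK"
else
  echo "fix the findings above before deploying"
fi
```

Run it against the real files with `check_secrets secrets/.env.secrets.example secrets/stack-secrets.env` from the repository root; it reads the files only and never echoes a secret value, so its output is safe to keep in a CI log. It does not cover the `*_FILE` Docker secrets listed above, which are separate files rather than env entries.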