beatz174-bit
2.7 KiB
2.7 KiB
Security Secrets Inventory
This inventory is aligned with secrets/.env.secrets.example and documents only the values that are expected to be set in the non-committed secrets env file (secrets/stack-secrets.env).
Secrets expected in secrets/.env.secrets.example
| Variable | Used by | Purpose / Notes |
|---|---|---|
NEXTCLOUD_DB_USER |
apps/nextcloud/docker-compose.yml |
Nextcloud database username (non-secret identifier but environment-specific). |
NEXTCLOUD_ADMIN_USER |
apps/nextcloud/docker-compose.yml |
Initial Nextcloud admin username. |
NEXTCLOUD_SMTP_FROM_ADDRESS |
apps/nextcloud/docker-compose.yml |
SMTP sender local-part for outbound mail configuration. |
NEXTCLOUD_SMTP_DOMAIN |
apps/nextcloud/docker-compose.yml |
SMTP sender domain for outbound mail configuration. |
NEXTCLOUD_SMTP_NAME |
apps/nextcloud/docker-compose.yml |
Derived from address + domain in the example file. |
PASSBOLT_DB_NAME |
apps/passbolt/docker-compose.yml |
Passbolt database name. |
PASSBOLT_DB_USER |
apps/passbolt/docker-compose.yml |
Passbolt database username. |
PASSBOLT_GPG_SERVER_KEY_FINGERPRINT |
apps/passbolt/docker-compose.yml |
Passbolt server GPG key fingerprint. |
GRAMPSWEB_SECRET_KEY |
apps/gramps/docker-compose.yml |
Secret key used by Gramps Web for session/security signing. |
GRAMPSWEB_EMAIL_HOST_USER |
apps/gramps/docker-compose.yml |
SMTP username for Gramps outbound email. |
GRAMPSWEB_EMAIL_HOST_PASSWORD |
apps/gramps/docker-compose.yml |
SMTP password for Gramps outbound email. |
GOTIFY_DEFAULTUSER_NAME |
monitoring/gotify/docker-compose.yml |
Gotify default username. |
GOTIFY_DEFAULTUSER_PASS |
monitoring/gotify/docker-compose.yml |
Gotify default user password. |
INFLUXDB_INIT_USERNAME |
monitoring/prometheus/docker-compose.yml |
InfluxDB initial username. |
PIHOLE_PASSWORD |
monitoring/prometheus/docker-compose.yml |
Exporter auth / Pi-hole integration password. |
Managed outside .env.secrets.example
The following sensitive values are intentionally not duplicated in secrets/.env.secrets.example because they are provided via Docker secrets (*_FILE) or other mounted secret files:
- Database/root passwords for Nextcloud, Passbolt, and supporting services that are wired through Docker secrets.
- Redis runtime password (
--requirepass) loaded from a Docker secret. DOCKER_INFLUXDB_INIT_PASSWORDloaded from Docker secret in monitoring.- Uptime Kuma basic auth password loaded via
password_filein Prometheus config. - Core stack secrets injected via env substitution in committed config files, such as:
AUTHELIA_JWT_SECRETAUTHELIA_SESSION_SECRETAUTHELIA_STORAGE_ENCRYPTION_KEYCROWDSEC_LAPI_KEY