beatz174-bit
50 lines
1.3 KiB
Markdown
50 lines
1.3 KiB
Markdown
# Deployment Prerequisites
|
|
|
|
Before running compose operations, provision local secret material.
|
|
|
|
## 1) Create non-committed secret env file
|
|
|
|
```bash
|
|
cp secrets/.env.secrets.example secrets/stack-secrets.env
|
|
chmod 600 secrets/stack-secrets.env
|
|
```
|
|
|
|
## 2) Create required Docker secret files
|
|
|
|
All files below are expected locally and are gitignored:
|
|
|
|
- `secrets/nextcloud_db_root_password.txt`
|
|
- `secrets/nextcloud_db_password.txt`
|
|
- `secrets/nextcloud_admin_password.txt`
|
|
- `secrets/nextcloud_smtp_password.txt`
|
|
- `secrets/nextcloud_redis_password.txt`
|
|
- `secrets/passbolt_db_password.txt`
|
|
- `secrets/influxdb_init_password.txt`
|
|
- `secrets/prometheus_kuma_basic_auth_password.txt`
|
|
|
|
Recommended permissions:
|
|
|
|
```bash
|
|
chmod 600 secrets/*.txt
|
|
```
|
|
|
|
## 3) Validate composed configuration
|
|
|
|
Use the repository composition entrypoint:
|
|
|
|
```bash
|
|
./services-up.sh --profile all config
|
|
```
|
|
|
|
This confirms compose rendering with shared env/network inputs before any runtime operation.
|
|
|
|
## 4) Rotate previously committed credentials
|
|
|
|
If migrating from older states where secrets were committed, rotate upstream values immediately (DB credentials, app passwords, auth keys, and API tokens).
|
|
|
|
## Related docs
|
|
|
|
- [SECURITY_SECRETS_INVENTORY.md](SECURITY_SECRETS_INVENTORY.md)
|
|
- [docs/docker-environment.md](docs/docker-environment.md)
|
|
- [docs/source-of-truth.md](docs/source-of-truth.md)
|