# Security Secrets Inventory

This inventory tracks the values expected in local secret material and where each one is consumed.
## Scope and authority

- Canonical example template: secrets/.env.secrets.example
- Runtime-loaded secret env file: secrets/stack-secrets.env (local, non-committed)
- Docker secret files: secrets/*.txt (local, non-committed)

For setup steps, see DEPLOYMENT.md.
## Secrets expected in secrets/.env.secrets.example

| Variable | Used by | Purpose / Notes |
|---|---|---|
| NEXTCLOUD_DB_USER | apps/nextcloud/docker-compose.yml | Nextcloud database username (non-secret identifier, but environment-specific). |
| NEXTCLOUD_ADMIN_USER | apps/nextcloud/docker-compose.yml | Initial Nextcloud admin username. |
| NEXTCLOUD_SMTP_FROM_ADDRESS | apps/nextcloud/docker-compose.yml | SMTP sender local-part for outbound mail configuration. |
| NEXTCLOUD_SMTP_DOMAIN | apps/nextcloud/docker-compose.yml | SMTP sender domain for outbound mail configuration. |
| NEXTCLOUD_SMTP_NAME | apps/nextcloud/docker-compose.yml | Derived from address + domain in the example file. |
| PASSBOLT_DB_NAME | apps/passbolt/docker-compose.yml | Passbolt database name. |
| PASSBOLT_DB_USER | apps/passbolt/docker-compose.yml | Passbolt database username. |
| PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | apps/passbolt/docker-compose.yml | Passbolt server GPG key fingerprint. |
| GRAMPSWEB_SECRET_KEY | apps/gramps/docker-compose.yml | Secret key used by Gramps Web for session/security signing. |
| GRAMPSWEB_EMAIL_HOST_USER | apps/gramps/docker-compose.yml | SMTP username for Gramps outbound email. |
| GRAMPSWEB_EMAIL_HOST_PASSWORD | apps/gramps/docker-compose.yml | SMTP password for Gramps outbound email. |
| GOTIFY_DEFAULTUSER_NAME | monitoring/gotify/docker-compose.yml | Gotify default username. |
| GOTIFY_DEFAULTUSER_PASS | monitoring/gotify/docker-compose.yml | Gotify default user password. |
| INFLUXDB_INIT_USERNAME | monitoring/prometheus/docker-compose.yml | InfluxDB initial username. |
| PIHOLE_PASSWORD | monitoring/prometheus/docker-compose.yml | Exporter auth / Pi-hole integration password. |
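As an added example (not part of this inventory or the project's own code), a drift check that parses a dotenv-style template like secrets/.env.secrets.example and the compose files that consume it, reporting variables declared but consumed nowhere and variables consumed but missing from the template. The template and compose fragments below are constructed samples, not the project's real files.

```python
import re

# Constructed sample standing in for secrets/.env.secrets.example (not the project's file).
ENV_EXAMPLE = """\
# Nextcloud
NEXTCLOUD_DB_USER=nextcloud
export GOTIFY_DEFAULTUSER_NAME=admin
GOTIFY_DEFAULTUSER_PASS=change-me
PIHOLE_PASSWORD=change-me
"""
# Constructed compose fragments keyed by the inventory's paths (not the project's real files).
COMPOSE_FILES = {
    "apps/nextcloud/docker-compose.yml": """\
services:
  db:
    environment:
      MYSQL_USER: ${NEXTCLOUD_DB_USER}
      MYSQL_PASSWORD_FILE: /run/secrets/nextcloud_db_password
""",
    "monitoring/gotify/docker-compose.yml": """\
services:
  gotify:
    environment:
      GOTIFY_DEFAULTUSER_NAME: ${GOTIFY_DEFAULTUSER_NAME:-admin}
      GOTIFY_DEFAULTUSER_PASS: $GOTIFY_DEFAULTUSER_PASS
      GOTIFY_SERVER_PORT: ${GOTIFY_PORT}
""",
}

ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=")
# ${VAR}, ${VAR:-default}, ${VAR:?err} and bare $VAR; a "$$" literal escape is not a reference.
REF_RE = re.compile(r"(?<!\$)\$(?:\{([A-Za-z_]\w*)(?::?[-+?][^}]*)?\}|([A-Za-z_]\w*))")

def parse_env_template(text):
    # Variable names declared in a dotenv-style template; comment and blank lines are ignored.
    matches = (ASSIGN_RE.match(l) for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {m.group(1) for m in matches if m}

def compose_references(text):
    # Variable names a compose file interpolates from the environment.
    return {a or b for a, b in REF_RE.findall(text)}

def inventory_drift(env_text, compose_files):
    """Declared-but-unused and used-but-undeclared variables, plus who consumes each."""
    declared = parse_env_template(env_text)
    used_by = {}
    for path, body in compose_files.items():
        for name in compose_references(body):
            used_by.setdefault(name, set()).add(path)
    return {"unused": sorted(declared - set(used_by)),          # declared, consumed nowhere
            "undeclared": sorted(set(used_by) - declared),      # consumed, not in template
            "used_by": {n: sorted(p) for n, p in used_by.items() if n in declared}}
```

Run it against the real template and compose files to catch inventory rows that have gone stale; values supplied through *_FILE secrets are intentionally not counted as template references.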
## Secrets managed outside .env.secrets.example

The following sensitive values are intentionally provided via Docker secret files (*_FILE) or other mounted secret files instead of the shared .env template:

- Database/root passwords for Nextcloud, Passbolt, and supporting services.
- Redis runtime password loaded from a Docker secret.
- DOCKER_INFLUXDB_INIT_PASSWORD loaded from a Docker secret in monitoring.
- Uptime Kuma basic-auth password loaded via password_file in the Prometheus config.
- Core stack secret values injected via env substitution (for example Authelia and CrowdSec values).
## Commit safety rules

Never commit:

- secrets/stack-secrets.env
- secrets/*.txt
- real secret files
- real Terraform .tfvars containing credentials
- Terraform state files with sensitive runtime metadata