docker/SECURITY_SECRETS_INVENTORY.md

Credential Inventory (apps/, core/, monitoring/)

apps/

• apps/nextcloud/docker-compose.yml
  • MYSQL_PASSWORD (nextcloud-webapp) -> MYSQL_PASSWORD_FILE + Docker secret.
  • SMTP_PASSWORD -> SMTP_PASSWORD_FILE + Docker secret.
  • REDIS_HOST_PASSWORD -> REDIS_HOST_PASSWORD_FILE + Docker secret.
  • MYSQL_ROOT_PASSWORD, MYSQL_PASSWORD, NEXTCLOUD_ADMIN_PASSWORD (nextcloud-db) -> _FILE variants + Docker secrets.
  • Redis --requirepass inline value -> read from Docker secret at runtime.
• apps/passbolt/docker-compose.yml
  • MYSQL_PASSWORD, DATASOURCES_DEFAULT_PASSWORD -> _FILE variants + Docker secret.
• apps/gramps/docker-compose.yml
  • POSTGRES_PASSWORD -> POSTGRES_PASSWORD_FILE + Docker secret.
  • DB_URI password + INITIAL_ADMIN_PASSWORD -> env references from non-committed secrets env file.

core/

• core/authelia/configuration.yml
  • identity_validation.reset_password.jwt_secret -> ${AUTHELIA_JWT_SECRET}.
  • session.secret -> ${AUTHELIA_SESSION_SECRET}.
  • storage.encryption_key -> ${AUTHELIA_STORAGE_ENCRYPTION_KEY}.
• core/traefik/dynamic.yml
  • crowdsecLapiKey -> ${CROWDSEC_LAPI_KEY}.

monitoring/

• monitoring/gotify/docker-compose.yml
  • GOTIFY_DEFAULTUSER_PASS -> ${GOTIFY_DEFAULTUSER_PASS} from non-committed secrets env file.
• monitoring/prometheus/docker-compose.yml
  • DOCKER_INFLUXDB_INIT_PASSWORD -> DOCKER_INFLUXDB_INIT_PASSWORD_FILE + Docker secret.
  • PIHOLE_PASSWORD -> ${PIHOLE_PASSWORD} from non-committed secrets env file.
• monitoring/prometheus/prometheus.yml
  • Uptime Kuma basic_auth password -> password_file mounted from non-committed secret file.