beatzaplenty/docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c10b834be0b4cfcc5c4ebfea010981073404dd3b
docker/SECURITY_SECRETS_INVENTORY.md
T
beatz174-bit 3b3f06a727 docs: align secrets inventory with example env keys
2026-04-13 09:55:14 +10:00

41 lines
2.9 KiB
Markdown
Raw Blame History

# Security Secrets Inventory
This inventory is aligned with `secrets/.env.secrets.example` and documents only the values that are expected to be set in the non-committed secrets env file (`secrets/stack-secrets.env`).
## Secrets expected in `secrets/.env.secrets.example`
| Variable | Used by | Purpose / Notes |
|---|---|---|
| `NEXTCLOUD_DB_USER` | `apps/nextcloud/docker-compose.yml` | Nextcloud database username (non-secret identifier but environment-specific). |
| `NEXTCLOUD_ADMIN_USER` | `apps/nextcloud/docker-compose.yml` | Initial Nextcloud admin username. |
| `NEXTCLOUD_SMTP_FROM_ADDRESS` | `apps/nextcloud/docker-compose.yml` | SMTP sender local-part for outbound mail configuration. |
| `NEXTCLOUD_SMTP_DOMAIN` | `apps/nextcloud/docker-compose.yml` | SMTP sender domain for outbound mail configuration. |
| `NEXTCLOUD_SMTP_NAME` | `apps/nextcloud/docker-compose.yml` | Derived from address + domain in the example file. |
| `PASSBOLT_DB_NAME` | `apps/passbolt/docker-compose.yml` | Passbolt database name. |
| `PASSBOLT_DB_USER` | `apps/passbolt/docker-compose.yml` | Passbolt database username. |
| `PASSBOLT_GPG_SERVER_KEY_FINGERPRINT` | `apps/passbolt/docker-compose.yml` | Passbolt server GPG key fingerprint. |
| `GRAMPS_DB_NAME` | `apps/gramps/docker-compose.yml` | Gramps database name. |
| `GRAMPS_DB_USER` | `apps/gramps/docker-compose.yml` | Gramps database username. |
| `GRAMPS_DB_PASSWORD` | `apps/gramps/docker-compose.yml` | Gramps database password. |
| `GRAMPS_INITIAL_ADMIN` | `apps/gramps/docker-compose.yml` | Gramps initial admin username/email (deployment-specific). |
| `GRAMPS_INITIAL_ADMIN_PASSWORD` | `apps/gramps/docker-compose.yml` | Gramps initial admin password. |
| `GRAMPS_DB_URI` | `apps/gramps/docker-compose.yml` | Derived connection string in the example file. |
| `GOTIFY_DEFAULTUSER_NAME` | `monitoring/gotify/docker-compose.yml` | Gotify default username. |
| `GOTIFY_DEFAULTUSER_PASS` | `monitoring/gotify/docker-compose.yml` | Gotify default user password. |
| `INFLUXDB_INIT_USERNAME` | `monitoring/prometheus/docker-compose.yml` | InfluxDB initial username. |
| `PIHOLE_PASSWORD` | `monitoring/prometheus/docker-compose.yml` | Exporter auth / Pi-hole integration password. |
## Managed outside `.env.secrets.example`
The following sensitive values are intentionally not duplicated in `secrets/.env.secrets.example` because they are provided via Docker secrets (`*_FILE`) or other mounted secret files:
- Database/root passwords for Nextcloud, Passbolt, and supporting services that are wired through Docker secrets.
- Redis runtime password (`--requirepass`) loaded from a Docker secret.
- `DOCKER_INFLUXDB_INIT_PASSWORD` loaded from Docker secret in monitoring.
- Uptime Kuma basic auth password loaded via `password_file` in Prometheus config.
- Core stack secrets injected via env substitution in committed config files, such as:
- `AUTHELIA_JWT_SECRET`
- `AUTHELIA_SESSION_SECRET`
- `AUTHELIA_STORAGE_ENCRYPTION_KEY`
- `CROWDSEC_LAPI_KEY`
Reference in New Issue View Git Blame Copy Permalink