|
|
|
|
@@ -4,10 +4,10 @@
|
|
|
|
|
|
|
|
|
|
Secrets are managed in two layers:
|
|
|
|
|
|
|
|
|
|
1. **Live secrets** — `.env` files on PD at `/mnt/docker-ssd/docker/compose/<stack>/.env`, gitignored and never committed to the main repo
|
|
|
|
|
2. **Encrypted backup** — all `.env` files are synced to a private git-crypt encrypted Gitea repo at `/mnt/docker-ssd/docker/secrets/`
|
|
|
|
|
1. **Live secrets** — `.env` files in the active deployment trees on PD, N.O.M.A.D., and Serenity; gitignored and never committed to the main repo
|
|
|
|
|
2. **Encrypted backup** — those live `.env` files are backed up into the private git-crypt encrypted Gitea repo at `/mnt/docker-ssd/docker/secrets/` on PD
|
|
|
|
|
|
|
|
|
|
The sync is a one-command operation and is safe to re-run at any time.
|
|
|
|
|
PD is the secrets-backup hub. PD-origin `.env` files sync locally into the encrypted repo, and standalone `.env` files from N.O.M.A.D. or Serenity must also be copied into that same encrypted repo so the backup set is not PD-only.
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
@@ -37,7 +37,9 @@ openssl rand -base64 32
|
|
|
|
|
|
|
|
|
|
## Live .env File Locations
|
|
|
|
|
|
|
|
|
|
All `.env` files live alongside their `docker-compose.yaml`:
|
|
|
|
|
### PD compose tree
|
|
|
|
|
|
|
|
|
|
PD stack `.env` files live alongside their `docker-compose.yaml`:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
/mnt/docker-ssd/docker/compose/
|
|
|
|
|
@@ -56,6 +58,31 @@ All `.env` files live alongside their `docker-compose.yaml`:
|
|
|
|
|
photos/.env
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### N.O.M.A.D. standalone service roots
|
|
|
|
|
|
|
|
|
|
N.O.M.A.D. keeps standalone service deployments under `/opt/<service>`. Any service-local `.env` there is also part of the secrets backup scope.
|
|
|
|
|
|
|
|
|
|
Backed-up examples currently include:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
/opt/doris-kitchen/.env
|
|
|
|
|
/opt/doris-schoolhouse/.env
|
|
|
|
|
/opt/hawser-nomad/.env
|
|
|
|
|
/opt/honcho/.env
|
|
|
|
|
/opt/pihole-nomad/.env
|
|
|
|
|
/opt/technitium-nomad/.env
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Serenity appdata roots
|
|
|
|
|
|
|
|
|
|
Serenity service-local `.env` files under `/mnt/user/appdata/<service>/.env` are also in scope for encrypted backup.
|
|
|
|
|
|
|
|
|
|
Current verified example:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
/mnt/user/appdata/technitium-serenity/.env
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
## Secrets Repo (git-crypt)
|
|
|
|
|
@@ -72,7 +99,7 @@ All `.env` files live alongside their `docker-compose.yaml`:
|
|
|
|
|
|
|
|
|
|
| Directory | Contents |
|
|
|
|
|
|-----------|----------|
|
|
|
|
|
| `env/` | `.env` files for each stack, named `<stack>.env` |
|
|
|
|
|
| `env/` | `.env` files for PD stacks and standalone service roots, named with stable service-oriented filenames such as `<stack>.env`, `<service>-nomad.env`, or `<service>-serenity.env` |
|
|
|
|
|
| `keys/` | API keys and tokens |
|
|
|
|
|
| `certs/` | TLS certificates |
|
|
|
|
|
| `tokens/` | Service tokens (Paperless, LiteLLM, etc.) |
|
|
|
|
|
@@ -84,9 +111,12 @@ All files except `README.md` and `.gitattributes` are encrypted by git-crypt on
|
|
|
|
|
|
|
|
|
|
## Syncing .env Files to the Secrets Repo
|
|
|
|
|
|
|
|
|
|
Use the sync script — no root required, safe to re-run:
|
|
|
|
|
### PD-native compose env sync
|
|
|
|
|
|
|
|
|
|
Use the sync script from PD after any live PD `.env` change. Run it in a root-capable context and make sure `git-crypt` is on `PATH`:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
export PATH="/mnt/docker-ssd/bin:/root/bin:$PATH"
|
|
|
|
|
bash /mnt/docker-ssd/docker/compose/scripts/sync-envs-to-secrets.sh
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
@@ -96,10 +126,35 @@ What it does:
|
|
|
|
|
- Skips unchanged files
|
|
|
|
|
- Commits and pushes to Gitea automatically
|
|
|
|
|
|
|
|
|
|
Run this any time you create or update a stack's `.env` file.
|
|
|
|
|
Run this any time you create or update a PD stack `.env` file.
|
|
|
|
|
|
|
|
|
|
**Operational rule:** after any live `.env` change on PD, Doris or the operator must run the sync script and confirm whether it committed/pushed changes or reported the secrets repo already up to date. Do not treat live `.env` edits as complete until this sync step is checked.
|
|
|
|
|
|
|
|
|
|
### N.O.M.A.D. and Serenity standalone env backup rule
|
|
|
|
|
|
|
|
|
|
Not every important `.env` lives under PD's compose tree.
|
|
|
|
|
|
|
|
|
|
For N.O.M.A.D. `/opt/<service>/.env` files and Serenity `/mnt/user/appdata/<service>/.env` files:
|
|
|
|
|
|
|
|
|
|
1. pull or copy the live file contents to PD through an approved host path
|
|
|
|
|
2. store them in `/mnt/docker-ssd/docker/secrets/env/` using a stable name like `<service>-nomad.env` or `<service>-serenity.env`
|
|
|
|
|
3. `git add`, `git commit`, and `git push` from the encrypted secrets repo on PD
|
|
|
|
|
4. verify the backed-up file hash matches the live source before declaring the backup complete
|
|
|
|
|
|
|
|
|
|
Current naming examples:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
env/doris-kitchen.env
|
|
|
|
|
env/doris-schoolhouse.env
|
|
|
|
|
env/hawser-nomad.env
|
|
|
|
|
env/honcho.env
|
|
|
|
|
env/pihole-nomad.env
|
|
|
|
|
env/technitium-nomad.env
|
|
|
|
|
env/technitium-serenity.env
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Operationally, treat these non-PD env files as first-class backup scope. The homelab secrets backup is not complete if only PD compose env files are protected.
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
## git-crypt on TrueNAS
|
|
|
|
|
|