# Secrets Management ## Principles - `.env` files are gitignored and never committed to any public repo - `.env.example` files are committed with placeholder values - Real `.env` files live only on the host at the stack directory - Secrets are generated with standard tools, never reused across services ## Generating Secrets ```bash # Database passwords openssl rand -hex 24 # JWT / session secrets openssl rand -hex 32 # API keys (where format allows) openssl rand -base64 32 ``` ## .env File Locations All `.env` files live alongside their `docker-compose.yaml`: ``` /mnt/docker-ssd/docker/compose//.env ``` ## Backing Up .env Files ### Short term: Private Gitea repo Create a private repo on Gitea (not GitHub) and push all .env files there: ```bash # In a separate directory, not the main stacks repo git init homelab-secrets cd homelab-secrets # Copy and add .env files git remote add origin https://gitea.paccoco.com/fizzlepoof/homelab-secrets.git git push -u origin main ``` ### Long term: Restic + offsite Include the compose directory (with .env files) in a restic backup: ```bash restic -r backup /mnt/docker-ssd/docker/compose --exclude="*.example" ``` ### Best long term: Vaultwarden Once deployed, store each service's .env as a secure note in Vaultwarden. Single source of truth, accessible from anywhere. ## Known Credentials Locations | Service | Where stored | |---------|-------------| | shared-postgres | `databases/.env` | | shared-mariadb | `databases/.env` | | OpenWebUI DB | `ai/.env` — user: openwebui, db: openwebui | | Donetick | `home/.env` + `selfhosted.yaml` | | Meshmonitor | `meshtastic/.env` | | Gitea | `dev/.env` | ## Security Reminders - Regenerate Wings token on N.O.M.A.D. (was exposed in chat — TODO) - Regenerate N.O.M.A.D. Newt secret (was exposed in chat — TODO) - Disable signups in OpenWebUI after creating initial account