1.9 KiB
1.9 KiB
Secrets Management
Principles
.envfiles are gitignored and never committed to any public repo.env.examplefiles are committed with placeholder values- Real
.envfiles live only on the host at the stack directory - Secrets are generated with standard tools, never reused across services
Generating Secrets
# Database passwords
openssl rand -hex 24
# JWT / session secrets
openssl rand -hex 32
# API keys (where format allows)
openssl rand -base64 32
.env File Locations
All .env files live alongside their docker-compose.yaml:
/mnt/docker-ssd/docker/compose/<stack>/.env
Backing Up .env Files
Short term: Private Gitea repo
Create a private repo on Gitea (not GitHub) and push all .env files there:
# In a separate directory, not the main stacks repo
git init homelab-secrets
cd homelab-secrets
# Copy and add .env files
git remote add origin https://gitea.paccoco.com/fizzlepoof/homelab-secrets.git
git push -u origin main
Long term: Restic + offsite
Include the compose directory (with .env files) in a restic backup:
restic -r <repo> backup /mnt/docker-ssd/docker/compose --exclude="*.example"
Best long term: Vaultwarden
Once deployed, store each service's .env as a secure note in Vaultwarden. Single source of truth, accessible from anywhere.
Known Credentials Locations
| Service | Where stored |
|---|---|
| shared-postgres | databases/.env |
| shared-mariadb | databases/.env |
| OpenWebUI DB | ai/.env — user: openwebui, db: openwebui |
| Donetick | home/.env + selfhosted.yaml |
| Meshmonitor | meshtastic/.env |
| Gitea | dev/.env |
Security Reminders
- Regenerate Wings token on N.O.M.A.D. (was exposed in chat — TODO)
- Regenerate N.O.M.A.D. Newt secret (was exposed in chat — TODO)
- Disable signups in OpenWebUI after creating initial account