65 lines
1.9 KiB
Markdown
65 lines
1.9 KiB
Markdown
# Secrets Management
|
|
|
|
## Principles
|
|
- `.env` files are gitignored and never committed to any public repo
|
|
- `.env.example` files are committed with placeholder values
|
|
- Real `.env` files live only on the host at the stack directory
|
|
- Secrets are generated with standard tools, never reused across services
|
|
|
|
## Generating Secrets
|
|
|
|
```bash
|
|
# Database passwords
|
|
openssl rand -hex 24
|
|
|
|
# JWT / session secrets
|
|
openssl rand -hex 32
|
|
|
|
# API keys (where format allows)
|
|
openssl rand -base64 32
|
|
```
|
|
|
|
## .env File Locations
|
|
All `.env` files live alongside their `docker-compose.yaml`:
|
|
```
|
|
/mnt/docker-ssd/docker/compose/<stack>/.env
|
|
```
|
|
|
|
## Backing Up .env Files
|
|
|
|
### Short term: Private Gitea repo
|
|
Create a private repo on Gitea (not GitHub) and push all .env files there:
|
|
```bash
|
|
# In a separate directory, not the main stacks repo
|
|
git init homelab-secrets
|
|
cd homelab-secrets
|
|
# Copy and add .env files
|
|
git remote add origin https://gitea.paccoco.com/fizzlepoof/homelab-secrets.git
|
|
git push -u origin main
|
|
```
|
|
|
|
### Long term: Restic + offsite
|
|
Include the compose directory (with .env files) in a restic backup:
|
|
```bash
|
|
restic -r <repo> backup /mnt/docker-ssd/docker/compose --exclude="*.example"
|
|
```
|
|
|
|
### Best long term: Vaultwarden
|
|
Once deployed, store each service's .env as a secure note in Vaultwarden. Single source of truth, accessible from anywhere.
|
|
|
|
## Known Credentials Locations
|
|
|
|
| Service | Where stored |
|
|
|---------|-------------|
|
|
| shared-postgres | `databases/.env` |
|
|
| shared-mariadb | `databases/.env` |
|
|
| OpenWebUI DB | `ai/.env` — user: openwebui, db: openwebui |
|
|
| Donetick | `home/.env` + `selfhosted.yaml` |
|
|
| Meshmonitor | `meshtastic/.env` |
|
|
| Gitea | `dev/.env` |
|
|
|
|
## Security Reminders
|
|
- Regenerate Wings token on N.O.M.A.D. (was exposed in chat — TODO)
|
|
- Regenerate N.O.M.A.D. Newt secret (was exposed in chat — TODO)
|
|
- Disable signups in OpenWebUI after creating initial account
|