Files
truenas-stacks/docs/operations/SECRETS_MANAGEMENT.md
2026-05-05 14:43:09 -05:00

1.9 KiB

Secrets Management

Principles

  • .env files are gitignored and never committed to any public repo
  • .env.example files are committed with placeholder values
  • Real .env files live only on the host at the stack directory
  • Secrets are generated with standard tools, never reused across services

Generating Secrets

# Database passwords
openssl rand -hex 24

# JWT / session secrets
openssl rand -hex 32

# API keys (where format allows)
openssl rand -base64 32

.env File Locations

All .env files live alongside their docker-compose.yaml:

/mnt/docker-ssd/docker/compose/<stack>/.env

Backing Up .env Files

Short term: Private Gitea repo

Create a private repo on Gitea (not GitHub) and push all .env files there:

# In a separate directory, not the main stacks repo
git init homelab-secrets
cd homelab-secrets
# Copy and add .env files
git remote add origin https://gitea.paccoco.com/fizzlepoof/homelab-secrets.git
git push -u origin main

Long term: Restic + offsite

Include the compose directory (with .env files) in a restic backup:

restic -r <repo> backup /mnt/docker-ssd/docker/compose --exclude="*.example"

Best long term: Vaultwarden

Once deployed, store each service's .env as a secure note in Vaultwarden. Single source of truth, accessible from anywhere.

Known Credentials Locations

Service Where stored
shared-postgres databases/.env
shared-mariadb databases/.env
OpenWebUI DB ai/.env — user: openwebui, db: openwebui
Donetick home/.env + selfhosted.yaml
Meshmonitor meshtastic/.env
Gitea dev/.env

Security Reminders

  • Regenerate Wings token on N.O.M.A.D. (was exposed in chat — TODO)
  • Regenerate N.O.M.A.D. Newt secret (was exposed in chat — TODO)
  • Disable signups in OpenWebUI after creating initial account