Files
truenas-stacks/docs/operations/SECRETS_MANAGEMENT.md
2026-05-05 14:43:09 -05:00

65 lines
1.9 KiB
Markdown

# Secrets Management
## Principles
- `.env` files are gitignored and never committed to any public repo
- `.env.example` files are committed with placeholder values
- Real `.env` files live only on the host at the stack directory
- Secrets are generated with standard tools, never reused across services
## Generating Secrets
```bash
# Database passwords
openssl rand -hex 24
# JWT / session secrets
openssl rand -hex 32
# API keys (where format allows)
openssl rand -base64 32
```
## .env File Locations
All `.env` files live alongside their `docker-compose.yaml`:
```
/mnt/docker-ssd/docker/compose/<stack>/.env
```
## Backing Up .env Files
### Short term: Private Gitea repo
Create a private repo on Gitea (not GitHub) and push all .env files there:
```bash
# In a separate directory, not the main stacks repo
git init homelab-secrets
cd homelab-secrets
# Copy and add .env files
git remote add origin https://gitea.paccoco.com/fizzlepoof/homelab-secrets.git
git push -u origin main
```
### Long term: Restic + offsite
Include the compose directory (with .env files) in a restic backup:
```bash
restic -r <repo> backup /mnt/docker-ssd/docker/compose --exclude="*.example"
```
### Best long term: Vaultwarden
Once deployed, store each service's .env as a secure note in Vaultwarden. Single source of truth, accessible from anywhere.
## Known Credentials Locations
| Service | Where stored |
|---------|-------------|
| shared-postgres | `databases/.env` |
| shared-mariadb | `databases/.env` |
| OpenWebUI DB | `ai/.env` — user: openwebui, db: openwebui |
| Donetick | `home/.env` + `selfhosted.yaml` |
| Meshmonitor | `meshtastic/.env` |
| Gitea | `dev/.env` |
## Security Reminders
- Regenerate Wings token on N.O.M.A.D. (was exposed in chat — TODO)
- Regenerate N.O.M.A.D. Newt secret (was exposed in chat — TODO)
- Disable signups in OpenWebUI after creating initial account