Micha/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Update Doku

Browse Source 
Update Docu
This commit is contained in:
Micha
2026-04-17 11:29:38 +02:00
parent cbb4dfed3d
commit 718305cb98
6 changed files with 85 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/SECRETS_MAP.md
+33 -15
View File
@@ -1,13 +1,14 @@
# Secrets Map - Homelab
# Secrets Map - Homelab
Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einbindungsart.
## Grundregeln
- Secrets liegen **niemals im Git-Repository**
- Standardspeicherort: `/mnt/user/appdata/secrets/`
- Standardspeicherort ist `/mnt/user/appdata/secrets/`
- dokumentierte Ausnahmen mit dienstspezifischen Pfaden sind erlaubt
- Berechtigungen: `chmod 600`
- Nutzung in Docker ueber `_FILE` Variablen oder Komodo Stack Environment Variables
- Nutzung in Docker ueber `_FILE`, direkte Secret-Datei-Mounts oder Komodo Stack Environment Variables
---
@@ -15,16 +16,27 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
| Service | Secret | Datei / Methode | Status |
|---|---|---|---|
| Vaultwarden | ADMIN_TOKEN | `vaultwarden_admin_token.txt` -> `ADMIN_TOKEN_FILE` | aktiv |
| PostgreSQL 17 | DB Password | `postgres_password.txt` -> `POSTGRES_PASSWORD_FILE` | aktiv |
| Redis | Passwort | `redis_password.txt` -> Datei-Mount in `infra/redis/docker-compose.yml` | aktiv |
| Mealie | DB Password | Stack ENV `${MEALIE_DB_PASSWORD}` | aktiv |
| mealie-postgres | DB Password | Stack ENV `${POSTGRES_PASSWORD}` | aktiv |
| Vaultwarden | `ADMIN_TOKEN` | `/mnt/user/appdata/secrets/vaultwarden_admin_token.txt` -> `ADMIN_TOKEN_FILE` | aktiv |
| Traefik | Cloudflare DNS API Token | `/mnt/user/appdata/traefik/secrets/cloudflare_dns_api_token` -> Docker Secret `cloudflare_dns_api_token` | aktiv |
| PostgreSQL 17 | DB Password | `/mnt/user/appdata/secrets/postgres_password.txt` -> `POSTGRES_PASSWORD_FILE` | aktiv |
| Redis | Passwort | `/mnt/user/appdata/secrets/redis_password.txt` -> Datei-Mount + Startkommando in `infra/redis/docker-compose.yml` | aktiv |
| Mealie | DB Password | `/mnt/user/appdata/secrets/mealie_postgres_password.txt` -> `POSTGRES_PASSWORD_FILE` | aktiv |
| mealie-postgres | DB Password | `/mnt/user/appdata/secrets/mealie_postgres_password.txt` -> `POSTGRES_PASSWORD_FILE` | aktiv |
| Paperless-ngx | DB Password | Stack ENV `${PAPERLESS_DBPASS}` | aktiv |
| code-server | Passwort | `code_server_password.txt` -> `PASSWORD_FILE` | aktiv |
| Paperless-ngx | Redis URL | Stack ENV `${PAPERLESS_REDIS}` | aktiv |
| code-server | Passwort | `/mnt/user/appdata/code-server/secrets/password` -> `PASSWORD_FILE` | aktiv |
| Immich (server) | DB Password | Stack ENV `${IMMICH_DB_PASSWORD}` | aktiv |
| immich-postgres | DB Password | `immich_db.txt` -> `POSTGRES_PASSWORD_FILE` | aktiv |
| immich-postgres | DB Password | `/mnt/user/appdata/secrets/immich_postgres_password.txt` -> `POSTGRES_PASSWORD_FILE` | aktiv |
| mail-archiver | DB Connection | Stack ENV `${MAILARCHIVER_DB_CONNECTION}` | aktiv |
| mail-archiver | Auth Password | Stack ENV `${MAILARCHIVER_AUTH_PASSWORD}` | aktiv |
| Authelia | JWT Secret | `/mnt/user/appdata/secrets/authelia_jwt_secret.txt` -> `AUTHELIA_JWT_SECRET_FILE` | aktiv |
| Authelia | Session Secret | `/mnt/user/appdata/secrets/authelia_session_secret.txt` -> `AUTHELIA_SESSION_SECRET_FILE` | aktiv |
| Authelia | Storage Encryption Key | `/mnt/user/appdata/secrets/authelia_storage_encryption_key.txt` -> `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE` | aktiv |
| Authelia | Postgres Password | `/mnt/user/appdata/secrets/authelia_postgres_password.txt` -> `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE` | aktiv |
| Komodo Mongo | Root Password | `/mnt/user/appdata/secrets/komodo_mongo_password.txt` -> `MONGO_INITDB_ROOT_PASSWORD_FILE` | aktiv |
| Komodo Core | App Secrets | Stack ENV `${KOMODO_SECRET_KEY}`, `${KOMODO_JWT_SECRET}`, `${KOMODO_MONGO_PASSWORD}`, `${KOMODO_PERIPHERY_PASSKEY}` | aktiv |
| Homepage | API Tokens / Zugangsdaten | Stack ENV `HOMEPAGE_VAR_*` | aktiv |
| speedtest-tracker | App Key / Admin-Zugang | Stack ENV `${APP_KEY}`, `${ADMIN_PASSWORD}` | aktiv |
| Borg UI / Borg | Admin-Login, `SECRET_KEY`, SSH-Keys, Repo-Credentials | persistent unter `/mnt/user/appdata/borg-ui/data/` | aktiv |
---
@@ -42,16 +54,22 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
```text
/mnt/user/appdata/secrets/
|-- vaultwarden_admin_token.txt
|-- authelia_jwt_secret.txt
|-- authelia_postgres_password.txt
|-- authelia_session_secret.txt
|-- authelia_storage_encryption_key.txt
|-- immich_postgres_password.txt
|-- komodo_mongo_password.txt
|-- mealie_postgres_password.txt
|-- postgres_password.txt
|-- redis_password.txt
|-- code_server_password.txt
`-- immich_db.txt
`-- vaultwarden_admin_token.txt
```
Hinweise:
Weitere dokumentierte Secret-Pfade:
- Mealie, Paperless, mail-archiver und der Immich-Server nutzen Stack Environment Variables statt Datei-Mounts.
- `/mnt/user/appdata/code-server/secrets/password`
- `/mnt/user/appdata/traefik/secrets/cloudflare_dns_api_token`
- Borg UI verwaltet Session-Secret, Admin-Login, SSH-Keys und Repo-Credentials in seiner persistenten `/data`-Struktur. Diese Daten liegen nicht im Git, muessen aber gesichert werden.
---