Jafner.net/homelab/docs/Secrets.md
Joey Hafner f62344049a #110 Init Secrets.md
Update DDClient readme for new hostname
2023-12-15 11:48:44 -08:00

1.1 KiB

Secrets

Our repository contains as many configuration details as reasonable. But we must secure our secrets: passwords, API keys, encryption seeds, etc..

Docker Env Vars

  1. We store our Docker env vars in a file named after the service. For example keycloak.env.
  2. We separate our secrets from non-secret env vars by placing them in a file with a similar name, but with _secrets appended to the service name. For example keycloak_secrets.env. These files exist only on the host for which they are necessary, and must be created manually on the host.
  3. Our repository .gitignore excludes all files matching *.secret, and *_secrets.env.

Note: This makes secrets very fragile. Accidental deletion or other data loss can destroy the secret permanently.

Generating Secrets

We use the password manager's generator to create secrets with the desired parameters, preferring the following parameters: - 64 characters - Capital letters, lowercase letters, numbers, and standard symbols (^*@#!&$%) If necessary, we will reduce characterset by cutting out symbols before reducing string length.