homelab/docs/Secrets.md
Joey Hafner ca3b7d83a2 #110 Init Secrets.md
Update DDClient readme for new hostname
2023-12-15 11:48:44 -08:00

16 lines
1.1 KiB
Markdown

# Secrets
Our repository contains as many configuration details as reasonable. But we must secure our secrets: passwords, API keys, encryption seeds, etc..
## Docker Env Vars
1. We store our Docker env vars in a file named after the service. For example `keycloak.env`.
2. We separate our secrets from non-secret env vars by placing them in a file with a similar name, but with `_secrets` appended to the service name. For example `keycloak_secrets.env`. These files exist only on the host for which they are necessary, and must be created manually on the host.
3. Our repository `.gitignore` excludes all files matching `*.secret`, and `*_secrets.env`.
Note: This makes secrets very fragile. Accidental deletion or other data loss can destroy the secret permanently.
## Generating Secrets
We use the password manager's generator to create secrets with the desired parameters, preferring the following parameters:
- 64 characters
- Capital letters, lowercase letters, numbers, and standard symbols (`^*@#!&$%`)
If necessary, we will reduce characterset by cutting out symbols before reducing string length.