feat(security): implement template-based credential management for sensitive configurations

Introduce template-based approach to prevent credential exposure in version control.
This security enhancement establishes a standard pattern for managing sensitive data
across the homelab repository.

Changes:
- Create services/homepage/services.yaml.template with env var placeholders
  * Replace 7 hardcoded credentials with ${VARIABLE_NAME} format
  * Add OPNSense, Proxmox, Plex, Radarr, Sonarr, Deluge placeholders
- Create scripts/fix_n8n_db_c_locale.sh.template with env var validation
  * Remove hardcoded PostgreSQL password
  * Add N8N_DB_PASSWORD environment variable requirement
  * Include security reminder to shred script after use
- Update .gitignore with explicit exclusions for sensitive files
  * Add services/homepage/services.yaml exclusion
  * Add scripts/fix_n8n_db_c_locale.sh exclusion
- Create services/homepage/README.md with comprehensive setup guide
  * Document environment variable usage (recommended method)
  * Provide API key acquisition instructions for all services
  * Include troubleshooting and security best practices
- Update scripts/README.md with template pattern documentation
  * Add fix_n8n_db_c_locale.sh template usage instructions
  * Create "Template-Based Script Pattern" section
  * Enhance security guidelines with shred usage

Template Pattern Benefits:
- Repository remains credential-free
- Templates serve as documentation
- Easy to recreate configs on new systems
- Supports CI/CD pipelines with secret injection

Security Validation:
- No API keys in staged files (verified)
- No passwords in staged files (verified)
- .gitignore properly excludes sensitive files
- Templates contain clear usage instructions

Related: n8n troubleshooting (CLAUDE_STATUS.md), Docker Compose migration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

scripts/fix_n8n_db_c_locale.sh.template

@@ -0,0 +1,164 @@
+#!/bin/bash
+################################################################################
+# n8n PostgreSQL Permission Fix Script - C.utf8 Locale Version (TEMPLATE)
+#
+# Purpose: Fix PostgreSQL 15+ permission issues for n8n database
+# Root Cause: 1) PostgreSQL 15+ removed default CREATE permission from PUBLIC
+#             2) Debian 12 minimal system only has C.utf8 locale available
+# Solution: Create database with C.utf8 locale and proper ownership
+#
+# Environment: Debian 12, PostgreSQL 16, n8n LXC Container (CT 113)
+#
+# USAGE:
+#   1. Copy this template: cp fix_n8n_db_c_locale.sh.template fix_n8n_db_c_locale.sh
+#   2. Set environment variable: export N8N_DB_PASSWORD="your_secure_password"
+#   3. Run the script: bash fix_n8n_db_c_locale.sh
+#   4. Delete the script after use: shred -u fix_n8n_db_c_locale.sh
+#
+# SECURITY NOTE: This template uses environment variables to avoid hardcoding
+#                credentials in the repository. The actual script with embedded
+#                credentials is excluded from git via .gitignore
+################################################################################
+
+set -euo pipefail
+
+DB_NAME="n8n_db"
+DB_USER="n8n_user"
+
+# IMPORTANT: Set this environment variable before running the script
+# Example: export N8N_DB_PASSWORD="your_secure_password_here"
+DB_PASSWORD="${N8N_DB_PASSWORD:-}"
+
+if [[ -z "$DB_PASSWORD" ]]; then
+    echo "ERROR: N8N_DB_PASSWORD environment variable is not set"
+    echo "Please set it before running this script:"
+    echo "  export N8N_DB_PASSWORD='your_secure_password'"
+    exit 1
+fi
+
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+LOG_FILE="/var/log/n8n_db_fix_${TIMESTAMP}.log"
+
+# Color codes
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+log() {
+    echo -e "${BLUE}[$(date +'%Y-%m-%d %H:%M:%S')]${NC} $1" | tee -a "$LOG_FILE"
+}
+
+log_success() {
+    echo -e "${GREEN}[✓]${NC} $1" | tee -a "$LOG_FILE"
+}
+
+log_error() {
+    echo -e "${RED}[✗]${NC} $1" | tee -a "$LOG_FILE"
+}
+
+echo "================================================================================"
+echo "n8n PostgreSQL Permission Fix - C.utf8 Locale Version"
+echo "================================================================================"
+echo ""
+
+log "Stopping n8n service..."
+systemctl stop n8n || true
+sleep 3
+log_success "n8n service stopped"
+
+log "Dropping existing database (if any) and recreating with C.UTF-8 locale..."
+sudo -u postgres psql <<SQL 2>&1 | tee -a "$LOG_FILE"
+-- Terminate any existing connections
+SELECT pg_terminate_backend(pg_stat_activity.pid)
+FROM pg_stat_activity
+WHERE pg_stat_activity.datname = '$DB_NAME'
+  AND pid <> pg_backend_pid();
+
+-- Drop database if exists
+DROP DATABASE IF EXISTS $DB_NAME;
+
+-- Create database with C.utf8 locale (Debian 12 system locale)
+CREATE DATABASE $DB_NAME
+    OWNER $DB_USER
+    ENCODING 'UTF8'
+    LC_COLLATE = 'C.utf8'
+    LC_CTYPE = 'C.utf8'
+    TEMPLATE template0;
+
+-- Connect to the database
+\c $DB_NAME
+
+-- Grant all privileges on the public schema (PostgreSQL 15+ fix)
+GRANT ALL ON SCHEMA public TO $DB_USER;
+
+-- Grant all privileges on all current and future objects
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO $DB_USER;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO $DB_USER;
+GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO $DB_USER;
+
+-- Set default privileges for future objects
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $DB_USER;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO $DB_USER;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO $DB_USER;
+
+-- Verify database settings
+SELECT datname, datcollate, datctype, pg_get_userbyid(datdba) as owner
+FROM pg_database
+WHERE datname = '$DB_NAME';
+SQL
+
+log_success "Database recreated with C.utf8 locale and proper permissions"
+
+log "Testing database permissions..."
+PGPASSWORD="$DB_PASSWORD" psql -h localhost -U $DB_USER -d $DB_NAME <<SQL 2>&1 | tee -a "$LOG_FILE"
+-- Test table creation (this is what was failing before)
+CREATE TABLE test_table (id SERIAL PRIMARY KEY, test_data VARCHAR(100));
+INSERT INTO test_table (test_data) VALUES ('Permission test successful');
+SELECT * FROM test_table;
+DROP TABLE test_table;
+
+-- Display current user and database
+SELECT current_user, current_database();
+SQL
+
+if [[ $? -eq 0 ]]; then
+    log_success "Permission test PASSED - n8n_user can create tables"
+else
+    log_error "Permission test FAILED"
+    exit 1
+fi
+
+log "Starting n8n service..."
+systemctl start n8n
+sleep 10
+
+if systemctl is-active --quiet n8n; then
+    log_success "n8n service started successfully"
+else
+    log_error "n8n service failed to start - check logs"
+    journalctl -u n8n -n 30
+    exit 1
+fi
+
+echo ""
+echo "================================================================================"
+log_success "n8n DATABASE FIX COMPLETED SUCCESSFULLY"
+echo "================================================================================"
+echo ""
+echo "✅ Database created with:"
+echo "   - Locale: C.utf8 (Debian 12 system locale)"
+echo "   - Owner: n8n_user"
+echo "   - Permissions: Full CREATE access on public schema"
+echo ""
+echo "📋 Next Steps:"
+echo "   1. Monitor service: systemctl status n8n"
+echo "   2. Watch logs: journalctl -u n8n -f"
+echo "   3. Test access: https://n8n.apophisnetworking.net"
+echo ""
+echo "📄 Log file: $LOG_FILE"
+echo ""
+echo "🔒 SECURITY: Remember to delete this script after use:"
+echo "   shred -u $(readlink -f "$0")"
+echo "================================================================================"