feat(security): implement template-based credential management for sensitive configurations

Introduce template-based approach to prevent credential exposure in version control. This security enhancement establishes a standard pattern for managing sensitive data across the homelab repository. Changes: - Create services/homepage/services.yaml.template with env var placeholders * Replace 7 hardcoded credentials with ${VARIABLE_NAME} format * Add OPNSense, Proxmox, Plex, Radarr, Sonarr, Deluge placeholders - Create scripts/fix_n8n_db_c_locale.sh.template with env var validation * Remove hardcoded PostgreSQL password * Add N8N_DB_PASSWORD environment variable requirement * Include security reminder to shred script after use - Update .gitignore with explicit exclusions for sensitive files * Add services/homepage/services.yaml exclusion * Add scripts/fix_n8n_db_c_locale.sh exclusion - Create services/homepage/README.md with comprehensive setup guide * Document environment variable usage (recommended method) * Provide API key acquisition instructions for all services * Include troubleshooting and security best practices - Update scripts/README.md with template pattern documentation * Add fix_n8n_db_c_locale.sh template usage instructions * Create "Template-Based Script Pattern" section * Enhance security guidelines with shred usage Template Pattern Benefits: - Repository remains credential-free - Templates serve as documentation - Easy to recreate configs on new systems - Supports CI/CD pipelines with secret injection Security Validation: - No API keys in staged files (verified) - No passwords in staged files (verified) - .gitignore properly excludes sensitive files - Templates contain clear usage instructions Related: n8n troubleshooting (CLAUDE_STATUS.md), Docker Compose migration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-02 19:49:28 -07:00
parent 3eea6b1b4e
commit eec4c4b298
13 changed files with 870 additions and 2 deletions
--- a/services/homepage/services.yaml.template
+++ b/services/homepage/services.yaml.template
@@ -0,0 +1,88 @@
+---
+# Homepage Services Configuration Template
+# =========================================
+# This is a TEMPLATE file. To use it:
+# 1. Copy this file to services.yaml: cp services.yaml.template services.yaml
+# 2. Replace all ${VARIABLE_NAME} placeholders with actual values
+# 3. Or use environment variables by sourcing a .env file
+#
+# SECURITY: services.yaml is excluded from git via .gitignore
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/services/
+
+- Networking:
+    - OPNSense:
+        href: https://192.168.50.1/
+        description: Firewall - Router
+        widget:
+          type: opnsense
+          url: https://192.168.50.1
+          username: ${OPNSENSE_API_USERNAME}
+          password: ${OPNSENSE_API_PASSWORD}
+          #wan: re1 # optional, defaults to wan
+
+- Home Lab:
+    - Homeramoslab:
+        href: http://192.168.50.230:8006
+        description: AMD Game/Media Server
+        widget:
+          type: proxmox
+          url: https://192.168.50.230:8006
+          username: api@pam!homepage
+          password: ${PROXMOX_HOMERAMOSLAB_API_TOKEN}
+          #node: pve-1 # optional
+    - PVE:
+        href: https://192.168.50.240:8006
+        description: Poweredge R610
+        widget:
+          type: proxmox
+          url: https://192.168.50.240:8006
+          username: api@pam!homepage
+          password: ${PROXMOX_PVE_API_TOKEN}
+
+- Utilities:
+    - PlaceHolder:
+        href: http://localhost/
+        description: Homepage is 😎
+
+- Media:
+    - Plex:
+        href: http://192.168.50.231:32400
+        icon: plex.png
+        description: Media Server
+        widget:
+          type: plex
+          url: http://192.168.50.231:32400
+          key: ${PLEX_API_KEY}
+
+    - Radarr:
+        href: http://192.168.50.231:7878
+        icon: radarr.png
+        description: Movie Management
+        widget:
+          type: radarr
+          url: http://192.168.50.231:7878
+          key: ${RADARR_API_KEY}
+          enableQueue: true # optional, defaults to false
+
+    - Sonar:
+        href: http://192.168.50.231:8989
+        icon: sonarr.png
+        description: Series Management
+        widget:
+          type: sonarr
+          url: http://192.168.50.231:8989
+          key: ${SONARR_API_KEY}
+          enableQueue: true # optional, defaults to false
+
+    - Deulge:
+        href: http://192.168.50.231:8112
+        icon: deluge.png
+        description: Media collector
+        widget:
+          type: deluge
+          url: http://192.168.50.231:8112
+          password: ${DELUGE_WEBUI_PASSWORD}
+          enableLeechProgress: true # optional, defaults to false
+
+