Jordan Ramos
eec4c4b298
Introduce template-based approach to prevent credential exposure in version control.
This security enhancement establishes a standard pattern for managing sensitive data
across the homelab repository.
Changes:
- Create services/homepage/services.yaml.template with env var placeholders
* Replace 7 hardcoded credentials with ${VARIABLE_NAME} format
* Add OPNSense, Proxmox, Plex, Radarr, Sonarr, Deluge placeholders
- Create scripts/fix_n8n_db_c_locale.sh.template with env var validation
* Remove hardcoded PostgreSQL password
* Add N8N_DB_PASSWORD environment variable requirement
* Include security reminder to shred script after use
- Update .gitignore with explicit exclusions for sensitive files
* Add services/homepage/services.yaml exclusion
* Add scripts/fix_n8n_db_c_locale.sh exclusion
- Create services/homepage/README.md with comprehensive setup guide
* Document environment variable usage (recommended method)
* Provide API key acquisition instructions for all services
* Include troubleshooting and security best practices
- Update scripts/README.md with template pattern documentation
* Add fix_n8n_db_c_locale.sh template usage instructions
* Create "Template-Based Script Pattern" section
* Enhance security guidelines with shred usage
Template Pattern Benefits:
- Repository remains credential-free
- Templates serve as documentation
- Easy to recreate configs on new systems
- Supports CI/CD pipelines with secret injection
Security Validation:
- No API keys in staged files (verified)
- No passwords in staged files (verified)
- .gitignore properly excludes sensitive files
- Templates contain clear usage instructions
Related: n8n troubleshooting (CLAUDE_STATUS.md), Docker Compose migration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
7.2 KiB
7.2 KiB
Homepage Service Configuration
This directory contains the configuration for the Homepage dashboard service - a modern, fully static, fast, secure fully self-hosted application dashboard with integrations for over 100 services.
Security Notice
⚠️ IMPORTANT: The services.yaml file contains sensitive API keys, tokens, and passwords. It is excluded from git via .gitignore to prevent credential exposure.
Setup Instructions
Option 1: Using Environment Variables (Recommended)
This is the most secure method as it keeps credentials separate from configuration files.
-
Create a
.envfile in this directory:cd /home/jramos/homelab/services/homepage cp .env.example .env # If example exists, or create manually -
Add your credentials to the
.envfile:# OPNSense OPNSENSE_API_USERNAME=your_opnsense_api_username OPNSENSE_API_PASSWORD=your_opnsense_api_password # Proxmox PROXMOX_HOMERAMOSLAB_API_TOKEN=your_proxmox_token_1 PROXMOX_PVE_API_TOKEN=your_proxmox_token_2 # Media Services PLEX_API_KEY=your_plex_api_key RADARR_API_KEY=your_radarr_api_key SONARR_API_KEY=your_sonarr_api_key DELUGE_WEBUI_PASSWORD=your_deluge_password -
Create the actual configuration from the template:
# Using envsubst (if available) envsubst < services.yaml.template > services.yaml # OR manually copy and edit cp services.yaml.template services.yaml nano services.yaml # Replace ${VARIABLE_NAME} with actual values -
Set proper permissions:
chmod 600 services.yaml # Owner read/write only chmod 600 .env # Owner read/write only
Option 2: Manual Configuration
If you prefer to manage credentials directly in the file:
-
Copy the template:
cp services.yaml.template services.yaml -
Edit the file and replace all
${VARIABLE_NAME}placeholders with actual values:nano services.yaml -
Set proper permissions:
chmod 600 services.yaml # Owner read/write only
Configuration Files
Tracked in Git (Templates & Non-Sensitive)
services.yaml.template- Template with environment variable placeholdersbookmarks.yaml- Browser bookmark links (no sensitive data)docker.yaml- Docker integration configurationsettings.yaml- General settings (may contain some preferences)widgets.yaml- Dashboard widgets configurationkubernetes.yaml- Kubernetes integration (if used)custom.css- Custom stylingcustom.js- Custom JavaScript
Excluded from Git (Sensitive)
services.yaml- Contains API keys and passwords (excluded via .gitignore).env- Contains environment variables with credentials (excluded via .gitignore)
Obtaining API Keys and Tokens
OPNSense API Credentials
- Log into OPNSense web UI (https://192.168.50.1/)
- Navigate to System → Access → Users
- Select your user or create a dedicated API user
- Scroll to "API keys" section
- Click "+" to generate a new API key
- Copy the Key (username) and Secret (password)
Proxmox API Tokens
- Log into Proxmox web UI (https://192.168.50.230:8006 or :240)
- Navigate to Datacenter → Permissions → API Tokens
- Click "Add" to create a new token
- User:
api@pam, Token ID:homepage - Uncheck "Privilege Separation" for full access
- Copy the generated token (format:
PVEAPIToken=api@pam!homepage=uuid-format-token) - Use only the UUID portion in the configuration
Plex API Key
- While playing any media in Plex Web App
- Click the settings icon → "Get Info" → "View XML"
- In the URL, look for
X-Plex-Token=parameter - Copy the token value after the equals sign
Radarr/Sonarr API Keys
- Log into Radarr/Sonarr web UI
- Navigate to Settings → General
- Scroll to "Security" section
- Copy the API Key
Deluge Web UI Password
This is the password you set when first accessing the Deluge Web UI at http://192.168.50.231:8112
Default is often deluge but should be changed for security.
Docker Compose Integration
If running Homepage in Docker, mount this directory as a volume:
services:
homepage:
image: ghcr.io/gethomepage/homepage:latest
container_name: homepage
ports:
- 3000:3000
volumes:
- /home/jramos/homelab/services/homepage:/app/config
- /var/run/docker.sock:/var/run/docker.sock:ro # For Docker widget
environment:
- PUID=1000
- PGID=1000
restart: unless-stopped
Troubleshooting
Service Widgets Not Loading
- Check API credentials: Ensure all API keys/tokens are correct
- Verify network connectivity: Can Homepage reach the service URLs?
- Review permissions: API tokens need appropriate permissions
- Check service status: Is the target service actually running?
- Enable debug logging: Add
LOG_LEVEL=debugto docker-compose environment
Configuration Syntax Errors
- Validate YAML: Use a YAML validator (yamllint, online validators)
- Check indentation: YAML is sensitive to spaces (use 2-space indentation)
- Review logs:
docker logs homepageor check homepage logs
Permission Denied Errors
# Fix file permissions
chmod 600 services.yaml
chown $(whoami):$(whoami) services.yaml
Security Best Practices
- Never commit
services.yaml- It's already in .gitignore, keep it that way - Use dedicated API users - Don't use admin accounts for integrations
- Rotate credentials regularly - Change API keys/tokens periodically
- Limit token permissions - Grant only necessary permissions to API tokens
- Use HTTPS - Access Homepage only over HTTPS in production
- Restrict access - Use firewall rules or reverse proxy authentication
- Back up securely - If backing up configs, encrypt the backup
Updating Configuration
After making changes to services.yaml:
-
Docker deployment: Restart the container
docker restart homepage # OR docker-compose restart -
Standalone deployment: Restart the Homepage service
systemctl restart homepage -
Verify changes: Check the Homepage UI to ensure widgets load correctly
Template Maintenance
When adding new services or widgets:
- Update the template (
services.yaml.template) with placeholders - Document the new environment variables in this README
- Update your local
services.yamlwith actual values - Commit the template to git (not the actual config)
Additional Resources
Support
For issues specific to this homelab configuration:
- Check the main repository documentation
- Review CLAUDE_STATUS.md for recent changes
- Consult the services/README.md for Docker Compose context
For general Homepage issues: