Jordan Ramos
eec4c4b298
Introduce template-based approach to prevent credential exposure in version control.
This security enhancement establishes a standard pattern for managing sensitive data
across the homelab repository.
Changes:
- Create services/homepage/services.yaml.template with env var placeholders
* Replace 7 hardcoded credentials with ${VARIABLE_NAME} format
* Add OPNSense, Proxmox, Plex, Radarr, Sonarr, Deluge placeholders
- Create scripts/fix_n8n_db_c_locale.sh.template with env var validation
* Remove hardcoded PostgreSQL password
* Add N8N_DB_PASSWORD environment variable requirement
* Include security reminder to shred script after use
- Update .gitignore with explicit exclusions for sensitive files
* Add services/homepage/services.yaml exclusion
* Add scripts/fix_n8n_db_c_locale.sh exclusion
- Create services/homepage/README.md with comprehensive setup guide
* Document environment variable usage (recommended method)
* Provide API key acquisition instructions for all services
* Include troubleshooting and security best practices
- Update scripts/README.md with template pattern documentation
* Add fix_n8n_db_c_locale.sh template usage instructions
* Create "Template-Based Script Pattern" section
* Enhance security guidelines with shred usage
Template Pattern Benefits:
- Repository remains credential-free
- Templates serve as documentation
- Easy to recreate configs on new systems
- Supports CI/CD pipelines with secret injection
Security Validation:
- No API keys in staged files (verified)
- No passwords in staged files (verified)
- .gitignore properly excludes sensitive files
- Templates contain clear usage instructions
Related: n8n troubleshooting (CLAUDE_STATUS.md), Docker Compose migration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
141 lines
5.6 KiB
Plaintext
141 lines
5.6 KiB
Plaintext
# Homelab Git Ignore Configuration
|
|
# =================================
|
|
# This file tells git which files to ignore (not track in version control)
|
|
|
|
# Environment Files (contain sensitive information)
|
|
# ------------------------------------------------
|
|
.env # Your actual environment configuration
|
|
*.env.local # Local environment overrides
|
|
*.env.production # Production environment files
|
|
*.env.*.local # Any local environment variations
|
|
|
|
# Secrets and Credentials
|
|
# ----------------------
|
|
secrets/ # Directory for any secret files
|
|
*.key # Private keys
|
|
*.pem # SSL certificates and keys
|
|
*.crt # Certificate files (unless you explicitly need them tracked)
|
|
*.pfx # Certificate files
|
|
*.p12 # Certificate files
|
|
credentials.json # Credential files
|
|
auth.json # Authentication files
|
|
*.token # Token files
|
|
*.secret # Secret files
|
|
|
|
# Proxmox & Virtual Machine Data
|
|
# -----------------------------
|
|
*.iso # ISO files (too large for git)
|
|
*.qcow2 # QEMU disk images
|
|
*.vmdk # VMware disk images
|
|
*.vdi # VirtualBox disk images
|
|
*.img # Raw disk images
|
|
*.ova # Virtual appliance packages
|
|
*.ovf # Open virtualization format
|
|
|
|
# Backup and Export Files
|
|
# ----------------------
|
|
*.tar.gz # Compressed archives
|
|
*.tgz # Compressed archives
|
|
*.zip # Zip archives
|
|
*.bak # Backup files
|
|
*.backup # Backup files
|
|
backups/ # Backup directory
|
|
exports/ # Export directory (if not needed in git)
|
|
homelab-export-*/ # Your homelab export directories
|
|
*.log # Log files (unless you specifically want to track them)
|
|
|
|
# Temporary Files
|
|
# --------------
|
|
*.tmp # Temporary files
|
|
*.temp # Temporary files
|
|
*.cache # Cache files
|
|
*.swp # Vim swap files
|
|
*.swo # Vim swap files
|
|
*~ # Backup files created by editors
|
|
.DS_Store # macOS metadata files
|
|
Thumbs.db # Windows thumbnail cache
|
|
|
|
# IDE and Editor Files
|
|
# -------------------
|
|
.vscode/ # VS Code settings (unless you want to share them)
|
|
.idea/ # JetBrains IDE settings
|
|
*.sublime-* # Sublime Text settings
|
|
.project # Eclipse project files
|
|
.classpath # Eclipse classpath
|
|
|
|
# Terraform State (if you use Terraform)
|
|
# -------------------------------------
|
|
*.tfstate # Terraform state files (contain sensitive data)
|
|
*.tfstate.* # Terraform state backups
|
|
.terraform/ # Terraform plugin directory
|
|
.terraform.lock.hcl # Terraform lock file (some prefer to track this)
|
|
|
|
# Ansible Vault (if you use Ansible)
|
|
# ---------------------------------
|
|
# Note: You might want to track encrypted vault files
|
|
# but ignore the decrypted versions
|
|
*.vault.yml.dec # Decrypted vault files
|
|
vault-password.txt # Vault password file
|
|
|
|
# Python (if you have Python scripts)
|
|
# ----------------------------------
|
|
__pycache__/ # Python cache
|
|
*.py[cod] # Python compiled files
|
|
*$py.class # Python class files
|
|
venv/ # Python virtual environment
|
|
env/ # Python virtual environment
|
|
.Python # Python runtime
|
|
|
|
# Node.js (if you have Node.js projects)
|
|
# -------------------------------------
|
|
node_modules/ # Node.js dependencies
|
|
npm-debug.log* # npm debug logs
|
|
yarn-debug.log* # Yarn debug logs
|
|
yarn-error.log* # Yarn error logs
|
|
|
|
# Claude Code Configuration Files
|
|
# -------------------------------
|
|
.claude.json # Claude MCP server configuration (contains API keys)
|
|
*.claude.json # Any Claude config files
|
|
.claude/ # Claude configuration directory
|
|
|
|
# Script Variants (with embedded credentials)
|
|
# -------------------------------------------
|
|
# Sanitized scripts are tracked in git, but variants with
|
|
# real credentials embedded should be kept local only
|
|
scripts/**/*_with_creds.* # Any script with embedded credentials
|
|
scripts/**/*.local.* # Local script variants
|
|
scripts/**/*_prod.* # Production script variants
|
|
scripts/**/fix_*_original.sh # Original unsanitized fix scripts
|
|
|
|
# Docker Compose Service Exclusions
|
|
# ---------------------------------
|
|
# Ignore runtime data and sensitive files in services directory
|
|
services/**/.env # Service environment files with secrets
|
|
services/**/.env.local # Local environment overrides
|
|
services/**/volumes/ # Docker volume mount directories
|
|
services/**/data/ # Data directories
|
|
services/**/*.log # Service log files
|
|
services/**/logs/ # Log directories
|
|
services/**/node_modules/ # Node.js dependencies in services
|
|
services/**/*.db # Database files
|
|
services/**/*.sqlite # SQLite database files
|
|
services/**/*.sqlite3 # SQLite3 database files
|
|
|
|
# Homepage Configuration (Sensitive)
|
|
# ----------------------------------
|
|
# Exclude the actual configuration file (contains API keys/passwords)
|
|
# Template file (.template) is tracked for reference
|
|
services/homepage/services.yaml
|
|
|
|
# Operational Scripts (Sensitive)
|
|
# -------------------------------
|
|
# Exclude scripts with embedded credentials
|
|
# Template files (.template) are tracked for reference
|
|
scripts/fix_n8n_db_c_locale.sh
|
|
|
|
# Custom Exclusions
|
|
# ----------------
|
|
# Add any custom patterns specific to your homelab below:
|
|
.env
|