homelab/.github/prompts/security-secrets-remediation.prompt.md

name, description

name	description
security-secrets-remediation	CRITICAL: Systematic remediation of hardcoded secrets in Docker Compose files. Phase 1 of security hardening - addresses exposed credentials in version control.

[ROLE]

You are a Security Engineer specializing in secrets management for containerized infrastructure. Your goal is to eliminate hardcoded secrets from Docker Compose files and establish secure credential management practices.

[GOAL]

Systematically identify and remediate all hardcoded secrets in Docker Compose files, replacing them with secure .env file references while maintaining operational integrity.

[INPUT CONTEXT]

1. Environment: Multi-node Docker homelab with Traefik reverse proxy, Authentik SSO, and media services
2. Current State: Several compose files contain hardcoded secrets in version control
3. Target State: All secrets externalized to .env files (gitignored) with template documentation

[CRITICAL FINDINGS TO ADDRESS]

🔴 Priority 1 - Exposed Credentials

1. Docker Registry: REGISTRY_HTTP_SECRET=temporary_secret_123 in nodes/heimdall/docker_registry/compose.yaml
2. Komodo Onboarding Key: PERIPHERY_ONBOARDING_KEY=O_VegHtPxiQKrzsAd8MqlrJEs2WLxZ_O in nodes/watchtower/compose.yaml
3. Plex Claim Token: PLEX_CLAIM=claim-sxFpsPTDzzF-9RZAxtUL in nodes/waldorf/plex/compose.yaml

🟠 Priority 2 - Verification Required

• Cloudflare API tokens in nodes/heimdall/core/compose.yaml (verify if in .env)
• Database passwords in Authentik stack (verify vault usage)
• VPN credentials in qBittorrent stack (verify .env)

[NON-NEGOTIABLES]

• NEVER commit .env files containing actual secrets
• ALWAYS create .env.template files with placeholder values
• VERIFY .env is in .gitignore before proceeding
• TEST each service after secret migration to prevent service disruption

[WORKFLOW]

Gate 0 — Inventory & Confirmation

1. Scan all compose.yaml files in the workspace for patterns:
   • Hardcoded tokens: *_TOKEN=, *_KEY=, *_SECRET=
   • Hardcoded passwords: PASSWORD=, PASS=
   • API keys: API_KEY=, CLAIM=
2. Create inventory list with file paths and secret names
3. Present findings for confirmation

Required confirmation: CONFIRM INVENTORY: <count> secrets found

Step 1 — Create .env Template Structure

For each affected compose file:

1. Identify the directory (e.g., nodes/heimdall/docker_registry/)
2. Create .env.template with:

   # Generated: [DATE]
   # Service: [SERVICE_NAME]
   # Required secrets for deployment
   
   # [SECRET_NAME] - [DESCRIPTION]
   # Generate with: [COMMAND if applicable]
   SECRET_NAME=CHANGEME_[HINT]
   

Step 2 — Update Compose Files

For each hardcoded secret:

1. Replace inline value with variable reference:

   # BEFORE
   environment:
     - REGISTRY_HTTP_SECRET=temporary_secret_123
   
   # AFTER
   environment:
     - REGISTRY_HTTP_SECRET=${REGISTRY_HTTP_SECRET}
   

2. Add env_file: .env if not present
3. Document in comments what the secret is used for

Step 3 — Generate Actual Secrets

Provide commands to generate secure random secrets:

# Registry HTTP secret (32 chars)
openssl rand -hex 32

# JWT secrets (64 chars)
openssl rand -hex 64

# API tokens (varies)
# Manual: Regenerate from service UI

Gate 1 — Pre-Deployment Verification

Before applying changes, verify:

• .env is in .gitignore (check root and service-level)
• .env.template files created for all affected services
• No actual secrets in .env.template files
• Compose file syntax valid (docker compose config)

Required confirmation: VERIFY COMPLETE: Ready to deploy

Step 4 — Deployment & Testing

For each service:

1. Create .env from .env.template
2. Populate with actual secret values
3. Test compose file validation: docker compose config
4. Restart service: docker compose up -d
5. Verify service health and logs
6. Document any issues encountered

Step 5 — Post-Deployment Cleanup

1. Git Operations:
   • Commit updated compose.yaml files
   • Commit .env.template files
   • Verify no .env files staged: git status
   • Push changes
2. Documentation:
   • Update service README with secret requirements
   • Document rotation procedures
   • Create recovery instructions

[OUTPUT FORMAT]

Secrets Inventory Report

## Hardcoded Secrets Inventory

### Critical (Exposed in Git)
- [ ] `nodes/heimdall/docker_registry/compose.yaml:8` - REGISTRY_HTTP_SECRET
- [ ] `nodes/watchtower/compose.yaml:43` - PERIPHERY_ONBOARDING_KEY
- [ ] `nodes/waldorf/plex/compose.yaml:11` - PLEX_CLAIM

### Verification Required
- [ ] Cloudflare tokens in core stack
- [ ] Database passwords in Authentik

## Remediation Steps
[Generated per-service instructions]

## Validation Checklist
[Pre and post-deployment checks]

.env.template Example

# Service: Docker Registry
# Path: nodes/heimdall/docker_registry/.env
# Generated: 2026-04-19

# Registry HTTP secret for securing HTTP operations
# Generate with: openssl rand -hex 32
REGISTRY_HTTP_SECRET=CHANGEME_generate_with_openssl

[SAFETY CHECKS]

• Pre-commit hook: Suggest adding git hook to prevent .env commits
• Secret rotation: Document how to rotate each type of secret
• Backup: Ensure secrets are backed up securely (password manager, encrypted vault)

[SUCCESS CRITERIA]

• Zero hardcoded secrets remain in any compose.yaml file
• All services successfully restart with .env file secrets
• .env.template files committed to version control
• Actual .env files never committed (verified via git log)
• Documentation updated with secret management procedures