Document .env deployment options

2026-05-24 16:15:59 +02:00
parent a90002aefc
commit 279aaf37d9
+12
@@ -137,6 +137,18 @@ To rotate a password:
Do not commit `.env` to git. The `.env.example` template is the only password-related file that belongs in the repo.
### Deploy-time only
The `.env` file is read only during `docker compose up` (container create/recreate). At runtime, secrets live in Docker volumes and container env vars. Options for handling `.env` on the target machine:
| Option | Security | Convenience |
|--------|----------|-------------|
| **Keep with `chmod 600`** (current) | Root on agge can still read it — but root already owns the volumes | Compose works immediately |
| **Remove after deploy** | Minimal disk exposure | Must scp from hector before any `docker compose down && up` |
| **Deploy script** (`deploy.sh`) | `.env` lives only on hector, pushed transiently during deploy | Single command, cleanest for production |
For the prototype, `chmod 600` is fine. For a production VPS, a deploy script is better — the `.env` never sits on disk permanently.
# Session history
**Session ses_21ab382baffej8OpnTkrmaG5UA** — initial prototype deployment: Docker files written, containers configured, applications deployed and verified.
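Review bot: the "Deploy script" row overstates the security gain. The new paragraph itself says that at runtime "secrets live in Docker volumes and container env vars", so pushing `.env` transiently from hector only removes the file from disk on agge; the same values remain readable on agge via `docker inspect` (container `Env`) by root and by anyone in the `docker` group, which is effectively root. Suggest changing the Security cell to something like "`.env` not left on disk; values still visible in container env on agge" so a reader does not conclude that the production option keeps the secrets off the target machine. Relatedly, the "Remove after deploy" row only mentions `docker compose down && up`, but any Compose command that parses the compose file (for example `docker compose ps`, `logs`, `config`) also interpolates `${VAR}` from `.env` and will warn about unset variables once the file is gone; worth a short caveat in the Convenience cell.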