Add secrets-index.md — map of service credentials and where they are stored

2026-06-15 18:10:13 +00:00 · 2026-06-15 18:10:13 +00:00 · c72e1fff66
commit c72e1fff66
parent d8cd933c9b
1 changed files with 74 additions and 0 deletions
--- a/secrets-index.md
+++ b/secrets-index.md
@ -0,0 +1,74 @@
 # Secrets Index
 > Last updated: 2026-06-15
 > This file maps services to WHERE credentials are stored — not the credentials themselves.
 > Actual secrets live in Vaultwarden (vault.spendlik.sk).
 ---
 ## 🔑 API Keys & Tokens
 | Service | Key Name | Stored In | Notes |
 |---|---|---|---|
 | Anthropic Claude API | `ANTHROPIC_API_KEY` | Vaultwarden | Used by n8n for content generation |
 | Brickset API | `BRICKSET_API_KEY` | Vaultwarden | For kocka-novinky.sk automation |
 | WebSupport API | `API_KEY` + `API_SECRET` | CT 108 `/usr/local/bin/ddns-update.sh` | HMAC-SHA1 auth, service ID `15056760` |
 | Gitea token (MCP) | `GITEA_TOKEN` | CT 112 `/opt/mcp-server/.env` | Read/write access to all repos |
 | Proxmox API token | `PROXMOX_TOKEN_SECRET` | CT 112 `/opt/mcp-server/.env` | `mcp@pam!mcp-token`, read-only |
 | WordPress App Password (kocka-novinky.sk) | `n8n` application password | Vaultwarden | User: Spendlik, for REST API |
 | Google Drive (rclone) | OAuth token | `~/.config/rclone/rclone.conf` on CachyOS | Auto-refreshes |
 ---
 ## 🌐 Service Credentials
 | Service | Username | Password Location | Notes |
 |---|---|---|---|
 | Proxmox web UI | `root` | Vaultwarden | `192.168.1.48:8006` |
 | Gitea | `spendlik` | Vaultwarden | `git.spendlik.sk` |
 | n8n | — | Vaultwarden | `automation.spendlik.sk` (Authelia protected) |
 | Paperless-ngx | admin | Vaultwarden | `paperless.spendlik.sk` |
 | Vaultwarden | spendlik@gmail.com | Master password (memorised) | `vault.spendlik.sk` |
 | Authelia | spendlik | Vaultwarden | `auth.spendlik.sk` |
 | WordPress (kocka-novinky.sk) | Spendlik | Vaultwarden | Admin panel |
 | WebSupport | — | Vaultwarden | DNS + hosting management |
 | NAS (Synology) | — | Vaultwarden | `192.168.1.12` |
 ---
 ## 🗄️ Database Credentials
 | Service | DB | User | Password Location |
 |---|---|---|---|
 | Paperless-ngx | PostgreSQL 16 | `paperless` | CT 111 `/opt/paperless/docker-compose.yml` env |
 | Vaultwarden | SQLite | — | `/opt/vaultwarden/data/db.sqlite3` in CT 115 |
 | kocka-novinky.sk WordPress | MySQL/MariaDB | — | WebSupport hosting panel + wp-config.php |
 ---
 ## 🌍 WebSupport DNS Record IDs
 > Full table also in `00_index.md`. Script: CT 108 `/usr/local/bin/ddns-update.sh`
 | Subdomain | Record ID |
 |---|---|
 | spendlik.sk | 12631197 |
 | *.spendlik.sk | 12631200 |
 | automation.spendlik.sk | 306256338 |
 | matrix.spendlik.sk | 307776273 |
 | email.spendlik.sk | 308845857 |
 | auth.spendlik.sk | 308994393 |
 | books.spendlik.sk | 311013228 |
 | jellyfin.spendlik.sk | 311384664 |
 | git.spendlik.sk | 323271195 |
 | mcp.spendlik.sk | 327475181 |
 | paperless.spendlik.sk | 328109687 |
 | vault.spendlik.sk | 330343277 |
 ---
 ## 📝 Notes
 - Never store actual secrets in this file or any Gitea file
 - When a credential is rotated, update Vaultwarden and this index (location reference only)
 - CT 112 `.env` file is the only place with live secrets outside Vaultwarden — keep it minimal