feat: decouple user-specific config from committed scaffolding
Separate scaffolding (committed, generic, shared) from user-specific
data (gitignored, templated, synced from the operator's machine) so the
repo can be cloned and deployed by anyone without editing a committed
file.
Two mechanisms, one posture (local + gitignored + synced):
- User-identity env vars -> .env (consumed by Quadlets via
EnvironmentFile and by scripts via sourcing). ensure_env is relocated
from server-side deploy.sh to the local sync wrapper (deploy-to.sh):
*_SECRET auto-generation runs on the operator's machine, not the VPS.
The wrapper syncs .env local->server; the old .example-as-reference
server sync is removed.
- Application data files (Caddyfiles, frps.toml) -> per-Host user data
in hosts/<host>/ (gitignored). A committed hosts/example/ skeleton
bundles templates with CHANGE_ME placeholders; config/ becomes
template-only — real bind-mounted data reaches the server only via
the hosts/<host>/ overlay.
A new check_placeholders step in deploy.sh rejects any surviving
CHANGE_ME in .env or under config/ post-sync, failing with a list of
offending files/keys.
Server templates follow the same pattern: servers/alma-linux-9 is the
committed bootstrap template (YOUR_SERVER_IP); real server dirs are
gitignored via servers/* + !servers/alma-linux-9/.
Extraction: JMAP_SERVER_URL and STALWART_PUBLIC_URL move out of the
mail Quadlet Environment= lines into .env.example; refresh-certs.sh
sources .env for DOMAIN instead of hardcoding. No committed file
contains the real domain or VPS IP.
ADRs 0002 and 0003 amended. CONTEXT.md 'Secret config' term updated.
Repo README gains a Getting started section; apps/README secrets and
host-config sections rewritten; per-App setup docs added (mail, proxy).
BREAKING CHANGE: operators must provision .env locally before deploy
(ensure_env runs locally now, not on the server). The created-on-
server secret path is removed; Skate (or equivalent) is the supported
alternative for stronger secret isolation.
Refs: .scratch/decouple-user-config/PRD.md, issues 01-05
feat: decouple user-specific config from committed scaffolding
Separate scaffolding (committed, generic, shared) from user-specific
data (gitignored, templated, synced from the operator's machine) so the
repo can be cloned and deployed by anyone without editing a committed
file.
Two mechanisms, one posture (local + gitignored + synced):
- User-identity env vars -> .env (consumed by Quadlets via
EnvironmentFile and by scripts via sourcing). ensure_env is relocated
from server-side deploy.sh to the local sync wrapper (deploy-to.sh):
*_SECRET auto-generation runs on the operator's machine, not the VPS.
The wrapper syncs .env local->server; the old .example-as-reference
server sync is removed.
- Application data files (Caddyfiles, frps.toml) -> per-Host user data
in hosts/<host>/ (gitignored). A committed hosts/example/ skeleton
bundles templates with CHANGE_ME placeholders; config/ becomes
template-only — real bind-mounted data reaches the server only via
the hosts/<host>/ overlay.
A new check_placeholders step in deploy.sh rejects any surviving
CHANGE_ME in .env or under config/ post-sync, failing with a list of
offending files/keys.
Server templates follow the same pattern: servers/alma-linux-9 is the
committed bootstrap template (YOUR_SERVER_IP); real server dirs are
gitignored via servers/* + !servers/alma-linux-9/.
Extraction: JMAP_SERVER_URL and STALWART_PUBLIC_URL move out of the
mail Quadlet Environment= lines into .env.example; refresh-certs.sh
sources .env for DOMAIN instead of hardcoding. No committed file
contains the real domain or VPS IP.
ADRs 0002 and 0003 amended. CONTEXT.md 'Secret config' term updated.
Repo README gains a Getting started section; apps/README secrets and
host-config sections rewritten; per-App setup docs added (mail, proxy).
BREAKING CHANGE: operators must provision .env locally before deploy
(ensure_env runs locally now, not on the server). The created-on-
server secret path is removed; Skate (or equivalent) is the supported
alternative for stronger secret isolation.
Refs: .scratch/decouple-user-config/PRD.md, issues 01-05