Check them into Git, but be cautious about credentials that might live in the env files that you don't want to expose if you end up making the repo publicly available.
That is an option I've been thinking about but I've never used it, I'm not a dev. Maybe I'll look at it more seriously since it does sound like what would work best, I'd really appreciate the versioning. Thanks!
Definitely worth a shot.
One thing I do to prevent stuff from getting into a public git repo is:
- In the git repo, make a file called `.gitignore` then add the line `.env` to it. Then git will ignore any file named `.env`
- edit compose files from a computer that is separate from the one that gets secrets. I have my desktop setup to push to github. Then I make a change, then simply run `git pull` on my server to download the changes.
- make the .env only viewable by root (you'll have to use `sudo nano`) by running `sudo chmod 600 .env && sudo chown root:root .env`
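The checks from the comment above (`.env` listed in `.gitignore`, mode 600, owner root:root), written as an added shell example that is not code from anyone in the thread. It assumes GNU `stat` on Linux and that `.env` and `.gitignore` sit at the repo root; `audit_env_file` is a hypothetical name, and the "already tracked" check goes one step beyond what the comment lists.

```shell
#!/usr/bin/env bash
# Added example: audit the .env handling described in the comment above.
# Assumptions: GNU stat (Linux); .env and .gitignore are at the repo root.
# audit_env_file is a hypothetical helper name, not from the thread.

audit_env_file() {
    local dir="${1:-.}" want_owner="${2:-root:root}" problems=0
    local envfile="$dir/.env" mode owner

    if [ ! -f "$envfile" ]; then
        echo "no .env in $dir, nothing to check"
        return 0
    fi

    # 1. The file must be ignored. Inside a repo ask git itself, so patterns
    #    such as *.env count; otherwise look for the literal line ".env".
    if [ -e "$dir/.git" ]; then
        git -C "$dir" check-ignore -q --no-index .env \
            || { echo "FAIL: no ignore rule matches .env"; problems=$((problems + 1)); }
        # .gitignore does not untrack a file that was already committed.
        if git -C "$dir" ls-files --error-unmatch .env >/dev/null 2>&1; then
            echo "FAIL: .env is already tracked (git rm --cached .env)"
            problems=$((problems + 1))
        fi
    elif ! grep -qxF '.env' "$dir/.gitignore" 2>/dev/null; then
        echo "FAIL: .gitignore has no .env line"
        problems=$((problems + 1))
    fi

    # 2. chmod 600: no access for group or other.
    mode=$(stat -c '%a' "$envfile")
    [ "$mode" = 600 ] || { echo "FAIL: mode is $mode, expected 600"; problems=$((problems + 1)); }

    # 3. chown root:root (or whichever owner was passed as the second argument).
    owner=$(stat -c '%U:%G' "$envfile")
    [ "$owner" = "$want_owner" ] || { echo "FAIL: owner is $owner, expected $want_owner"; problems=$((problems + 1)); }

    [ "$problems" -eq 0 ] && echo "OK: .env is ignored, mode $mode, owner $owner"
    return "$problems"
}
```

Source the file and call `audit_env_file /path/to/repo`; the exit status is the number of failed checks.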
Docker compose in git. Env in 1password or whatever password manager you use. Most support uploading a raw file.
I have mine in git! I have:
- docker
  - .env
  - <thing name>
    - dockers-compose.yml

Then using `docker compose --env-file ../.env -v up -d` it uses the above .env file. (`../` means up one folder)
For more details and a bunch of my compose files checkout my repo! https://github.com/shadybraden/homelab/tree/main/docker
Keeping backup of .env means exposing sensitive creds?
In my particular case I only have a few .env files and they don't have any credentials in them. This is mostly for the docker-compose files.
You can specify a folder in your files for configs, and a different one for the compose and env:
- config
  - <container_config>
- docker
  - container
    - compose.yml

Edit: then you can map your volume not to `./config:/config` but instead to `/config/containerName:/config`
Backups are encrypted so it shouldn't be an issue.
what about a local, encrypted backup
It’s like you have secrets that you pull in to build your .env which should only be used by the stuff that needs it and it’s not shared.
I’m assuming this is a production backup and the idea that someone has a prod .env file gives me the Willies.
I'd want to change all the cards.
I mean... just back them up like any other file. If you want them and nothing else, then do an exclude all and then include after for those files.
But you also need to backup the rest of the data, so I'm not sure why you'd want to exclude all the other folders.
As a Mac user, I like Time Machine for backups. It’s not perfect, but it gets the job done. There is a Linux version.
Nb. I’ve not used this particular software, so YMMV.