A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
What I have seen people do in the past is use ansible secrets to secure the env file.
So only when the playbook is running does the env get decrypted.
Digital Ocean has an extensive how to on it.
https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data
See if a light weight kubernetes installation is for you. Secrets are first class citizens in k8s. You can maintain secrets in a number of different ways, but they are exposed to containers the same way. They can become files or environment variables, whether you need.
I recommend looking at k3s to run on your Pi and see if that works for you. You can add vault software on top of that later without changing your containers.
I would look into something like Doppler instead of Vault. (I don't trust any company acquired by IBM. They have been aquiring and enshittifying companies before there was even a name for it.)
Look into how any different solutions need their keys presented. Dumping the creds in ENV is generally fine since the keys will need to be stored and used somehow. You might need a dedicated user account to manage keys in its home folder.
This is actually a host security problem, not generally a key storage problem per se. Regardless of how you have a vault setup, my approach here is to create a single host that acts as a gateway for the rest of the credentials. (This applies to if keys are stored in "the cloud" or in a local database somewhere.)
Since you are going to using a Pi, you should focus on that being a restricted host: Only run your chosen vault solution on it. Period. Secure and patch it to the best of your ability and use very specific host firewall rules for minimum connectivity. Ie: Have one user for ssh in and limit another user account to managing vault, preferably without needing any kind of elevated access. This is actually a perfect use case for SELinux since you can put in some decent restrictions on the host for a single app (and it's supporting apps...)
If you are paranoid enough to run a HIDS, you can turn on all the events for any type of root account actions. In theory once the host is configured, you shouldn't need root again until you start performing patches.