feat: kompose secrets

Projects/kompose/.env

@@ -1,28 +1,70 @@
+# ===================================================================
+# KOMPOSE - Root Configuration
+# ===================================================================
+# Non-sensitive shared configuration for all stacks
+# Sensitive values should be in secrets.env (not committed to git)
+# ===================================================================
+
+# -------------------------------------------------------------------
 # Network Configuration
+# -------------------------------------------------------------------
 NETWORK_NAME=kompose
 
-# Database Connection Settings (shared across stacks)
+# -------------------------------------------------------------------
+# Database Connection Settings (non-sensitive)
+# -------------------------------------------------------------------
 DB_USER=valknar
-DB_PASSWORD=ragnarok98
 DB_PORT=5432
 DB_HOST=postgres
 
-# Admin Settings
+# NOTE: DB_PASSWORD is in secrets.env
-ADMIN_EMAIL=valknar@pivoine.art
-ADMIN_PASSWORD=macromeat888$
 
-# Email/SMTP Settings (shared across stacks)
+# -------------------------------------------------------------------
+# Admin Settings (non-sensitive)
+# -------------------------------------------------------------------
+ADMIN_EMAIL=valknar@pivoine.art
+
+# NOTE: ADMIN_PASSWORD is in secrets.env
+
+# -------------------------------------------------------------------
+# Email/SMTP Settings (non-sensitive)
+# -------------------------------------------------------------------
 EMAIL_TRANSPORT=smtp
 EMAIL_FROM=hi@pivoine.art
 EMAIL_SMTP_HOST=smtp.ionos.de
 EMAIL_SMTP_PORT=465
 EMAIL_SMTP_USER=hi@pivoine.art
-EMAIL_SMTP_PASSWORD=jaquoment
 
-GITEA_RUNNER_REGISTRATION_TOKEN=Vncav0M9tCaezdy2O9hnGas3hGjaODU5qeiayMdC
+# NOTE: EMAIL_SMTP_PASSWORD is in secrets.env
-NEXTAUTH_SECRET=zB7m3BTke5zZ8FxXCSV9gu3RbXC67S7i4No6InWvi60
+
-JWT_TOKEN=NtUr9kvfyyQwdWfEKddDxBRx2oQEO5oy
+# -------------------------------------------------------------------
-N8N_ENCRYPTION_KEY=a858dd62a2bb22fbb7eb243b6d49a920e82db66a883d271731ae78f9d8044e8a
+# Traefik Hostnames (shared configuration)
-DIRECTUS_SECRET=5c132272-bafe-4f14-8275-baebe9b948f4
+# -------------------------------------------------------------------
-APP_SECRET=6116487b-cda1-52c2-b5b5-c8022c45e263
+# Set custom domains for each stack here
-PASSWORD_HASH=b121f10d4e0cbada1e3268381836cff9006d642e9b7023decf1d6546856607a3
+# These can be overridden in individual stack .env files if needed
+
+TRAEFIK_HOST_PROXY=proxy.pivoine.art
+TRAEFIK_HOST_AUTH=auth.pivoine.art
+TRAEFIK_HOST_AUTO=auto.pivoine.art
+TRAEFIK_HOST_BLOG=blog.pivoine.art
+TRAEFIK_HOST_CHAIN=chain.pivoine.art
+TRAEFIK_HOST_CHAT=chat.pivoine.art
+TRAEFIK_HOST_CODE=code.pivoine.art
+TRAEFIK_HOST_DASH=dash.pivoine.art
+TRAEFIK_HOST_DATA=data.pivoine.art
+TRAEFIK_HOST_DOCK=dock.pivoine.art
+TRAEFIK_HOST_DOCS=docs.pivoine.art
+TRAEFIK_HOST_HOME=home.pivoine.art
+TRAEFIK_HOST_LINK=link.pivoine.art
+TRAEFIK_HOST_NEWS=news.pivoine.art
+TRAEFIK_HOST_SEXY=sexy.pivoine.art
+TRAEFIK_HOST_TRACE=trace.pivoine.art
+TRAEFIK_HOST_TRACK=umami.pivoine.art
+TRAEFIK_HOST_VAULT=vault.pivoine.art
+TRAEFIK_HOST_VPN=vpn.pivoine.art
+
+# -------------------------------------------------------------------
+# Default Settings (can be overridden in stack .env files)
+# -------------------------------------------------------------------
+# Enable Traefik integration by default
+TRAEFIK_ENABLED=true

Projects/kompose/auth/.env

@@ -1,3 +1,7 @@
+# =================================================================
+# AUTH Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=auth
 
@@ -7,9 +11,13 @@ DOCKER_IMAGE=quay.io/keycloak/keycloak:latest
 # Database name
 DB_NAME=keycloak
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=auth.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_AUTH}
 
-# Keycloak admin credentials
+# Additional configuration
 KC_ADMIN_USERNAME=admin
-KC_ADMIN_PASSWORD=admin
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:
+#   - AUTH_KC_ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE

Projects/kompose/auth/.env.bak

@@ -0,0 +1,15 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=auth
+
+# Docker image
+DOCKER_IMAGE=quay.io/keycloak/keycloak:latest
+
+# Database name
+DB_NAME=keycloak
+
+# Traefik hostname
+TRAEFIK_HOST=auth.pivoine.art
+
+# Keycloak admin credentials
+KC_ADMIN_USERNAME=admin
+KC_ADMIN_PASSWORD=admin

Projects/kompose/auth/.env.new

@@ -1,6 +0,0 @@
-# Stack identification
-COMPOSE_PROJECT_NAME=auth
-
-# Note: All configuration variables are now in the root .env file
-# with AUTH_ prefix (e.g., AUTH_TRAEFIK_HOST, AUTH_DOCKER_IMAGE, AUTH_DB_NAME)
-# All secrets are in secrets.env (e.g., AUTH_KC_ADMIN_PASSWORD)

Projects/kompose/auto/.env

@@ -1,23 +1,28 @@
+# =================================================================
+# AUTO Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=auto
 
-# Docker images
+# Docker image
 DOCKER_IMAGE=semaphoreui/semaphore:v2.16.18
-RUNNER_IMAGE=public.ecr.aws/semaphore/pro/runner:v2.16.18
 
 # Database name
 DB_NAME=semaphore
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=auto.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_AUTO}
 
-# App settings
+# Application port
 APP_PORT=3000
 
-# Semaphore admin credentials
+# Additional configuration
+RUNNER_IMAGE=public.ecr.aws/semaphore/pro/runner:v2.16.18
 SEMAPHORE_ADMIN=admin
-SEMAPHORE_ADMIN_PASSWORD=admin
 SEMAPHORE_ADMIN_NAME=Admin
 
-# Registration token
+# NOTE: Secrets are stored in root secrets.env file
-JWT_TOKEN=changeme
+# Available secrets for this stack:
+#   - AUTO_ENCRYPTION_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE

Projects/kompose/auto/.env.bak

@@ -0,0 +1,23 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=auto
+
+# Docker images
+DOCKER_IMAGE=semaphoreui/semaphore:v2.16.18
+RUNNER_IMAGE=public.ecr.aws/semaphore/pro/runner:v2.16.18
+
+# Database name
+DB_NAME=semaphore
+
+# Traefik hostname
+TRAEFIK_HOST=auto.pivoine.art
+
+# App settings
+APP_PORT=3000
+
+# Semaphore admin credentials
+SEMAPHORE_ADMIN=admin
+SEMAPHORE_ADMIN_PASSWORD=admin
+SEMAPHORE_ADMIN_NAME=Admin
+
+# Registration token
+JWT_TOKEN=changeme

Projects/kompose/blog/.env

@@ -1,11 +1,21 @@
+# =================================================================
+# BLOG Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=blog
 
 # Docker image
 DOCKER_IMAGE=joseluisq/static-web-server:latest
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_BLOG}
 
-# App port
+# Application port
 APP_PORT=80
+
+# Additional configuration
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/blog/.env.bak

@@ -0,0 +1,11 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=blog
+
+# Docker image
+DOCKER_IMAGE=joseluisq/static-web-server:latest
+
+# Traefik hostname
+TRAEFIK_HOST=pivoine.art
+
+# App port
+APP_PORT=80

Projects/kompose/chain/.env

@@ -1,3 +1,7 @@
+# =================================================================
+# CHAIN Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=chain
 
@@ -7,22 +11,18 @@ DOCKER_IMAGE=n8nio/n8n:latest
 # Database name
 DB_NAME=n8n
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=chain.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_CHAIN}
 
-# App port
+# Application port
 APP_PORT=5678
 
-# Network
+# Additional configuration
 NETWORK_NAME=kompose
-
-# Timezone
 TZ=Europe/Paris
-
-# Encryption key for credentials
-N8N_ENCRYPTION_KEY=changeme
-
-# Basic Auth (optional, recommended for initial setup)
 N8N_BASIC_AUTH_ACTIVE=true
 N8N_BASIC_AUTH_USER=admin
-N8N_BASIC_AUTH_PASSWORD=admin
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/chain/.env.bak

@@ -0,0 +1,28 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=chain
+
+# Docker image
+DOCKER_IMAGE=n8nio/n8n:latest
+
+# Database name
+DB_NAME=n8n
+
+# Traefik hostname
+TRAEFIK_HOST=chain.pivoine.art
+
+# App port
+APP_PORT=5678
+
+# Network
+NETWORK_NAME=kompose
+
+# Timezone
+TZ=Europe/Paris
+
+# Encryption key for credentials
+N8N_ENCRYPTION_KEY=changeme
+
+# Basic Auth (optional, recommended for initial setup)
+N8N_BASIC_AUTH_ACTIVE=true
+N8N_BASIC_AUTH_USER=admin
+N8N_BASIC_AUTH_PASSWORD=admin

Projects/kompose/chat/.env

@@ -1,14 +1,23 @@
+# =================================================================
+# CHAT Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=chat
 
 # Docker image
 DOCKER_IMAGE=gotify/server:latest
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=chat.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_CHAT}
 
-# App port
+# Application port
 APP_PORT=80
 
+# Additional configuration
 GOTIFY_DEFAULTUSER_NAME=admin
 GOTIFY_DEFAULTUSER_PASS=admin
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/chat/.env.bak

@@ -0,0 +1,14 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=chat
+
+# Docker image
+DOCKER_IMAGE=gotify/server:latest
+
+# Traefik hostname
+TRAEFIK_HOST=chat.pivoine.art
+
+# App port
+APP_PORT=80
+
+GOTIFY_DEFAULTUSER_NAME=admin
+GOTIFY_DEFAULTUSER_PASS=admin

Projects/kompose/code/.env

@@ -1,3 +1,7 @@
+# =================================================================
+# CODE Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=code
 
@@ -7,20 +11,19 @@ DOCKER_IMAGE=gitea/gitea:latest
 # Database name
 DB_NAME=gitea
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=code.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_CODE}
 
-# App port (internal HTTP)
+# Application port
 APP_PORT=3000
 
-# SSH port (for git operations)
+# Additional configuration
 SSH_PORT=2222
-
-# Network
 NETWORK_NAME=kompose
-
-# SSH settings
 DISABLE_SSH=false
-
-# Email settings (optional)
 EMAIL_ENABLED=true
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:
+#   - CODE_RUNNER_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE

Projects/kompose/code/.env.bak

@@ -0,0 +1,26 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=code
+
+# Docker image
+DOCKER_IMAGE=gitea/gitea:latest
+
+# Database name
+DB_NAME=gitea
+
+# Traefik hostname
+TRAEFIK_HOST=code.pivoine.art
+
+# App port (internal HTTP)
+APP_PORT=3000
+
+# SSH port (for git operations)
+SSH_PORT=2222
+
+# Network
+NETWORK_NAME=kompose
+
+# SSH settings
+DISABLE_SSH=false
+
+# Email settings (optional)
+EMAIL_ENABLED=true

Projects/kompose/dash/.env

@@ -1,20 +1,26 @@
+# =================================================================
+# DASH Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=dash
 
 # Docker image
 DOCKER_IMAGE=ghcr.io/gethomepage/homepage:latest
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=dash.localhost
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_DASH}
 
-# App port
+# Application port
 APP_PORT=3000
 
-# Network
+# Additional configuration
 NETWORK_NAME=kompose
-
-# User/Group IDs
 PUID=1000
 PGID=1000
-
 ALLOWED_HOST=pivoine.art
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:
+#   - DASH_NEXTAUTH_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE

Projects/kompose/dash/.env.bak

@@ -0,0 +1,20 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=dash
+
+# Docker image
+DOCKER_IMAGE=ghcr.io/gethomepage/homepage:latest
+
+# Traefik hostname
+TRAEFIK_HOST=dash.localhost
+
+# App port
+APP_PORT=3000
+
+# Network
+NETWORK_NAME=kompose
+
+# User/Group IDs
+PUID=1000
+PGID=1000
+
+ALLOWED_HOST=pivoine.art

Projects/kompose/data/.env

@@ -1,6 +1,16 @@
+# =================================================================
+# DATA Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=data
 
-# Infrastructure images (can override root defaults)
+# Docker image
-# POSTGRES_IMAGE=postgres:16-alpine
+
-# REDIS_IMAGE=redis:7-alpine
+# Traefik configuration
+TRAEFIK_ENABLED=true
+
+# Additional configuration
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/data/.env.bak

@@ -0,0 +1,6 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=data
+
+# Infrastructure images (can override root defaults)
+# POSTGRES_IMAGE=postgres:16-alpine
+# REDIS_IMAGE=redis:7-alpine

Projects/kompose/dock/.env

@@ -1,14 +1,22 @@
+# =================================================================
+# DOCK Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=dock
 
 # Docker image
 DOCKER_IMAGE=louislam/dockge:1
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=dock.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_DOCK}
 
-# App port
+# Application port
 APP_PORT=5001
 
-# Stacks directory path
+# Additional configuration
 DOCKGE_STACKS_DIR=/root/repos/compose
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/dock/.env.bak

@@ -0,0 +1,14 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=dock
+
+# Docker image
+DOCKER_IMAGE=louislam/dockge:1
+
+# Traefik hostname
+TRAEFIK_HOST=dock.pivoine.art
+
+# App port
+APP_PORT=5001
+
+# Stacks directory path
+DOCKGE_STACKS_DIR=/root/repos/compose

Projects/kompose/docs/.env

@@ -1,3 +1,18 @@
+# =================================================================
+# DOCS Stack Configuration
+# =================================================================
+
+# Stack identification
 COMPOSE_PROJECT_NAME=docs
-TRAEFIK_HOST=docs.pivoine.art
+
+# Docker image
 DOCKER_IMAGE=joseluisq/static-web-server:latest
+
+# Traefik configuration
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_DOCS}
+
+# Additional configuration
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/docs/.env.bak

@@ -0,0 +1,3 @@
+COMPOSE_PROJECT_NAME=docs
+TRAEFIK_HOST=docs.pivoine.art
+DOCKER_IMAGE=joseluisq/static-web-server:latest

Projects/kompose/home/.env

@@ -1,17 +1,23 @@
+# =================================================================
+# HOME Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=home
 
 # Docker image
 DOCKER_IMAGE=ghcr.io/home-assistant/home-assistant:stable
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=home.localhost
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_HOME}
 
-# App port
+# Application port
 APP_PORT=8123
 
-# Network
+# Additional configuration
 NETWORK_NAME=kompose
-
-# Timezone (important for automations!)
 TZ=Europe/Paris
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/home/.env.bak

@@ -0,0 +1,17 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=home
+
+# Docker image
+DOCKER_IMAGE=ghcr.io/home-assistant/home-assistant:stable
+
+# Traefik hostname
+TRAEFIK_HOST=home.localhost
+
+# App port
+APP_PORT=8123
+
+# Network
+NETWORK_NAME=kompose
+
+# Timezone (important for automations!)
+TZ=Europe/Paris

Projects/kompose/link/.env

@@ -1,3 +1,7 @@
+# =================================================================
+# LINK Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=link
 
@@ -7,19 +11,18 @@ DOCKER_IMAGE=ghcr.io/linkwarden/linkwarden:latest
 # Database name
 DB_NAME=linkwarden
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=link.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_LINK}
 
-# App port
+# Application port
 APP_PORT=3000
 
-# Network
+# Additional configuration
 NETWORK_NAME=kompose
-
-# NextAuth Secret
-NEXTAUTH_SECRET=changeme
-
-# Features
 DISABLE_SCREENSHOT=false
 DISABLE_ARCHIVE=false
 DISABLE_REGISTRATION=true
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/link/.env.bak

@@ -0,0 +1,25 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=link
+
+# Docker image
+DOCKER_IMAGE=ghcr.io/linkwarden/linkwarden:latest
+
+# Database name
+DB_NAME=linkwarden
+
+# Traefik hostname
+TRAEFIK_HOST=link.pivoine.art
+
+# App port
+APP_PORT=3000
+
+# Network
+NETWORK_NAME=kompose
+
+# NextAuth Secret
+NEXTAUTH_SECRET=changeme
+
+# Features
+DISABLE_SCREENSHOT=false
+DISABLE_ARCHIVE=false
+DISABLE_REGISTRATION=true

Projects/kompose/migrate-stack-env.sh

@@ -0,0 +1,176 @@
+#!/usr/bin/env bash
+
+# ===================================================================
+# Kompose Stack .env Migration Script
+# ===================================================================
+# This script updates all stack .env files to:
+# 1. Add TRAEFIK_ENABLED=true (if not present)
+# 2. Update TRAEFIK_HOST to use root .env variable
+# 3. Remove sensitive secrets (move to secrets.env)
+# 4. Add standardized comments
+# ===================================================================
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+RESET='\033[0m'
+
+log_info() {
+    echo -e "${BLUE}[INFO]${RESET} $*"
+}
+
+log_success() {
+    echo -e "${GREEN}[SUCCESS]${RESET} $*"
+}
+
+log_warning() {
+    echo -e "${YELLOW}[WARNING]${RESET} $*"
+}
+
+update_stack_env() {
+    local stack="$1"
+    local env_file="${SCRIPT_DIR}/${stack}/.env"
+    
+    if [[ ! -f "${env_file}" ]]; then
+        log_warning "No .env file in ${stack}, skipping"
+        return
+    fi
+    
+    log_info "Updating ${stack}/.env..."
+    
+    local temp_file="${env_file}.new"
+    
+    # Read stack name
+    local project_name=$(grep "^COMPOSE_PROJECT_NAME=" "${env_file}" | cut -d= -f2)
+    local has_traefik_enabled=false
+    local has_traefik_host=false
+    
+    # Check if file already has TRAEFIK_ENABLED
+    if grep -q "^TRAEFIK_ENABLED=" "${env_file}"; then
+        has_traefik_enabled=true
+    fi
+    
+    # Check if file has TRAEFIK_HOST
+    if grep -q "^TRAEFIK_HOST=" "${env_file}"; then
+        has_traefik_host=true
+    fi
+    
+    # Start building new file
+    {
+        echo "# ================================================================="
+        echo "# ${stack^^} Stack Configuration"
+        echo "# ================================================================="
+        echo ""
+        echo "# Stack identification"
+        
+        # Copy COMPOSE_PROJECT_NAME
+        grep "^COMPOSE_PROJECT_NAME=" "${env_file}" || echo "COMPOSE_PROJECT_NAME=${stack}"
+        
+        echo ""
+        echo "# Docker image"
+        grep "^DOCKER_IMAGE=" "${env_file}" 2>/dev/null || true
+        
+        # Add database if present
+        if grep -q "^DB_NAME=" "${env_file}"; then
+            echo ""
+            echo "# Database name"
+            grep "^DB_NAME=" "${env_file}"
+        fi
+        
+        echo ""
+        echo "# Traefik configuration"
+        
+        # Add TRAEFIK_ENABLED if not present
+        if ${has_traefik_enabled}; then
+            grep "^TRAEFIK_ENABLED=" "${env_file}"
+        else
+            echo "TRAEFIK_ENABLED=true"
+        fi
+        
+        # Update TRAEFIK_HOST to reference root variable
+        if ${has_traefik_host}; then
+            local uppercase_stack=$(echo "${stack}" | tr '[:lower:]' '[:upper:]')
+            echo "TRAEFIK_HOST=\${TRAEFIK_HOST_${uppercase_stack}}"
+        fi
+        
+        # Copy APP_PORT if present
+        if grep -q "^APP_PORT=" "${env_file}"; then
+            echo ""
+            echo "# Application port"
+            grep "^APP_PORT=" "${env_file}"
+        fi
+        
+        # Copy other non-sensitive variables
+        echo ""
+        echo "# Additional configuration"
+        grep -v "^COMPOSE_PROJECT_NAME=" "${env_file}" | \
+        grep -v "^DOCKER_IMAGE=" | \
+        grep -v "^DB_NAME=" | \
+        grep -v "^TRAEFIK_ENABLED=" | \
+        grep -v "^TRAEFIK_HOST=" | \
+        grep -v "^APP_PORT=" | \
+        grep -v "^#" | \
+        grep -v "^$" | \
+        grep -v "_SECRET=" | \
+        grep -v "_PASSWORD=" | \
+        grep -v "_TOKEN=" | \
+        grep -v "_KEY=" || true
+        
+        # Add note about secrets
+        echo ""
+        echo "# NOTE: Secrets are stored in root secrets.env file"
+        echo "# Available secrets for this stack:"
+        local uppercase_stack=$(echo "${stack}" | tr '[:lower:]' '[:upper:]')
+        
+        # List stack-specific secrets from template
+        if [[ -f "${SCRIPT_DIR}/secrets.env.template" ]]; then
+            grep "^${uppercase_stack}_" "${SCRIPT_DIR}/secrets.env.template" | \
+            sed 's/^/#   - /' || true
+        fi
+        
+    } > "${temp_file}"
+    
+    # Show diff
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "Changes for ${stack}/.env:"
+    diff -u "${env_file}" "${temp_file}" || true
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+    
+    # Ask for confirmation
+    read -p "Apply these changes? (y/N): " -n 1 -r
+    echo
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        mv "${env_file}" "${env_file}.bak"
+        mv "${temp_file}" "${env_file}"
+        log_success "Updated ${stack}/.env (backup: ${stack}/.env.bak)"
+    else
+        rm "${temp_file}"
+        log_info "Skipped ${stack}/.env"
+    fi
+}
+
+# Main migration
+main() {
+    log_info "Starting stack .env migration..."
+    echo ""
+    
+    # Get all stacks
+    local stacks=(auth auto blog chain chat code dash data dock docs home link news proxy sexy trace track vault vpn)
+    
+    for stack in "${stacks[@]}"; do
+        if [[ -d "${SCRIPT_DIR}/${stack}" ]]; then
+            update_stack_env "${stack}"
+            echo ""
+        fi
+    done
+    
+    log_success "Migration complete!"
+    log_info "Review the changes and test with: ./kompose.sh --list"
+}
+
+main "$@"

Projects/kompose/news/.env

@@ -1,14 +1,24 @@
+# =================================================================
+# NEWS Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=news
 
+# Docker image
+
 # Database name
 DB_NAME=letterspace
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=news.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_NEWS}
 
-# App settings
+# Application port
 APP_PORT=5000
 
-# JWT secret (generate with: openssl rand -hex 32)
+# Additional configuration
-JWT_SECRET=changeme
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:
+#   - NEWS_JWT_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE

Projects/kompose/news/.env.bak

@@ -0,0 +1,14 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=news
+
+# Database name
+DB_NAME=letterspace
+
+# Traefik hostname
+TRAEFIK_HOST=news.pivoine.art
+
+# App settings
+APP_PORT=5000
+
+# JWT secret (generate with: openssl rand -hex 32)
+JWT_SECRET=changeme

Projects/kompose/proxy/.env

@@ -1,5 +1,17 @@
+# =================================================================
+# PROXY Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=proxy
 
 # Docker image
 DOCKER_IMAGE=traefik:latest
+
+# Traefik configuration
+TRAEFIK_ENABLED=true
+
+# Additional configuration
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/proxy/.env.bak

@@ -0,0 +1,5 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=proxy
+
+# Docker image
+DOCKER_IMAGE=traefik:latest

Projects/kompose/secrets.env.template

@@ -2,50 +2,85 @@
 # KOMPOSE - Secrets Configuration
 # ===================================================================
 # This file contains SENSITIVE data and should NOT be committed to git.
-# Add secrets.env to your .gitignore file!
+# Ensure secrets.env is in your .gitignore file!
 #
-# Generate random secrets with: ./kompose.sh --generate-secrets
+# Generate random secrets with: ./kompose.sh secrets generate
+# List all secrets with:        ./kompose.sh secrets list
+# Validate configuration:       ./kompose.sh secrets validate
+# Rotate a secret:              ./kompose.sh secrets rotate SECRET_NAME
 # ===================================================================
 
 # -------------------------------------------------------------------
-# Database Passwords (Shared)
+# Shared Database Secrets
 # -------------------------------------------------------------------
 DB_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
 
 # -------------------------------------------------------------------
-# Admin Passwords
+# Shared Admin Secrets
 # -------------------------------------------------------------------
 ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
 
 # -------------------------------------------------------------------
-# Email/SMTP Passwords
+# Shared Email/SMTP Secrets
 # -------------------------------------------------------------------
 EMAIL_SMTP_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
 
 # -------------------------------------------------------------------
 # AUTH Stack Secrets (Keycloak)
+# Scope: auth.pivoine.art
 # -------------------------------------------------------------------
 AUTH_KC_ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
 
 # -------------------------------------------------------------------
-# TRACK Stack Secrets (Umami)
+# CODE Stack Secrets (Gitea)
+# Scope: code.pivoine.art
+# -------------------------------------------------------------------
+CODE_RUNNER_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
+# -------------------------------------------------------------------
+# AUTO Stack Secrets (n8n)
+# Scope: auto.pivoine.art
+# -------------------------------------------------------------------
+AUTO_ENCRYPTION_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
+# -------------------------------------------------------------------
+# SEXY Stack Secrets (Directus)
+# Scope: sexy.pivoine.art
+# -------------------------------------------------------------------
+SEXY_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+SEXY_ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
+# -------------------------------------------------------------------
+# DASH Stack Secrets (NextAuth)
+# Scope: dash.pivoine.art
+# -------------------------------------------------------------------
+DASH_NEXTAUTH_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
+# -------------------------------------------------------------------
+# NEWS Stack Secrets (Letterspace)
+# Scope: news.pivoine.art
+# -------------------------------------------------------------------
+NEWS_JWT_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
+# -------------------------------------------------------------------
+# TRACK Stack Secrets (Umami)
+# Scope: umami.pivoine.art
 # -------------------------------------------------------------------
-# APP_SECRET for Umami (64 character hex string)
 TRACK_APP_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
 
 # -------------------------------------------------------------------
-# Add more stack secrets below (scope them with stack name)
+# CHAT Stack Secrets
+# Scope: chat.pivoine.art
 # -------------------------------------------------------------------
-# BLOG_SECRET_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE
 # CHAT_ENCRYPTION_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE
-# DATA_DIRECTUS_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
-# CODE_GITEA_RUNNER_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
-# etc...
 
-# Example secrets from your current .env that should be scoped:
+# -------------------------------------------------------------------
-# GITEA_RUNNER_REGISTRATION_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# VAULT Stack Secrets (Vaultwarden)
-# NEXTAUTH_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# Scope: vault.pivoine.art
-# JWT_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# -------------------------------------------------------------------
-# N8N_ENCRYPTION_KEY=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# VAULT_ADMIN_TOKEN=CHANGE_ME_GENERATE_WITH_KOMPOSE
-# DIRECTUS_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+
-# PASSWORD_HASH=CHANGE_ME_GENERATE_WITH_KOMPOSE
+# -------------------------------------------------------------------
+# Additional Stack Secrets
+# Follow the naming convention: STACKNAME_SECRET_PURPOSE
+# -------------------------------------------------------------------

Projects/kompose/sexy/.env

@@ -1,54 +1,44 @@
+# =================================================================
+# SEXY Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=sexy
 
-# Docker images
+# Docker image
 DOCKER_IMAGE=directus/directus:11.12.0
-FRONTEND_IMAGE=node:22
 
 # Database name
 DB_NAME=directus
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=sexy.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_SEXY}
 
-# App settings
+# Application port
 APP_PORT=8055
+
+# Additional configuration
+FRONTEND_IMAGE=node:22
 FRONTEND_PORT=3000
-
-# Directus secret (generate with: openssl rand -hex 32)
-DIRECTUS_SECRET=changeme
-
-# Cache Configuration
 CACHE_ENABLED=true
 CACHE_AUTO_PURGE=true
-
-# Admin credentials
-ADMIN_PASSWORD=admin
-
-# WebSocket Configuration
 WEBSOCKETS_ENABLED=true
-
-# URL Configuration
 PUBLIC_URL=https://sexy.pivoine.art/api
-
-# CORS Configuration
 CORS_ENABLED=true
 CORS_ORIGIN=https://sexy.pivoine.art
 CORS_CREDENTIALS=true
-
-# Cookie Configuration
 SESSION_COOKIE_SECURE=true
 SESSION_COOKIE_SAME_SITE=strict
 SESSION_COOKIE_DOMAIN=sexy.pivoine.art
-
-# Extensions Configuration
 EXTENSIONS_PATH=./extensions
 EXTENSIONS_AUTO_RELOAD=true
 DIRECTUS_BUNDLE=/var/www/sexy.pivoine.art/packages/bundle
-
-# Content Security Policy
 CONTENT_SECURITY_POLICY_DIRECTIVES__FRAME_SRC=https://sexy.pivoine.art
-
-# User registration and password reset URLs
 USER_REGISTER_URL_ALLOW_LIST=https://sexy.pivoine.art/signup/verify
 PASSWORD_RESET_URL_ALLOW_LIST=https://sexy.pivoine.art/password/reset
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:
+#   - SEXY_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE
+#   - SEXY_ADMIN_PASSWORD=CHANGE_ME_GENERATE_WITH_KOMPOSE

Projects/kompose/sexy/.env.bak

@@ -0,0 +1,54 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=sexy
+
+# Docker images
+DOCKER_IMAGE=directus/directus:11.12.0
+FRONTEND_IMAGE=node:22
+
+# Database name
+DB_NAME=directus
+
+# Traefik hostname
+TRAEFIK_HOST=sexy.pivoine.art
+
+# App settings
+APP_PORT=8055
+FRONTEND_PORT=3000
+
+# Directus secret (generate with: openssl rand -hex 32)
+DIRECTUS_SECRET=changeme
+
+# Cache Configuration
+CACHE_ENABLED=true
+CACHE_AUTO_PURGE=true
+
+# Admin credentials
+ADMIN_PASSWORD=admin
+
+# WebSocket Configuration
+WEBSOCKETS_ENABLED=true
+
+# URL Configuration
+PUBLIC_URL=https://sexy.pivoine.art/api
+
+# CORS Configuration
+CORS_ENABLED=true
+CORS_ORIGIN=https://sexy.pivoine.art
+CORS_CREDENTIALS=true
+
+# Cookie Configuration
+SESSION_COOKIE_SECURE=true
+SESSION_COOKIE_SAME_SITE=strict
+SESSION_COOKIE_DOMAIN=sexy.pivoine.art
+
+# Extensions Configuration
+EXTENSIONS_PATH=./extensions
+EXTENSIONS_AUTO_RELOAD=true
+DIRECTUS_BUNDLE=/var/www/sexy.pivoine.art/packages/bundle
+
+# Content Security Policy
+CONTENT_SECURITY_POLICY_DIRECTIVES__FRAME_SRC=https://sexy.pivoine.art
+
+# User registration and password reset URLs
+USER_REGISTER_URL_ALLOW_LIST=https://sexy.pivoine.art/signup/verify
+PASSWORD_RESET_URL_ALLOW_LIST=https://sexy.pivoine.art/password/reset

Projects/kompose/trace/.env

@@ -1,25 +1,31 @@
+# =================================================================
+# TRACE Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=trace
 
-# Traefik hostname
+# Docker image
-TRAEFIK_HOST=trace.pivoine.art
 
-# App port (SigNoz UI)
+# Traefik configuration
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_TRACE}
+
+# Application port
 APP_PORT=8080
 
-# Docker images
+# Additional configuration
 SIGNOZ_IMAGE=signoz/signoz:v0.96.1
 OTELCOL_IMAGE=signoz/signoz-otel-collector:v0.129.6
 CLICKHOUSE_IMAGE=clickhouse/clickhouse-server:25.5.6
 ZOOKEEPER_IMAGE=signoz/zookeeper:3.7.1
-
-# Port configuration
 SIGNOZ_API_PORT=4320
 SIGNOZ_PPROF_PORT=6060
 CLICKHOUSE_PORT=9000
 CLICKHOUSE_HTTP_PORT=8123
 CLICKHOUSE_METRICS_PORT=9181
-
-# Feature flags
 TELEMETRY_ENABLED=true
 DOT_METRICS_ENABLED=true
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/trace/.env.bak

@@ -0,0 +1,25 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=trace
+
+# Traefik hostname
+TRAEFIK_HOST=trace.pivoine.art
+
+# App port (SigNoz UI)
+APP_PORT=8080
+
+# Docker images
+SIGNOZ_IMAGE=signoz/signoz:v0.96.1
+OTELCOL_IMAGE=signoz/signoz-otel-collector:v0.129.6
+CLICKHOUSE_IMAGE=clickhouse/clickhouse-server:25.5.6
+ZOOKEEPER_IMAGE=signoz/zookeeper:3.7.1
+
+# Port configuration
+SIGNOZ_API_PORT=4320
+SIGNOZ_PPROF_PORT=6060
+CLICKHOUSE_PORT=9000
+CLICKHOUSE_HTTP_PORT=8123
+CLICKHOUSE_METRICS_PORT=9181
+
+# Feature flags
+TELEMETRY_ENABLED=true
+DOT_METRICS_ENABLED=true

Projects/kompose/track/.env

@@ -1,3 +1,7 @@
+# =================================================================
+# TRACK Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=track
 
@@ -7,11 +11,15 @@ DOCKER_IMAGE=ghcr.io/umami-software/umami:postgresql-latest
 # Database name
 DB_NAME=umami
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=umami.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_TRACK}
 
-# App settings
+# Application port
 APP_PORT=3000
 
-# App secret (generate with: openssl rand -hex 32)
+# Additional configuration
-APP_SECRET=changeme
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:
+#   - TRACK_APP_SECRET=CHANGE_ME_GENERATE_WITH_KOMPOSE

Projects/kompose/track/.env.bak

@@ -0,0 +1,17 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=track
+
+# Docker image
+DOCKER_IMAGE=ghcr.io/umami-software/umami:postgresql-latest
+
+# Database name
+DB_NAME=umami
+
+# Traefik hostname
+TRAEFIK_HOST=umami.pivoine.art
+
+# App settings
+APP_PORT=3000
+
+# App secret (generate with: openssl rand -hex 32)
+APP_SECRET=changeme

Projects/kompose/track/.env.new

@@ -1,6 +0,0 @@
-# Stack identification
-COMPOSE_PROJECT_NAME=track
-
-# Note: All configuration variables are now in the root .env file
-# with TRACK_ prefix (e.g., TRACK_TRAEFIK_HOST, TRACK_DOCKER_IMAGE)
-# All secrets are in secrets.env (e.g., TRACK_APP_SECRET)

Projects/kompose/vault/.env

@@ -1,25 +1,26 @@
+# =================================================================
+# VAULT Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=vault
 
 # Docker image
 DOCKER_IMAGE=vaultwarden/server:latest
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=vault.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_VAULT}
 
-# App port
+# Application port
 APP_PORT=80
 
-# Admin token (generate with: openssl rand -base64 32)
+# Additional configuration
-JWT_TOKEN=changeme
-
-# WebSocket Configuration
 WEBSOCKET_ENABLED=true
 SIGNUPS_ALLOWED=false
-
-# SMTP Settings (using root .env values)
 SMTP_SECURITY=force_tls
 SMTP_TIMEOUT=15
-
-# Domain
 DOMAIN=https://vault.pivoine.art
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/vault/.env.bak

@@ -0,0 +1,25 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=vault
+
+# Docker image
+DOCKER_IMAGE=vaultwarden/server:latest
+
+# Traefik hostname
+TRAEFIK_HOST=vault.pivoine.art
+
+# App port
+APP_PORT=80
+
+# Admin token (generate with: openssl rand -base64 32)
+JWT_TOKEN=changeme
+
+# WebSocket Configuration
+WEBSOCKET_ENABLED=true
+SIGNUPS_ALLOWED=false
+
+# SMTP Settings (using root .env values)
+SMTP_SECURITY=force_tls
+SMTP_TIMEOUT=15
+
+# Domain
+DOMAIN=https://vault.pivoine.art

Projects/kompose/vpn/.env

@@ -1,27 +1,29 @@
+# =================================================================
+# VPN Stack Configuration
+# =================================================================
+
 # Stack identification
 COMPOSE_PROJECT_NAME=vpn
 
 # Docker image
 DOCKER_IMAGE=ghcr.io/wg-easy/wg-easy:15
 
-# Traefik hostname
+# Traefik configuration
-TRAEFIK_HOST=vpn.pivoine.art
+TRAEFIK_ENABLED=true
+TRAEFIK_HOST=${TRAEFIK_HOST_VPN}
 
-# App port
+# Application port
 APP_PORT=51821
 
-# WireGuard port
+# Additional configuration
 WG_PORT=51820
-
-# WireGuard host (public IP or domain)
 WG_HOST=vpn.pivoine.art
-
-# Password hash (generate with: echo -n 'your-password' | npx bcrypt-cli)
 PASSWORD_HASH=changeme
-
-# Optional settings
 WG_DEFAULT_DNS=1.1.1.1
 WG_ALLOWED_IPS=0.0.0.0/0,::/0
 LANG=en
 UI_TRAFFIC_STATS=true
 UI_CHART_TYPE=0
+
+# NOTE: Secrets are stored in root secrets.env file
+# Available secrets for this stack:

Projects/kompose/vpn/.env.bak

@@ -0,0 +1,27 @@
+# Stack identification
+COMPOSE_PROJECT_NAME=vpn
+
+# Docker image
+DOCKER_IMAGE=ghcr.io/wg-easy/wg-easy:15
+
+# Traefik hostname
+TRAEFIK_HOST=vpn.pivoine.art
+
+# App port
+APP_PORT=51821
+
+# WireGuard port
+WG_PORT=51820
+
+# WireGuard host (public IP or domain)
+WG_HOST=vpn.pivoine.art
+
+# Password hash (generate with: echo -n 'your-password' | npx bcrypt-cli)
+PASSWORD_HASH=changeme
+
+# Optional settings
+WG_DEFAULT_DNS=1.1.1.1
+WG_ALLOWED_IPS=0.0.0.0/0,::/0
+LANG=en
+UI_TRAFFIC_STATS=true
+UI_CHART_TYPE=0