From f3eea007f7fca698ee661a623f07ded187184086 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Gra=CC=88fenstein?=
Date: Sun, 22 Mar 2026 12:38:17 +0100
Subject: [PATCH] improve .env handling
---
 scripts/deploy.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index d1f3fa8..e91e54e 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -72,6 +72,14 @@ for svc in nextcloud gitea monitoring; do
 fi
 done
 
+# ------------------------------------------------------------------
+# Lock down .env files (readable only by root)
+# ------------------------------------------------------------------
+echo "==> Securing .env files..."
+for envfile in "$REPO_ROOT"/.env "$REPO_ROOT"/*/.env; do
+ [ -f "$envfile" ] && chmod 600 "$envfile" && chown root:root "$envfile"
+done
+
 # ------------------------------------------------------------------
 # Start all stacks
 # ------------------------------------------------------------------
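Review bot: A failed `chmod` in the added loop goes unnoticed because it sits in the middle of the `&&` list, so the deploy carries on to "Start all stacks" with the secrets file still at its previous mode. That holds even under `set -e`, and whether the script sets it is not visible in this hunk. `[ -f ]`, `chmod` and `chown` also follow symlinks, so a `.env` that is a symlink gets its target's mode and owner changed, and that target may lie outside `$REPO_ROOT`. I would split the loop body into `[ -f "$envfile" ] && [ ! -L "$envfile" ] || continue`, `chown root:root "$envfile" || exit 1` and `chmod 600 "$envfile" || exit 1`, so links are skipped and either failure stops the deploy before the stacks start. The glob only reaches `.env` at the root and one directory down, which the header comment could say so that deeper or differently named secrets files are not assumed to be covered.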