Secrets are the most fragile part of any stack.
Lose one, and the whole system can fall apart.
But solo-ops often handle them casually: keys hard-coded into configs, passwords in plain text.
Keep Secrets Out of the Repo
Whatever you’re building — Hugo site, automation scripts, deployment configs — never commit credentials:
- Add .env or secret config files to .gitignore
- Scan your repo periodically for accidental leaks
- Assume anything in version control is public eventually
Future you will make mistakes. Plan for that.
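
A small periodic check for the list above, added here as an example and not part of the original post: it confirms that .env is ignored and flags hard-coded credentials in a working tree without echoing their values. The two rules, the simplified .gitignore matching and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Illustrative rules only; dedicated scanners ship far larger rule sets.
RULES = {
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(
        r"(?i)\b(?:password|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}
# Values that point at the environment instead of embedding the secret.
REFERENCE = re.compile(r"^(?:\$|os\.environ|os\.getenv|getenv)")
ENV_IGNORE_LINES = {".env", "/.env", ".env*", "*.env"}  # simplified gitignore check

def env_is_ignored(repo: Path) -> bool:
    gitignore = repo / ".gitignore"
    if not gitignore.is_file():
        return False
    return any(l.strip() in ENV_IGNORE_LINES for l in gitignore.read_text().splitlines())

def scan(repo: Path) -> list:
    """Return (file, line, rule) tuples; the secret value itself is never echoed."""
    findings = []
    if not env_is_ignored(repo):
        findings.append((".gitignore", 0, "env_not_ignored"))
    for path in sorted(repo.rglob("*")):
        if not path.is_file() or ".git" in path.parts or path.name == ".env":
            continue
        text = path.read_text(errors="ignore")
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, rx in RULES.items():
                m = rx.search(line)
                if m and not (m.groups() and REFERENCE.match(m.group(1))):
                    findings.append((str(path.relative_to(repo)), lineno, rule))
    return findings

def demo() -> list:
    """Scan a constructed throwaway tree (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".gitignore").write_text("public/\n")
        (repo / ".env").write_text("API_TOKEN=constructed-not-a-real-token\n")
        (repo / "config.toml").write_text(
            'title = "site"\napi_key = "constructed-not-a-real-key"\n')
        (repo / "deploy.py").write_text('import os\ntoken = os.environ["API_TOKEN"]\n')
        return scan(repo)

if __name__ == "__main__":
    print(demo())
```

A non-empty result is the signal to rotate the flagged credential, not only to delete the line, since it may already be in history.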
Environment Variables Are Your Friend
Use environment variables or a separate secrets file loaded at runtime:
- Keeps code and credentials apart
- Makes rotating secrets easier
- Avoids redeploying just to swap a token
It’s not enterprise magic. It’s just separation of concerns.
Encrypt What You Can
Full-disk encryption isn’t overkill even on a home server.
If your stack lives on a laptop or NAS, treat it as hostile if stolen:
- Encrypt drives and backup media
- Store decryption keys offline and documented
- Protect passwords in a manager rather than text files
Minimal Vaults for Minimal Stacks
You don’t need HashiCorp Vault to do solo ops, but a simple secret management tool helps:
- pass, sops or KeePassXC are light enough
- Automate only if you understand the failure modes
- Always have a manual recovery path
A “vault” you can’t open under stress is worse than plain text you can.
Rotate and Revoke
Keys aren’t permanent. Rotate them periodically:
- Issue separate keys per service so a single leak doesn’t cascade
- Revoke and regenerate quickly if you suspect compromise
- Don’t leave dead keys around; clean as you go
Design the Stack Like You’ll Lose It
Secret management isn’t a luxury. It’s survival.
The day you leak an API token or lose a laptop is the day you’ll wish you treated credentials as critical infrastructure.
In Stackcraft, every moving part is under your control.
That’s the power — and the risk. Guard the keys.