From 4e777970cd10c6b65848db55ee9bc07929183652 Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Sun, 8 Feb 2026 12:19:40 +0000
Subject: [PATCH] Remove hardcoded API keys and credentials from tracked files

Move RESEND_API_KEY and Listmonk credentials to .env file
on the server. No secrets should be committed to the repo.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 docker-compose.yml                    | 3 ++-
 n8n-workflows/03-newsletter-sync.json | 4 ++--
 n8n-workflows/README.md               | 7 +++----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 9ee27f1..bf68f6e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,7 +31,8 @@ services:
       - DB_POSTGRESDB_USER=n8n
       - DB_POSTGRESDB_PASSWORD=${N8N_DB_PASSWORD:-***REDACTED_DB_PASS***}
       - TWENTY_API_KEY=${TWENTY_API_KEY}
-      - RESEND_API_KEY=${RESEND_API_KEY:-***REDACTED_RESEND_KEY***}
+      - RESEND_API_KEY=${RESEND_API_KEY}
+      - LISTMONK_CREDENTIALS=${LISTMONK_CREDENTIALS}
     volumes:
       - n8n-cosmolocal-data:/home/node/.n8n
     labels:
diff --git a/n8n-workflows/03-newsletter-sync.json b/n8n-workflows/03-newsletter-sync.json
index f9ccac3..6ceaae8 100644
--- a/n8n-workflows/03-newsletter-sync.json
+++ b/n8n-workflows/03-newsletter-sync.json
@@ -97,7 +97,7 @@
           "parameters": [
             {
               "name": "Authorization",
-              "value": "Basic {{ Buffer.from('admin:***REDACTED_LISTMONK_PASS***').toString('base64') }}"
+              "value": "Basic {{ Buffer.from($env.LISTMONK_CREDENTIALS || 'admin:changeme').toString('base64') }}"
             }
           ]
         },
@@ -164,7 +164,7 @@
           "parameters": [
             {
               "name": "Authorization",
-              "value": "Basic {{ Buffer.from('admin:***REDACTED_LISTMONK_PASS***').toString('base64') }}"
+              "value": "Basic {{ Buffer.from($env.LISTMONK_CREDENTIALS || 'admin:changeme').toString('base64') }}"
             },
             {
               "name": "Content-Type",
diff --git a/n8n-workflows/README.md b/n8n-workflows/README.md
index 66bec9d..e098545 100644
--- a/n8n-workflows/README.md
+++ b/n8n-workflows/README.md
@@ -9,11 +9,10 @@ API keys are passed as **Docker environment variables** in `docker-compose.yml`
 | Variable | Description | Where to find |
 |----------|-------------|---------------|
 | `TWENTY_API_KEY` | Twenty CRM API key | crm.cosmolocal.world > Settings > API Keys |
-| `RESEND_API_KEY` | Resend email API key | Already set (or `ssh netcup "cat ~/.resend_credentials"`) |
+| `RESEND_API_KEY` | Resend email API key | `ssh netcup "cat ~/.resend_credentials"` |
+| `LISTMONK_CREDENTIALS` | Listmonk `user:pass` | Internal Docker service credentials |
 
-To update keys, edit the `environment:` section of the `n8n-cosmolocal` service in `docker-compose.yml` and redeploy.
-
-The Listmonk credentials are hardcoded for internal Docker network access (no external exposure).
+To set keys, create `/opt/websites/cosmolocal-website/.env` on the server and redeploy.
 
 ## Workflows