diff --git a/deploy-k3s/config.yaml.example b/deploy-k3s/config.yaml.example
index 3c2c709..712f8e4 100644
--- a/deploy-k3s/config.yaml.example
+++ b/deploy-k3s/config.yaml.example
@@ -72,8 +72,13 @@ storage:
 b2_app_key: ""
 b2_bucket: ""
 b2_endpoint: "" # e.g. s3.us-west-004.backblazeb2.com
+ b2_region: "" # e.g. us-east-005
+ b2_use_ssl: true
 max_file_size: 10485760
 allowed_types: "image/jpeg,image/png,image/gif,image/webp,application/pdf"
+ upload_dir: /app/uploads # filesystem path inside the api container
+ base_url: /uploads # public URL prefix served by the api
+ static_dir: /app/static # static asset path inside the api container

 # --- Worker Schedules (UTC hours) ---
 worker:
diff --git a/deploy-k3s/scripts/_config.sh b/deploy-k3s/scripts/_config.sh
index 09fd558..4bcf4df 100755
--- a/deploy-k3s/scripts/_config.sh
+++ b/deploy-k3s/scripts/_config.sh
@@ -118,8 +118,9 @@ lines = [
 f\"DB_MAX_OPEN_CONNS={db['max_open_conns']}\",
 f\"DB_MAX_IDLE_CONNS={db['max_idle_conns']}\",
 f\"DB_MAX_LIFETIME={db['max_lifetime']}\",
- # Redis (K8s internal DNS — password injected if configured)
- f\"REDIS_URL=redis://{':%s@' % val(rd.get('password')) if rd.get('password') else ''}redis.honeydue.svc.cluster.local:6379/0\",
+ # Redis (in-namespace DNS short form — password injected if configured; # short form works because /etc/resolv.conf in pods searches honeydue.svc.cluster.local)
+ f\"REDIS_URL=redis://{':%s@' % val(rd.get('password')) if rd.get('password') else ''}redis:6379/0\",
 'REDIS_DB=0',
 # Email
 f\"EMAIL_HOST={em['host']}\",
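Review bot: `b2_app_key: ""` sits among the ordinary storage settings with no indication that it is a credential, while the companion `_config.sh` change in this commit states that B2_KEY_ID/B2_APP_KEY belong in honeydue-secrets and are deliberately kept out of the ConfigMap. A reader of the example file cannot tell which of these keys end up in `kubectl get cm` output and which do not, so add a line above the key such as `# credential — kept out of the ConfigMap; see scripts/02-setup-secrets.sh` (the script name is taken from the sibling hunk's comment, so confirm it is the right reference). The new `b2_use_ssl: true` also deserves a one-line note that it toggles TLS to the B2 endpoint and should stay true outside local testing, matching the style of the `# e.g.` hints on the neighbouring keys.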
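Review bot: The rewritten `REDIS_URL` line still splices the Redis password into the URL verbatim via `':%s@' % val(rd.get('password'))`, so a password containing `@`, `/`, `:`, `?` or `#` produces a URL that the Redis client parses wrongly or rejects; since the commit is already touching this line, percent-encode it, e.g. `':%s@' % quote(val(rd.get('password')), safe='')`, with `from urllib.parse import quote` added to the embedded script's imports (outside this hunk, so I cannot confirm whether it is already present). The switch to the short name `redis:6379` is only correct while the api/worker pods run in the namespace whose search domain is honeydue.svc.cluster.local, as the new comment itself says; that assumption is not visible here. Separately, in this rendering the second added comment line (`# short form works because …`) appears to have lost its `+` marker, which matches the `+9` count only if it is its own added line — worth checking that the patch applies as intended.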
@@ -139,12 +140,21 @@ lines = [
 f\"OVERDUE_REMINDER_HOUR={wk['overdue_reminder_hour']}\",
 f\"DAILY_DIGEST_HOUR={wk['daily_digest_hour']}\",
 # B2 Storage
- f\"B2_KEY_ID={val(st['b2_key_id'])}\",
- f\"B2_APP_KEY={val(st['b2_app_key'])}\",
+ # B2_KEY_ID and B2_APP_KEY are intentionally NOT emitted into the
+ # ConfigMap — they're credentials and belong in honeydue-secrets
+ # (set by 02-setup-secrets.sh). Wire them into the api/worker
+ # deployments via envFrom: secretRef when B2 uploads need to be
+ # active. Leaving them in cleartext here would leak via
+ `kubectl get cm`.
 f\"B2_BUCKET_NAME={val(st['b2_bucket'])}\",
 f\"B2_ENDPOINT={val(st['b2_endpoint'])}\",
+ f\"B2_REGION={val(st.get('b2_region'))}\",
+ f\"B2_USE_SSL={b(st.get('b2_use_ssl', True))}\",
 f\"STORAGE_MAX_FILE_SIZE={st['max_file_size']}\",
 f\"STORAGE_ALLOWED_TYPES={st['allowed_types']}\",
+ f\"STORAGE_UPLOAD_DIR={val(st.get('upload_dir', '/app/uploads'))}\",
+ f\"STORAGE_BASE_URL={val(st.get('base_url', '/uploads'))}\",
+ f\"STATIC_DIR={val(st.get('static_dir', '/app/static'))}\",
 # Features
 f\"FEATURE_PUSH_ENABLED={b(ft['push_enabled'])}\",
 f\"FEATURE_EMAIL_ENABLED={b(ft['email_enabled'])}\",
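Review bot: The last line of the new comment block, `` `kubectl get cm`. ``, uses backticks, and the `\"` escaping on every f-string indicates this Python source lives inside a double-quoted shell string — there the shell performs command substitution on the backticks before Python ever sees the text, so `kubectl get cm` would be executed at config-generation time and its output spliced into the source (and as rendered here the line also lacks a leading `#`, which if faithful is a Python syntax error inside the list literal). Reword it without backticks, e.g. `# active. Leaving them in cleartext here would leak via 'kubectl get cm'.`; this applies to any future backticks in comments within this embedded script as well. A second point: `val(st.get('b2_region'))` passes `None` for existing config.yaml files that predate the new key, whereas the other new keys in this hunk carry defaults; unless `val()` (defined outside the hunk) is known to handle `None`, write `st.get('b2_region', '')` to keep the generated `B2_REGION=` line well-formed.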