# Secrets Directory

Create these files before running `scripts/02-setup-secrets.sh`:

| File | Purpose |
|------|---------|
| `postgres_password.txt` | Neon PostgreSQL password |
| `secret_key.txt` | App signing secret (minimum 32 characters) |
| `email_host_password.txt` | SMTP password (Fastmail app password) |
| `fcm_server_key.txt` | Firebase Cloud Messaging server key |
| `apns_auth_key.p8` | Apple Push Notification private key |
| `cloudflare-origin.crt` | Cloudflare origin certificate (PEM) |
| `cloudflare-origin.key` | Cloudflare origin certificate key (PEM) |

The first five files are the same format as the Docker Swarm `deploy/secrets/` directory.
The Cloudflare files are new for K3s (TLS termination at the ingress).

All string config (database host, registry token, etc.) goes in `config.yaml` instead.
These files are gitignored and should never be committed.