# Secrets Directory

Create these files before running `scripts/02-setup-secrets.sh`:

| File | Purpose |
|------|---------|
| `postgres_password.txt` | In-cluster PostgreSQL password |
| `secret_key.txt` | App signing secret (minimum 32 characters) |
| `email_host_password.txt` | SMTP password (Fastmail app password) |
| `fcm_server_key.txt` | Firebase Cloud Messaging server key (optional — Android not yet ready) |
| `apns_auth_key.p8` | Apple Push Notification private key |
| `minio_root_password.txt` | MinIO root password (minimum 8 characters) |

Optional (only if `tls.mode: cloudflare` in config.yaml):

| File | Purpose |
|------|---------|
| `cloudflare-origin.crt` | Cloudflare origin certificate (PEM) |
| `cloudflare-origin.key` | Cloudflare origin certificate key (PEM) |

All string config (registry token, domains, etc.) goes in `config.yaml` instead.
These files are gitignored and should never be committed.