Mirrors the prod deploy-k3s/ setup but runs all services in-cluster on a single node: PostgreSQL (replaces Neon), MinIO S3-compatible storage (replaces B2), Redis, API, worker, and admin. Includes fully automated setup scripts (00-init through 04-verify), server hardening (SSH, fail2ban, ufw), Let's Encrypt TLS via Traefik, network policies, RBAC, and security contexts matching prod. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
932 B
Secrets Directory
Create these files before running scripts/02-setup-secrets.sh:
| File | Purpose |
|---|---|
| postgres_password.txt | In-cluster PostgreSQL password |
| secret_key.txt | App signing secret (minimum 32 characters) |
| email_host_password.txt | SMTP password (Fastmail app password) |
| fcm_server_key.txt | Firebase Cloud Messaging server key (optional — Android not yet ready) |
| apns_auth_key.p8 | Apple Push Notification private key |
| minio_root_password.txt | MinIO root password (minimum 8 characters) |
Optional (only if tls.mode: cloudflare in config.yaml):
| File | Purpose |
|---|---|
| cloudflare-origin.crt | Cloudflare origin certificate (PEM) |
| cloudflare-origin.key | Cloudflare origin certificate key (PEM) |
All string config (registry token, domains, etc.) goes in config.yaml instead.
These files are gitignored and should never be committed.
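
A pre-flight check for the files listed above, to run before scripts/02-setup-secrets.sh. This is an added example, not part of the project's scripts; the function names, the `check-secrets.sh` file name, the `secrets` directory argument and the permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the project's script. Assumptions: length is counted without
# line endings (bytes, equal to characters for ASCII secrets), and any group/other
# permission bit is treated as a failure (a check this page does not itself require).

# check_file PATH MINLEN: print the problem and return 1 if the file is unusable.
check_file() {
  cf_path=$1; cf_min=$2
  if [ ! -s "$cf_path" ]; then
    echo "MISSING or empty: $cf_path"; return 1
  fi
  cf_len=$(tr -d '\r\n' < "$cf_path" | wc -c | tr -d ' ')
  if [ "$cf_len" -lt "$cf_min" ]; then
    echo "TOO SHORT: $cf_path ($cf_len < $cf_min)"; return 1
  fi
  # Characters 5-10 of the ls mode string are the group and other permission bits.
  if [ "$(ls -ld "$cf_path" | cut -c5-10)" != "------" ]; then
    echo "TOO OPEN: $cf_path (chmod 600)"; return 1
  fi
  return 0
}

# check_secrets DIR [TLS_MODE]: return 0 only if every applicable file passes.
check_secrets() {
  cs_dir=$1; cs_tls=${2:-}; cs_bad=0
  for cs_spec in postgres_password.txt:1 secret_key.txt:32 \
      email_host_password.txt:1 apns_auth_key.p8:1 minio_root_password.txt:8; do
    check_file "$cs_dir/${cs_spec%%:*}" "${cs_spec##*:}" || cs_bad=1
  done
  # fcm_server_key.txt is optional: validate it only when present.
  if [ -e "$cs_dir/fcm_server_key.txt" ]; then
    check_file "$cs_dir/fcm_server_key.txt" 1 || cs_bad=1
  fi
  # The origin certificate pair applies only with tls.mode: cloudflare.
  if [ "$cs_tls" = "cloudflare" ]; then
    for cs_f in cloudflare-origin.crt cloudflare-origin.key; do
      if check_file "$cs_dir/$cs_f" 1; then
        grep -q -e '-----BEGIN' "$cs_dir/$cs_f" || { echo "NOT PEM: $cs_dir/$cs_f"; cs_bad=1; }
      else
        cs_bad=1
      fi
    done
  fi
  return "$cs_bad"
}

# Usage: sh check-secrets.sh secrets [cloudflare]
if [ $# -gt 0 ]; then check_secrets "$@"; fi
```

The exit status is non-zero when any applicable file is missing, too short, or readable by group or other, so the check can gate the setup script in a wrapper.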