34553f3bec
Mirrors the prod deploy-k3s/ setup but runs all services in-cluster on a single node: PostgreSQL (replaces Neon), MinIO S3-compatible storage (replaces B2), Redis, API, worker, and admin. Includes fully automated setup scripts (00-init through 04-verify), server hardening (SSH, fail2ban, ufw), Let's Encrypt TLS via Traefik, network policies, RBAC, and security contexts matching prod. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
20 lines
884 B
Markdown
20 lines
884 B
Markdown
# Secrets Directory
|
|
|
|
Create these files before running `scripts/02-setup-secrets.sh`:
|
|
|
|
| File | Purpose |
|
|
|------|---------|
|
|
| `postgres_password.txt` | Neon PostgreSQL password |
|
|
| `secret_key.txt` | App signing secret (minimum 32 characters) |
|
|
| `email_host_password.txt` | SMTP password (Fastmail app password) |
|
|
| `fcm_server_key.txt` | Firebase Cloud Messaging server key |
|
|
| `apns_auth_key.p8` | Apple Push Notification private key |
|
|
| `cloudflare-origin.crt` | Cloudflare origin certificate (PEM) |
|
|
| `cloudflare-origin.key` | Cloudflare origin certificate key (PEM) |
|
|
|
|
The first five files are the same format as the Docker Swarm `deploy/secrets/` directory.
|
|
The Cloudflare files are new for K3s (TLS termination at the ingress).
|
|
|
|
All string config (database host, registry token, etc.) goes in `config.yaml` instead.
|
|
These files are gitignored and should never be committed.
|