Mirrors the prod deploy-k3s/ setup but runs all services in-cluster on a single node: PostgreSQL (replaces Neon), MinIO S3-compatible storage (replaces B2), Redis, API, worker, and admin. Includes fully automated setup scripts (00-init through 04-verify), server hardening (SSH, fail2ban, ufw), Let's Encrypt TLS via Traefik, network policies, RBAC, and security contexts matching prod.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Secrets Directory
Create these files before running scripts/02-setup-secrets.sh:
| File | Purpose |
|---|---|
| postgres_password.txt | Neon PostgreSQL password |
| secret_key.txt | App signing secret (minimum 32 characters) |
| email_host_password.txt | SMTP password (Fastmail app password) |
| fcm_server_key.txt | Firebase Cloud Messaging server key |
| apns_auth_key.p8 | Apple Push Notification private key |
| cloudflare-origin.crt | Cloudflare origin certificate (PEM) |
| cloudflare-origin.key | Cloudflare origin certificate key (PEM) |
The first five files are the same format as the Docker Swarm deploy/secrets/ directory.
The Cloudflare files are new for K3s (TLS termination at the ingress).
All string config (database host, registry token, etc.) goes in config.yaml instead.
These files are gitignored and should never be committed.
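A pre-flight check for this directory, as an added example that is not one of the repo's own scripts: it verifies that every file listed above exists, is owner-only readable, that secret_key.txt meets the 32-character minimum, and that the PEM files carry the expected block types (which also catches a swapped .crt/.key pair). It assumes only the file names and the minimum length stated in the table, and demonstrates on constructed placeholder values.

```shell
# Pre-flight check for the K3s secrets directory, run before scripts/02-setup-secrets.sh.
# Added example, not one of the repo's own scripts; it assumes only the file names and the
# 32-character minimum for secret_key.txt from the table above.
REQUIRED_SECRETS="postgres_password.txt secret_key.txt email_host_password.txt \
fcm_server_key.txt apns_auth_key.p8 cloudflare-origin.crt cloudflare-origin.key"
# check_secrets_dir DIR: returns 0 when every check passes, 1 otherwise (reasons on stderr).
check_secrets_dir() {
  dir=$1; rc=0
  for f in $REQUIRED_SECRETS; do
    if [ ! -s "$dir/$f" ]; then
      echo "FAIL: $f missing or empty" >&2; rc=1; continue
    fi
    # columns 5-10 of 'ls -l' are the group/other bits; secrets must be owner-only (chmod 600)
    if [ "$(ls -ld "$dir/$f" | cut -c5-10)" != "------" ]; then
      echo "FAIL: $f is readable by group/other" >&2; rc=1
    fi
  done
  # $(...) drops trailing newlines, so a key saved with a final newline is measured correctly
  key=$(cat "$dir/secret_key.txt" 2>/dev/null)
  if [ "${#key}" -lt 32 ]; then
    echo "FAIL: secret_key.txt must be at least 32 characters (got ${#key})" >&2; rc=1
  fi
  # PEM sanity: cert carries a CERTIFICATE block, keys a PRIVATE KEY block (catches swapped files)
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/cloudflare-origin.crt" 2>/dev/null; then
    echo "FAIL: cloudflare-origin.crt is not a PEM certificate" >&2; rc=1
  fi
  for k in cloudflare-origin.key apns_auth_key.p8; do
    if ! grep -qE -- '-----BEGIN (EC |RSA )?PRIVATE KEY-----' "$dir/$k" 2>/dev/null; then
      echo "FAIL: $k is not a PEM private key" >&2; rc=1
    fi
  done
  return $rc
}
# make_sample_secrets DIR: fills DIR with constructed placeholder values (not real credentials)
make_sample_secrets() {
  dir=$1; mkdir -p "$dir"
  printf '%s\n' 'placeholder-db-pass' > "$dir/postgres_password.txt"
  printf '%s\n' 'placeholder-signing-secret-0123456789abcdef' > "$dir/secret_key.txt"
  printf '%s\n' 'placeholder-smtp-pass' > "$dir/email_host_password.txt"
  printf '%s\n' 'placeholder-fcm-key' > "$dir/fcm_server_key.txt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIplaceholder' '-----END CERTIFICATE-----' > "$dir/cloudflare-origin.crt"
  for k in cloudflare-origin.key apns_auth_key.p8; do
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIGplaceholder' '-----END PRIVATE KEY-----' > "$dir/$k"
  done
  chmod 600 "$dir"/*
}
sample=$(mktemp -d); make_sample_secrets "$sample"
check_secrets_dir "$sample" && echo "secrets directory OK: $sample"
```

Point check_secrets_dir at the real deploy-k3s secrets directory to use it; the sample directory is only there so the example runs without real credentials.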