# Secrets

Do not commit plaintext secrets.

## Pattern

- Commit encrypted blobs only (`*.age`).
- Decrypt to `/srv/secrets/*` at bootstrap/runtime.
- Keep private decryption key outside git.

## Expected encrypted files

- `tailscale_authkey.age`
- `gitea_token.age` (optional)
- `postgres_password.age` (optional)