new file: .env.example

new file:   DEPLOYMENT.md
	new file:   SECURITY_SECRETS_INVENTORY.md
	new file:   secrets/.env.secrets.example

SECURITY_SECRETS_INVENTORY.md

@@ -0,0 +1,31 @@
+# Credential Inventory (apps/, core/, monitoring/)
+
+## apps/
+- `apps/nextcloud/docker-compose.yml`
+  - `MYSQL_PASSWORD` (nextcloud-webapp) -> `MYSQL_PASSWORD_FILE` + Docker secret.
+  - `SMTP_PASSWORD` -> `SMTP_PASSWORD_FILE` + Docker secret.
+  - `REDIS_HOST_PASSWORD` -> `REDIS_HOST_PASSWORD_FILE` + Docker secret.
+  - `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, `NEXTCLOUD_ADMIN_PASSWORD` (nextcloud-db) -> `_FILE` variants + Docker secrets.
+  - Redis `--requirepass` inline value -> read from Docker secret at runtime.
+- `apps/passbolt/docker-compose.yml`
+  - `MYSQL_PASSWORD`, `DATASOURCES_DEFAULT_PASSWORD` -> `_FILE` variants + Docker secret.
+- `apps/gramps/docker-compose.yml`
+  - `POSTGRES_PASSWORD` -> `POSTGRES_PASSWORD_FILE` + Docker secret.
+  - `DB_URI` password + `INITIAL_ADMIN_PASSWORD` -> env references from non-committed secrets env file.
+
+## core/
+- `core/authelia/configuration.yml`
+  - `identity_validation.reset_password.jwt_secret` -> `${AUTHELIA_JWT_SECRET}`.
+  - `session.secret` -> `${AUTHELIA_SESSION_SECRET}`.
+  - `storage.encryption_key` -> `${AUTHELIA_STORAGE_ENCRYPTION_KEY}`.
+- `core/traefik/dynamic.yml`
+  - `crowdsecLapiKey` -> `${CROWDSEC_LAPI_KEY}`.
+
+## monitoring/
+- `monitoring/gotify/docker-compose.yml`
+  - `GOTIFY_DEFAULTUSER_PASS` -> `${GOTIFY_DEFAULTUSER_PASS}` from non-committed secrets env file.
+- `monitoring/prometheus/docker-compose.yml`
+  - `DOCKER_INFLUXDB_INIT_PASSWORD` -> `DOCKER_INFLUXDB_INIT_PASSWORD_FILE` + Docker secret.
+  - `PIHOLE_PASSWORD` -> `${PIHOLE_PASSWORD}` from non-committed secrets env file.
+- `monitoring/prometheus/prometheus.yml`
+  - Uptime Kuma basic_auth `password` -> `password_file` mounted from non-committed secret file.