# Deployment Prerequisites

Before running compose operations, provision local secret material.

## 1) Create non-committed secret env file

```bash
cp secrets/.env.secrets.example secrets/stack-secrets.env
chmod 600 secrets/stack-secrets.env
```

## 2) Create required Docker secret files

All files below are expected locally and are gitignored:

- `secrets/nextcloud_db_root_password.txt`
- `secrets/nextcloud_db_password.txt`
- `secrets/nextcloud_admin_password.txt`
- `secrets/nextcloud_smtp_password.txt`
- `secrets/nextcloud_redis_password.txt`
- `secrets/passbolt_db_password.txt`
- `secrets/influxdb_init_password.txt`
- `secrets/prometheus_kuma_basic_auth_password.txt`

Recommended permissions:

```bash
chmod 600 secrets/*.txt
```

## 3) Validate composed configuration

Use the repository composition entrypoint:

```bash
./services-up.sh --profile all config
```

This confirms compose rendering with shared env/network inputs before any runtime operation.

## 4) Rotate previously committed credentials

If migrating from older states where secrets were committed, rotate upstream values immediately (DB credentials, app passwords, auth keys, and API tokens).

## Related docs

- [`./security-secrets.md`](./security-secrets.md)
- [`./docker-environment.md`](./docker-environment.md)
- [`./source-of-truth.md`](./source-of-truth.md)
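
A pre-flight check for steps 1, 2 and 4, as an added example that is not part of this repository: it flags secret files that are missing, empty, not mode 600, or tracked in the git index. The helper names `check_secrets` and `file_mode` are hypothetical; the file list is copied from steps 1 and 2.

```shell
#!/bin/sh
# Added example, not a repository script. Verifies the local secret material
# from steps 1 and 2 before any compose operation is run.
REQUIRED_SECRETS="stack-secrets.env
nextcloud_db_root_password.txt
nextcloud_db_password.txt
nextcloud_admin_password.txt
nextcloud_smtp_password.txt
nextcloud_redis_password.txt
passbolt_db_password.txt
influxdb_init_password.txt
prometheus_kuma_basic_auth_password.txt"

# Print a file's octal permission bits (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null || echo unknown
}

# check_secrets DIR: report every problem found; return 0 only if there are none.
check_secrets() {
  dir=${1:-secrets}
  problems=0
  for name in $REQUIRED_SECRETS; do
    f="$dir/$name"
    if [ ! -f "$f" ]; then
      echo "MISSING $f"; problems=$((problems + 1)); continue
    fi
    if [ ! -s "$f" ]; then
      echo "EMPTY $f"; problems=$((problems + 1))
    fi
    mode=$(file_mode "$f")
    if [ "$mode" != "600" ]; then
      echo "MODE $mode $f (expected 600)"; problems=$((problems + 1))
    fi
    # A secret present in the git index has been committed: rotate it (step 4).
    if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
      echo "TRACKED $f (in git index; rotate this credential)"; problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# When invoked with a directory argument, run the check and exit with its status.
if [ "$#" -gt 0 ]; then check_secrets "$1"; fi
```

Saved under a name of your choosing and run with `secrets` as its argument, it exits non-zero on any finding, so it can gate `./services-up.sh --profile all config`.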