# Deployment prerequisites (required)

Before running `docker compose up`, you **must** provision runtime secrets.

## 1) Create non-committed secret files

```bash
cp secrets/.env.secrets.example secrets/stack-secrets.env
chmod 600 secrets/stack-secrets.env
```

Create these Docker secret files (all ignored by git):

- `secrets/nextcloud_db_root_password.txt`
- `secrets/nextcloud_db_password.txt`
- `secrets/nextcloud_admin_password.txt`
- `secrets/nextcloud_smtp_password.txt`
- `secrets/nextcloud_redis_password.txt`
- `secrets/passbolt_db_password.txt`
- `secrets/influxdb_init_password.txt`
- `secrets/prometheus_kuma_basic_auth_password.txt`

Recommended permissions:

```bash
chmod 600 secrets/*.txt
```

## 2) Rotate previously committed credentials

These values were previously hardcoded and must be rotated in upstream systems immediately:

- Database credentials (Nextcloud, Passbolt, InfluxDB).
- Nextcloud SMTP app password.
- Authelia reset JWT secret, session secret, storage encryption key.
- Traefik CrowdSec LAPI key.
- Gotify admin password.
- Prometheus Uptime Kuma basic-auth password.

## 3) Start stack

After secrets are provisioned:

```bash
docker compose -f core/docker-compose.yml up -d
docker compose -f monitoring/prometheus/docker-compose.yml up -d
docker compose -f apps/nextcloud/docker-compose.yml up -d
```
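
A preflight check for the files from step 1, meant to run before the `docker compose` commands in step 3. This is an added example, not a script shipped with this repository; the names `check_secrets`, `file_mode` and `SECRET_FILES` are hypothetical, and the "not tracked by git" test is an assumption about how to confirm the files stay out of version control.

```bash
#!/usr/bin/env bash
# Added example: verifies the secret files listed in step 1.
# check_secrets / file_mode / SECRET_FILES are hypothetical helper names.

SECRET_FILES="stack-secrets.env
nextcloud_db_root_password.txt
nextcloud_db_password.txt
nextcloud_admin_password.txt
nextcloud_smtp_password.txt
nextcloud_redis_password.txt
passbolt_db_password.txt
influxdb_init_password.txt
prometheus_kuma_basic_auth_password.txt"

# Print the octal permission bits of a file (GNU stat first, then BSD/macOS).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_secrets DIR: return 0 only if every expected file in DIR is a
# non-empty regular file with mode 600 that git does not track.
check_secrets() {
  local dir rc name f mode
  dir="${1:-secrets}"
  rc=0
  for name in $SECRET_FILES; do
    f="$dir/$name"
    if [ ! -f "$f" ]; then
      echo "MISSING  $f" >&2; rc=1; continue
    fi
    if [ ! -s "$f" ]; then
      echo "EMPTY    $f" >&2; rc=1
    fi
    mode="$(file_mode "$f")"
    if [ "$mode" != "600" ]; then
      echo "MODE     $f is $mode, expected 600" >&2; rc=1
    fi
    # ls-files --error-unmatch exits 0 only when the path is in the index.
    # Outside a repository (or without git) it fails, which counts as untracked.
    if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
      echo "TRACKED  $f is committed to git" >&2; rc=1
    fi
  done
  return "$rc"
}
```

Source the file and gate the first start command on it, for example `check_secrets secrets && docker compose -f core/docker-compose.yml up -d`.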