From fe2672d55bb70e79b85bc3a4b049241b12ca0cc0 Mon Sep 17 00:00:00 2001 From: DeadSwitch Date: Mon, 9 Feb 2026 13:26:28 +0100 Subject: [PATCH] Added the doc for generating secret keys. --- README.org | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.org b/README.org index 250e3dc..81431cc 100644 --- a/README.org +++ b/README.org @@ -54,6 +54,19 @@ Remaining variables must be declared in the inventory. - =Reload_systemd=: It runs a =daemon-reload= - =Restart_gitea=: It restarts the Gitea service +* Secrets + +Always store the production secrets in SOPS, or in Vault. + +Generate the secrets manually when the playbook stops: + +#+begin_src shell +gitea generate secret INTERNAL_TOKEN +gitea generate secret JWT_SECRET +#+end_src + +Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well. It's an alias. + * Example Playbook #+begin_src yaml
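Review bot: The last added line of the new Secrets section, "Use the =JWT_SECRET= command to generate the =gitea_lfs_jwt_secret= as well. It's an alias.", does not say what is an alias of what, or whether the command should be run a second time to get a separate value or one generated value reused for both settings. Please state which is intended, and name the inventory variable that each generated value belongs in: only =gitea_lfs_jwt_secret= is named, while the variables that receive the INTERNAL_TOKEN and JWT_SECRET output are not. "Generate the secrets manually when the playbook stops" should also say what makes the playbook stop (for example, which variables are checked as unset), so a reader knows the stop is expected and not a failure. Since both commands print the secret to the terminal, a sentence on moving the output straight into the SOPS file or Vault entry, rather than into a plaintext inventory, would tie the shell block to the "Always store the production secrets in SOPS, or in Vault" line above it.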