From 279aaf37d9b46546edad1ad934bb01e7d6646f2d Mon Sep 17 00:00:00 2001 From: scoot Date: Sun, 24 May 2026 16:15:59 +0200 Subject: [PATCH] Document .env deployment options --- 23may2026-Q-server-prototype.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/23may2026-Q-server-prototype.md b/23may2026-Q-server-prototype.md index 9ac5f03..3fdec23 100644 --- a/23may2026-Q-server-prototype.md +++ b/23may2026-Q-server-prototype.md @@ -137,6 +137,18 @@ To rotate a password: Do not commit `.env` to git. The `.env.example` template is the only password-related file that belongs in the repo. +### Deploy-time only + +The `.env` file is read only during `docker compose up` (container create/recreate). At runtime, secrets live in Docker volumes and container env vars. Options for handling `.env` on the target machine: + +| Option | Security | Convenience | +|--------|----------|-------------| +| **Keep with `chmod 600`** (current) | Root on agge can still read it — but root already owns the volumes | Compose works immediately | +| **Remove after deploy** | Minimal disk exposure | Must scp from hector before any `docker compose down && up` | +| **Deploy script** (`deploy.sh`) | `.env` lives only on hector, pushed transiently during deploy | Single command, cleanest for production | + +For the prototype, `chmod 600` is fine. For a production VPS, a deploy script is better — the `.env` never sits on disk permanently. + # Session history **Session ses_21ab382baffej8OpnTkrmaG5UA** — initial prototype deployment: Docker files written, containers configured, applications deployed and verified.
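Review bot: the statement "The `.env` file is read only during `docker compose up` (container create/recreate)" in the new "Deploy-time only" section is too narrow, and the table itself contradicts it: the "Remove after deploy" row says the file must be copied back "before any `docker compose down && up`", because Compose interpolates `.env` into the compose file on every command that parses it (`down`, `config`, `ps`, `logs`), not just `up`. Suggest rewording to something like "The `.env` file is only needed when Compose parses the compose file; secrets are copied into container env vars and volumes at create time", so the "Remove after deploy" caveat follows from the sentence rather than contradicting it. Two smaller points: the "Remove after deploy" row claims "Minimal disk exposure", but the paragraph above says secrets remain in container env vars, which anyone with access to the Docker socket on agge can still read from the container config, so the row should state that removal only reduces the plain-file copy, not the runtime exposure; and the "Deploy script" row references `deploy.sh` while this patch touches only the markdown file, so either add the script in the same change or mark that row as planned/not yet implemented.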