diff --git a/infra/observability/obs.env b/infra/observability/obs.env
new file mode 100644
index 00000000..8200b235
--- /dev/null
+++ b/infra/observability/obs.env
@@ -0,0 +1,20 @@
+# Non-secret observability stack configuration — tracked in git.
+# Secret values (passwords, keys) are injected by CI from Gitea secrets
+# into /opt/familienarchiv/obs-secrets.env at deploy time.
+#
+# For local dev the main .env file supplies these values instead;
+# this file is only used in the CI/production path.
+
+# Host ports (all bound to 127.0.0.1 — Caddy is the external entry point)
+PORT_GRAFANA=3003
+PORT_GLITCHTIP=3002
+PORT_PROMETHEUS=9090
+
+# Public URLs — used for internal redirects, alert email links, OAuth callbacks
+GF_SERVER_ROOT_URL=https://grafana.archiv.raddatz.cloud
+GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
+
+# PostgreSQL hostname for GlitchTip db-init and workers.
+# archive-db is the production default (full stack running).
+# Override in obs-secrets.env when a different stack is active.
+POSTGRES_HOST=archive-db