diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index d4af264d..ce45d991 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -78,12 +78,6 @@ jobs:
           APP_MAIL_FROM=noreply@staging.raddatz.cloud
           IMPORT_HOST_DIR=/srv/familienarchiv-staging/import
           POSTGRES_USER=archiv
-          PORT_GRAFANA=3003
-          PORT_GLITCHTIP=3002
-          PORT_PROMETHEUS=9090
-          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
-          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
-          GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
           SENTRY_DSN=${{ secrets.SENTRY_DSN }}
           EOF
 
@@ -136,30 +130,43 @@ jobs:
         # into /opt/familienarchiv/ — the permanent location that persists
         # between CI runs. Containers started in the next step bind-mount
         # from there, so a future workspace wipe cannot corrupt a running
-        # config file. Secrets are read from /opt/familienarchiv/.env (managed
-        # separately on the server; not written or deleted by CI).
+        # config file.
+        #
+        # obs-secrets.env is written fresh from Gitea secrets on every run so
+        # Gitea is always the single source of truth for secret rotation.
+        # Non-secret config lives in infra/observability/obs.env (tracked in git).
         run: |
           mkdir -p /opt/familienarchiv/infra
           cp -r infra/observability /opt/familienarchiv/infra/
           cp docker-compose.observability.yml /opt/familienarchiv/
+          cat > /opt/familienarchiv/obs-secrets.env <<EOF
+          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
+          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
+          POSTGRES_USER=archiv
+          POSTGRES_PASSWORD=${{ secrets.STAGING_POSTGRES_PASSWORD }}
+          EOF
 
       - name: Validate observability compose config
-        # Dry-run: resolves all variable substitutions from /opt/familienarchiv/.env
-        # and reports any missing required keys before containers start. Catches
-        # truncated passwords (missing $$ escaping), undefined variables, and YAML
-        # errors in config files updated by the previous step.
+        # Dry-run: resolves all variable substitutions and reports any missing
+        # required keys before containers start. Catches undefined variables and
+        # YAML errors in config files updated by the previous step.
         run: |
           docker compose \
             -f /opt/familienarchiv/docker-compose.observability.yml \
+            --env-file /opt/familienarchiv/infra/observability/obs.env \
+            --env-file /opt/familienarchiv/obs-secrets.env \
             config --quiet
 
       - name: Start observability stack
-        # Runs from /opt/familienarchiv/ so bind mounts resolve to stable
-        # host paths that survive workspace wipes between nightly runs.
-        # Docker Compose reads /opt/familienarchiv/.env automatically.
+        # Runs with absolute paths so bind mounts resolve to stable host paths
+        # that survive workspace wipes between nightly runs (see ADR-016).
+        # Non-secret config from obs.env (git-tracked); secrets from obs-secrets.env
+        # (written fresh from Gitea secrets above).
         run: |
           docker compose \
             -f /opt/familienarchiv/docker-compose.observability.yml \
+            --env-file /opt/familienarchiv/infra/observability/obs.env \
+            --env-file /opt/familienarchiv/obs-secrets.env \
             up -d --wait --remove-orphans
 
       - name: Assert observability stack health