● Based on the infrastructure we built, here are the exact tasks to set up secrets in Pulumi ESC:

1. Install the Pulumi ESC CLI

   curl -fsSL https://get.pulumi.com/esc/install.sh | sh
   export PATH="$HOME/.pulumi/bin:$PATH"

2. Log in to Pulumi

   esc login

   This will open a browser for authentication. You'll get a PULUMI_ACCESS_TOKEN - save this for GitLab CI.

3. Create the Production Environment

   esc env init <org>/prod

   Replace <org> with your Pulumi organization name.

4. Set All Required Secrets

   # SSH Keys
   esc env set <org>/prod SSH_PUBLIC_KEY "ssh-rsa AAAA..."
   esc env set <org>/prod SSH_PRIVATE_KEY_PATH "/path/to/private/key"

   # Hetzner
   esc env set <org>/prod HETZNER_API_TOKEN "your-hetzner-token"

   # Cloudflare R2 (for artifact storage)
   esc env set <org>/prod R2_ACCESS_KEY_ID "your-r2-access-key"
   esc env set <org>/prod R2_SECRET_ACCESS_KEY "your-r2-secret-key"
   esc env set <org>/prod R2_ENDPOINT "account-id.r2.cloudflarestorage.com"
   esc env set <org>/prod R2_ARTIFACTS_BUCKET "materia-artifacts"

   # Cloudflare R2 Data Catalog (for Iceberg)
   esc env set <org>/prod CLOUDFLARE_API_TOKEN "your-cf-api-token"
   esc env set <org>/prod ICEBERG_REST_URI "https://api.cloudflare.com/client/v4/accounts/YOUR_ACCOUNT_ID/r2/buckets/YOUR_WAREHOUSE_BUCKET/iceberg"
   esc env set <org>/prod R2_WAREHOUSE_NAME "materia"

5. Verify the Secrets

   esc env open <org>/prod --format shell

   This prints all secrets as environment variables. You should see every key listed above.

6. Test Locally

   eval $(esc env open <org>/prod --format shell)
   materia secrets list
   materia secrets test

7. Configure GitLab CI

   In your GitLab project settings → CI/CD → Variables, add:
   - Key: PULUMI_ACCESS_TOKEN
   - Value: (the token from step 2)
   - Protected: Yes
   - Masked: Yes

That's it! The CI/CD pipeline and the materia CLI will automatically pull all other secrets from ESC.

Where to Get Each Secret
- SSH Keys: generate with ssh-keygen -t rsa -b 4096
- Hetzner API Token: https://console.hetzner.cloud/ → Project → Security → API Tokens
- R2 Credentials: Cloudflare Dashboard → R2 → Manage R2 API Tokens
- Cloudflare API Token: Cloudflare Dashboard → My Profile → API Tokens (needs R2 permissions)
- Iceberg REST URI: format shown above - get the account ID from the Cloudflare dashboard URL
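To turn the visual check in step 5 into one the pipeline can fail on, here is an added example (not from the original session or the materia project) that reads a saved `esc env open <org>/prod --format shell` dump and reports any required key that is missing, empty, or still carries one of the sample placeholder values from step 4. It assumes that command prints one `export KEY="value"` line per secret; the script name verify_esc.sh is an assumption.

```shell
#!/bin/sh
# Added example: validate an `esc env open <org>/prod --format shell` dump
# (assumed to contain one `export KEY="value"` line per secret) so that a
# missing or never-replaced secret stops the pipeline instead of the deploy.

# Every key the setup steps store in the environment.
REQUIRED_KEYS="SSH_PUBLIC_KEY SSH_PRIVATE_KEY_PATH HETZNER_API_TOKEN
R2_ACCESS_KEY_ID R2_SECRET_ACCESS_KEY R2_ENDPOINT R2_ARTIFACTS_BUCKET
CLOUDFLARE_API_TOKEN ICEBERG_REST_URI R2_WAREHOUSE_NAME"

# Sample values copied verbatim from the setup commands; seeing any of them in
# a real environment means that secret was never replaced.
PLACEHOLDER_RE='="your-|YOUR_ACCOUNT_ID|YOUR_WAREHOUSE_BUCKET|AAAA\.\.\.|/path/to/private/key'

# missing_keys: reads `export KEY="value"` lines from stdin and prints each
# required key that is absent or has an empty value, one per line.
missing_keys() {
  env_out=$(cat)
  for key in $REQUIRED_KEYS; do
    val=$(printf '%s\n' "$env_out" | sed -n "s/^export ${key}=\"\(.*\)\"\$/\1/p")
    [ -n "$val" ] || printf '%s\n' "$key"
  done
}

# placeholder_keys: reads the same lines and prints each key whose value still
# matches a sample placeholder.
placeholder_keys() {
  grep -E "$PLACEHOLDER_RE" | sed 's/^export //; s/=.*//'
}

# verify_env_file: runs both checks over a saved dump ($1).
# Returns 0 only when every required key holds a real, non-empty value.
verify_env_file() {
  missing=$(missing_keys < "$1")
  placeholders=$(placeholder_keys < "$1")
  [ -z "$missing" ] || echo "missing or empty:" $missing
  [ -z "$placeholders" ] || echo "still placeholder values:" $placeholders
  [ -z "$missing" ] && [ -z "$placeholders" ]
}

# Usage: sh verify_esc.sh <org>/prod   (runs only when the esc CLI is installed)
if [ -n "${1:-}" ] && command -v esc >/dev/null 2>&1; then
  tmp=$(mktemp) && esc env open "$1" --format shell > "$tmp" \
    && verify_env_file "$tmp"; status=$?; rm -f "$tmp"; exit $status
fi
```

The dump is written to a temporary file rather than piped so that both checks read the same snapshot; the file is removed as soon as the checks finish.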