diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..37cd406
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,136 @@
+# ==============================================================================
+# Kestra Demo – Umgebungsvariablen
+# Kopieren:
+#   cp .env.example .env
+# Danach Werte in .env eintragen.
+# ==============================================================================
+
+
+# ------------------------------------------------------------------------------
+# Hetzner Cloud
+# ------------------------------------------------------------------------------
+# API-Token:
+# https://console.hetzner.cloud/ -> Projekt -> Sicherheit -> API-Tokens
+
+HCLOUD_TOKEN=changeme_hcloud_token
+
+# Name eines bereits in Hetzner hinterlegten SSH-Keys
+SSH_KEY_NAME=changeme_ssh_key_name
+
+
+# ------------------------------------------------------------------------------
+# Terraform Variablen
+# ------------------------------------------------------------------------------
+# Terraform liest automatisch alle Variablen mit Prefix TF_VAR_
+
+TF_VAR_hcloud_token=changeme_hcloud_token
+TF_VAR_ssh_key_name=changeme_ssh_key_name
+
+
+# ------------------------------------------------------------------------------
+# Hetzner Object Storage / S3 Backend für Terraform State
+# ------------------------------------------------------------------------------
+# Zugangsdaten:
+# https://console.hetzner.cloud/ -> Object Storage -> Zugangsdaten
+
+AWS_ACCESS_KEY_ID=changeme_s3_access_key_id
+AWS_SECRET_ACCESS_KEY=changeme_s3_secret_access_key
+AWS_DEFAULT_REGION=eu-central
+
+# Bucket-Name muss vorher angelegt sein
+TF_BACKEND_BUCKET=changeme_bucket_name
+
+# Beispiel Hetzner Object Storage Endpoint
+TF_BACKEND_ENDPOINT=https://nbg1.your-objectstorage.com
+
+
+# ------------------------------------------------------------------------------
+# OpenAI
+# ------------------------------------------------------------------------------
+# API-Key:
+# https://platform.openai.com/api-keys
+
+OPENAI_API_KEY=changeme_openai_api_key
+
+
+# ------------------------------------------------------------------------------
+# SMTP
+# ------------------------------------------------------------------------------
+
+SMTP_USERNAME=changeme_smtp_username
+SMTP_PASSWORD=changeme_smtp_password
+
+
+# ------------------------------------------------------------------------------
+# Git / Forgejo
+# ------------------------------------------------------------------------------
+# Nur nötig, wenn Kestra private Repositories klonen soll.
+
+GIT_USERNAME=changeme_git_username
+GIT_TOKEN=changeme_git_token
+
+
+# ==============================================================================
+# Kestra OSS Secrets
+# ==============================================================================
+# WICHTIG:
+# SECRET_* Werte müssen bei Kestra OSS base64-codiert sein.
+#
+# Beispiel Linux:
+#   echo -n "mein-geheimer-wert" | base64 -w 0
+#
+# Beispiel macOS:
+#   echo -n "mein-geheimer-wert" | base64
+#
+# SSH Private Key:
+#   base64 -w 0 ~/.ssh/id_ed25519
+# ==============================================================================
+
+
+# ------------------------------------------------------------------------------
+# Hetzner Cloud als Kestra Secret
+# ------------------------------------------------------------------------------
+SECRET_HCLOUD_TOKEN=base64_encoded_hcloud_token
+
+
+# ------------------------------------------------------------------------------
+# Hetzner SSH-Key-Name als Kestra Secret
+# ------------------------------------------------------------------------------
+SECRET_SSH_KEY_NAME=base64_encoded_ssh_key_name
+
+
+# ------------------------------------------------------------------------------
+# SSH Private Key für Remote-Zugriffe per Kestra
+# Wird z. B. verwendet durch:
+#   {{ secret('SSH_PRIVATE_KEY') }}
+# ------------------------------------------------------------------------------
+SECRET_SSH_PRIVATE_KEY=base64_encoded_private_ssh_key
+
+
+# ------------------------------------------------------------------------------
+# S3 / Object Storage Secrets
+# ------------------------------------------------------------------------------
+SECRET_AWS_ACCESS_KEY_ID=base64_encoded_s3_access_key_id
+SECRET_AWS_SECRET_ACCESS_KEY=base64_encoded_s3_secret_access_key
+SECRET_TF_BACKEND_BUCKET=base64_encoded_backend_bucket
+SECRET_TF_BACKEND_ENDPOINT=base64_encoded_backend_endpoint
+
+
+# ------------------------------------------------------------------------------
+# OpenAI als Kestra Secret
+# ------------------------------------------------------------------------------
+SECRET_OPENAI_API_KEY=base64_encoded_openai_api_key
+
+
+# ------------------------------------------------------------------------------
+# SMTP als Kestra Secret
+# ------------------------------------------------------------------------------
+SECRET_SMTP_USERNAME=base64_encoded_smtp_username
+SECRET_SMTP_PASSWORD=base64_encoded_smtp_password
+
+
+# ------------------------------------------------------------------------------
+# Git / Forgejo als Kestra Secret
+# ------------------------------------------------------------------------------
+SECRET_GIT_USERNAME=base64_encoded_git_username
+SECRET_GIT_TOKEN=base64_encoded_git_token