diff --git a/roles/opnform/defaults/main.yml b/roles/opnform/defaults/main.yml
index 09aed4c..0f61c3a 100644
--- a/roles/opnform/defaults/main.yml
+++ b/roles/opnform/defaults/main.yml
@@ -25,18 +25,26 @@ opnform_redis_image: "redis:7"
 opnform_db_image: "postgres:16"
 opnform_ingress_image: "nginx:1"
-# REQUIRED SECRETS — generate with: openssl rand -base64 32
-# Always prefix opnform_app_key with "base64:"
+# REQUIRED SECRETS — must be overridden per-inventory.
 # Provide via OpenBao lookup, Ansible Vault or extra-vars.
 # Never commit real keys to version control.
-opnform_app_key: "base64:vsQw8EoC64nmhurLUUohXUlAeryaV6Y2Is64Tdvjlko="
-opnform_jwt_secret: "0b2e8ed326334a08ce3846bfcd6588f5a11be33999e96963cd4eaff1a3ae828b"
-opnform_front_api_secret: "8f52397785a110b657f2a6beab13362877bfac936ae9002bc236c54ed1011b2d"
+#
+# Generate with:
+# opnform_app_key: echo "base64:$(openssl rand -base64 32)"
+# opnform_jwt_secret: openssl rand -hex 32
+# opnform_front_api_secret: openssl rand -hex 32
+#
+# opnform_app_key MUST start with the prefix "base64:" — the validate
+# task at the top of tasks/main.yml enforces this.
+opnform_app_key: ""
+opnform_jwt_secret: ""
+opnform_front_api_secret: ""
-# Database credentials
+# Database credentials. opnform_db_password must be overridden; the
+# validate task fails fast on an empty value.
 opnform_db_name: "opnform"
 opnform_db_user: "opnform"
-opnform_db_password: "xtNLUVc2ajcWictqWXWkLR"
+opnform_db_password: ""
 # Admin bootstrap — when email+password are set, the role creates the
 # first user via OpnForm's /api/register endpoint, skipping the
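Review bot: The new header comment documents validation only for opnform_app_key (the "base64:" prefix) and opnform_db_password (non-empty), so a reader cannot tell whether an empty opnform_jwt_secret or opnform_front_api_secret is also rejected before the role deploys anything; if the validate task referenced in tasks/main.yml covers them, say so by extending the sentence to `# task at the top of tasks/main.yml enforces this and fails fast when any of the three secrets or opnform_db_password is empty.`, and if it does not, that check belongs there too. Because the four values are now defined as `""` in defaults rather than left undefined, any such validation has to test for an empty or too-short value, not `is defined`. The values removed by this hunk stay in repository history, so any environment that ever ran with these defaults should treat them as exposed and rotate them.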