diff --git a/.gitignore b/.gitignore
index 892fd87e4..d3fe0784b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -73,8 +73,11 @@ docker-data/
 veza-backend-api/main
 veza-backend-api/api
 veza-backend-api/migrate_tool
-chat_exports/!veza-stream-server/src/bin/
-!veza-stream-server/.env
+chat_exports/
+
+# Environment / Secrets — config templates only, never commit real .env
+config/incus/env/*.env
+!config/incus/env/env.example
 
 # Playwright
 /test-results/
diff --git a/config/incus/env/backend-api.env b/config/incus/env/backend-api.env
deleted file mode 100644
index 75cc326e5..000000000
--- a/config/incus/env/backend-api.env
+++ /dev/null
@@ -1,31 +0,0 @@
-# Veza Backend API Environment Configuration
-# Edit this file to configure your backend-api service
-
-# Application
-APP_ENV=production
-APP_PORT=8080
-LOG_LEVEL=INFO
-LOG_DIR=/var/log/veza
-
-# Database
-DATABASE_URL=postgresql://veza:password@10.10.10.10:5432/veza?sslmode=disable
-
-# Redis
-REDIS_URL=redis://10.10.10.10:6379
-REDIS_ENABLE=true
-
-# RabbitMQ (disabled - not deployed in infra)
-RABBITMQ_URL=amqp://veza:password@10.10.10.10:5672/%2f
-RABBITMQ_ENABLE=false
-
-# Security
-JWT_SECRET=your-super-secret-jwt-key-change-this-in-production-min-32-chars
-CORS_ALLOWED_ORIGINS=http://10.10.10.1,http://10.10.10.6,https://10.10.10.6,http://localhost
-
-# Services
-STREAM_SERVER_URL=http://10.10.10.4:3002
-CHAT_SERVER_URL=http://10.10.10.3:8081
-
-# ClamAV (disabled in Incus by default)
-ENABLE_CLAMAV=false
-CLAMAV_REQUIRED=false
diff --git a/config/incus/env/chat-server.env b/config/incus/env/chat-server.env
deleted file mode 100644
index 0e47cf8de..000000000
--- a/config/incus/env/chat-server.env
+++ /dev/null
@@ -1,32 +0,0 @@
-# Veza Chat Server Environment Configuration
-# Edit this file to configure your chat-server service
-
-# Environment
-RUST_ENV=production
-RUST_LOG=info
-
-# Database
-DATABASE_URL=postgresql://veza:password@10.10.10.10:5432/veza?sslmode=disable
-DB_MAX_CONNECTIONS=10
-DB_CONNECT_TIMEOUT=10
-DB_AUTO_MIGRATE=true
-
-# Security
-JWT_SECRET=your-super-secret-jwt-key-change-this-in-production-min-32-chars
-JWT_ACCESS_DURATION=15m
-JWT_REFRESH_DURATION=7d
-JWT_ALGORITHM=HS256
-
-# Server
-SERVER_BIND_ADDR=0.0.0.0:8081
-SERVER_WORKERS=0
-CONNECTION_TIMEOUT=30
-HEARTBEAT_INTERVAL=30
-
-# Redis (optional)
-REDIS_URL=redis://10.10.10.10:6379
-REDIS_ENABLED=true
-REDIS_POOL_SIZE=10
-
-# RabbitMQ
-RABBITMQ_URL=amqp://veza:password@10.10.10.10:5672/%2f
diff --git a/config/incus/env/stream-server.env b/config/incus/env/stream-server.env
deleted file mode 100644
index f0709c0d0..000000000
--- a/config/incus/env/stream-server.env
+++ /dev/null
@@ -1,26 +0,0 @@
-# Veza Stream Server Environment Configuration
-# Edit this file to configure your stream-server service
-
-# Environment
-RUST_ENV=production
-RUST_LOG=info
-
-# Database
-DATABASE_URL=postgresql://veza:password@10.10.10.10:5432/veza?sslmode=disable
-DB_MAX_CONNECTIONS=10
-DB_CONNECT_TIMEOUT=10
-
-# Server
-SERVER_BIND_ADDR=0.0.0.0:3002
-SERVER_WORKERS=0
-
-# Audio
-AUDIO_DIR=/opt/veza/stream-server/audio
-MAX_AUDIO_SIZE=104857600
-
-# Redis (optional)
-REDIS_URL=redis://10.10.10.10:6379
-REDIS_ENABLED=true
-
-# RabbitMQ
-RABBITMQ_URL=amqp://veza:password@10.10.10.10:5672/%2f
diff --git a/veza-stream-server/.env b/veza-stream-server/.env
deleted file mode 100644
index 5eb57ffc5..000000000
--- a/veza-stream-server/.env
+++ /dev/null
@@ -1,7 +0,0 @@
-SECRET_KEY=dev-secret-key-minimum-32-characters-long-for-testing-stream
-DATABASE_URL=postgres://veza:password@localhost:5432/veza?sslmode=disable
-RABBITMQ_URL=amqp://veza:password@localhost:5672/%2f
-JWT_SECRET=dev-secret-key-minimum-32-characters-long-for-testing
-ALLOWED_ORIGINS=*
-AUDIO_DIR=audio
-STREAM_PORT=3002