diff --git a/.gitignore b/.gitignore
index 64181a2..cc04a1e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,6 @@
 avanti*
 debug*
 scrap*
-secret*
+#secret*
 TODO*
 *.log
diff --git a/docker/.dockerignore b/docker/.dockerignore
index 7adc687..ad3e0d3 100644
--- a/docker/.dockerignore
+++ b/docker/.dockerignore
@@ -2,4 +2,4 @@
 !src
 !xfce*
 !.g3-cache
-secret*
+
diff --git a/secrets.rc b/secrets.rc
new file mode 100644
index 0000000..c1b79f0
--- /dev/null
+++ b/secrets.rc
@@ -0,0 +1,116 @@
+### This files configures the environment (including secrets!) for building images locally.
+### Source this file before building.
+### Rename it to "secrets.rc" (or similar) and **make sure** that the '.gitignore' and '.dockerignore' files 
+### contain the 'secret*' exclusion pattern!
+### Example: source ./secrets.rc
+### This file is automatically sourced by the script 'hooks/env.rc' if it's found in the same directory.
+
+#region General building pipeline control
+
+export DOCKER_BUILDKIT=1
+# export COMPOSE_DOCKER_CLI_BUILD=0
+
+### will force re-building regardless of the verbose version sticker changes
+# export FORCE_BUILDING=0
+
+### will prohibit re-building regardless of verbose version sticker changes
+# export PROHIBIT_BUILDING=0
+
+#endregion
+
+
+#region Optional version sticker prefix and/or suffix
+
+# export VERSION_STICKER_PREFIX="LOCAL-BETA-"
+# export VERSION_STICKER_SUFFIX="-BETA"
+
+#endregion
+
+
+#region Development environment
+
+### -----------------------
+### development environment
+### -----------------------
+
+# ### owner of Gitea repos
+# export REPO_OWNER_NAME="akanealw"
+# ### development builder gist
+# export GIST_ID=""
+# ### development deployment gist
+# export DEPLOY_GIST_ID=""
+# ### note that the reserved repository name 'void' will prohibit the publishing
+# ### primary deployment repos may not exist (may be also left unset)
+export DEPLOYMENT_REPO="repo.aknlw.com/akanealw/debian-xfce"
+export DEPLOYMENT_REPO_CHROMIUM="repo.aknlw.com/akanealw/debian-xfce-chromium"
+export DEPLOYMENT_REPO_FIREFOX="repo.aknlw.com/akanealw/debian-xfce-firefox"
+# ### builder repo can be a secondary deployment repo (if FORCE_PUBLISHING_BUILDER_REPO=1)
+export BUILDER_REPO="repo.aknlw.com/akanealw/debian-vnc-xfce-g3"
+# ### shared g3-cache is outside the Docker building context
+# export SHARED_G3_CACHE_PATH=""
+# ### used to control building/publishing (unset means '0')
+# export FORCE_PUBLISHING_BUILDER_REPO=1
+# export FORCE_BUILDING=1
+# ### used by the 'post_push' hook script, which normally removes the helper files
+# # export KEEP_HELPER_FILES=0
+# ### explicitly disable features that are enabled by default
+# # export FEATURES_NOVNC=0
+export FEATURES_FIREFOX_PLUS=0
+# # export FEATURES_OVERRIDING_ENVV=0
+
+#endregion
+
+
+#region Production environment
+
+### ----------------------
+### production environment
+### ----------------------
+
+# ### owner of Docker Hub repos
+# export REPO_OWNER_NAME=""
+# ### production builder gist
+# export GIST_ID=""
+# ### produktion deployment gist
+# export DEPLOY_GIST_ID=""
+# ### note that the reserved repository name 'void' will prohibit the publishing
+# ### primary deployment repos
+# export DEPLOYMENT_REPO=""
+# export DEPLOYMENT_REPO_CHROMIUM=""
+# export DEPLOYMENT_REPO_FIREFOX=""
+# ### builder repo can be a secondary deployment repo (if FORCE_PUBLISHING_BUILDER_REPO=1)
+# export BUILDER_REPO=""
+# ### shared g3-cache is outside the Docker building context
+# export SHARED_G3_CACHE_PATH=""
+# ### used to control building/publishing (unset means '0')
+# export FORCE_PUBLISHING_BUILDER_REPO=1
+# export FORCE_BUILDING=1
+# ### used by the 'post_push' hook script, which normally removes the helper files
+# export KEEP_HELPER_FILES=0
+# ### explicitly disable features that are enabled by default
+# # export FEATURES_NOVNC=0
+# # export FEATURES_FIREFOX_PLUS=0
+# # export FEATURES_OVERRIDING_ENVV=0
+
+#endregion
+
+
+#region Real secrets
+
+### ------------
+### REAL SECRETS
+### ------------
+
+### !!! REAL SECRET !!!
+### Gitea: Settings/Developer settings/Personal access tokens
+### this PAT must have the 'gist' scope
+### warning! this gist token is valid for all gits of the same owner!
+# export GIST_TOKEN=""
+
+### !!! REAL SECRETS !!!
+### Docker Hub credentials
+### warning! this credentials are valid for all Docker Hub repositories of the same owner!
+# export DOCKERHUB_USERNAME=""
+# export DOCKERHUB_PASSWORD=""
+
+#endregion