diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..3587bd4
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,19 @@
+# Homelab bootstrap — gitleaks allowlist (tests, examples, placeholders)
+title = "homelab gitea bootstrap"
+
+[allowlist]
+description = "Test fixtures and example configs are not production secrets"
+paths = [
+  '''(?i).*\.test\.(ts|tsx|js|jsx|py)$''',
+  '''(?i).*\.spec\.(ts|tsx|js|jsx)$''',
+  '''(?i).*/tests/.*''',
+  '''(?i).*/__tests__/.*''',
+  '''(?i).*\.example\.(yml|yaml|env|json|toml)$''',
+  '''(?i).*vault\.example\.(yml|yaml)$''',
+  '''(?i).*\.env\.example$''',
+]
+regexes = [
+  '''(?i)(invalid|fake|dummy|placeholder|example|changeme|change_me|not-a-real)''',
+  '''(?i)sk-or-invalid''',
+  '''(?i)msk-or-invalid''',
+]