diff --git a/.woodpecker.yml b/.woodpecker.yml
index cd1703a..e13ca5b 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -207,6 +207,33 @@ steps:
 commands:
 - echo "Deploying to production environment"
 - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us
+ - echo "Removing old stack to release secrets"
+ - docker stack rm $${CI_REPO_NAME} || true
+ - echo "Waiting for stack removal to complete"
+ - sleep 30
+ - echo "Removing old Docker secrets"
+ - docker secret rm AUTHENTICATION_BACKEND_LDAP_PASSWORD || true
+ - docker secret rm IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET || true
+ - docker secret rm STORAGE_ENCRYPTION_KEY || true
+ - docker secret rm SESSION_SECRET || true
+ - docker secret rm NOTIFIER_SMTP_PASSWORD || true
+ - docker secret rm IDENTITY_PROVIDERS_OIDC_HMAC_SECRET || true
+ - docker secret rm IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY || true
+ - docker secret rm IDENTITY_PROVIDERS_OIDC_JWKS_KEY || true
+ - docker secret rm CLIENT_SECRET_HEADSCALE || true
+ - docker secret rm CLIENT_SECRET_HEADADMIN || true
+ - echo "Creating new Docker secrets with updated values"
+ - echo "$${AUTHENTICATION_BACKEND_LDAP_PASSWORD}" | docker secret create AUTHENTICATION_BACKEND_LDAP_PASSWORD -
+ - echo "$${IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET}" | docker secret create IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET -
+ - echo "$${STORAGE_ENCRYPTION_KEY}" | docker secret create STORAGE_ENCRYPTION_KEY -
+ - echo "$${SESSION_SECRET}" | docker secret create SESSION_SECRET -
+ - echo "$${NOTIFIER_SMTP_PASSWORD}" | docker secret create NOTIFIER_SMTP_PASSWORD -
+ - echo "$${IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}" | docker secret create IDENTITY_PROVIDERS_OIDC_HMAC_SECRET -
+ - echo "$${IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY}" | docker secret create IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY -
+ - echo "$${IDENTITY_PROVIDERS_OIDC_JWKS_KEY}" | docker secret create IDENTITY_PROVIDERS_OIDC_JWKS_KEY -
+ - echo "$${CLIENT_SECRET_HEADSCALE}" | docker secret create CLIENT_SECRET_HEADSCALE -
+ - echo "$${CLIENT_SECRET_HEADADMIN}" | docker secret create CLIENT_SECRET_HEADADMIN -
+ - echo "Deploying new stack with fresh secrets"
 - docker stack deploy --with-registry-auth -c ./stack.production.yml $${CI_REPO_NAME}
 when:
 branch: main
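Review bot: The ten `docker secret create` lines never verify that the CI variable is actually set, so an unset or misnamed variable appears to produce an empty Docker secret and the stack is then deployed with an empty SESSION_SECRET, STORAGE_ENCRYPTION_KEY or OIDC key, which is much harder to diagnose at runtime than a failed step here; `echo` also appends a newline that becomes part of the secret file (unless the consumer trims it) and mis-handles values beginning with `-n` or `-e`. Write each pair as `: "$${SESSION_SECRET:?SESSION_SECRET is not set}"` followed by `printf '%s' "$${SESSION_SECRET}" | docker secret create SESSION_SECRET -`, and apply the same pattern to the other nine. The fixed `sleep 30` after `docker stack rm` is a race rather than a synchronisation: if service teardown takes longer, `|| true` hides the `docker secret rm` failure and the later `docker secret create` fails with an already-exists error, so polling with `until [ -z "$(docker stack ps $${CI_REPO_NAME} -q 2>/dev/null)" ]; do sleep 2; done` would make the step deterministic. Removing the whole stack on every deploy also implies downtime for the duration of this step; rotating secret names per deploy and referencing them as external secrets from stack.production.yml (not visible here) would avoid that, but it is a larger change.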