diff --git a/packaging/freebsd/colibri_daemon.in b/packaging/freebsd/colibri_daemon.in
index 637d2ea..0dae534 100644
--- a/packaging/freebsd/colibri_daemon.in
+++ b/packaging/freebsd/colibri_daemon.in
@@ -14,6 +14,9 @@
 #   cp packaging/freebsd/colibri_daemon.in /usr/local/etc/rc.d/colibri_daemon
 #   chmod 555 /usr/local/etc/rc.d/colibri_daemon
 #   sysrc colibri_daemon_enable=YES   # or NO during dual-run
+#   cp packaging/freebsd/provider.env.example /usr/local/etc/colibri/provider.env
+#   chmod 600 /usr/local/etc/colibri/provider.env
+#   $EDITOR /usr/local/etc/colibri/provider.env   # fill in vault credentials
 #
 # Runtime:
 #   service colibri_daemon start
diff --git a/packaging/freebsd/provider.env.example b/packaging/freebsd/provider.env.example
new file mode 100644
index 0000000..8639641
--- /dev/null
+++ b/packaging/freebsd/provider.env.example
@@ -0,0 +1,13 @@
+# Vaultwarden credentials — sourced by colibri_daemon pre-start.
+# Install to: /usr/local/etc/colibri/provider.env
+# Permissions: chmod 600, chown clawdie:clawdie
+#
+# Fill in the three values below. The daemon pre-start sources this
+# file; colibri-vault uses BW_CLIENTID + BW_CLIENTSECRET to log in
+# and BW_PASSWORD to unlock the vault before fetching secrets.
+
+BW_CLIENTID=
+BW_CLIENTSECRET=***
+BW_PASSWORD=***
+
+# BW_SERVER=   # optional: vault server URL if not default