[ci skip] phase 5+6: update CI pipelines for SOPS, add sensitive=true to secret vars

Phase 5 — CI pipelines: - default.yml: add SOPS decrypt in prepare step, change git add . to specific paths (stacks/ state/ .woodpecker/), cleanup on success+failure - renew-tls.yml: change git add . to git add secrets/ state/ Phase 6 — sensitive=true: - Add sensitive = true to 256 variable declarations across 149 stack files - Prevents secret values from appearing in terraform plan output - Does NOT modify shared modules (ingress_factory, nfs_volume) to avoid breaking module interface contracts Note: CI pipeline SOPS decryption requires sops_age_key Woodpecker secret to be created before the pipeline will work with SOPS. Until then, the old terraform.tfvars path continues to function.
2026-03-07 14:30:36 +00:00 · 2026-03-07 14:30:36 +00:00 · 1f2c1ca361
commit 1f2c1ca361
parent fb1347a130
146 changed files with 921 additions and 186 deletions
--- a/.woodpecker/default.yml
+++ b/.woodpecker/default.yml
@ -1,5 +1,6 @@
 when:
  event: push
+  branch: master

 clone:
  git:
@ -13,33 +14,44 @@ steps:
    image: alpine
    commands:
      - "apk update && apk add jq curl git git-crypt"
+      # git-crypt for secrets/ directory (TLS certs, deploy key)
      - |
        curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
-      - "git-crypt unlock /tmp/key"
+      - "git-crypt unlock /tmp/key && rm /tmp/key"
+      # SOPS: download to workspace (shared across steps), decrypt secrets
+      - "wget -qO ./sops https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 && chmod +x ./sops"
+      - "echo \"$SOPS_AGE_KEY\" > /tmp/age.key && SOPS_AGE_KEY_FILE=/tmp/age.key ./sops -d secrets.sops.json > secrets.auto.tfvars.json && rm -f /tmp/age.key"
+    environment:
+      SOPS_AGE_KEY:
+        from_secret: sops_age_key

  - name: terragrunt-apply
    image: alpine
    commands:
      - "apk update && apk add curl unzip git openssh-client"
      # Install Terraform
-      - "wget -O /tmp/terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip"
+      - "wget -qO /tmp/terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip"
      - "unzip -o /tmp/terraform.zip -d /usr/local/bin/ && chmod 755 /usr/local/bin/terraform"
      # Install Terragrunt
-      - "wget -O /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64"
+      - "wget -qO /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64"
      - "chmod 755 /usr/local/bin/terragrunt"
      # Apply platform stack (core infrastructure services)
      - "cd stacks/platform && terragrunt apply --non-interactive -auto-approve"

-  - name: push-commit
+  - name: cleanup-and-push
    image: alpine
    commands:
+      - "rm -f secrets.auto.tfvars.json secrets.auto.tfvars.json.*"
      - "apk update && apk add openssh-client git git-crypt"
-      - "mkdir ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
+      - "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
      - "chmod 400 secrets/deploy_key"
-      - "git add ."
+      # Only add specific paths — never git add .
+      - "git add stacks/ state/ .woodpecker/ || true"
      - "git remote set-url origin git@github.com:ViktorBarzin/infra.git"
      - "git commit -m 'Woodpecker CI deploy commit [CI SKIP]' || echo 'No changes'"
      - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master"
+    when:
+      status: [success, failure]

  - name: slack
    image: curlimages/curl
@ -52,4 +64,4 @@ steps:
      SLACK_WEBHOOK:
        from_secret: slack_webhook
    when:
-      - status: [success, failure]
+      status: [success, failure]
--- a/.woodpecker/renew-tls.yml
+++ b/.woodpecker/renew-tls.yml
@ -16,7 +16,7 @@ steps:
      - "apk update && apk add jq curl git git-crypt"
      - |
        curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
-      - "git-crypt unlock /tmp/key"
+      - "git-crypt unlock /tmp/key && rm /tmp/key"

  - name: renew-tls
    image: alpine
@ -35,9 +35,10 @@ steps:
    image: alpine
    commands:
      - "apk update && apk add openssh-client git git-crypt"
-      - "mkdir ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
+      - "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
      - "chmod 400 secrets/deploy_key"
-      - "git add ."
+      # Only add specific paths — never git add .
+      - "git add secrets/ state/ || true"
      - "git remote set-url origin git@github.com:ViktorBarzin/infra.git"
      - "git commit -m 'Woodpecker CI Update TLS Certificates Commit' || echo 'No changes'"
      - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git pull --rebase origin master"
--- a/stacks/actualbudget/factory/main.tf
+++ b/stacks/actualbudget/factory/main.tf
@ -11,6 +11,7 @@ variable "sync_id" {
 variable "budget_encryption_password" {
  type    = string
  default = null # If not passed, we won't run banksync ;known after initial installation
+  sensitive = true
 }
 variable "nfs_server" { type = string }

--- a/stacks/actualbudget/main.tf
+++ b/stacks/actualbudget/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "actualbudget_credentials" { type = map(any) }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "actualbudget_credentials" {
+  type = map(any)
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/actualbudget/providers.tf
+++ b/stacks/actualbudget/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/affine/main.tf
+++ b/stacks/affine/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "affine_postgresql_password" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "affine_postgresql_password" {
+  type = string
+  sensitive = true
+}
 variable "mailserver_accounts" { type = map(any) }
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
--- a/stacks/affine/providers.tf
+++ b/stacks/affine/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/audiobookshelf/main.tf
+++ b/stacks/audiobookshelf/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/audiobookshelf/providers.tf
+++ b/stacks/audiobookshelf/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/blog/main.tf
+++ b/stacks/blog/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}


 resource "kubernetes_namespace" "website" {
--- a/stacks/blog/providers.tf
+++ b/stacks/blog/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/calibre/main.tf
+++ b/stacks/calibre/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "homepage_credentials" { type = map(any) }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "homepage_credentials" {
+  type = map(any)
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/calibre/providers.tf
+++ b/stacks/calibre/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/changedetection/main.tf
+++ b/stacks/changedetection/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/changedetection/providers.tf
+++ b/stacks/changedetection/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/city-guesser/main.tf
+++ b/stacks/city-guesser/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}


 resource "kubernetes_namespace" "city-guesser" {
--- a/stacks/city-guesser/providers.tf
+++ b/stacks/city-guesser/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/coturn/main.tf
+++ b/stacks/coturn/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "coturn_turn_secret" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "coturn_turn_secret" {
+  type = string
+  sensitive = true
+}
 variable "public_ip" { type = string }


--- a/stacks/coturn/providers.tf
+++ b/stacks/coturn/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/cyberchef/main.tf
+++ b/stacks/cyberchef/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}


 resource "kubernetes_namespace" "cyberchef" {
--- a/stacks/cyberchef/providers.tf
+++ b/stacks/cyberchef/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/dashy/main.tf
+++ b/stacks/dashy/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}


 module "tls_secret" {
--- a/stacks/dawarich/main.tf
+++ b/stacks/dawarich/main.tf
@ -1,6 +1,15 @@
-variable "tls_secret_name" { type = string }
-variable "dawarich_database_password" { type = string }
-variable "geoapify_api_key" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "dawarich_database_password" {
+  type = string
+  sensitive = true
+}
+variable "geoapify_api_key" {
+  type = string
+  sensitive = true
+}


 variable "image_version" {
--- a/stacks/dawarich/providers.tf
+++ b/stacks/dawarich/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/descheduler/providers.tf
+++ b/stacks/descheduler/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/diun/main.tf
+++ b/stacks/diun/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "diun_nfty_token" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "diun_nfty_token" {
+  type = string
+  sensitive = true
+}
 variable "diun_slack_url" { type = string }
 variable "nfs_server" { type = string }

--- a/stacks/diun/providers.tf
+++ b/stacks/diun/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/ebook2audiobook/main.tf
+++ b/stacks/ebook2audiobook/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/ebook2audiobook/providers.tf
+++ b/stacks/ebook2audiobook/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/echo/main.tf
+++ b/stacks/echo/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}


 resource "kubernetes_namespace" "echo" {
--- a/stacks/echo/providers.tf
+++ b/stacks/echo/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/excalidraw/main.tf
+++ b/stacks/excalidraw/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/excalidraw/providers.tf
+++ b/stacks/excalidraw/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/f1-stream/main.tf
+++ b/stacks/f1-stream/main.tf
@ -1,6 +1,12 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }
-variable "discord_user_token" { type = string }
+variable "discord_user_token" {
+  type = string
+  sensitive = true
+}
 variable "discord_f1_guild_id" { type = string }
 variable "discord_f1_channel_ids" { type = string }

--- a/stacks/f1-stream/providers.tf
+++ b/stacks/f1-stream/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/forgejo/providers.tf
+++ b/stacks/forgejo/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/freedify/factory/main.tf
+++ b/stacks/freedify/factory/main.tf
@ -11,10 +11,12 @@ variable "protected" {
 variable "listenbrainz_token" {
  type    = string
  default = null
+  sensitive = true
 }
 variable "genius_token" {
  type    = string
  default = null
+  sensitive = true
 }
 variable "dab_visitor_id" {
  type    = string
@ -27,6 +29,7 @@ variable "dab_session" {
 variable "gemini_api_key" {
  type    = string
  default = null
+  sensitive = true
 }
 variable "cpu_limit" {
  type    = string
--- a/stacks/freedify/main.tf
+++ b/stacks/freedify/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "freedify_credentials" { type = map(any) }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "freedify_credentials" {
+  type = map(any)
+  sensitive = true
+}


 # To create a new deployment:
--- a/stacks/freedify/providers.tf
+++ b/stacks/freedify/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/freshrss/main.tf
+++ b/stacks/freshrss/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/freshrss/providers.tf
+++ b/stacks/freshrss/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/frigate/main.tf
+++ b/stacks/frigate/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/frigate/providers.tf
+++ b/stacks/frigate/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/grampsweb/main.tf
+++ b/stacks/grampsweb/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "mailserver_accounts" { type = map(any) }
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
--- a/stacks/grampsweb/providers.tf
+++ b/stacks/grampsweb/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/hackmd/main.tf
+++ b/stacks/hackmd/main.tf
@ -1,5 +1,11 @@
-variable "hackmd_db_password" { type = string }
-variable "tls_secret_name" { type = string }
+variable "hackmd_db_password" {
+  type = string
+  sensitive = true
+}
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "mysql_host" { type = string }

--- a/stacks/hackmd/providers.tf
+++ b/stacks/hackmd/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/health/main.tf
+++ b/stacks/health/main.tf
@ -1,6 +1,15 @@
-variable "tls_secret_name" { type = string }
-variable "health_postgresql_password" { type = string }
-variable "health_secret_key" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "health_postgresql_password" {
+  type = string
+  sensitive = true
+}
+variable "health_secret_key" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "postgresql_host" { type = string }

--- a/stacks/health/providers.tf
+++ b/stacks/health/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/homepage/INGRESS_WIDGET_MAPPING.md
+++ b/stacks/homepage/INGRESS_WIDGET_MAPPING.md
@ -0,0 +1,121 @@
+# Homepage Ingress Mapping
+
+Total mapped services: **114**\
+Widget-capable matches (candidate): **27**
+
+| Namespace | Ingress | URL | Homepage widget candidate |
+|---|---|---|---|
+| `actualbudget` | `budget-anca` | `https://budget-anca.viktorbarzin.me` | `link-only` |
+| `actualbudget` | `budget-emo` | `https://budget-emo.viktorbarzin.me` | `link-only` |
+| `actualbudget` | `budget-viktor` | `https://budget-viktor.viktorbarzin.me` | `link-only` |
+| `affine` | `affine` | `https://affine.viktorbarzin.me` | `link-only` |
+| `aiostreams` | `aiostreams` | `https://aiostreams.viktorbarzin.me` | `link-only` |
+| `audiobookshelf` | `audiobookshelf` | `https://audiobookshelf.viktorbarzin.me` | `audiobookshelf` |
+| `authentik` | `authentik` | `https://authentik.viktorbarzin.me` | `authentik` |
+| `calibre` | `calibre` | `https://calibre.viktorbarzin.me` | `link-only` |
+| `calibre` | `stacks` | `https://stacks.viktorbarzin.me` | `link-only` |
+| `changedetection` | `changedetection` | `https://changedetection.viktorbarzin.me` | `changedetectionio` |
+| `city-guesser` | `city-guesser` | `https://city-guesser.viktorbarzin.me` | `link-only` |
+| `crowdsec` | `crowdsec-web` | `https://crowdsec-web.viktorbarzin.me` | `crowdsec` |
+| `cyberchef` | `cc` | `https://cc.viktorbarzin.me` | `link-only` |
+| `dashy` | `dashy` | `https://dashy.viktorbarzin.me` | `link-only` |
+| `dawarich` | `dawarich` | `https://dawarich.viktorbarzin.me` | `link-only` |
+| `dbaas` | `pgadmin` | `https://pgadmin.viktorbarzin.me` | `link-only` |
+| `dbaas` | `pma` | `https://pma.viktorbarzin.me` | `link-only` |
+| `ebook2audiobook` | `audiblez-web` | `https://audiblez.viktorbarzin.me` | `link-only` |
+| `ebook2audiobook` | `ebook2audiobook` | `https://ebook2audiobook.viktorbarzin.me` | `link-only` |
+| `echo` | `echo` | `https://echo.viktorbarzin.me` | `link-only` |
+| `excalidraw` | `draw` | `https://draw.viktorbarzin.me` | `link-only` |
+| `f1-stream` | `f1` | `https://f1.viktorbarzin.me` | `link-only` |
+| `forgejo` | `forgejo` | `https://forgejo.viktorbarzin.me` | `link-only` |
+| `freedify` | `music-emo` | `https://music-emo.viktorbarzin.me` | `link-only` |
+| `freedify` | `music-viktor` | `https://music-viktor.viktorbarzin.me` | `link-only` |
+| `freshrss` | `rss` | `https://rss.viktorbarzin.me` | `freshrss` |
+| `frigate` | `frigate` | `https://frigate.viktorbarzin.me` | `frigate` |
+| `frigate` | `frigate-lan` | `https://frigate-lan.viktorbarzin.lan` | `frigate` |
+| `grampsweb` | `family` | `https://family.viktorbarzin.me` | `link-only` |
+| `hackmd` | `hackmd` | `https://hackmd.viktorbarzin.me` | `link-only` |
+| `headscale` | `headscale` | `https://headscale.viktorbarzin.me` | `headscale` |
+| `health` | `health` | `https://health.viktorbarzin.me` | `link-only` |
+| `homepage` | `homepage` | `https://home.viktorbarzin.me` | `link-only` |
+| `immich` | `highlights-immich` | `https://highlights-immich.viktorbarzin.me` | `immich` |
+| `immich` | `immich` | `https://immich.viktorbarzin.me` | `immich` |
+| `jsoncrack` | `json` | `https://json.viktorbarzin.me` | `link-only` |
+| `k8s-portal` | `k8s-portal` | `https://k8s-portal.viktorbarzin.me` | `link-only` |
+| `kms` | `kms` | `https://kms.viktorbarzin.me` | `link-only` |
+| `linkwarden` | `linkwarden` | `https://linkwarden.viktorbarzin.me` | `linkwarden` |
+| `mailserver` | `mail` | `https://mail.viktorbarzin.me` | `link-only` |
+| `matrix` | `matrix` | `https://matrix.viktorbarzin.me` | `link-only` |
+| `meshcentral` | `meshcentral` | `https://meshcentral.viktorbarzin.me` | `link-only` |
+| `monitoring` | `grafana` | `https://grafana.viktorbarzin.me` | `grafana` |
+| `monitoring` | `hetrix-redirect-ingress` | `https://status.viktorbarzin.me` | `link-only` |
+| `monitoring` | `hetrix-yotovski-redirect-ingress` | `https://yotovski-status.viktorbarzin.me` | `link-only` |
+| `monitoring` | `idrac-redfish-exporter` | `https://idrac-redfish-exporter.viktorbarzin.lan` | `link-only` |
+| `monitoring` | `prometheus-alertmanager` | `https://alertmanager.viktorbarzin.me` | `link-only` |
+| `monitoring` | `prometheus-server` | `https://prometheus.viktorbarzin.me` | `prometheus` |
+| `monitoring` | `snmp-exporter` | `https://snmp-exporter.viktorbarzin.lan` | `link-only` |
+| `n8n` | `n8n` | `https://n8n.viktorbarzin.me` | `link-only` |
+| `navidrome` | `navidrome` | `https://navidrome.viktorbarzin.me` | `navidrome` |
+| `netbox` | `netbox` | `https://netbox.viktorbarzin.me` | `link-only` |
+| `networking-toolbox` | `networking-toolbox` | `https://networking-toolbox.viktorbarzin.me` | `link-only` |
+| `nextcloud` | `nextcloud` | `https://nextcloud.viktorbarzin.me` | `nextcloud` |
+| `nextcloud` | `whiteboard` | `https://whiteboard.viktorbarzin.me` | `nextcloud` |
+| `ntfy` | `ntfy` | `https://ntfy.viktorbarzin.me` | `link-only` |
+| `nvidia` | `nvidia-exporter` | `https://nvidia-exporter.viktorbarzin.lan` | `link-only` |
+| `ollama` | `ollama` | `https://ollama.viktorbarzin.me` | `link-only` |
+| `ollama` | `ollama-api` | `https://ollama-api.viktorbarzin.me` | `link-only` |
+| `ollama` | `ollama-server` | `https://ollama-server.viktorbarzin.lan` | `link-only` |
+| `onlyoffice` | `onlyoffice` | `https://onlyoffice.viktorbarzin.me` | `link-only` |
+| `openclaw` | `openclaw` | `https://openclaw.viktorbarzin.me` | `link-only` |
+| `owntracks` | `owntracks` | `https://owntracks.viktorbarzin.me` | `link-only` |
+| `paperless-ngx` | `paperless-ngx` | `https://pdf.viktorbarzin.me` | `paperlessngx` |
+| `plotting-book` | `plotting-book` | `https://plotting-book.viktorbarzin.me` | `link-only` |
+| `poison-fountain` | `poison-fountain` | `https://poison.viktorbarzin.me` | `link-only` |
+| `privatebin` | `privatebin` | `https://pb.viktorbarzin.me` | `link-only` |
+| `realestate-crawler` | `wrongmove` | `https://wrongmove.viktorbarzin.me` | `link-only` |
+| `resume` | `resume` | `https://resume.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `files` | `https://files.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `gw` | `https://gw.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `ha-london` | `https://ha-london.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `ha-sofia` | `https://ha-sofia.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `idrac` | `https://idrac.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `london` | `https://london.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `mbp14` | `https://mbp14.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `mladost3` | `https://mladost3.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `nas` | `https://nas.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `pfsense` | `https://pfsense.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `pi` | `https://pi.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `proxmox` | `https://proxmox.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `r730` | `https://r730.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `registry` | `https://registry.viktorbarzin.me` | `link-only` |
+| `reverse-proxy` | `truenas` | `https://truenas.viktorbarzin.me` | `truenas` |
+| `reverse-proxy` | `valchedrym` | `https://valchedrym.viktorbarzin.me` | `link-only` |
+| `rybbit` | `rybbit` | `https://rybbit.viktorbarzin.me` | `link-only` |
+| `send` | `send` | `https://send.viktorbarzin.me` | `link-only` |
+| `servarr` | `flaresolverr` | `https://flaresolverr.viktorbarzin.me` | `link-only` |
+| `servarr` | `listenarr` | `https://listenarr.viktorbarzin.me` | `link-only` |
+| `servarr` | `prowlarr` | `https://prowlarr.viktorbarzin.me` | `prowlarr` |
+| `servarr` | `qbittorrent` | `https://qbittorrent.viktorbarzin.me` | `qbittorrent` |
+| `speedtest` | `speedtest` | `https://speedtest.viktorbarzin.me` | `speedtest-tracker` |
+| `stirling-pdf` | `stirling-pdf` | `https://stirling-pdf.viktorbarzin.me` | `link-only` |
+| `tandoor` | `tandoor` | `https://tandoor.viktorbarzin.me` | `tandoor` |
+| `technitium` | `technitium` | `https://technitium.viktorbarzin.me` | `technitium` |
+| `technitium` | `technitium-doh` | `https://dns.viktorbarzin.me` | `technitium` |
+| `trading-bot` | `trading` | `https://trading.viktorbarzin.me` | `link-only` |
+| `traefik` | `traefik` | `https://traefik.viktorbarzin.me` | `traefik` |
+| `travel-blog` | `travel` | `https://travel.viktorbarzin.me` | `link-only` |
+| `tuya-bridge` | `tuya-bridge` | `https://tuya-bridge.viktorbarzin.me` | `link-only` |
+| `uptime-kuma` | `uptime` | `https://uptime.viktorbarzin.me` | `uptime-kuma` |
+| `url` | `shlink` | `https://shlink.viktorbarzin.me` | `shlink` |
+| `url` | `url` | `https://url.viktorbarzin.me` | `link-only` |
+| `vaultwarden` | `vaultwarden` | `https://vaultwarden.viktorbarzin.me` | `link-only` |
+| `vpa` | `goldilocks` | `https://goldilocks.viktorbarzin.me` | `link-only` |
+| `wealthfolio` | `wealthfolio` | `https://wealthfolio.viktorbarzin.me` | `link-only` |
+| `webhook-handler` | `webhook-handler` | `https://webhook.viktorbarzin.me` | `link-only` |
+| `website` | `blog` | `https://viktorbarzin.me` | `link-only` |
+| `woodpecker` | `ci` | `https://ci.viktorbarzin.me` | `link-only` |
+| `xray` | `xray-grpc` | `https://xray-grpc.viktorbarzin.me` | `link-only` |
+| `xray` | `xray-vless` | `https://xray-vless.viktorbarzin.me` | `link-only` |
+| `xray` | `xray-ws` | `https://xray-ws.viktorbarzin.me` | `link-only` |
+| `ytdlp` | `yt-highlights` | `https://yt-highlights.viktorbarzin.me` | `link-only` |
+| `ytdlp` | `ytdlp` | `https://yt.viktorbarzin.me` | `link-only` |
--- a/stacks/homepage/main.tf
+++ b/stacks/homepage/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}


 module "tls_secret" {
--- a/stacks/homepage/providers.tf
+++ b/stacks/homepage/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/immich/main.tf
+++ b/stacks/immich/main.tf
@ -1,7 +1,19 @@
-variable "tls_secret_name" { type = string }
-variable "immich_postgresql_password" { type = string }
-variable "immich_frame_api_key" { type = string }
-variable "homepage_credentials" { type = map(any) }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "immich_postgresql_password" {
+  type = string
+  sensitive = true
+}
+variable "immich_frame_api_key" {
+  type = string
+  sensitive = true
+}
+variable "homepage_credentials" {
+  type = map(any)
+  sensitive = true
+}


 variable "immich_version" {
--- a/stacks/immich/providers.tf
+++ b/stacks/immich/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/infra/main.tf
+++ b/stacks/infra/main.tf
@ -12,6 +12,7 @@ variable "proxmox_host" { type = string }
 variable "ssh_private_key" {
  type    = string
  default = ""
+  sensitive = true
 }

 variable "ssh_public_key" {
@ -19,7 +20,10 @@ variable "ssh_public_key" {
  default = ""
 }

-variable "vm_wizard_password" { type = string }
+variable "vm_wizard_password" {
+  type = string
+  sensitive = true
+}

 variable "k8s_join_command" { type = string }

--- a/stacks/infra/providers.tf
+++ b/stacks/infra/providers.tf
@ -11,11 +11,18 @@ terraform {
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 variable "proxmox_pm_api_url" { type = string }
-variable "proxmox_pm_api_token_id" { type = string }
-variable "proxmox_pm_api_token_secret" { type = string }
+variable "proxmox_pm_api_token_id" {
+  type = string
+  sensitive = true
+}
+variable "proxmox_pm_api_token_secret" {
+  type = string
+  sensitive = true
+}

 provider "proxmox" {
  pm_api_url          = var.proxmox_pm_api_url
--- a/stacks/isponsorblocktv/providers.tf
+++ b/stacks/isponsorblocktv/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/jsoncrack/main.tf
+++ b/stacks/jsoncrack/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}


 resource "kubernetes_namespace" "jsoncrack" {
--- a/stacks/jsoncrack/providers.tf
+++ b/stacks/jsoncrack/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/k8s-dashboard/main.tf
+++ b/stacks/k8s-dashboard/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "client_certificate_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "client_certificate_secret_name" {
+  type = string
+  sensitive = true
+}


 resource "random_password" "csrf_token" {
--- a/stacks/k8s-dashboard/providers.tf
+++ b/stacks/k8s-dashboard/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/kms/main.tf
+++ b/stacks/kms/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}


 resource "kubernetes_namespace" "kms" {
--- a/stacks/kms/providers.tf
+++ b/stacks/kms/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/linkwarden/main.tf
+++ b/stacks/linkwarden/main.tf
@ -1,7 +1,16 @@
-variable "tls_secret_name" { type = string }
-variable "linkwarden_postgresql_password" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "linkwarden_postgresql_password" {
+  type = string
+  sensitive = true
+}
 variable "linkwarden_authentik_client_id" { type = string }
-variable "linkwarden_authentik_client_secret" { type = string }
+variable "linkwarden_authentik_client_secret" {
+  type = string
+  sensitive = true
+}
 variable "postgresql_host" { type = string }


--- a/stacks/linkwarden/providers.tf
+++ b/stacks/linkwarden/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/matrix/main.tf
+++ b/stacks/matrix/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/matrix/providers.tf
+++ b/stacks/matrix/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/meshcentral/main.tf
+++ b/stacks/meshcentral/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/meshcentral/providers.tf
+++ b/stacks/meshcentral/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/n8n/main.tf
+++ b/stacks/n8n/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "n8n_postgresql_password" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "n8n_postgresql_password" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "postgresql_host" { type = string }

--- a/stacks/n8n/providers.tf
+++ b/stacks/n8n/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/navidrome/main.tf
+++ b/stacks/navidrome/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/navidrome/providers.tf
+++ b/stacks/navidrome/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/netbox/main.tf
+++ b/stacks/netbox/main.tf
@ -1,6 +1,15 @@
-variable "tls_secret_name" { type = string }
-variable "netbox_db_password" { type = string }
-variable "netbox_superuser_password" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "netbox_db_password" {
+  type = string
+  sensitive = true
+}
+variable "netbox_superuser_password" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "postgresql_host" { type = string }
--- a/stacks/netbox/providers.tf
+++ b/stacks/netbox/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/networking-toolbox/main.tf
+++ b/stacks/networking-toolbox/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}


 resource "kubernetes_namespace" "networking-toolbox" {
--- a/stacks/networking-toolbox/providers.tf
+++ b/stacks/networking-toolbox/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "nextcloud_db_password" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "nextcloud_db_password" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "mysql_host" { type = string }
--- a/stacks/nextcloud/providers.tf
+++ b/stacks/nextcloud/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/ntfy/main.tf
+++ b/stacks/ntfy/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/ntfy/providers.tf
+++ b/stacks/ntfy/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/ollama/main.tf
+++ b/stacks/ollama/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "ollama_api_credentials" { type = map(string) }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "ollama_api_credentials" {
+  type = map(string)
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "ollama_host" { type = string }

--- a/stacks/ollama/providers.tf
+++ b/stacks/ollama/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/onlyoffice/main.tf
+++ b/stacks/onlyoffice/main.tf
@ -1,6 +1,15 @@
-variable "tls_secret_name" { type = string }
-variable "onlyoffice_db_password" { type = string }
-variable "onlyoffice_jwt_token" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "onlyoffice_db_password" {
+  type = string
+  sensitive = true
+}
+variable "onlyoffice_jwt_token" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "mysql_host" { type = string }
--- a/stacks/onlyoffice/providers.tf
+++ b/stacks/onlyoffice/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@ -1,11 +1,35 @@
-variable "tls_secret_name" { type = string }
-variable "openclaw_ssh_key" { type = string }
-variable "openclaw_skill_secrets" { type = map(string) }
-variable "llama_api_key" { type = string }
-variable "brave_api_key" { type = string }
-variable "openrouter_api_key" { type = string }
-variable "nvidia_api_key" { type = string }
-variable "openclaw_telegram_bot_token" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "openclaw_ssh_key" {
+  type = string
+  sensitive = true
+}
+variable "openclaw_skill_secrets" {
+  type = map(string)
+  sensitive = true
+}
+variable "llama_api_key" {
+  type = string
+  sensitive = true
+}
+variable "brave_api_key" {
+  type = string
+  sensitive = true
+}
+variable "openrouter_api_key" {
+  type = string
+  sensitive = true
+}
+variable "nvidia_api_key" {
+  type = string
+  sensitive = true
+}
+variable "openclaw_telegram_bot_token" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/openclaw/providers.tf
+++ b/stacks/openclaw/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/osm_routing/main.tf
+++ b/stacks/osm_routing/main.tf
@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/osm_routing/providers.tf
+++ b/stacks/osm_routing/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "owntracks_credentials" { type = map(string) }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "owntracks_credentials" {
+  type = map(string)
+  sensitive = true
+}
 variable "nfs_server" { type = string }


--- a/stacks/owntracks/providers.tf
+++ b/stacks/owntracks/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/paperless-ngx/main.tf
+++ b/stacks/paperless-ngx/main.tf
@ -1,6 +1,15 @@
-variable "tls_secret_name" { type = string }
-variable "paperless_db_password" { type = string }
-variable "homepage_credentials" { type = map(any) }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
+variable "paperless_db_password" {
+  type = string
+  sensitive = true
+}
+variable "homepage_credentials" {
+  type = map(any)
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "mysql_host" { type = string }
--- a/stacks/paperless-ngx/providers.tf
+++ b/stacks/paperless-ngx/providers.tf
@ -2,6 +2,7 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
+  sensitive = true
 }

 provider "kubernetes" {
--- a/stacks/platform/main.tf
+++ b/stacks/platform/main.tf
@ -22,7 +22,10 @@
 # =============================================================================

 # --- Core ---
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "postgresql_host" { type = string }
@ -35,12 +38,24 @@ variable "prod" {
 }

 # --- dbaas ---
-variable "dbaas_root_password" { type = string }
-variable "dbaas_postgresql_root_password" { type = string }
-variable "dbaas_pgadmin_password" { type = string }
+variable "dbaas_root_password" {
+  type = string
+  sensitive = true
+}
+variable "dbaas_postgresql_root_password" {
+  type = string
+  sensitive = true
+}
+variable "dbaas_pgadmin_password" {
+  type = string
+  sensitive = true
+}

 # --- traefik ---
-variable "ingress_crowdsec_api_key" { type = string }
+variable "ingress_crowdsec_api_key" {
+  type = string
+  sensitive = true
+}
 variable "auth_fallback_htpasswd" {
  type      = string
  sensitive = true
@ -48,16 +63,28 @@ variable "auth_fallback_htpasswd" {
 }

 # --- technitium ---
-variable "technitium_db_password" { type = string }
-variable "homepage_credentials" { type = map(any) }
+variable "technitium_db_password" {
+  type = string
+  sensitive = true
+}
+variable "homepage_credentials" {
+  type = map(any)
+  sensitive = true
+}

 # --- headscale ---
 variable "headscale_config" { type = string }
 variable "headscale_acl" { type = string }

 # --- authentik / rbac / k8s-portal ---
-variable "authentik_secret_key" { type = string }
-variable "authentik_postgres_password" { type = string }
+variable "authentik_secret_key" {
+  type = string
+  sensitive = true
+}
+variable "authentik_postgres_password" {
+  type = string
+  sensitive = true
+}
 variable "k8s_users" {
  type    = map(any)
  default = {}
@ -70,14 +97,26 @@ variable "ssh_private_key" {

 # --- crowdsec ---
 variable "crowdsec_enroll_key" { type = string }
-variable "crowdsec_db_password" { type = string }
-variable "crowdsec_dash_api_key" { type = string }
+variable "crowdsec_db_password" {
+  type = string
+  sensitive = true
+}
+variable "crowdsec_dash_api_key" {
+  type = string
+  sensitive = true
+}
 variable "crowdsec_dash_machine_id" { type = string }
-variable "crowdsec_dash_machine_password" { type = string }
+variable "crowdsec_dash_machine_password" {
+  type = string
+  sensitive = true
+}
 variable "alertmanager_slack_api_url" { type = string }

 # --- cloudflared ---
-variable "cloudflare_api_key" { type = string }
+variable "cloudflare_api_key" {
+  type = string
+  sensitive = true
+}
 variable "cloudflare_email" { type = string }
 variable "cloudflare_account_id" { type = string }
 variable "cloudflare_zone_id" { type = string }
@ -85,20 +124,47 @@ variable "cloudflare_tunnel_id" { type = string }
 variable "public_ip" { type = string }
 variable "cloudflare_proxied_names" {}
 variable "cloudflare_non_proxied_names" {}
-variable "cloudflare_tunnel_token" { type = string }
+variable "cloudflare_tunnel_token" {
+  type = string
+  sensitive = true
+}

 # --- monitoring ---
-variable "alertmanager_account_password" { type = string }
+variable "alertmanager_account_password" {
+  type = string
+  sensitive = true
+}
 variable "monitoring_idrac_username" { type = string }
-variable "monitoring_idrac_password" { type = string }
-variable "tiny_tuya_service_secret" { type = string }
-variable "haos_api_token" { type = string }
-variable "pve_password" { type = string }
-variable "grafana_db_password" { type = string }
-variable "grafana_admin_password" { type = string }
+variable "monitoring_idrac_password" {
+  type = string
+  sensitive = true
+}
+variable "tiny_tuya_service_secret" {
+  type = string
+  sensitive = true
+}
+variable "haos_api_token" {
+  type = string
+  sensitive = true
+}
+variable "pve_password" {
+  type = string
+  sensitive = true
+}
+variable "grafana_db_password" {
+  type = string
+  sensitive = true
+}
+variable "grafana_admin_password" {
+  type = string
+  sensitive = true
+}

 # --- vaultwarden ---
-variable "vaultwarden_smtp_password" { type = string }
+variable "vaultwarden_smtp_password" {
+  type = string
+  sensitive = true
+}

 # --- wireguard ---
 variable "wireguard_wg_0_conf" { type = string }
@ -107,7 +173,10 @@ variable "wireguard_firewall_sh" { type = string }

 # --- xray ---
 variable "xray_reality_clients" { type = list(map(string)) }
-variable "xray_reality_private_key" { type = string }
+variable "xray_reality_private_key" {
+  type = string
+  sensitive = true
+}
 variable "xray_reality_short_ids" { type = list(string) }

 # --- mailserver ---
@ -115,13 +184,22 @@ variable "mailserver_accounts" {}
 variable "mailserver_aliases" {}
 variable "mailserver_opendkim_key" {}
 variable "mailserver_sasl_passwd" {}
-variable "mailserver_roundcubemail_db_password" { type = string }
+variable "mailserver_roundcubemail_db_password" {
+  type = string
+  sensitive = true
+}

 # --- infra-maintenance ---
 variable "webhook_handler_git_user" { type = string }
-variable "webhook_handler_git_token" { type = string }
+variable "webhook_handler_git_token" {
+  type = string
+  sensitive = true
+}
 variable "technitium_username" { type = string }
-variable "technitium_password" { type = string }
+variable "technitium_password" {
+  type = string
+  sensitive = true
+}

 # --- iscsi-csi ---
 variable "truenas_api_key" {
--- a/stacks/platform/modules/crowdsec/main.tf
+++ b/stacks/platform/modules/crowdsec/main.tf
@ -3,9 +3,15 @@ variable "homepage_username" {}
 variable "homepage_password" {}
 variable "db_password" {}
 variable "enroll_key" {}
-variable "crowdsec_dash_api_key" { type = string }          # used for web dash
+variable "crowdsec_dash_api_key" {
+  type = string
+  sensitive = true
+}
 variable "crowdsec_dash_machine_id" { type = string }       # used for web dash
-variable "crowdsec_dash_machine_password" { type = string } # used for web dash
+variable "crowdsec_dash_machine_password" {
+  type = string
+  sensitive = true
+}
 variable "tier" { type = string }
 variable "slack_webhook_url" { type = string }
 variable "mysql_host" { type = string }
--- a/stacks/platform/modules/dbaas/main.tf
+++ b/stacks/platform/modules/dbaas/main.tf
@ -12,7 +12,10 @@ variable "prod" {
  type    = bool
 }
 variable "nfs_server" { type = string }
-variable "kube_config_path" { type = string }
+variable "kube_config_path" {
+  type = string
+  sensitive = true
+}

 resource "kubernetes_namespace" "dbaas" {
  metadata {
--- a/stacks/platform/modules/mailserver/roundcubemail.tf
+++ b/stacks/platform/modules/mailserver/roundcubemail.tf
@ -1,4 +1,7 @@
-variable "roundcube_db_password" { type = string }
+variable "roundcube_db_password" {
+  type = string
+  sensitive = true
+}
 variable "mysql_host" { type = string }

 module "nfs_roundcube_html" {
--- a/stacks/platform/modules/monitoring/main.tf
+++ b/stacks/platform/modules/monitoring/main.tf
@ -8,13 +8,29 @@ variable "idrac_username" {
 }
 variable "idrac_password" {
  default = "calvin"
+  sensitive = true
 }
 variable "alertmanager_slack_api_url" {}
-variable "tiny_tuya_service_secret" { type = string }
-variable "haos_api_token" { type = string }
-variable "pve_password" { type = string }
-variable "grafana_db_password" { type = string }
-variable "grafana_admin_password" { type = string }
+variable "tiny_tuya_service_secret" {
+  type = string
+  sensitive = true
+}
+variable "haos_api_token" {
+  type = string
+  sensitive = true
+}
+variable "pve_password" {
+  type = string
+  sensitive = true
+}
+variable "grafana_db_password" {
+  type = string
+  sensitive = true
+}
+variable "grafana_admin_password" {
+  type = string
+  sensitive = true
+}
 variable "tier" { type = string }
 variable "mysql_host" { type = string }

--- a/stacks/platform/modules/reverse_proxy/factory/main.tf
+++ b/stacks/platform/modules/reverse_proxy/factory/main.tf
@ -17,6 +17,7 @@ variable "protected" {
 variable "ingress_path" {
  type    = list(string)
  default = ["/"]
+  sensitive = true
 }
 variable "max_body_size" {
  type    = string
--- a/Show more
+++ b/Show more