diff --git a/.woodpecker/default.yml b/.woodpecker/default.yml index 36974309..86624b5f 100644 --- a/.woodpecker/default.yml +++ b/.woodpecker/default.yml @@ -1,5 +1,6 @@ when: event: push + branch: master clone: git: 
@@ -13,33 +14,44 @@ steps: image: alpine commands: - "apk update && apk add jq curl git git-crypt" + # git-crypt for secrets/ directory (TLS certs, deploy key) - | curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key - - "git-crypt unlock /tmp/key" + - "git-crypt unlock /tmp/key && rm /tmp/key" + # SOPS: download to workspace (shared across steps), decrypt secrets + - "wget -qO ./sops https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 && chmod +x ./sops" + - "echo \"$SOPS_AGE_KEY\" > /tmp/age.key && SOPS_AGE_KEY_FILE=/tmp/age.key ./sops -d secrets.sops.json > secrets.auto.tfvars.json && rm -f /tmp/age.key" + environment: + SOPS_AGE_KEY: + from_secret: sops_age_key - name: terragrunt-apply image: alpine commands: - "apk update && apk add curl unzip git openssh-client" # Install Terraform - - "wget -O /tmp/terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip" + - "wget -qO /tmp/terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip" - "unzip -o /tmp/terraform.zip -d /usr/local/bin/ && chmod 755 /usr/local/bin/terraform" # Install Terragrunt - - "wget -O /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64" + - "wget -qO /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64" - "chmod 755 /usr/local/bin/terragrunt" # Apply platform stack (core infrastructure services) - "cd stacks/platform && terragrunt apply --non-interactive -auto-approve" - - name: push-commit + - name: cleanup-and-push image: alpine commands: + - "rm -f secrets.auto.tfvars.json secrets.auto.tfvars.json.*" - "apk update && apk add openssh-client git git-crypt" - - "mkdir ~/.ssh && ssh-keyscan -H github.com >> 
~/.ssh/known_hosts" + - "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts" - "chmod 400 secrets/deploy_key" - - "git add ." + # Only add specific paths — never git add . + - "git add stacks/ state/ .woodpecker/ || true" - "git remote set-url origin git@github.com:ViktorBarzin/infra.git" - "git commit -m 'Woodpecker CI deploy commit [CI SKIP]' || echo 'No changes'" - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master" + when: + status: [success, failure] - name: slack image: curlimages/curl @@ -52,4 +64,4 @@ steps: SLACK_WEBHOOK: from_secret: slack_webhook when: - - status: [success, failure] + status: [success, failure] diff --git a/.woodpecker/renew-tls.yml b/.woodpecker/renew-tls.yml index 7429ec63..d68360d4 100644 --- a/.woodpecker/renew-tls.yml +++ b/.woodpecker/renew-tls.yml @@ -16,7 +16,7 @@ steps: - "apk update && apk add jq curl git git-crypt" - | curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key - - "git-crypt unlock /tmp/key" + - "git-crypt unlock /tmp/key && rm /tmp/key" - name: renew-tls image: alpine @@ -35,9 +35,10 @@ steps: image: alpine commands: - "apk update && apk add openssh-client git git-crypt" - - "mkdir ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts" + - "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts" - "chmod 400 secrets/deploy_key" - - "git add ." + # Only add specific paths — never git add . + - "git add secrets/ state/ || true" - "git remote set-url origin git@github.com:ViktorBarzin/infra.git" - "git commit -m 'Woodpecker CI Update TLS Certificates Commit' || echo 'No changes'" - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git pull --rebase origin master" 
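Review bot: The added `wget -qO ./sops … && chmod +x ./sops` line runs a downloaded binary with no integrity check, and that binary is then given the age key and the decrypted secrets; pin the release digest and verify it between the download and the `chmod`, e.g. `echo '<SHA256_OF_SOPS_BINARY>  ./sops' | sha256sum -c -` (the Terraform and Terragrunt downloads in `terragrunt-apply` have the same gap). sops reads `SOPS_AGE_KEY` from the environment itself, so `./sops -d secrets.sops.json > secrets.auto.tfvars.json` would avoid writing the key to `/tmp/age.key`, which the current `&&` chain leaves in place when decryption fails. The git-crypt key fetch in the same step still uses `curl -k`, so the service-account token is sent without verifying the API server; `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` in place of `-k` would close that here and in `.woodpecker/renew-tls.yml`, assuming the server certificate covers that address. In `cleanup-and-push`, `git add stacks/ state/ .woodpecker/ || true` stages nothing if any one of the paths is missing and hides the error, so state changes could silently go uncommitted; the `git add secrets/ state/ || true` line in `renew-tls.yml` behaves the same way.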
diff --git a/stacks/actualbudget/factory/main.tf b/stacks/actualbudget/factory/main.tf index 6d15f250..6caff933 100644 --- a/stacks/actualbudget/factory/main.tf +++ b/stacks/actualbudget/factory/main.tf @@ -11,6 +11,7 @@ variable "sync_id" { variable "budget_encryption_password" { type = string default = null # If not passed, we won't run banksync ;known after initial installation + sensitive = true } variable "nfs_server" { type = string } diff --git a/stacks/actualbudget/main.tf b/stacks/actualbudget/main.tf index 68975507..b7989ee8 100644 --- a/stacks/actualbudget/main.tf +++ b/stacks/actualbudget/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "actualbudget_credentials" { type = map(any) } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "actualbudget_credentials" { + type = map(any) + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/actualbudget/providers.tf b/stacks/actualbudget/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/actualbudget/providers.tf +++ b/stacks/actualbudget/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf index 0c173186..a855f9ee 100644 --- a/stacks/affine/main.tf +++ b/stacks/affine/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "affine_postgresql_password" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "affine_postgresql_password" { + type = string + sensitive = true +} variable "mailserver_accounts" { type = map(any) } variable "nfs_server" { type = string } variable "redis_host" { type = string } diff --git a/stacks/affine/providers.tf b/stacks/affine/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/affine/providers.tf +++ b/stacks/affine/providers.tf 
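Review bot: `tls_secret_name` is marked `sensitive = true` in `stacks/actualbudget/main.tf`, but it holds the name of a Kubernetes secret rather than secret material; the same is done for `tls_secret_name` in the other stacks and for `kube_config_path` (a file path with a public default) in every `providers.tf`. Terraform propagates sensitivity to everything derived from the value, so plan output for resources that use the name is redacted and harder to review, and a sensitive value cannot be used in `for_each`. I would keep these two as plain variables and reserve the flag for credentials such as `actualbudget_credentials`. A comment such as `# sensitive only redacts CLI output; the value is still written to state` on one of the real secrets would also help, since the pipeline in this commit stages a `state/` directory (presumably Terraform state).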
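Review bot: `mailserver_accounts` stays a one-line `map(any)` in the `stacks/affine/main.tf` hunk while `affine_postgresql_password` next to it is marked; if that map carries mailbox passwords (not visible here) it should get `sensitive = true` as well, and the same variable is left unmarked in `stacks/grampsweb/main.tf`. Other variables that look like credentials are also left unmarked elsewhere in the commit: `diun_slack_url` in `stacks/diun/main.tf` (a Slack webhook URL is itself a bearer secret), `k8s_join_command` in `stacks/infra/main.tf` (a kubeadm join command normally embeds a bootstrap token), and `dab_session` in `stacks/freedify/factory/main.tf`, whose body is outside the hunk. Each would take the same multi-line block form used for the other secrets, with `sensitive = true` added under `type`.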
@@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/audiobookshelf/main.tf b/stacks/audiobookshelf/main.tf index 8249b014..9e2f00ac 100644 --- a/stacks/audiobookshelf/main.tf +++ b/stacks/audiobookshelf/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/audiobookshelf/providers.tf b/stacks/audiobookshelf/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/audiobookshelf/providers.tf +++ b/stacks/audiobookshelf/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/blog/main.tf b/stacks/blog/main.tf index 9992204c..bfaf22ab 100644 --- a/stacks/blog/main.tf +++ b/stacks/blog/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} resource "kubernetes_namespace" "website" { diff --git a/stacks/blog/providers.tf b/stacks/blog/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/blog/providers.tf +++ b/stacks/blog/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/calibre/main.tf b/stacks/calibre/main.tf index 6c47abb2..c6d217c8 100644 --- a/stacks/calibre/main.tf +++ b/stacks/calibre/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "homepage_credentials" { type = map(any) } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "homepage_credentials" { + type = map(any) + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/calibre/providers.tf b/stacks/calibre/providers.tf index 516f9fed..7b5cc7b8 100644 
--- a/stacks/calibre/providers.tf +++ b/stacks/calibre/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/changedetection/main.tf b/stacks/changedetection/main.tf index 5f3f9e5f..88272411 100644 --- a/stacks/changedetection/main.tf +++ b/stacks/changedetection/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/changedetection/providers.tf b/stacks/changedetection/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/changedetection/providers.tf +++ b/stacks/changedetection/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/city-guesser/main.tf b/stacks/city-guesser/main.tf index b723c28e..c7bdea73 100644 --- a/stacks/city-guesser/main.tf +++ b/stacks/city-guesser/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} resource "kubernetes_namespace" "city-guesser" { diff --git a/stacks/city-guesser/providers.tf b/stacks/city-guesser/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/city-guesser/providers.tf +++ b/stacks/city-guesser/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/coturn/main.tf b/stacks/coturn/main.tf index 696cbe45..dd256632 100644 --- a/stacks/coturn/main.tf +++ b/stacks/coturn/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "coturn_turn_secret" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "coturn_turn_secret" { + type = string + sensitive = true +} variable "public_ip" { type = string } 
diff --git a/stacks/coturn/providers.tf b/stacks/coturn/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/coturn/providers.tf +++ b/stacks/coturn/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/cyberchef/main.tf b/stacks/cyberchef/main.tf index 5dc3370a..8979bf38 100644 --- a/stacks/cyberchef/main.tf +++ b/stacks/cyberchef/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} resource "kubernetes_namespace" "cyberchef" { diff --git a/stacks/cyberchef/providers.tf b/stacks/cyberchef/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/cyberchef/providers.tf +++ b/stacks/cyberchef/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/dashy/main.tf b/stacks/dashy/main.tf index e0649dab..650b67fa 100644 --- a/stacks/dashy/main.tf +++ b/stacks/dashy/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} module "tls_secret" { diff --git a/stacks/dawarich/main.tf b/stacks/dawarich/main.tf index d0456de1..63b83096 100644 --- a/stacks/dawarich/main.tf +++ b/stacks/dawarich/main.tf @@ -1,6 +1,15 @@ -variable "tls_secret_name" { type = string } -variable "dawarich_database_password" { type = string } -variable "geoapify_api_key" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "dawarich_database_password" { + type = string + sensitive = true +} +variable "geoapify_api_key" { + type = string + sensitive = true +} variable "image_version" { diff --git a/stacks/dawarich/providers.tf b/stacks/dawarich/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/dawarich/providers.tf +++ b/stacks/dawarich/providers.tf 
@@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/descheduler/providers.tf b/stacks/descheduler/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/descheduler/providers.tf +++ b/stacks/descheduler/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/diun/main.tf b/stacks/diun/main.tf index 23356c20..c979953b 100644 --- a/stacks/diun/main.tf +++ b/stacks/diun/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "diun_nfty_token" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "diun_nfty_token" { + type = string + sensitive = true +} variable "diun_slack_url" { type = string } variable "nfs_server" { type = string } diff --git a/stacks/diun/providers.tf b/stacks/diun/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/diun/providers.tf +++ b/stacks/diun/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/ebook2audiobook/main.tf b/stacks/ebook2audiobook/main.tf index f687414d..568d0f53 100644 --- a/stacks/ebook2audiobook/main.tf +++ b/stacks/ebook2audiobook/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/ebook2audiobook/providers.tf b/stacks/ebook2audiobook/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/ebook2audiobook/providers.tf +++ b/stacks/ebook2audiobook/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/echo/main.tf b/stacks/echo/main.tf index a7d3b5bd..be1fcab0 100644 
--- a/stacks/echo/main.tf +++ b/stacks/echo/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} resource "kubernetes_namespace" "echo" { diff --git a/stacks/echo/providers.tf b/stacks/echo/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/echo/providers.tf +++ b/stacks/echo/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/excalidraw/main.tf b/stacks/excalidraw/main.tf index cff5b99d..30b357b0 100644 --- a/stacks/excalidraw/main.tf +++ b/stacks/excalidraw/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/excalidraw/providers.tf b/stacks/excalidraw/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/excalidraw/providers.tf +++ b/stacks/excalidraw/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf index 07628c4f..55bd604e 100644 --- a/stacks/f1-stream/main.tf +++ b/stacks/f1-stream/main.tf @@ -1,6 +1,12 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } -variable "discord_user_token" { type = string } +variable "discord_user_token" { + type = string + sensitive = true +} variable "discord_f1_guild_id" { type = string } variable "discord_f1_channel_ids" { type = string } diff --git a/stacks/f1-stream/providers.tf b/stacks/f1-stream/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/f1-stream/providers.tf +++ b/stacks/f1-stream/providers.tf 
@@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf index 079e700c..9b5bd6d4 100644 --- a/stacks/forgejo/main.tf +++ b/stacks/forgejo/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/forgejo/providers.tf b/stacks/forgejo/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/forgejo/providers.tf +++ b/stacks/forgejo/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/freedify/factory/main.tf b/stacks/freedify/factory/main.tf index 8077d1f2..d9055b27 100755 --- a/stacks/freedify/factory/main.tf +++ b/stacks/freedify/factory/main.tf @@ -11,10 +11,12 @@ variable "protected" { variable "listenbrainz_token" { type = string default = null + sensitive = true } variable "genius_token" { type = string default = null + sensitive = true } variable "dab_visitor_id" { type = string @@ -27,6 +29,7 @@ variable "dab_session" { variable "gemini_api_key" { type = string default = null + sensitive = true } variable "cpu_limit" { type = string diff --git a/stacks/freedify/main.tf b/stacks/freedify/main.tf index 2a319de6..3d8e0401 100644 --- a/stacks/freedify/main.tf +++ b/stacks/freedify/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "freedify_credentials" { type = map(any) } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "freedify_credentials" { + type = map(any) + sensitive = true +} # To create a new deployment: diff --git a/stacks/freedify/providers.tf b/stacks/freedify/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/freedify/providers.tf +++ b/stacks/freedify/providers.tf 
@@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/freshrss/main.tf b/stacks/freshrss/main.tf index 79fb5243..03906575 100644 --- a/stacks/freshrss/main.tf +++ b/stacks/freshrss/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/freshrss/providers.tf b/stacks/freshrss/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/freshrss/providers.tf +++ b/stacks/freshrss/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/frigate/main.tf b/stacks/frigate/main.tf index 6ac0054a..c323722b 100644 --- a/stacks/frigate/main.tf +++ b/stacks/frigate/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/frigate/providers.tf b/stacks/frigate/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/frigate/providers.tf +++ b/stacks/frigate/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf index 1147aec8..d54beb04 100644 --- a/stacks/grampsweb/main.tf +++ b/stacks/grampsweb/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "mailserver_accounts" { type = map(any) } variable "nfs_server" { type = string } variable "redis_host" { type = string } diff --git a/stacks/grampsweb/providers.tf b/stacks/grampsweb/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/grampsweb/providers.tf +++ b/stacks/grampsweb/providers.tf 
@@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/hackmd/main.tf b/stacks/hackmd/main.tf index 17faab7b..debe9a5a 100644 --- a/stacks/hackmd/main.tf +++ b/stacks/hackmd/main.tf @@ -1,5 +1,11 @@ -variable "hackmd_db_password" { type = string } -variable "tls_secret_name" { type = string } +variable "hackmd_db_password" { + type = string + sensitive = true +} +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } variable "mysql_host" { type = string } diff --git a/stacks/hackmd/providers.tf b/stacks/hackmd/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/hackmd/providers.tf +++ b/stacks/hackmd/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/health/main.tf b/stacks/health/main.tf index 6bad10c7..34ad6403 100644 --- a/stacks/health/main.tf +++ b/stacks/health/main.tf @@ -1,6 +1,15 @@ -variable "tls_secret_name" { type = string } -variable "health_postgresql_password" { type = string } -variable "health_secret_key" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "health_postgresql_password" { + type = string + sensitive = true +} +variable "health_secret_key" { + type = string + sensitive = true +} variable "nfs_server" { type = string } variable "postgresql_host" { type = string } diff --git a/stacks/health/providers.tf b/stacks/health/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/health/providers.tf +++ b/stacks/health/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/homepage/INGRESS_WIDGET_MAPPING.md b/stacks/homepage/INGRESS_WIDGET_MAPPING.md new file mode 100644 index 00000000..8d61e7e0 --- /dev/null 
+++ b/stacks/homepage/INGRESS_WIDGET_MAPPING.md 
@@ -0,0 +1,121 @@ +# Homepage Ingress Mapping + +Total mapped services: **114**\ +Widget-capable matches (candidate): **27** + +| Namespace | Ingress | URL | Homepage widget candidate | +|---|---|---|---| +| `actualbudget` | `budget-anca` | `https://budget-anca.viktorbarzin.me` | `link-only` | +| `actualbudget` | `budget-emo` | `https://budget-emo.viktorbarzin.me` | `link-only` | +| `actualbudget` | `budget-viktor` | `https://budget-viktor.viktorbarzin.me` | `link-only` | +| `affine` | `affine` | `https://affine.viktorbarzin.me` | `link-only` | +| `aiostreams` | `aiostreams` | `https://aiostreams.viktorbarzin.me` | `link-only` | +| `audiobookshelf` | `audiobookshelf` | `https://audiobookshelf.viktorbarzin.me` | `audiobookshelf` | +| `authentik` | `authentik` | `https://authentik.viktorbarzin.me` | `authentik` | +| `calibre` | `calibre` | `https://calibre.viktorbarzin.me` | `link-only` | +| `calibre` | `stacks` | `https://stacks.viktorbarzin.me` | `link-only` | +| `changedetection` | `changedetection` | `https://changedetection.viktorbarzin.me` | `changedetectionio` | +| `city-guesser` | `city-guesser` | `https://city-guesser.viktorbarzin.me` | `link-only` | +| `crowdsec` | `crowdsec-web` | `https://crowdsec-web.viktorbarzin.me` | `crowdsec` | +| `cyberchef` | `cc` | `https://cc.viktorbarzin.me` | `link-only` | +| `dashy` | `dashy` | `https://dashy.viktorbarzin.me` | `link-only` | +| `dawarich` | `dawarich` | `https://dawarich.viktorbarzin.me` | `link-only` | +| `dbaas` | `pgadmin` | `https://pgadmin.viktorbarzin.me` | `link-only` | +| `dbaas` | `pma` | `https://pma.viktorbarzin.me` | `link-only` | +| `ebook2audiobook` | `audiblez-web` | `https://audiblez.viktorbarzin.me` | `link-only` | +| `ebook2audiobook` | `ebook2audiobook` | `https://ebook2audiobook.viktorbarzin.me` | `link-only` | +| `echo` | `echo` | `https://echo.viktorbarzin.me` | `link-only` | +| `excalidraw` | `draw` | `https://draw.viktorbarzin.me` | `link-only` | +| `f1-stream` | `f1` | 
`https://f1.viktorbarzin.me` | `link-only` | +| `forgejo` | `forgejo` | `https://forgejo.viktorbarzin.me` | `link-only` | +| `freedify` | `music-emo` | `https://music-emo.viktorbarzin.me` | `link-only` | +| `freedify` | `music-viktor` | `https://music-viktor.viktorbarzin.me` | `link-only` | +| `freshrss` | `rss` | `https://rss.viktorbarzin.me` | `freshrss` | +| `frigate` | `frigate` | `https://frigate.viktorbarzin.me` | `frigate` | +| `frigate` | `frigate-lan` | `https://frigate-lan.viktorbarzin.lan` | `frigate` | +| `grampsweb` | `family` | `https://family.viktorbarzin.me` | `link-only` | +| `hackmd` | `hackmd` | `https://hackmd.viktorbarzin.me` | `link-only` | +| `headscale` | `headscale` | `https://headscale.viktorbarzin.me` | `headscale` | +| `health` | `health` | `https://health.viktorbarzin.me` | `link-only` | +| `homepage` | `homepage` | `https://home.viktorbarzin.me` | `link-only` | +| `immich` | `highlights-immich` | `https://highlights-immich.viktorbarzin.me` | `immich` | +| `immich` | `immich` | `https://immich.viktorbarzin.me` | `immich` | +| `jsoncrack` | `json` | `https://json.viktorbarzin.me` | `link-only` | +| `k8s-portal` | `k8s-portal` | `https://k8s-portal.viktorbarzin.me` | `link-only` | +| `kms` | `kms` | `https://kms.viktorbarzin.me` | `link-only` | +| `linkwarden` | `linkwarden` | `https://linkwarden.viktorbarzin.me` | `linkwarden` | +| `mailserver` | `mail` | `https://mail.viktorbarzin.me` | `link-only` | +| `matrix` | `matrix` | `https://matrix.viktorbarzin.me` | `link-only` | +| `meshcentral` | `meshcentral` | `https://meshcentral.viktorbarzin.me` | `link-only` | +| `monitoring` | `grafana` | `https://grafana.viktorbarzin.me` | `grafana` | +| `monitoring` | `hetrix-redirect-ingress` | `https://status.viktorbarzin.me` | `link-only` | +| `monitoring` | `hetrix-yotovski-redirect-ingress` | `https://yotovski-status.viktorbarzin.me` | `link-only` | +| `monitoring` | `idrac-redfish-exporter` | `https://idrac-redfish-exporter.viktorbarzin.lan` | 
`link-only` | +| `monitoring` | `prometheus-alertmanager` | `https://alertmanager.viktorbarzin.me` | `link-only` | +| `monitoring` | `prometheus-server` | `https://prometheus.viktorbarzin.me` | `prometheus` | +| `monitoring` | `snmp-exporter` | `https://snmp-exporter.viktorbarzin.lan` | `link-only` | +| `n8n` | `n8n` | `https://n8n.viktorbarzin.me` | `link-only` | +| `navidrome` | `navidrome` | `https://navidrome.viktorbarzin.me` | `navidrome` | +| `netbox` | `netbox` | `https://netbox.viktorbarzin.me` | `link-only` | +| `networking-toolbox` | `networking-toolbox` | `https://networking-toolbox.viktorbarzin.me` | `link-only` | +| `nextcloud` | `nextcloud` | `https://nextcloud.viktorbarzin.me` | `nextcloud` | +| `nextcloud` | `whiteboard` | `https://whiteboard.viktorbarzin.me` | `nextcloud` | +| `ntfy` | `ntfy` | `https://ntfy.viktorbarzin.me` | `link-only` | +| `nvidia` | `nvidia-exporter` | `https://nvidia-exporter.viktorbarzin.lan` | `link-only` | +| `ollama` | `ollama` | `https://ollama.viktorbarzin.me` | `link-only` | +| `ollama` | `ollama-api` | `https://ollama-api.viktorbarzin.me` | `link-only` | +| `ollama` | `ollama-server` | `https://ollama-server.viktorbarzin.lan` | `link-only` | +| `onlyoffice` | `onlyoffice` | `https://onlyoffice.viktorbarzin.me` | `link-only` | +| `openclaw` | `openclaw` | `https://openclaw.viktorbarzin.me` | `link-only` | +| `owntracks` | `owntracks` | `https://owntracks.viktorbarzin.me` | `link-only` | +| `paperless-ngx` | `paperless-ngx` | `https://pdf.viktorbarzin.me` | `paperlessngx` | +| `plotting-book` | `plotting-book` | `https://plotting-book.viktorbarzin.me` | `link-only` | +| `poison-fountain` | `poison-fountain` | `https://poison.viktorbarzin.me` | `link-only` | +| `privatebin` | `privatebin` | `https://pb.viktorbarzin.me` | `link-only` | +| `realestate-crawler` | `wrongmove` | `https://wrongmove.viktorbarzin.me` | `link-only` | +| `resume` | `resume` | `https://resume.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | 
`files` | `https://files.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `gw` | `https://gw.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `ha-london` | `https://ha-london.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `ha-sofia` | `https://ha-sofia.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `idrac` | `https://idrac.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `london` | `https://london.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `mbp14` | `https://mbp14.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `mladost3` | `https://mladost3.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `nas` | `https://nas.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `pfsense` | `https://pfsense.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `pi` | `https://pi.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `proxmox` | `https://proxmox.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `r730` | `https://r730.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `registry` | `https://registry.viktorbarzin.me` | `link-only` | +| `reverse-proxy` | `truenas` | `https://truenas.viktorbarzin.me` | `truenas` | +| `reverse-proxy` | `valchedrym` | `https://valchedrym.viktorbarzin.me` | `link-only` | +| `rybbit` | `rybbit` | `https://rybbit.viktorbarzin.me` | `link-only` | +| `send` | `send` | `https://send.viktorbarzin.me` | `link-only` | +| `servarr` | `flaresolverr` | `https://flaresolverr.viktorbarzin.me` | `link-only` | +| `servarr` | `listenarr` | `https://listenarr.viktorbarzin.me` | `link-only` | +| `servarr` | `prowlarr` | `https://prowlarr.viktorbarzin.me` | `prowlarr` | +| `servarr` | `qbittorrent` | `https://qbittorrent.viktorbarzin.me` | `qbittorrent` | +| `speedtest` | `speedtest` | `https://speedtest.viktorbarzin.me` | `speedtest-tracker` | +| `stirling-pdf` | `stirling-pdf` | `https://stirling-pdf.viktorbarzin.me` | `link-only` | +| `tandoor` | `tandoor` | `https://tandoor.viktorbarzin.me` | 
`tandoor` | +| `technitium` | `technitium` | `https://technitium.viktorbarzin.me` | `technitium` | +| `technitium` | `technitium-doh` | `https://dns.viktorbarzin.me` | `technitium` | +| `trading-bot` | `trading` | `https://trading.viktorbarzin.me` | `link-only` | +| `traefik` | `traefik` | `https://traefik.viktorbarzin.me` | `traefik` | +| `travel-blog` | `travel` | `https://travel.viktorbarzin.me` | `link-only` | +| `tuya-bridge` | `tuya-bridge` | `https://tuya-bridge.viktorbarzin.me` | `link-only` | +| `uptime-kuma` | `uptime` | `https://uptime.viktorbarzin.me` | `uptime-kuma` | +| `url` | `shlink` | `https://shlink.viktorbarzin.me` | `shlink` | +| `url` | `url` | `https://url.viktorbarzin.me` | `link-only` | +| `vaultwarden` | `vaultwarden` | `https://vaultwarden.viktorbarzin.me` | `link-only` | +| `vpa` | `goldilocks` | `https://goldilocks.viktorbarzin.me` | `link-only` | +| `wealthfolio` | `wealthfolio` | `https://wealthfolio.viktorbarzin.me` | `link-only` | +| `webhook-handler` | `webhook-handler` | `https://webhook.viktorbarzin.me` | `link-only` | +| `website` | `blog` | `https://viktorbarzin.me` | `link-only` | +| `woodpecker` | `ci` | `https://ci.viktorbarzin.me` | `link-only` | +| `xray` | `xray-grpc` | `https://xray-grpc.viktorbarzin.me` | `link-only` | +| `xray` | `xray-vless` | `https://xray-vless.viktorbarzin.me` | `link-only` | +| `xray` | `xray-ws` | `https://xray-ws.viktorbarzin.me` | `link-only` | +| `ytdlp` | `yt-highlights` | `https://yt-highlights.viktorbarzin.me` | `link-only` | +| `ytdlp` | `ytdlp` | `https://yt.viktorbarzin.me` | `link-only` | diff --git a/stacks/homepage/main.tf b/stacks/homepage/main.tf index b88e6f53..75aef109 100644 --- a/stacks/homepage/main.tf +++ b/stacks/homepage/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} module "tls_secret" { 
diff --git a/stacks/homepage/providers.tf b/stacks/homepage/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/homepage/providers.tf +++ b/stacks/homepage/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/immich/main.tf b/stacks/immich/main.tf index 85bdbaf0..90b3e521 100644 --- a/stacks/immich/main.tf +++ b/stacks/immich/main.tf @@ -1,7 +1,19 @@ -variable "tls_secret_name" { type = string } -variable "immich_postgresql_password" { type = string } -variable "immich_frame_api_key" { type = string } -variable "homepage_credentials" { type = map(any) } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "immich_postgresql_password" { + type = string + sensitive = true +} +variable "immich_frame_api_key" { + type = string + sensitive = true +} +variable "homepage_credentials" { + type = map(any) + sensitive = true +} variable "immich_version" { diff --git a/stacks/immich/providers.tf b/stacks/immich/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/immich/providers.tf +++ b/stacks/immich/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/infra/main.tf b/stacks/infra/main.tf index bca518fb..f5e5aed4 100644 --- a/stacks/infra/main.tf +++ b/stacks/infra/main.tf @@ -12,6 +12,7 @@ variable "proxmox_host" { type = string } variable "ssh_private_key" { type = string default = "" + sensitive = true } variable "ssh_public_key" { @@ -19,7 +20,10 @@ variable "ssh_public_key" { default = "" } -variable "vm_wizard_password" { type = string } +variable "vm_wizard_password" { + type = string + sensitive = true +} variable "k8s_join_command" { type = string } diff --git a/stacks/infra/providers.tf b/stacks/infra/providers.tf index eaf9ab50..0fddad19 100644 --- a/stacks/infra/providers.tf +++ b/stacks/infra/providers.tf 
@@ -11,11 +11,18 @@ terraform { variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } variable "proxmox_pm_api_url" { type = string } -variable "proxmox_pm_api_token_id" { type = string } -variable "proxmox_pm_api_token_secret" { type = string } +variable "proxmox_pm_api_token_id" { + type = string + sensitive = true +} +variable "proxmox_pm_api_token_secret" { + type = string + sensitive = true +} provider "proxmox" { pm_api_url = var.proxmox_pm_api_url diff --git a/stacks/isponsorblocktv/providers.tf b/stacks/isponsorblocktv/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/isponsorblocktv/providers.tf +++ b/stacks/isponsorblocktv/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/jsoncrack/main.tf b/stacks/jsoncrack/main.tf index bbf573ac..b4607caa 100644 --- a/stacks/jsoncrack/main.tf +++ b/stacks/jsoncrack/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} resource "kubernetes_namespace" "jsoncrack" { diff --git a/stacks/jsoncrack/providers.tf b/stacks/jsoncrack/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/jsoncrack/providers.tf +++ b/stacks/jsoncrack/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/k8s-dashboard/main.tf b/stacks/k8s-dashboard/main.tf index 17915274..27f90858 100644 --- a/stacks/k8s-dashboard/main.tf +++ b/stacks/k8s-dashboard/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "client_certificate_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "client_certificate_secret_name" { + type = string + sensitive = true +} resource "random_password" "csrf_token" { 
diff --git a/stacks/k8s-dashboard/providers.tf b/stacks/k8s-dashboard/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/k8s-dashboard/providers.tf +++ b/stacks/k8s-dashboard/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf index 6c65c58e..0c47313d 100644 --- a/stacks/kms/main.tf +++ b/stacks/kms/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} resource "kubernetes_namespace" "kms" { diff --git a/stacks/kms/providers.tf b/stacks/kms/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/kms/providers.tf +++ b/stacks/kms/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/linkwarden/main.tf b/stacks/linkwarden/main.tf index ce4ee60d..67e7d41c 100644 --- a/stacks/linkwarden/main.tf +++ b/stacks/linkwarden/main.tf @@ -1,7 +1,16 @@ -variable "tls_secret_name" { type = string } -variable "linkwarden_postgresql_password" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "linkwarden_postgresql_password" { + type = string + sensitive = true +} variable "linkwarden_authentik_client_id" { type = string } -variable "linkwarden_authentik_client_secret" { type = string } +variable "linkwarden_authentik_client_secret" { + type = string + sensitive = true +} variable "postgresql_host" { type = string } diff --git a/stacks/linkwarden/providers.tf b/stacks/linkwarden/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/linkwarden/providers.tf +++ b/stacks/linkwarden/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { 
diff --git a/stacks/matrix/main.tf b/stacks/matrix/main.tf index 1ab2acfb..cde87f76 100644 --- a/stacks/matrix/main.tf +++ b/stacks/matrix/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/matrix/providers.tf b/stacks/matrix/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/matrix/providers.tf +++ b/stacks/matrix/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/meshcentral/main.tf b/stacks/meshcentral/main.tf index f3ed751e..fda1c717 100644 --- a/stacks/meshcentral/main.tf +++ b/stacks/meshcentral/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/meshcentral/providers.tf b/stacks/meshcentral/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/meshcentral/providers.tf +++ b/stacks/meshcentral/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/n8n/main.tf b/stacks/n8n/main.tf index 76464d5b..a061b12c 100644 --- a/stacks/n8n/main.tf +++ b/stacks/n8n/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "n8n_postgresql_password" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "n8n_postgresql_password" { + type = string + sensitive = true +} variable "nfs_server" { type = string } variable "postgresql_host" { type = string } diff --git a/stacks/n8n/providers.tf b/stacks/n8n/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/n8n/providers.tf +++ b/stacks/n8n/providers.tf 
@@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/navidrome/main.tf b/stacks/navidrome/main.tf index 832a40f1..4a1e9e35 100644 --- a/stacks/navidrome/main.tf +++ b/stacks/navidrome/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/navidrome/providers.tf b/stacks/navidrome/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/navidrome/providers.tf +++ b/stacks/navidrome/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/netbox/main.tf b/stacks/netbox/main.tf index 645343f2..3e4aee6e 100644 --- a/stacks/netbox/main.tf +++ b/stacks/netbox/main.tf @@ -1,6 +1,15 @@ -variable "tls_secret_name" { type = string } -variable "netbox_db_password" { type = string } -variable "netbox_superuser_password" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "netbox_db_password" { + type = string + sensitive = true +} +variable "netbox_superuser_password" { + type = string + sensitive = true +} variable "nfs_server" { type = string } variable "redis_host" { type = string } variable "postgresql_host" { type = string } diff --git a/stacks/netbox/providers.tf b/stacks/netbox/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/netbox/providers.tf +++ b/stacks/netbox/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/networking-toolbox/main.tf b/stacks/networking-toolbox/main.tf index bf3f87de..bf35ca70 100644 --- a/stacks/networking-toolbox/main.tf +++ b/stacks/networking-toolbox/main.tf 
@@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} resource "kubernetes_namespace" "networking-toolbox" { diff --git a/stacks/networking-toolbox/providers.tf b/stacks/networking-toolbox/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/networking-toolbox/providers.tf +++ b/stacks/networking-toolbox/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf index 145b2be5..57b108e6 100644 --- a/stacks/nextcloud/main.tf +++ b/stacks/nextcloud/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "nextcloud_db_password" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "nextcloud_db_password" { + type = string + sensitive = true +} variable "nfs_server" { type = string } variable "redis_host" { type = string } variable "mysql_host" { type = string } diff --git a/stacks/nextcloud/providers.tf b/stacks/nextcloud/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/nextcloud/providers.tf +++ b/stacks/nextcloud/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/ntfy/main.tf b/stacks/ntfy/main.tf index 485607ca..c143cd64 100644 --- a/stacks/ntfy/main.tf +++ b/stacks/ntfy/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/ntfy/providers.tf b/stacks/ntfy/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/ntfy/providers.tf +++ b/stacks/ntfy/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { 
diff --git a/stacks/ollama/main.tf b/stacks/ollama/main.tf index 30bca477..c446e4c2 100644 --- a/stacks/ollama/main.tf +++ b/stacks/ollama/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "ollama_api_credentials" { type = map(string) } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "ollama_api_credentials" { + type = map(string) + sensitive = true +} variable "nfs_server" { type = string } variable "ollama_host" { type = string } diff --git a/stacks/ollama/providers.tf b/stacks/ollama/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/ollama/providers.tf +++ b/stacks/ollama/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/onlyoffice/main.tf b/stacks/onlyoffice/main.tf index 33b62dd0..bc621012 100644 --- a/stacks/onlyoffice/main.tf +++ b/stacks/onlyoffice/main.tf @@ -1,6 +1,15 @@ -variable "tls_secret_name" { type = string } -variable "onlyoffice_db_password" { type = string } -variable "onlyoffice_jwt_token" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "onlyoffice_db_password" { + type = string + sensitive = true +} +variable "onlyoffice_jwt_token" { + type = string + sensitive = true +} variable "nfs_server" { type = string } variable "redis_host" { type = string } variable "mysql_host" { type = string } diff --git a/stacks/onlyoffice/providers.tf b/stacks/onlyoffice/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/onlyoffice/providers.tf +++ b/stacks/onlyoffice/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf index f4ee3afc..55c8b59b 100644 --- a/stacks/openclaw/main.tf +++ b/stacks/openclaw/main.tf 
@@ -1,11 +1,35 @@ -variable "tls_secret_name" { type = string } -variable "openclaw_ssh_key" { type = string } -variable "openclaw_skill_secrets" { type = map(string) } -variable "llama_api_key" { type = string } -variable "brave_api_key" { type = string } -variable "openrouter_api_key" { type = string } -variable "nvidia_api_key" { type = string } -variable "openclaw_telegram_bot_token" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "openclaw_ssh_key" { + type = string + sensitive = true +} +variable "openclaw_skill_secrets" { + type = map(string) + sensitive = true +} +variable "llama_api_key" { + type = string + sensitive = true +} +variable "brave_api_key" { + type = string + sensitive = true +} +variable "openrouter_api_key" { + type = string + sensitive = true +} +variable "nvidia_api_key" { + type = string + sensitive = true +} +variable "openclaw_telegram_bot_token" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/openclaw/providers.tf b/stacks/openclaw/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/openclaw/providers.tf +++ b/stacks/openclaw/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/osm_routing/main.tf b/stacks/osm_routing/main.tf index 7a7d343e..0146c17e 100644 --- a/stacks/osm_routing/main.tf +++ b/stacks/osm_routing/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/osm_routing/providers.tf b/stacks/osm_routing/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/osm_routing/providers.tf +++ b/stacks/osm_routing/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { 
diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf index aa5beac3..2b657e69 100644 --- a/stacks/owntracks/main.tf +++ b/stacks/owntracks/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "owntracks_credentials" { type = map(string) } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "owntracks_credentials" { + type = map(string) + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/owntracks/providers.tf b/stacks/owntracks/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/owntracks/providers.tf +++ b/stacks/owntracks/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/paperless-ngx/main.tf b/stacks/paperless-ngx/main.tf index 04df177d..b1a996ae 100644 --- a/stacks/paperless-ngx/main.tf +++ b/stacks/paperless-ngx/main.tf @@ -1,6 +1,15 @@ -variable "tls_secret_name" { type = string } -variable "paperless_db_password" { type = string } -variable "homepage_credentials" { type = map(any) } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "paperless_db_password" { + type = string + sensitive = true +} +variable "homepage_credentials" { + type = map(any) + sensitive = true +} variable "nfs_server" { type = string } variable "redis_host" { type = string } variable "mysql_host" { type = string } diff --git a/stacks/paperless-ngx/providers.tf b/stacks/paperless-ngx/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/paperless-ngx/providers.tf +++ b/stacks/paperless-ngx/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/platform/main.tf b/stacks/platform/main.tf index 7ad0ac6a..847ec9bf 100644 --- a/stacks/platform/main.tf +++ b/stacks/platform/main.tf 
@@ -22,7 +22,10 @@ # ============================================================================= # --- Core --- -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } variable "redis_host" { type = string } variable "postgresql_host" { type = string } @@ -35,12 +38,24 @@ variable "prod" { } # --- dbaas --- -variable "dbaas_root_password" { type = string } -variable "dbaas_postgresql_root_password" { type = string } -variable "dbaas_pgadmin_password" { type = string } +variable "dbaas_root_password" { + type = string + sensitive = true +} +variable "dbaas_postgresql_root_password" { + type = string + sensitive = true +} +variable "dbaas_pgadmin_password" { + type = string + sensitive = true +} # --- traefik --- -variable "ingress_crowdsec_api_key" { type = string } +variable "ingress_crowdsec_api_key" { + type = string + sensitive = true +} variable "auth_fallback_htpasswd" { type = string sensitive = true @@ -48,16 +63,28 @@ variable "auth_fallback_htpasswd" { } # --- technitium --- -variable "technitium_db_password" { type = string } -variable "homepage_credentials" { type = map(any) } +variable "technitium_db_password" { + type = string + sensitive = true +} +variable "homepage_credentials" { + type = map(any) + sensitive = true +} # --- headscale --- variable "headscale_config" { type = string } variable "headscale_acl" { type = string } # --- authentik / rbac / k8s-portal --- -variable "authentik_secret_key" { type = string } -variable "authentik_postgres_password" { type = string } +variable "authentik_secret_key" { + type = string + sensitive = true +} +variable "authentik_postgres_password" { + type = string + sensitive = true +} variable "k8s_users" { type = map(any) default = {} 
@@ -70,14 +97,26 @@ variable "ssh_private_key" { # --- crowdsec --- variable "crowdsec_enroll_key" { type = string } -variable "crowdsec_db_password" { type = string } -variable "crowdsec_dash_api_key" { type = string } +variable "crowdsec_db_password" { + type = string + sensitive = true +} +variable "crowdsec_dash_api_key" { + type = string + sensitive = true +} variable "crowdsec_dash_machine_id" { type = string } -variable "crowdsec_dash_machine_password" { type = string } +variable "crowdsec_dash_machine_password" { + type = string + sensitive = true +} variable "alertmanager_slack_api_url" { type = string } # --- cloudflared --- -variable "cloudflare_api_key" { type = string } +variable "cloudflare_api_key" { + type = string + sensitive = true +} variable "cloudflare_email" { type = string } variable "cloudflare_account_id" { type = string } variable "cloudflare_zone_id" { type = string } 
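Review bot: Several secret-looking variables in stacks/platform/main.tf are left unflagged next to the ones this commit marks: `crowdsec_enroll_key` and `alertmanager_slack_api_url` in this hunk, `wireguard_wg_0_conf` at the end of the `@@ -85,20` hunk, and `mailserver_opendkim_key` and `mailserver_sasl_passwd` in the `@@ -115,13` hunk. Judging by the names these hold an enrolment key, a webhook URL, a WireGuard configuration and DKIM/SASL credentials; if that is right, each needs the flag, e.g. `variable "crowdsec_enroll_key" {`, `type = string`, `sensitive = true`. The matching module inputs are still bare as well: `db_password`, `enroll_key` and `homepage_password` in modules/crowdsec/main.tf and `technitium_db_password` in modules/technitium/main.tf, which should be declared consistently with the inputs this commit does flag.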
@@ -85,20 +124,47 @@ variable "cloudflare_tunnel_id" { type = string } variable "public_ip" { type = string } variable "cloudflare_proxied_names" {} variable "cloudflare_non_proxied_names" {} -variable "cloudflare_tunnel_token" { type = string } +variable "cloudflare_tunnel_token" { + type = string + sensitive = true +} # --- monitoring --- -variable "alertmanager_account_password" { type = string } +variable "alertmanager_account_password" { + type = string + sensitive = true +} variable "monitoring_idrac_username" { type = string } -variable "monitoring_idrac_password" { type = string } -variable "tiny_tuya_service_secret" { type = string } -variable "haos_api_token" { type = string } -variable "pve_password" { type = string } -variable "grafana_db_password" { type = string } -variable "grafana_admin_password" { type = string } +variable "monitoring_idrac_password" { + type = string + sensitive = true +} +variable "tiny_tuya_service_secret" { + type = string + sensitive = true +} +variable "haos_api_token" { + type = string + sensitive = true +} +variable "pve_password" { + type = string + sensitive = true +} +variable "grafana_db_password" { + type = string + sensitive = true +} +variable "grafana_admin_password" { + type = string + sensitive = true +} # --- vaultwarden --- -variable "vaultwarden_smtp_password" { type = string } +variable "vaultwarden_smtp_password" { + type = string + sensitive = true +} # --- wireguard --- variable "wireguard_wg_0_conf" { type = string } @@ -107,7 +173,10 @@ variable "wireguard_firewall_sh" { type = string } # --- xray --- variable "xray_reality_clients" { type = list(map(string)) } -variable "xray_reality_private_key" { type = string } +variable "xray_reality_private_key" { + type = string + sensitive = true +} variable "xray_reality_short_ids" { type = list(string) } # --- mailserver --- 
@@ -115,13 +184,22 @@ variable "mailserver_accounts" {} variable "mailserver_aliases" {} variable "mailserver_opendkim_key" {} variable "mailserver_sasl_passwd" {} -variable "mailserver_roundcubemail_db_password" { type = string } +variable "mailserver_roundcubemail_db_password" { + type = string + sensitive = true +} # --- infra-maintenance --- variable "webhook_handler_git_user" { type = string } -variable "webhook_handler_git_token" { type = string } +variable "webhook_handler_git_token" { + type = string + sensitive = true +} variable "technitium_username" { type = string } -variable "technitium_password" { type = string } +variable "technitium_password" { + type = string + sensitive = true +} # --- iscsi-csi --- variable "truenas_api_key" { diff --git a/stacks/platform/modules/crowdsec/main.tf b/stacks/platform/modules/crowdsec/main.tf index 1acf36bd..2f6fb9ae 100644 --- a/stacks/platform/modules/crowdsec/main.tf +++ b/stacks/platform/modules/crowdsec/main.tf @@ -3,9 +3,15 @@ variable "homepage_username" {} variable "homepage_password" {} variable "db_password" {} variable "enroll_key" {} -variable "crowdsec_dash_api_key" { type = string } # used for web dash +variable "crowdsec_dash_api_key" { + type = string + sensitive = true +} variable "crowdsec_dash_machine_id" { type = string } # used for web dash -variable "crowdsec_dash_machine_password" { type = string } # used for web dash +variable "crowdsec_dash_machine_password" { + type = string + sensitive = true +} variable "tier" { type = string } variable "slack_webhook_url" { type = string } variable "mysql_host" { type = string } diff --git a/stacks/platform/modules/dbaas/main.tf b/stacks/platform/modules/dbaas/main.tf index 47fda94c..359e4cd5 100644 --- a/stacks/platform/modules/dbaas/main.tf +++ b/stacks/platform/modules/dbaas/main.tf 
@@ -12,7 +12,10 @@ variable "prod" { type = bool } variable "nfs_server" { type = string } -variable "kube_config_path" { type = string } +variable "kube_config_path" { + type = string + sensitive = true +} resource "kubernetes_namespace" "dbaas" { metadata { diff --git a/stacks/platform/modules/mailserver/roundcubemail.tf b/stacks/platform/modules/mailserver/roundcubemail.tf index d5be55c3..09ef5fb0 100644 --- a/stacks/platform/modules/mailserver/roundcubemail.tf +++ b/stacks/platform/modules/mailserver/roundcubemail.tf @@ -1,4 +1,7 @@ -variable "roundcube_db_password" { type = string } +variable "roundcube_db_password" { + type = string + sensitive = true +} variable "mysql_host" { type = string } module "nfs_roundcube_html" { diff --git a/stacks/platform/modules/monitoring/main.tf b/stacks/platform/modules/monitoring/main.tf index b112f46b..082523df 100644 --- a/stacks/platform/modules/monitoring/main.tf +++ b/stacks/platform/modules/monitoring/main.tf @@ -8,13 +8,29 @@ variable "idrac_username" { } variable "idrac_password" { default = "calvin" + sensitive = true } variable "alertmanager_slack_api_url" {} -variable "tiny_tuya_service_secret" { type = string } -variable "haos_api_token" { type = string } -variable "pve_password" { type = string } -variable "grafana_db_password" { type = string } -variable "grafana_admin_password" { type = string } +variable "tiny_tuya_service_secret" { + type = string + sensitive = true +} +variable "haos_api_token" { + type = string + sensitive = true +} +variable "pve_password" { + type = string + sensitive = true +} +variable "grafana_db_password" { + type = string + sensitive = true +} +variable "grafana_admin_password" { + type = string + sensitive = true +} variable "tier" { type = string } variable "mysql_host" { type = string } diff --git a/stacks/platform/modules/reverse_proxy/factory/main.tf b/stacks/platform/modules/reverse_proxy/factory/main.tf index 1af42844..cfbcf9c2 100644 
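Review bot: `idrac_password` in stacks/platform/modules/monitoring/main.tf keeps `default = "calvin"`, so the added `sensitive = true` hides the value in plan output while the literal stays in the repository and is used whenever the caller omits the variable. `calvin` is the well-known factory default for Dell iDRAC, so a missed override would go unnoticed. I would remove the default so the value has to be supplied: replace `default = "calvin"` with `type = string` and keep `sensitive = true`. The root stack declares `monitoring_idrac_password` without a default, so presumably the module always receives a value, but the call site is outside this diff.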
--- a/stacks/platform/modules/reverse_proxy/factory/main.tf +++ b/stacks/platform/modules/reverse_proxy/factory/main.tf @@ -17,6 +17,7 @@ variable "protected" { variable "ingress_path" { type = list(string) default = ["/"] + sensitive = true } variable "max_body_size" { type = string diff --git a/stacks/platform/modules/technitium/main.tf b/stacks/platform/modules/technitium/main.tf index 7490e422..9d6c7a9b 100644 --- a/stacks/platform/modules/technitium/main.tf +++ b/stacks/platform/modules/technitium/main.tf @@ -5,7 +5,10 @@ variable "technitium_db_password" {} variable "nfs_server" { type = string } variable "mysql_host" { type = string } variable "technitium_username" { type = string } -variable "technitium_password" { type = string } +variable "technitium_password" { + type = string + sensitive = true +} resource "kubernetes_namespace" "technitium" { metadata { diff --git a/stacks/platform/modules/traefik/main.tf b/stacks/platform/modules/traefik/main.tf index 68fcf00a..d7cf1c9c 100644 --- a/stacks/platform/modules/traefik/main.tf +++ b/stacks/platform/modules/traefik/main.tf @@ -1,5 +1,8 @@ variable "tier" { type = string } -variable "crowdsec_api_key" { type = string } +variable "crowdsec_api_key" { + type = string + sensitive = true +} variable "redis_host" { type = string } variable "tls_secret_name" {} variable "auth_fallback_htpasswd" { diff --git a/stacks/platform/modules/vpa/main.tf b/stacks/platform/modules/vpa/main.tf index b5854ab7..11d04a6c 100644 --- a/stacks/platform/modules/vpa/main.tf +++ b/stacks/platform/modules/vpa/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "tier" { type = string } resource "kubernetes_namespace" "vpa" { diff --git a/stacks/platform/modules/xray/main.tf b/stacks/platform/modules/xray/main.tf index 7cbb2995..3097d110 100644 --- a/stacks/platform/modules/xray/main.tf +++ b/stacks/platform/modules/xray/main.tf 
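Review bot: `ingress_path` in stacks/platform/modules/reverse_proxy/factory/main.tf is a `list(string)` of URL paths with the default `["/"]`, which is routing configuration rather than a secret, so the added `sensitive = true` looks like an over-match from a bulk edit. Marking it sensitive redacts the ingress paths in plan output, which is exactly what a reviewer needs to see, and Terraform rejects sensitive values as a resource `for_each` argument should the list ever be used that way. I would drop the added line. How the module consumes the variable is outside the hunk.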
@@ -1,7 +1,10 @@ variable "tls_secret_name" {} variable "tier" { type = string } variable "xray_reality_clients" { type = list(map(string)) } -variable "xray_reality_private_key" { type = string } +variable "xray_reality_private_key" { + type = string + sensitive = true +} variable "xray_reality_short_ids" { type = list(string) } # Github repo - https://github.com/teddysun/across/blob/master/docker/xray/README.md diff --git a/stacks/platform/providers.tf b/stacks/platform/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/platform/providers.tf +++ b/stacks/platform/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/plotting-book/main.tf b/stacks/plotting-book/main.tf index 9be1de57..64d8e7e8 100644 --- a/stacks/plotting-book/main.tf +++ b/stacks/plotting-book/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "plotting_book_session_secret" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "plotting_book_session_secret" { + type = string + sensitive = true +} resource "kubernetes_namespace" "plotting-book" { diff --git a/stacks/plotting-book/providers.tf b/stacks/plotting-book/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/plotting-book/providers.tf +++ b/stacks/plotting-book/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/poison-fountain/main.tf b/stacks/poison-fountain/main.tf index 1897163b..83813f50 100644 --- a/stacks/poison-fountain/main.tf +++ b/stacks/poison-fountain/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/privatebin/main.tf b/stacks/privatebin/main.tf index cf1d08a7..4bbac650 100644 
--- a/stacks/privatebin/main.tf +++ b/stacks/privatebin/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } diff --git a/stacks/privatebin/providers.tf b/stacks/privatebin/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/privatebin/providers.tf +++ b/stacks/privatebin/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf index eba835b4..bfb91352 100644 --- a/stacks/real-estate-crawler/main.tf +++ b/stacks/real-estate-crawler/main.tf @@ -1,5 +1,11 @@ -variable "tls_secret_name" { type = string } -variable "realestate_crawler_db_password" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "realestate_crawler_db_password" { + type = string + sensitive = true +} variable "realestate_crawler_notification_settings" { type = map(string) } variable "nfs_server" { type = string } variable "redis_host" { type = string } diff --git a/stacks/real-estate-crawler/providers.tf b/stacks/real-estate-crawler/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/real-estate-crawler/providers.tf +++ b/stacks/real-estate-crawler/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/reloader/providers.tf b/stacks/reloader/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/reloader/providers.tf +++ b/stacks/reloader/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/resume/main.tf b/stacks/resume/main.tf index 929f7b1b..4b3d67b1 100644 --- a/stacks/resume/main.tf +++ b/stacks/resume/main.tf 
@@ -1,6 +1,12 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "resume_database_url" { type = string } -variable "resume_auth_secret" { type = string } +variable "resume_auth_secret" { + type = string + sensitive = true +} variable "mailserver_accounts" { type = map(any) } variable "nfs_server" { type = string } variable "mail_host" { type = string } diff --git a/stacks/resume/providers.tf b/stacks/resume/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/resume/providers.tf +++ b/stacks/resume/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/rybbit/main.tf b/stacks/rybbit/main.tf index 8987a0f5..97fa1f4d 100644 --- a/stacks/rybbit/main.tf +++ b/stacks/rybbit/main.tf @@ -1,6 +1,15 @@ -variable "tls_secret_name" { type = string } -variable "clickhouse_password" { type = string } -variable "clickhouse_postgres_password" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} +variable "clickhouse_password" { + type = string + sensitive = true +} +variable "clickhouse_postgres_password" { + type = string + sensitive = true +} variable "nfs_server" { type = string } variable "postgresql_host" { type = string } diff --git a/stacks/rybbit/providers.tf b/stacks/rybbit/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/rybbit/providers.tf +++ b/stacks/rybbit/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/send/main.tf b/stacks/send/main.tf index 7fe70325..fe9f3e32 100644 --- a/stacks/send/main.tf +++ b/stacks/send/main.tf 
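Review bot: `resume_database_url` is left as `{ type = string }` in stacks/resume/main.tf, between two variables that are now sensitive. Database URLs commonly embed the user name and password; if this one does, it needs the flag too: `variable "resume_database_url" {`, `type = string`, `sensitive = true`. `aiostreams_database_connection_string` in the stacks/servarr/main.tf hunk further down is in the same position.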
@@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "nfs_server" { type = string } variable "redis_host" { type = string } diff --git a/stacks/send/providers.tf b/stacks/send/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/send/providers.tf +++ b/stacks/send/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/servarr/main.tf b/stacks/servarr/main.tf index 69562b8a..4ed827de 100644 --- a/stacks/servarr/main.tf +++ b/stacks/servarr/main.tf @@ -1,4 +1,7 @@ -variable "tls_secret_name" { type = string } +variable "tls_secret_name" { + type = string + sensitive = true +} variable "aiostreams_database_connection_string" { type = string } variable "nfs_server" { type = string } diff --git a/stacks/servarr/providers.tf b/stacks/servarr/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/servarr/providers.tf +++ b/stacks/servarr/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/shadowsocks/main.tf b/stacks/shadowsocks/main.tf index 18a8442b..01caa7eb 100644 --- a/stacks/shadowsocks/main.tf +++ b/stacks/shadowsocks/main.tf @@ -1,4 +1,7 @@ -variable "shadowsocks_password" { type = string } +variable "shadowsocks_password" { + type = string + sensitive = true +} variable "method" { diff --git a/stacks/shadowsocks/providers.tf b/stacks/shadowsocks/providers.tf index 516f9fed..7b5cc7b8 100644 --- a/stacks/shadowsocks/providers.tf +++ b/stacks/shadowsocks/providers.tf @@ -2,6 +2,7 @@ variable "kube_config_path" { type = string default = "~/.kube/config" + sensitive = true } provider "kubernetes" { diff --git a/stacks/speedtest/main.tf b/stacks/speedtest/main.tf index 91813314..8c636154 100644 --- a/stacks/speedtest/main.tf +++ b/stacks/speedtest/main.tf 
@@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "speedtest_db_password" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
+variable "speedtest_db_password" {
+ type = string
+ sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "mysql_host" { type = string }
diff --git a/stacks/speedtest/providers.tf b/stacks/speedtest/providers.tf
index 516f9fed..7b5cc7b8 100644
--- a/stacks/speedtest/providers.tf
+++ b/stacks/speedtest/providers.tf
@@ -2,6 +2,7 @@
 variable "kube_config_path" {
 type = string
 default = "~/.kube/config"
+ sensitive = true
 }
 provider "kubernetes" {
diff --git a/stacks/stirling-pdf/main.tf b/stacks/stirling-pdf/main.tf
index a9ee0b05..6769a2c5 100644
--- a/stacks/stirling-pdf/main.tf
+++ b/stacks/stirling-pdf/main.tf
@@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
 variable "nfs_server" { type = string }
diff --git a/stacks/stirling-pdf/providers.tf b/stacks/stirling-pdf/providers.tf
index 516f9fed..7b5cc7b8 100644
--- a/stacks/stirling-pdf/providers.tf
+++ b/stacks/stirling-pdf/providers.tf
@@ -2,6 +2,7 @@
 variable "kube_config_path" {
 type = string
 default = "~/.kube/config"
+ sensitive = true
 }
 provider "kubernetes" {
diff --git a/stacks/tandoor/main.tf b/stacks/tandoor/main.tf
index 69407ad9..5e4b4de7 100644
--- a/stacks/tandoor/main.tf
+++ b/stacks/tandoor/main.tf
@@ -1,8 +1,15 @@
-variable "tls_secret_name" { type = string }
-variable "tandoor_database_password" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
+variable "tandoor_database_password" {
+ type = string
+ sensitive = true
+}
 variable "tandoor_email_password" {
 type = string
 default = ""
+ sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "postgresql_host" { type = string }
diff --git a/stacks/tandoor/providers.tf b/stacks/tandoor/providers.tf
index 516f9fed..7b5cc7b8 100644
--- a/stacks/tandoor/providers.tf
+++ b/stacks/tandoor/providers.tf
@@ -2,6 +2,7 @@
 variable "kube_config_path" {
 type = string
 default = "~/.kube/config"
+ sensitive = true
 }
 provider "kubernetes" {
diff --git a/stacks/tor-proxy/main.tf b/stacks/tor-proxy/main.tf
index 9377b502..2ff91a0d 100644
--- a/stacks/tor-proxy/main.tf
+++ b/stacks/tor-proxy/main.tf
@@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
 resource "kubernetes_namespace" "tor-proxy" {
diff --git a/stacks/tor-proxy/providers.tf b/stacks/tor-proxy/providers.tf
index 516f9fed..7b5cc7b8 100644
--- a/stacks/tor-proxy/providers.tf
+++ b/stacks/tor-proxy/providers.tf
@@ -2,6 +2,7 @@
 variable "kube_config_path" {
 type = string
 default = "~/.kube/config"
+ sensitive = true
 }
 provider "kubernetes" {
diff --git a/stacks/trading-bot/main.tf b/stacks/trading-bot/main.tf
index d4295ef1..c0232067 100644
--- a/stacks/trading-bot/main.tf
+++ b/stacks/trading-bot/main.tf
@@ -1,17 +1,44 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "postgresql_host" { type = string }
 variable "redis_host" { type = string }
 variable "ollama_host" { type = string }
-variable "dbaas_postgresql_root_password" { type = string }
-variable "trading_bot_db_password" { type = string }
-variable "trading_bot_alpaca_api_key" { type = string }
-variable "trading_bot_alpaca_secret_key" { type = string }
-variable "trading_bot_jwt_secret" { type = string }
+variable "dbaas_postgresql_root_password" {
+ type = string
+ sensitive = true
+}
+variable "trading_bot_db_password" {
+ type = string
+ sensitive = true
+}
+variable "trading_bot_alpaca_api_key" {
+ type = string
+ sensitive = true
+}
+variable "trading_bot_alpaca_secret_key" {
+ type = string
+ sensitive = true
+}
+variable "trading_bot_jwt_secret" {
+ type = string
+ sensitive = true
+}
 variable "trading_bot_reddit_client_id" { type = string }
-variable "trading_bot_reddit_client_secret" { type = string }
-variable "trading_bot_alpha_vantage_api_key" { type = string }
-variable "trading_bot_fmp_api_key" { type = string }
+variable "trading_bot_reddit_client_secret" {
+ type = string
+ sensitive = true
+}
+variable "trading_bot_alpha_vantage_api_key" {
+ type = string
+ sensitive = true
+}
+variable "trading_bot_fmp_api_key" {
+ type = string
+ sensitive = true
+}
 locals {
 common_env = {
diff --git a/stacks/travel_blog/main.tf b/stacks/travel_blog/main.tf
index cfc22ad6..1823b621 100644
--- a/stacks/travel_blog/main.tf
+++ b/stacks/travel_blog/main.tf
@@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
 resource "kubernetes_namespace" "travel-blog" {
diff --git a/stacks/travel_blog/providers.tf b/stacks/travel_blog/providers.tf
index 516f9fed..7b5cc7b8 100644
--- a/stacks/travel_blog/providers.tf
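Review bot: `dbaas_postgresql_root_password` is an input of the trading-bot application stack (and again of stacks/woodpecker/main.tf further down), so the database root credential ends up in each of those stacks' state files whatever `sensitive = true` says. How the variable is used lies outside the hunk; if it only serves to create the application's role and database, that provisioning could live in the DBaaS stack so this stack receives `trading_bot_db_password` alone. At the least I would record the reason on the declaration, e.g. `# root credential: needed here only to provision the app role/database (TODO confirm)`.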
+++ b/stacks/travel_blog/providers.tf
@@ -2,6 +2,7 @@
 variable "kube_config_path" {
 type = string
 default = "~/.kube/config"
+ sensitive = true
 }
 provider "kubernetes" {
diff --git a/stacks/tuya-bridge/main.tf b/stacks/tuya-bridge/main.tf
index 875b3d30..7ba1cdac 100644
--- a/stacks/tuya-bridge/main.tf
+++ b/stacks/tuya-bridge/main.tf
@@ -1,7 +1,19 @@
-variable "tls_secret_name" { type = string }
-variable "tiny_tuya_api_key" { type = string }
-variable "tiny_tuya_api_secret" { type = string }
-variable "tiny_tuya_service_secret" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
+variable "tiny_tuya_api_key" {
+ type = string
+ sensitive = true
+}
+variable "tiny_tuya_api_secret" {
+ type = string
+ sensitive = true
+}
+variable "tiny_tuya_service_secret" {
+ type = string
+ sensitive = true
+}
 variable "tiny_tuya_slack_url" { type = string }
diff --git a/stacks/tuya-bridge/providers.tf b/stacks/tuya-bridge/providers.tf
index 516f9fed..7b5cc7b8 100644
--- a/stacks/tuya-bridge/providers.tf
+++ b/stacks/tuya-bridge/providers.tf
@@ -2,6 +2,7 @@
 variable "kube_config_path" {
 type = string
 default = "~/.kube/config"
+ sensitive = true
 }
 provider "kubernetes" {
diff --git a/stacks/url/main.tf b/stacks/url/main.tf
index 87206463..3c157216 100644
--- a/stacks/url/main.tf
+++ b/stacks/url/main.tf
@@ -1,7 +1,16 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
 variable "url_shortener_geolite_license_key" { type = string }
-variable "url_shortener_api_key" { type = string }
-variable "url_shortener_mysql_password" { type = string }
+variable "url_shortener_api_key" {
+ type = string
+ sensitive = true
+}
+variable "url_shortener_mysql_password" {
+ type = string
+ sensitive = true
+}
 variable "mysql_host" { type = string }
diff --git a/stacks/wealthfolio/main.tf b/stacks/wealthfolio/main.tf
index 4177fe23..5db6574c 100644
--- a/stacks/wealthfolio/main.tf
+++ b/stacks/wealthfolio/main.tf
@@ -1,5 +1,11 @@
-variable "tls_secret_name" { type = string }
-variable "wealthfolio_password_hash" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
+variable "wealthfolio_password_hash" {
+ type = string
+ sensitive = true
+}
 variable "nfs_server" { type = string }
diff --git a/stacks/wealthfolio/providers.tf b/stacks/wealthfolio/providers.tf
index 516f9fed..7b5cc7b8 100644
--- a/stacks/wealthfolio/providers.tf
+++ b/stacks/wealthfolio/providers.tf
@@ -2,6 +2,7 @@
 variable "kube_config_path" {
 type = string
 default = "~/.kube/config"
+ sensitive = true
 }
 provider "kubernetes" {
diff --git a/stacks/webhook_handler/main.tf b/stacks/webhook_handler/main.tf
index 1095e71d..aede18e5 100644
--- a/stacks/webhook_handler/main.tf
+++ b/stacks/webhook_handler/main.tf
@@ -1,11 +1,32 @@
-variable "tls_secret_name" { type = string }
-variable "webhook_handler_secret" { type = string }
-variable "webhook_handler_fb_verify_token" { type = string }
-variable "webhook_handler_fb_page_token" { type = string }
-variable "webhook_handler_fb_app_secret" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
+variable "webhook_handler_secret" {
+ type = string
+ sensitive = true
+}
+variable "webhook_handler_fb_verify_token" {
+ type = string
+ sensitive = true
+}
+variable "webhook_handler_fb_page_token" {
+ type = string
+ sensitive = true
+}
+variable "webhook_handler_fb_app_secret" {
+ type = string
+ sensitive = true
+}
 variable "webhook_handler_git_user" { type = string }
-variable "webhook_handler_git_token" { type = string }
-variable "webhook_handler_ssh_key" { type = string }
+variable "webhook_handler_git_token" {
+ type = string
+ sensitive = true
+}
+variable "webhook_handler_ssh_key" {
+ type = string
+ sensitive = true
+}
 resource "kubernetes_namespace" "webhook-handler" {
diff --git a/stacks/webhook_handler/providers.tf b/stacks/webhook_handler/providers.tf
index 516f9fed..7b5cc7b8 100644
--- a/stacks/webhook_handler/providers.tf
+++ b/stacks/webhook_handler/providers.tf
@@ -2,6 +2,7 @@
 variable "kube_config_path" {
 type = string
 default = "~/.kube/config"
+ sensitive = true
 }
 provider "kubernetes" {
diff --git a/stacks/whisper/main.tf b/stacks/whisper/main.tf
index b6ae610a..551e3fc4 100644
--- a/stacks/whisper/main.tf
+++ b/stacks/whisper/main.tf
@@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
 variable "nfs_server" { type = string }
diff --git a/stacks/whisper/providers.tf b/stacks/whisper/providers.tf
index 516f9fed..7b5cc7b8 100644
--- a/stacks/whisper/providers.tf
+++ b/stacks/whisper/providers.tf
@@ -2,6 +2,7 @@
 variable "kube_config_path" {
 type = string
 default = "~/.kube/config"
+ sensitive = true
 }
 provider "kubernetes" {
diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf
index ea0a7d10..3ab435d1 100644
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@@ -1,13 +1,31 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
 variable "woodpecker_github_client_id" { type = string }
-variable "woodpecker_github_client_secret" { type = string }
-variable "woodpecker_agent_secret" { type = string }
-variable "woodpecker_db_password" { type = string }
-variable "dbaas_postgresql_root_password" { type = string }
+variable "woodpecker_github_client_secret" {
+ type = string
+ sensitive = true
+}
+variable "woodpecker_agent_secret" {
+ type = string
+ sensitive = true
+}
+variable "woodpecker_db_password" {
+ type = string
+ sensitive = true
+}
+variable "dbaas_postgresql_root_password" {
+ type = string
+ sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "postgresql_host" { type = string }
 variable "woodpecker_forgejo_client_id" { type = string }
-variable "woodpecker_forgejo_client_secret" { type = string }
+variable "woodpecker_forgejo_client_secret" {
+ type = string
+ sensitive = true
+}
 variable "woodpecker_forgejo_url" { type = string }
diff --git a/stacks/ytdlp/main.tf b/stacks/ytdlp/main.tf
index 3f3d05f8..baab8535 100644
--- a/stacks/ytdlp/main.tf
+++ b/stacks/ytdlp/main.tf
@@ -1,6 +1,15 @@
-variable "tls_secret_name" { type = string }
-variable "openrouter_api_key" { type = string }
-variable "slack_bot_token" { type = string }
+variable "tls_secret_name" {
+ type = string
+ sensitive = true
+}
+variable "openrouter_api_key" {
+ type = string
+ sensitive = true
+}
+variable "slack_bot_token" {
+ type = string
+ sensitive = true
+}
 variable "slack_channel" { type = string }
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
diff --git a/stacks/ytdlp/providers.tf b/stacks/ytdlp/providers.tf
index 516f9fed..7b5cc7b8 100644
--- a/stacks/ytdlp/providers.tf
+++ b/stacks/ytdlp/providers.tf
@@ -2,6 +2,7 @@
 variable "kube_config_path" {
 type = string
 default = "~/.kube/config"
+ sensitive = true
 }
 provider "kubernetes" {