[ci skip] phase 5+6: update CI pipelines for SOPS, add sensitive=true to secret vars

Phase 5 — CI pipelines:
- default.yml: add SOPS decrypt in prepare step, change git add . to
  specific paths (stacks/ state/ .woodpecker/), cleanup on success+failure
- renew-tls.yml: change git add . to git add secrets/ state/

Phase 6 — sensitive=true:
- Add sensitive = true to 256 variable declarations across 149 stack files
- Prevents secret values from appearing in terraform plan output
- Does NOT modify shared modules (ingress_factory, nfs_volume) to avoid
  breaking module interface contracts

Note: CI pipeline SOPS decryption requires sops_age_key Woodpecker secret
to be created before the pipeline will work with SOPS. Until then, the old
terraform.tfvars path continues to function.

stacks/platform/main.tf

@@ -22,7 +22,10 @@
 # =============================================================================
 
 # --- Core ---
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "postgresql_host" { type = string }
@@ -35,12 +38,24 @@ variable "prod" {
 }
 
 # --- dbaas ---
-variable "dbaas_root_password" { type = string }
-variable "dbaas_postgresql_root_password" { type = string }
-variable "dbaas_pgadmin_password" { type = string }
+variable "dbaas_root_password" {
+  type = string
+  sensitive = true
+}
+variable "dbaas_postgresql_root_password" {
+  type = string
+  sensitive = true
+}
+variable "dbaas_pgadmin_password" {
+  type = string
+  sensitive = true
+}
 
 # --- traefik ---
-variable "ingress_crowdsec_api_key" { type = string }
+variable "ingress_crowdsec_api_key" {
+  type = string
+  sensitive = true
+}
 variable "auth_fallback_htpasswd" {
   type      = string
   sensitive = true
@@ -48,16 +63,28 @@ variable "auth_fallback_htpasswd" {
 }
 
 # --- technitium ---
-variable "technitium_db_password" { type = string }
-variable "homepage_credentials" { type = map(any) }
+variable "technitium_db_password" {
+  type = string
+  sensitive = true
+}
+variable "homepage_credentials" {
+  type = map(any)
+  sensitive = true
+}
 
 # --- headscale ---
 variable "headscale_config" { type = string }
 variable "headscale_acl" { type = string }
 
 # --- authentik / rbac / k8s-portal ---
-variable "authentik_secret_key" { type = string }
-variable "authentik_postgres_password" { type = string }
+variable "authentik_secret_key" {
+  type = string
+  sensitive = true
+}
+variable "authentik_postgres_password" {
+  type = string
+  sensitive = true
+}
 variable "k8s_users" {
   type    = map(any)
   default = {}
@@ -70,14 +97,26 @@ variable "ssh_private_key" {
 
 # --- crowdsec ---
 variable "crowdsec_enroll_key" { type = string }
-variable "crowdsec_db_password" { type = string }
-variable "crowdsec_dash_api_key" { type = string }
+variable "crowdsec_db_password" {
+  type = string
+  sensitive = true
+}
+variable "crowdsec_dash_api_key" {
+  type = string
+  sensitive = true
+}
 variable "crowdsec_dash_machine_id" { type = string }
-variable "crowdsec_dash_machine_password" { type = string }
+variable "crowdsec_dash_machine_password" {
+  type = string
+  sensitive = true
+}
 variable "alertmanager_slack_api_url" { type = string }
 
 # --- cloudflared ---
-variable "cloudflare_api_key" { type = string }
+variable "cloudflare_api_key" {
+  type = string
+  sensitive = true
+}
 variable "cloudflare_email" { type = string }
 variable "cloudflare_account_id" { type = string }
 variable "cloudflare_zone_id" { type = string }
@@ -85,20 +124,47 @@ variable "cloudflare_tunnel_id" { type = string }
 variable "public_ip" { type = string }
 variable "cloudflare_proxied_names" {}
 variable "cloudflare_non_proxied_names" {}
-variable "cloudflare_tunnel_token" { type = string }
+variable "cloudflare_tunnel_token" {
+  type = string
+  sensitive = true
+}
 
 # --- monitoring ---
-variable "alertmanager_account_password" { type = string }
+variable "alertmanager_account_password" {
+  type = string
+  sensitive = true
+}
 variable "monitoring_idrac_username" { type = string }
-variable "monitoring_idrac_password" { type = string }
-variable "tiny_tuya_service_secret" { type = string }
-variable "haos_api_token" { type = string }
-variable "pve_password" { type = string }
-variable "grafana_db_password" { type = string }
-variable "grafana_admin_password" { type = string }
+variable "monitoring_idrac_password" {
+  type = string
+  sensitive = true
+}
+variable "tiny_tuya_service_secret" {
+  type = string
+  sensitive = true
+}
+variable "haos_api_token" {
+  type = string
+  sensitive = true
+}
+variable "pve_password" {
+  type = string
+  sensitive = true
+}
+variable "grafana_db_password" {
+  type = string
+  sensitive = true
+}
+variable "grafana_admin_password" {
+  type = string
+  sensitive = true
+}
 
 # --- vaultwarden ---
-variable "vaultwarden_smtp_password" { type = string }
+variable "vaultwarden_smtp_password" {
+  type = string
+  sensitive = true
+}
 
 # --- wireguard ---
 variable "wireguard_wg_0_conf" { type = string }
@@ -107,7 +173,10 @@ variable "wireguard_firewall_sh" { type = string }
 
 # --- xray ---
 variable "xray_reality_clients" { type = list(map(string)) }
-variable "xray_reality_private_key" { type = string }
+variable "xray_reality_private_key" {
+  type = string
+  sensitive = true
+}
 variable "xray_reality_short_ids" { type = list(string) }
 
 # --- mailserver ---
@@ -115,13 +184,22 @@ variable "mailserver_accounts" {}
 variable "mailserver_aliases" {}
 variable "mailserver_opendkim_key" {}
 variable "mailserver_sasl_passwd" {}
-variable "mailserver_roundcubemail_db_password" { type = string }
+variable "mailserver_roundcubemail_db_password" {
+  type = string
+  sensitive = true
+}
 
 # --- infra-maintenance ---
 variable "webhook_handler_git_user" { type = string }
-variable "webhook_handler_git_token" { type = string }
+variable "webhook_handler_git_token" {
+  type = string
+  sensitive = true
+}
 variable "technitium_username" { type = string }
-variable "technitium_password" { type = string }
+variable "technitium_password" {
+  type = string
+  sensitive = true
+}
 
 # --- iscsi-csi ---
 variable "truenas_api_key" {

stacks/platform/modules/crowdsec/main.tf

@@ -3,9 +3,15 @@ variable "homepage_username" {}
 variable "homepage_password" {}
 variable "db_password" {}
 variable "enroll_key" {}
-variable "crowdsec_dash_api_key" { type = string }          # used for web dash
+variable "crowdsec_dash_api_key" {
+  type = string
+  sensitive = true
+}
 variable "crowdsec_dash_machine_id" { type = string }       # used for web dash
-variable "crowdsec_dash_machine_password" { type = string } # used for web dash
+variable "crowdsec_dash_machine_password" {
+  type = string
+  sensitive = true
+}
 variable "tier" { type = string }
 variable "slack_webhook_url" { type = string }
 variable "mysql_host" { type = string }

stacks/platform/modules/dbaas/main.tf

@@ -12,7 +12,10 @@ variable "prod" {
   type    = bool
 }
 variable "nfs_server" { type = string }
-variable "kube_config_path" { type = string }
+variable "kube_config_path" {
+  type = string
+  sensitive = true
+}
 
 resource "kubernetes_namespace" "dbaas" {
   metadata {

stacks/platform/modules/mailserver/roundcubemail.tf

@@ -1,4 +1,7 @@
-variable "roundcube_db_password" { type = string }
+variable "roundcube_db_password" {
+  type = string
+  sensitive = true
+}
 variable "mysql_host" { type = string }
 
 module "nfs_roundcube_html" {

stacks/platform/modules/monitoring/main.tf

@@ -8,13 +8,29 @@ variable "idrac_username" {
 }
 variable "idrac_password" {
   default = "calvin"
+  sensitive = true
 }
 variable "alertmanager_slack_api_url" {}
-variable "tiny_tuya_service_secret" { type = string }
-variable "haos_api_token" { type = string }
-variable "pve_password" { type = string }
-variable "grafana_db_password" { type = string }
-variable "grafana_admin_password" { type = string }
+variable "tiny_tuya_service_secret" {
+  type = string
+  sensitive = true
+}
+variable "haos_api_token" {
+  type = string
+  sensitive = true
+}
+variable "pve_password" {
+  type = string
+  sensitive = true
+}
+variable "grafana_db_password" {
+  type = string
+  sensitive = true
+}
+variable "grafana_admin_password" {
+  type = string
+  sensitive = true
+}
 variable "tier" { type = string }
 variable "mysql_host" { type = string }
 

stacks/platform/modules/reverse_proxy/factory/main.tf

@@ -17,6 +17,7 @@ variable "protected" {
 variable "ingress_path" {
   type    = list(string)
   default = ["/"]
+  sensitive = true
 }
 variable "max_body_size" {
   type    = string

stacks/platform/modules/technitium/main.tf

@@ -5,7 +5,10 @@ variable "technitium_db_password" {}
 variable "nfs_server" { type = string }
 variable "mysql_host" { type = string }
 variable "technitium_username" { type = string }
-variable "technitium_password" { type = string }
+variable "technitium_password" {
+  type = string
+  sensitive = true
+}
 
 resource "kubernetes_namespace" "technitium" {
   metadata {

stacks/platform/modules/traefik/main.tf

@@ -1,5 +1,8 @@
 variable "tier" { type = string }
-variable "crowdsec_api_key" { type = string }
+variable "crowdsec_api_key" {
+  type = string
+  sensitive = true
+}
 variable "redis_host" { type = string }
 variable "tls_secret_name" {}
 variable "auth_fallback_htpasswd" {

stacks/platform/modules/vpa/main.tf

@@ -1,4 +1,7 @@
-variable "tls_secret_name" { type = string }
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "tier" { type = string }
 
 resource "kubernetes_namespace" "vpa" {

stacks/platform/modules/xray/main.tf

@@ -1,7 +1,10 @@
 variable "tls_secret_name" {}
 variable "tier" { type = string }
 variable "xray_reality_clients" { type = list(map(string)) }
-variable "xray_reality_private_key" { type = string }
+variable "xray_reality_private_key" {
+  type = string
+  sensitive = true
+}
 variable "xray_reality_short_ids" { type = list(string) }
 
 # Github repo - https://github.com/teddysun/across/blob/master/docker/xray/README.md

stacks/platform/providers.tf

@@ -2,6 +2,7 @@
 variable "kube_config_path" {
   type    = string
   default = "~/.kube/config"
+  sensitive = true
 }
 
 provider "kubernetes" {