migrate all secrets from SOPS to Vault KV

- Add vault provider to root terragrunt.hcl (generated providers.tf) - Delete stacks/vault/vault_provider.tf (now in generated providers.tf) - Add 124 variable declarations + 43 vault_kv_secret_v2 resources to vault/main.tf to populate Vault KV at secret/<stack-name> - Migrate 43 consuming stacks to read secrets from Vault KV via data "vault_kv_secret_v2" instead of SOPS var-file - Add dependency "vault" to all migrated stacks' terragrunt.hcl - Complex types (maps/lists) stored as JSON strings, decoded with jsondecode() in locals blocks Bootstrap secrets (vault_root_token, vault_authentik_client_id, vault_authentik_client_secret) remain in SOPS permanently. Apply order: vault stack first (populates KV), then all others.
2026-03-14 17:15:48 +00:00 · 2026-03-14 17:15:48 +00:00 · a8d944eb9b
commit a8d944eb9b
parent 39b7dac1a9
126 changed files with 1635 additions and 817 deletions
--- a/stacks/actualbudget/main.tf
+++ b/stacks/actualbudget/main.tf
@ -2,12 +2,17 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "actualbudget_credentials" {
  type      = map(any)
  sensitive = true
 }
 variable "nfs_server" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "actualbudget"
 }
 locals {
  credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["credentials"])
 }
 # To create a new deployment:
 /**
@ -42,8 +47,8 @@ module "viktor" {
  nfs_server                 = var.nfs_server
  depends_on                 = [kubernetes_namespace.actualbudget]
  tier                       = local.tiers.edge
-  budget_encryption_password = lookup(var.actualbudget_credentials["viktor"], "password", null)
+  budget_encryption_password = lookup(local.credentials["viktor"], "password", null)
-  sync_id                    = lookup(var.actualbudget_credentials["viktor"], "sync_id", null)
+  sync_id                    = lookup(local.credentials["viktor"], "sync_id", null)
  homepage_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Budget Viktor"
@ -63,8 +68,8 @@ module "anca" {
  nfs_server                 = var.nfs_server
  depends_on                 = [kubernetes_namespace.actualbudget]
  tier                       = local.tiers.edge
-  budget_encryption_password = lookup(var.actualbudget_credentials["anca"], "password", null)
+  budget_encryption_password = lookup(local.credentials["anca"], "password", null)
-  sync_id                    = lookup(var.actualbudget_credentials["anca"], "sync_id", null)
+  sync_id                    = lookup(local.credentials["anca"], "sync_id", null)
  homepage_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Budget Anca"
@ -84,8 +89,8 @@ module "emo" {
  nfs_server                 = var.nfs_server
  depends_on                 = [kubernetes_namespace.actualbudget]
  tier                       = local.tiers.edge
-  budget_encryption_password = lookup(var.actualbudget_credentials["emo"], "password", null)
+  budget_encryption_password = lookup(local.credentials["emo"], "password", null)
-  sync_id                    = lookup(var.actualbudget_credentials["emo"], "sync_id", null)
+  sync_id                    = lookup(local.credentials["emo"], "sync_id", null)
  homepage_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Budget Emo"
--- a/stacks/actualbudget/providers.tf
+++ b/stacks/actualbudget/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/actualbudget/terragrunt.hcl
+++ b/stacks/actualbudget/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/affine/main.tf
+++ b/stacks/affine/main.tf
@ -2,12 +2,16 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "affine_postgresql_password" {
  type      = string
  sensitive = true
 }
 variable "mailserver_accounts" { type = map(any) }
 variable "nfs_server" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "affine"
 }
 locals {
  mailserver_accounts = jsondecode(data.vault_kv_secret_v2.secrets.data["mailserver_accounts"])
 }
 variable "redis_host" { type = string }
 variable "postgresql_host" { type = string }
 variable "mail_host" { type = string }
@ -32,7 +36,7 @@ locals {
  common_env = [
    {
      name  = "DATABASE_URL"
-      value = "postgresql://affine:${var.affine_postgresql_password}@${var.postgresql_host}:5432/affine"
+      value = "postgresql://affine:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.postgresql_host}:5432/affine"
    },
    {
      name  = "REDIS_SERVER_HOST"
@ -70,7 +74,7 @@ locals {
    },
    {
      name  = "MAILER_PASSWORD"
-      value = var.mailserver_accounts["info@viktorbarzin.me"]
+      value = local.mailserver_accounts["info@viktorbarzin.me"]
    },
    {
      name  = "MAILER_SENDER"
--- a/stacks/affine/providers.tf
+++ b/stacks/affine/providers.tf
@ -2,7 +2,6 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
  sensitive = true
 }
 provider "kubernetes" {
--- a/stacks/affine/terragrunt.hcl
+++ b/stacks/affine/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/audiobookshelf/main.tf
+++ b/stacks/audiobookshelf/main.tf
@ -3,9 +3,13 @@ variable "tls_secret_name" {
  sensitive = true
 }
 variable "nfs_server" { type = string }
-variable "homepage_credentials" {
+data "vault_kv_secret_v2" "secrets" {
-  type      = map(any)
+  mount = "secret"
-  sensitive = true
+  name  = "audiobookshelf"
 }
 locals {
  homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
 }
@ -205,6 +209,6 @@ module "ingress" {
    "gethomepage.dev/pod-selector" = ""
    "gethomepage.dev/widget.type"  = "audiobookshelf"
    "gethomepage.dev/widget.url"   = "http://audiobookshelf.audiobookshelf.svc.cluster.local"
-    "gethomepage.dev/widget.key"   = var.homepage_credentials["audiobookshelf"]["token"]
+    "gethomepage.dev/widget.key"   = local.homepage_credentials["audiobookshelf"]["token"]
  }
 }
--- a/stacks/audiobookshelf/providers.tf
+++ b/stacks/audiobookshelf/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/audiobookshelf/terragrunt.hcl
+++ b/stacks/audiobookshelf/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/blog/providers.tf
+++ b/stacks/blog/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/calibre/main.tf
+++ b/stacks/calibre/main.tf
@ -2,12 +2,17 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "homepage_credentials" {
  type      = map(any)
  sensitive = true
 }
 variable "nfs_server" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "calibre"
 }
 locals {
  homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
 }
 resource "kubernetes_namespace" "calibre" {
  metadata {
@ -194,6 +199,24 @@ resource "kubernetes_deployment" "calibre-web-automated" {
          port {
            container_port = 8083
          }
          # Startup probe: allow up to 10 min for calibre binary install on first boot
          startup_probe {
            http_get {
              path = "/"
              port = 8083
            }
            initial_delay_seconds = 30
            period_seconds        = 10
            failure_threshold     = 54
          }
          liveness_probe {
            http_get {
              path = "/"
              port = 8083
            }
            period_seconds    = 30
            failure_threshold = 3
          }
          resources {
            requests = {
              cpu    = "50m"
@ -274,8 +297,8 @@ module "ingress" {
    "gethomepage.dev/name"            = "Calibre"
    "gethomepage.dev/widget.type"     = "calibreweb"
    "gethomepage.dev/widget.url"      = "http://calibre.calibre.svc.cluster.local"
-    "gethomepage.dev/widget.username" = var.homepage_credentials["calibre-web"]["username"]
+    "gethomepage.dev/widget.username" = local.homepage_credentials["calibre-web"]["username"]
-    "gethomepage.dev/widget.password" = var.homepage_credentials["calibre-web"]["password"]
+    "gethomepage.dev/widget.password" = local.homepage_credentials["calibre-web"]["password"]
    "gethomepage.dev/pod-selector"    = ""
    # gethomepage.dev/weight: 10 # optional
    # gethomepage.dev/instance: "public" # optional
--- a/stacks/calibre/providers.tf
+++ b/stacks/calibre/providers.tf
@ -1,8 +1,22 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 4.0"
    }
  }
 }
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
 }
 variable "vault_root_token" {
  type      = string
  sensitive = true
  default   = ""
 }
 provider "kubernetes" {
@ -14,3 +28,9 @@ provider "helm" {
    config_path = var.kube_config_path
  }
 }
 provider "vault" {
  address          = "https://vault.viktorbarzin.me"
  token            = var.vault_root_token
  skip_child_token = true
 }
--- a/stacks/calibre/terragrunt.hcl
+++ b/stacks/calibre/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/changedetection/main.tf
+++ b/stacks/changedetection/main.tf
@ -3,9 +3,13 @@ variable "tls_secret_name" {
  sensitive = true
 }
 variable "nfs_server" { type = string }
-variable "homepage_credentials" {
+data "vault_kv_secret_v2" "secrets" {
-  type      = map(any)
+  mount = "secret"
-  sensitive = true
+  name  = "changedetection"
 }
 locals {
  homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
 }
@ -171,6 +175,6 @@ module "ingress" {
    "gethomepage.dev/pod-selector" = ""
    "gethomepage.dev/widget.type"  = "changedetectionio"
    "gethomepage.dev/widget.url"   = "http://changedetection.changedetection.svc.cluster.local"
-    "gethomepage.dev/widget.key"   = var.homepage_credentials["changedetection"]["api_key"]
+    "gethomepage.dev/widget.key"   = local.homepage_credentials["changedetection"]["api_key"]
  }
 }
--- a/stacks/changedetection/providers.tf
+++ b/stacks/changedetection/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/changedetection/terragrunt.hcl
+++ b/stacks/changedetection/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/city-guesser/providers.tf
+++ b/stacks/city-guesser/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/claude-memory/main.tf
+++ b/stacks/claude-memory/main.tf
@ -3,17 +3,14 @@ variable "tls_secret_name" {
  sensitive = true
 }
 variable "postgresql_host" { type = string }
 variable "dbaas_postgresql_root_password" {
  type      = string
  sensitive = true
 }
 variable "claude_memory_db_password" {
  type      = string
  sensitive = true
 }
-variable "claude_memory_api_key" {
+
-  type      = string
+data "vault_kv_secret_v2" "secrets" {
-  sensitive = true
+  mount = "secret"
  name  = "claude-memory"
 }
 resource "kubernetes_namespace" "claude-memory" {
@ -48,11 +45,11 @@ resource "kubernetes_job" "db_init" {
            "sh", "-c",
            <<-EOT
              set -e
-              PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h ${var.postgresql_host} -U root -tc "SELECT 1 FROM pg_roles WHERE rolname='claude_memory'" | grep -q 1 || \
+              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -tc "SELECT 1 FROM pg_roles WHERE rolname='claude_memory'" | grep -q 1 || \
-                PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h ${var.postgresql_host} -U root -c "CREATE ROLE claude_memory WITH LOGIN PASSWORD '${var.claude_memory_db_password}'"
+                PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -c "CREATE ROLE claude_memory WITH LOGIN PASSWORD '${var.claude_memory_db_password}'"
-              PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h ${var.postgresql_host} -U root -tc "SELECT 1 FROM pg_database WHERE datname='claude_memory'" | grep -q 1 || \
+              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -tc "SELECT 1 FROM pg_database WHERE datname='claude_memory'" | grep -q 1 || \
-                PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h ${var.postgresql_host} -U root -c "CREATE DATABASE claude_memory OWNER claude_memory"
+                PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -c "CREATE DATABASE claude_memory OWNER claude_memory"
-              PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h ${var.postgresql_host} -U root -c "GRANT ALL PRIVILEGES ON DATABASE claude_memory TO claude_memory"
+              PGPASSWORD='${data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]}' psql -h ${var.postgresql_host} -U root -c "GRANT ALL PRIVILEGES ON DATABASE claude_memory TO claude_memory"
              echo "Database init complete"
            EOT
          ]
@ -79,7 +76,7 @@ resource "kubernetes_deployment" "claude-memory" {
    }
  }
  spec {
-    replicas = 1
+    replicas = 2
    selector {
      match_labels = {
        app = "claude-memory"
@ -92,6 +89,18 @@ resource "kubernetes_deployment" "claude-memory" {
        }
      }
      spec {
        affinity {
          pod_anti_affinity {
            required_during_scheduling_ignored_during_execution {
              label_selector {
                match_labels = {
                  app = "claude-memory"
                }
              }
              topology_key = "kubernetes.io/hostname"
            }
          }
        }
        container {
          name  = "claude-memory"
          image = "viktorbarzin/claude-memory-mcp:latest"
@ -106,9 +115,17 @@ resource "kubernetes_deployment" "claude-memory" {
          }
          env {
            name  = "API_KEY"
-            value = var.claude_memory_api_key
+            value = data.vault_kv_secret_v2.secrets.data["api_key"]
          }
          startup_probe {
            http_get {
              path = "/health"
              port = 8000
            }
            failure_threshold = 30
            period_seconds    = 2
          }
          liveness_probe {
            http_get {
              path = "/health"
@ -146,6 +163,21 @@ resource "kubernetes_deployment" "claude-memory" {
  }
 }
 resource "kubernetes_pod_disruption_budget_v1" "claude-memory" {
  metadata {
    name      = "claude-memory"
    namespace = kubernetes_namespace.claude-memory.metadata[0].name
  }
  spec {
    min_available = "1"
    selector {
      match_labels = {
        app = "claude-memory"
      }
    }
  }
 }
 resource "kubernetes_service" "claude-memory" {
  metadata {
    name      = "claude-memory"
--- a/stacks/claude-memory/terragrunt.hcl
+++ b/stacks/claude-memory/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/coturn/main.tf
+++ b/stacks/coturn/main.tf
@ -2,12 +2,12 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "coturn_turn_secret" {
  type      = string
  sensitive = true
 }
 variable "public_ip" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "coturn"
 }
 locals {
  turn_realm = "viktorbarzin.me"
@ -45,7 +45,7 @@ resource "kubernetes_config_map" "coturn_config" {
      fingerprint
      lt-cred-mech
      use-auth-secret
-      static-auth-secret=${var.coturn_turn_secret}
+      static-auth-secret=${data.vault_kv_secret_v2.secrets.data["turn_secret"]}
      realm=${local.turn_realm}
      server-name=turn.${local.turn_realm}
--- a/stacks/coturn/providers.tf
+++ b/stacks/coturn/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/coturn/terragrunt.hcl
+++ b/stacks/coturn/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/cyberchef/providers.tf
+++ b/stacks/cyberchef/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/dawarich/main.tf
+++ b/stacks/dawarich/main.tf
@ -2,15 +2,6 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "dawarich_database_password" {
  type      = string
  sensitive = true
 }
 variable "geoapify_api_key" {
  type      = string
  sensitive = true
 }
 variable "image_version" {
  type    = string
@ -20,6 +11,11 @@ variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "postgresql_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "dawarich"
 }
 resource "kubernetes_namespace" "dawarich" {
  metadata {
    name = "dawarich"
@ -97,7 +93,7 @@ resource "kubernetes_deployment" "dawarich" {
          }
          env {
            name  = "DATABASE_PASSWORD"
-            value = var.dawarich_database_password
+            value = data.vault_kv_secret_v2.secrets.data["db_password"]
          }
          env {
            name  = "DATABASE_NAME"
@ -178,7 +174,7 @@ resource "kubernetes_deployment" "dawarich" {
        #   }
        #   env {
        #     name  = "DATABASE_PASSWORD"
-        #     value = var.dawarich_database_password
+        #     value = data.vault_kv_secret_v2.secrets.data["db_password"]
        #   }
        #   env {
        #     name  = "DATABASE_NAME"
@ -219,7 +215,7 @@ resource "kubernetes_deployment" "dawarich" {
        #   # }
        #   env {
        #     name  = "GEOAPIFY_API_KEY"
-        #     value = var.geoapify_api_key
+        #     value = data.vault_kv_secret_v2.secrets.data["geoapify_api_key"]
        #   }
        #   env {
        #     name  = "SELF_HOSTED"
--- a/stacks/dawarich/providers.tf
+++ b/stacks/dawarich/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/dawarich/terragrunt.hcl
+++ b/stacks/dawarich/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/descheduler/providers.tf
+++ b/stacks/descheduler/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/diun/main.tf
+++ b/stacks/diun/main.tf
@ -2,13 +2,12 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "diun_nfty_token" {
  type      = string
  sensitive = true
 }
 variable "diun_slack_url" { type = string }
 variable "nfs_server" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "diun"
 }
 resource "kubernetes_namespace" "diun" {
  metadata {
@ -154,11 +153,11 @@ resource "kubernetes_deployment" "diun" {
          # }
          # env {
          #   name  = "DIUN_NOTIF_NTFY_TOKEN"
-          #   value = var.diun_nfty_token
+          #   value = data.vault_kv_secret_v2.secrets.data["nfty_token"]
          # }
          env {
            name  = "DIUN_NOTIF_SLACK_WEBHOOKURL"
-            value = var.diun_slack_url
+            value = data.vault_kv_secret_v2.secrets.data["slack_url"]
          }
          env {
            name = "LOG_LEVEL"
--- a/stacks/diun/providers.tf
+++ b/stacks/diun/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/diun/terragrunt.hcl
+++ b/stacks/diun/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/ebook2audiobook/providers.tf
+++ b/stacks/ebook2audiobook/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/echo/providers.tf
+++ b/stacks/echo/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/excalidraw/providers.tf
+++ b/stacks/excalidraw/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/f1-stream/main.tf
+++ b/stacks/f1-stream/main.tf
@ -3,13 +3,13 @@ variable "tls_secret_name" {
  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "discord_user_token" {
  type      = string
  sensitive = true
 }
 variable "discord_f1_guild_id" { type = string }
 variable "discord_f1_channel_ids" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "f1-stream"
 }
 resource "kubernetes_namespace" "f1-stream" {
  metadata {
@ -70,7 +70,7 @@ resource "kubernetes_deployment" "f1-stream" {
          }
          env {
            name  = "DISCORD_TOKEN"
-            value = var.discord_user_token
+            value = data.vault_kv_secret_v2.secrets.data["discord_user_token"]
          }
          env {
            name  = "DISCORD_CHANNELS"
--- a/stacks/f1-stream/providers.tf
+++ b/stacks/f1-stream/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/f1-stream/terragrunt.hcl
+++ b/stacks/f1-stream/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@ -3,12 +3,11 @@ variable "tls_secret_name" {
  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "forgejo_authentik_client_id" { type = string }
 variable "forgejo_authentik_client_secret" {
  type      = string
  sensitive = true
 }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "forgejo"
 }
 resource "kubernetes_namespace" "forgejo" {
  metadata {
--- a/stacks/forgejo/providers.tf
+++ b/stacks/forgejo/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/forgejo/terragrunt.hcl
+++ b/stacks/forgejo/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/freedify/main.tf
+++ b/stacks/freedify/main.tf
@ -2,9 +2,13 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
-variable "freedify_credentials" {
+data "vault_kv_secret_v2" "secrets" {
-  type      = map(any)
+  mount = "secret"
-  sensitive = true
+  name  = "freedify"
 }
 locals {
  credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["credentials"])
 }
@ -40,11 +44,11 @@ module "viktor" {
  depends_on         = [kubernetes_namespace.freedify]
  tier               = local.tiers.aux
  protected          = true
-  listenbrainz_token = lookup(var.freedify_credentials["viktor"], "listenbrainz_token", null)
+  listenbrainz_token = lookup(local.credentials["viktor"], "listenbrainz_token", null)
-  genius_token       = lookup(var.freedify_credentials["viktor"], "genius_token", null)
+  genius_token       = lookup(local.credentials["viktor"], "genius_token", null)
-  dab_session        = lookup(var.freedify_credentials["viktor"], "dab_session", null)
+  dab_session        = lookup(local.credentials["viktor"], "dab_session", null)
-  dab_visitor_id     = lookup(var.freedify_credentials["viktor"], "dab_visitor_id", null)
+  dab_visitor_id     = lookup(local.credentials["viktor"], "dab_visitor_id", null)
-  gemini_api_key     = lookup(var.freedify_credentials["viktor"], "gemini_api_key", null)
+  gemini_api_key     = lookup(local.credentials["viktor"], "gemini_api_key", null)
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Freedify (Viktor)"
@ -64,8 +68,8 @@ module "emo" {
  depends_on      = [kubernetes_namespace.freedify]
  tier            = local.tiers.aux
  protected       = true
-  genius_token    = lookup(var.freedify_credentials["emo"], "genius_token", null)
+  genius_token    = lookup(local.credentials["emo"], "genius_token", null)
-  gemini_api_key  = lookup(var.freedify_credentials["emo"], "gemini_api_key", null)
+  gemini_api_key  = lookup(local.credentials["emo"], "gemini_api_key", null)
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Freedify (Emo)"
--- a/stacks/freedify/providers.tf
+++ b/stacks/freedify/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/freedify/terragrunt.hcl
+++ b/stacks/freedify/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/freshrss/main.tf
+++ b/stacks/freshrss/main.tf
@ -3,9 +3,13 @@ variable "tls_secret_name" {
  sensitive = true
 }
 variable "nfs_server" { type = string }
-variable "homepage_credentials" {
+data "vault_kv_secret_v2" "secrets" {
-  type      = map(any)
+  mount = "secret"
-  sensitive = true
+  name  = "freshrss"
 }
 locals {
  homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
 }
@ -159,7 +163,7 @@ module "ingress" {
    "gethomepage.dev/pod-selector"    = ""
    "gethomepage.dev/widget.type"     = "freshrss"
    "gethomepage.dev/widget.url"      = "http://freshrss.freshrss.svc.cluster.local"
-    "gethomepage.dev/widget.username" = var.homepage_credentials["freshrss"]["username"]
+    "gethomepage.dev/widget.username" = local.homepage_credentials["freshrss"]["username"]
-    "gethomepage.dev/widget.password" = var.homepage_credentials["freshrss"]["password"]
+    "gethomepage.dev/widget.password" = local.homepage_credentials["freshrss"]["password"]
  }
 }
--- a/stacks/freshrss/providers.tf
+++ b/stacks/freshrss/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/freshrss/terragrunt.hcl
+++ b/stacks/freshrss/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/frigate/providers.tf
+++ b/stacks/frigate/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/grampsweb/main.tf
+++ b/stacks/grampsweb/main.tf
@ -2,8 +2,16 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "mailserver_accounts" { type = map(any) }
 variable "nfs_server" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "grampsweb"
 }
 locals {
  mailserver_accounts = jsondecode(data.vault_kv_secret_v2.secrets.data["mailserver_accounts"])
 }
 variable "redis_host" { type = string }
 variable "ollama_host" { type = string }
 variable "mail_host" { type = string }
@ -81,7 +89,7 @@ locals {
    },
    {
      name  = "GRAMPSWEB_EMAIL_HOST_PASSWORD"
-      value = var.mailserver_accounts["info@viktorbarzin.me"]
+      value = local.mailserver_accounts["info@viktorbarzin.me"]
    },
    {
      name  = "GRAMPSWEB_EMAIL_USE_SSL"
--- a/stacks/grampsweb/providers.tf
+++ b/stacks/grampsweb/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/grampsweb/terragrunt.hcl
+++ b/stacks/grampsweb/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/hackmd/main.tf
+++ b/stacks/hackmd/main.tf
@ -1,13 +1,13 @@
 variable "hackmd_db_password" {
  type      = string
  sensitive = true
 }
 variable "tls_secret_name" {
  type = string
 }
 variable "nfs_server" { type = string }
 variable "mysql_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "hackmd"
 }
 resource "kubernetes_namespace" "hackmd" {
  metadata {
@ -103,7 +103,7 @@ resource "kubernetes_deployment" "hackmd" {
          env {
            name = "CMD_DB_URL"
            # value = format("%s%s%s", "postgres://codimd:", var.hackmd_db_password, "@localhost/codimd")
-            value = format("%s%s%s", "mysql://codimd:", var.hackmd_db_password, "@${var.mysql_host}/codimd")
+            value = format("%s%s%s", "mysql://codimd:", data.vault_kv_secret_v2.secrets.data["db_password"], "@${var.mysql_host}/codimd")
          }
          env {
            name  = "CMD_USECDN"
--- a/stacks/hackmd/providers.tf
+++ b/stacks/hackmd/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/hackmd/terragrunt.hcl
+++ b/stacks/hackmd/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/health/main.tf
+++ b/stacks/health/main.tf
@ -2,17 +2,13 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "health_postgresql_password" {
  type      = string
  sensitive = true
 }
 variable "health_secret_key" {
  type      = string
  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "postgresql_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "health"
 }
 resource "kubernetes_namespace" "health" {
  metadata {
@ -70,11 +66,11 @@ resource "kubernetes_deployment" "health" {
          env {
            name  = "DATABASE_URL"
-            value = "postgresql+asyncpg://health:${var.health_postgresql_password}@${var.postgresql_host}:5432/health"
+            value = "postgresql+asyncpg://health:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.postgresql_host}:5432/health"
          }
          env {
            name  = "SECRET_KEY"
-            value = var.health_secret_key
+            value = data.vault_kv_secret_v2.secrets.data["secret_key"]
          }
          env {
            name  = "UPLOAD_DIR"
--- a/stacks/health/providers.tf
+++ b/stacks/health/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/health/terragrunt.hcl
+++ b/stacks/health/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/homepage/providers.tf
+++ b/stacks/homepage/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/immich/frame.tf
+++ b/stacks/immich/frame.tf
@ -23,7 +23,7 @@ resource "kubernetes_config_map" "mailserver_config" {
        ShowProgressBar: false
    Accounts:
        - ImmichServerUrl: http://immich.viktorbarzin.me
-          ApiKey: ${var.immich_frame_api_key}
+          ApiKey: ${data.vault_kv_secret_v2.secrets.data["frame_api_key"]}
          Albums: 
            - 1aa98849-bbd5-452b-aac0-310b210a8597 # china
    EOF
--- a/stacks/immich/main.tf
+++ b/stacks/immich/main.tf
@ -2,17 +2,13 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
-variable "immich_postgresql_password" {
+data "vault_kv_secret_v2" "secrets" {
-  type      = string
+  mount = "secret"
-  sensitive = true
+  name  = "immich"
 }
-variable "immich_frame_api_key" {
+
-  type      = string
+locals {
-  sensitive = true
+  homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
 }
 variable "homepage_credentials" {
  type      = map(any)
  sensitive = true
 }
@ -168,7 +164,7 @@ resource "kubernetes_deployment" "immich_server" {
          }
          env {
            name  = "DB_PASSWORD"
-            value = var.immich_postgresql_password
+            value = data.vault_kv_secret_v2.secrets.data["db_password"]
          }
          env {
            name  = "IMMICH_MACHINE_LEARNING_URL"
@ -357,7 +353,7 @@ resource "kubernetes_deployment" "immich-postgres" {
          }
          env {
            name  = "POSTGRES_PASSWORD"
-            value = var.immich_postgresql_password
+            value = data.vault_kv_secret_v2.secrets.data["db_password"]
          }
          env {
            name  = "POSTGRES_USER"
@ -428,7 +424,7 @@ resource "kubernetes_service" "immich-postgresql" {
 #   version    = "0.9.3"
 #   timeout    = 6000
-#   values = [templatefile("${path.module}/chart_values.tpl", { postgresql_password = var.immich_postgresql_password, version = var.immich_version })]
+#   values = [templatefile("${path.module}/chart_values.tpl", { postgresql_password = data.vault_kv_secret_v2.secrets.data["db_password"], version = var.immich_version })]
 # }
 # The helm one cannot be customized to use affinity settings to use the gpu node
@ -595,7 +591,7 @@ module "ingress-immich" {
    "gethomepage.dev/widget.url"     = "http://immich-server.immich.svc.cluster.local:2283"
    "gethomepage.dev/widget.version" = "2"
    "gethomepage.dev/pod-selector"   = ""
-    "gethomepage.dev/widget.key"     = var.homepage_credentials["immich"]["token"]
+    "gethomepage.dev/widget.key"     = local.homepage_credentials["immich"]["token"]
  }
 }
@ -625,7 +621,7 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" {
              image = "postgres:16.4-bullseye"
              command = ["/bin/sh", "-c", <<-EOT
                export now=$(date +"%Y_%m_%d_%H_%M")
-                PGPASSWORD=${var.immich_postgresql_password} pg_dumpall  -h immich-postgresql -U immich > /backup/dump_$now.sql
+                PGPASSWORD=${data.vault_kv_secret_v2.secrets.data["db_password"]} pg_dumpall  -h immich-postgresql -U immich > /backup/dump_$now.sql
                # Rotate - delete last log file
                cd /backup
@ -710,7 +706,7 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" {
 #           }
 #           env {
 #             name  = "DB_PASSWORD"
-#             value = var.immich_postgresql_password
+#             value = data.vault_kv_secret_v2.secrets.data["db_password"]
 #           }
 #           env {
 #             name = "DB_HOST"
--- a/stacks/immich/providers.tf
+++ b/stacks/immich/providers.tf
@ -2,7 +2,6 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
  sensitive = true
 }
 provider "kubernetes" {
--- a/stacks/immich/terragrunt.hcl
+++ b/stacks/immich/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/infra/providers.tf
+++ b/stacks/infra/providers.tf
@ -9,18 +9,18 @@ terraform {
 }
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
 variable "proxmox_pm_api_url" { type = string }
 variable "proxmox_pm_api_token_id" {
-  type = string
+  type      = string
  sensitive = true
 }
 variable "proxmox_pm_api_token_secret" {
-  type = string
+  type      = string
  sensitive = true
 }
--- a/stacks/isponsorblocktv/providers.tf
+++ b/stacks/isponsorblocktv/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/jsoncrack/providers.tf
+++ b/stacks/jsoncrack/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/k8s-dashboard/providers.tf
+++ b/stacks/k8s-dashboard/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/kms/providers.tf
+++ b/stacks/kms/providers.tf
@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 variable "kube_config_path" {
-  type    = string
+  type      = string
-  default = "~/.kube/config"
+  default   = "~/.kube/config"
  sensitive = true
 }
--- a/stacks/linkwarden/main.tf
+++ b/stacks/linkwarden/main.tf
@ -2,19 +2,15 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "linkwarden_postgresql_password" {
  type      = string
  sensitive = true
 }
 variable "linkwarden_authentik_client_id" { type = string }
 variable "linkwarden_authentik_client_secret" {
  type      = string
  sensitive = true
 }
 variable "postgresql_host" { type = string }
-variable "homepage_credentials" {
+
-  type      = map(any)
+data "vault_kv_secret_v2" "secrets" {
-  sensitive = true
+  mount = "secret"
  name  = "linkwarden"
 }
 locals {
  homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
 }
@ -78,7 +74,7 @@ resource "kubernetes_deployment" "linkwarden" {
          }
          env {
            name  = "DATABASE_URL"
-            value = "postgresql://linkwarden:${var.linkwarden_postgresql_password}@${var.postgresql_host}:5432/linkwarden"
+            value = "postgresql://linkwarden:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.postgresql_host}:5432/linkwarden"
          }
          env {
            name  = "NEXT_PUBLIC_AUTHENTIK_ENABLED"
@ -98,11 +94,11 @@ resource "kubernetes_deployment" "linkwarden" {
          }
          env {
            name  = "AUTHENTIK_CLIENT_ID"
-            value = var.linkwarden_authentik_client_id
+            value = data.vault_kv_secret_v2.secrets.data["authentik_client_id"]
          }
          env {
            name  = "AUTHENTIK_CLIENT_SECRET"
-            value = var.linkwarden_authentik_client_secret
+            value = data.vault_kv_secret_v2.secrets.data["authentik_client_secret"]
          }
          resources {
            requests = {
@ -153,6 +149,6 @@ module "ingress" {
    "gethomepage.dev/pod-selector" = ""
    "gethomepage.dev/widget.type"  = "linkwarden"
    "gethomepage.dev/widget.url"   = "http://linkwarden.linkwarden.svc.cluster.local"
-    "gethomepage.dev/widget.key"   = var.homepage_credentials["linkwarden"]["api_key"]
+    "gethomepage.dev/widget.key"   = local.homepage_credentials["linkwarden"]["api_key"]
  }
 }
--- a/stacks/linkwarden/providers.tf
+++ b/stacks/linkwarden/providers.tf
@ -2,7 +2,6 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
  sensitive = true
 }
 provider "kubernetes" {
--- a/stacks/linkwarden/terragrunt.hcl
+++ b/stacks/linkwarden/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/n8n/main.tf
+++ b/stacks/n8n/main.tf
@ -2,13 +2,13 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "n8n_postgresql_password" {
  type      = string
  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "postgresql_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "n8n"
 }
 module "tls_secret" {
  source          = "../../modules/kubernetes/setup_tls_secret"
@ -125,7 +125,7 @@ resource "kubernetes_deployment" "n8n" {
          }
          env {
            name  = "DB_POSTGRESDB_PASSWORD"
-            value = var.n8n_postgresql_password
+            value = data.vault_kv_secret_v2.secrets.data["db_password"]
          }
          env {
            name  = "GENERIC_TIMEZONE"
--- a/stacks/n8n/providers.tf
+++ b/stacks/n8n/providers.tf
@ -2,7 +2,6 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
  sensitive = true
 }
 provider "kubernetes" {
--- a/stacks/n8n/terragrunt.hcl
+++ b/stacks/n8n/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/navidrome/main.tf
+++ b/stacks/navidrome/main.tf
@ -3,9 +3,13 @@ variable "tls_secret_name" {
  sensitive = true
 }
 variable "nfs_server" { type = string }
-variable "homepage_credentials" {
+data "vault_kv_secret_v2" "secrets" {
-  type      = map(any)
+  mount = "secret"
-  sensitive = true
+  name  = "navidrome"
 }
 locals {
  homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
 }
@ -164,8 +168,8 @@ module "ingress" {
    "gethomepage.dev/pod-selector" = ""
    "gethomepage.dev/widget.type"  = "navidrome"
    "gethomepage.dev/widget.url"   = "http://navidrome.navidrome.svc.cluster.local"
-    "gethomepage.dev/widget.user"  = var.homepage_credentials["navidrome"]["user"]
+    "gethomepage.dev/widget.user"  = local.homepage_credentials["navidrome"]["user"]
-    "gethomepage.dev/widget.token" = var.homepage_credentials["navidrome"]["token"]
+    "gethomepage.dev/widget.token" = local.homepage_credentials["navidrome"]["token"]
-    "gethomepage.dev/widget.salt"  = var.homepage_credentials["navidrome"]["salt"]
+    "gethomepage.dev/widget.salt"  = local.homepage_credentials["navidrome"]["salt"]
  }
 }
--- a/stacks/navidrome/terragrunt.hcl
+++ b/stacks/navidrome/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/netbox/main.tf
+++ b/stacks/netbox/main.tf
@ -2,18 +2,14 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "netbox_db_password" {
  type      = string
  sensitive = true
 }
 variable "netbox_superuser_password" {
  type      = string
  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "postgresql_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "netbox"
 }
 resource "kubernetes_namespace" "netbox" {
  metadata {
@ -81,7 +77,7 @@ resource "kubernetes_deployment" "netbox" {
          }
          env {
            name  = "DB_PASSWORD"
-            value = var.netbox_db_password
+            value = data.vault_kv_secret_v2.secrets.data["db_password"]
          }
          env {
            name  = "DB_HOST"
@ -117,7 +113,7 @@ resource "kubernetes_deployment" "netbox" {
          }
          env {
            name  = "SUPERUSER_PASSWORD"
-            value = var.netbox_superuser_password
+            value = data.vault_kv_secret_v2.secrets.data["superuser_password"]
          }
          env {
            name  = "REMOTE_AUTH_ENABLED"
--- a/stacks/netbox/providers.tf
+++ b/stacks/netbox/providers.tf
@ -2,7 +2,6 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
  sensitive = true
 }
 provider "kubernetes" {
--- a/stacks/netbox/terragrunt.hcl
+++ b/stacks/netbox/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -2,16 +2,17 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "nextcloud_db_password" {
  type      = string
  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "mysql_host" { type = string }
-variable "homepage_credentials" {
+
-  type      = map(any)
+data "vault_kv_secret_v2" "secrets" {
-  sensitive = true
+  mount = "secret"
  name  = "nextcloud"
 }
 locals {
  homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
 }
@ -79,7 +80,7 @@ resource "helm_release" "nextcloud" {
  atomic     = true
  version    = "8.8.1"
-  values  = [templatefile("${path.module}/chart_values.yaml", { tls_secret_name = var.tls_secret_name, db_password = var.nextcloud_db_password, redis_host = var.redis_host, mysql_host = var.mysql_host })]
+  values  = [templatefile("${path.module}/chart_values.yaml", { tls_secret_name = var.tls_secret_name, db_password = data.vault_kv_secret_v2.secrets.data["db_password"], redis_host = var.redis_host, mysql_host = var.mysql_host })]
  timeout = 6000
 }
@ -182,7 +183,7 @@ resource "kubernetes_deployment" "whiteboard" {
          }
          env {
            name  = "JWT_SECRET_KEY"
-            value = var.nextcloud_db_password # anything secret is fine
+            value = data.vault_kv_secret_v2.secrets.data["db_password"] # anything secret is fine
          }
        }
      }
@ -227,8 +228,8 @@ module "ingress" {
    "gethomepage.dev/pod-selector"    = ""
    "gethomepage.dev/widget.type"     = "nextcloud"
    "gethomepage.dev/widget.url"      = "https://nextcloud.viktorbarzin.me"
-    "gethomepage.dev/widget.username" = var.homepage_credentials["nextcloud"]["username"]
+    "gethomepage.dev/widget.username" = local.homepage_credentials["nextcloud"]["username"]
-    "gethomepage.dev/widget.password" = var.homepage_credentials["nextcloud"]["password"]
+    "gethomepage.dev/widget.password" = local.homepage_credentials["nextcloud"]["password"]
  }
 }
--- a/stacks/nextcloud/terragrunt.hcl
+++ b/stacks/nextcloud/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/ollama/main.tf
+++ b/stacks/ollama/main.tf
@ -2,13 +2,18 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "ollama_api_credentials" {
  type      = map(string)
  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "ollama_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "ollama"
 }
 locals {
  api_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["api_credentials"])
 }
 resource "kubernetes_namespace" "ollama" {
  metadata {
@ -167,11 +172,11 @@ module "ollama-ingress" {
 # Ollama API ingress for external access (basicAuth protected)
 locals {
-  ollama_api_htpasswd = join("\n", [for name, pass in var.ollama_api_credentials : "${name}:${bcrypt(pass, 10)}"])
+  ollama_api_htpasswd = join("\n", [for name, pass in local.api_credentials : "${name}:${bcrypt(pass, 10)}"])
 }
 resource "kubernetes_secret" "ollama_api_basic_auth" {
-  count = length(var.ollama_api_credentials) > 0 ? 1 : 0
+  count = length(local.api_credentials) > 0 ? 1 : 0
  metadata {
    name      = "ollama-api-basic-auth-secret"
    namespace = kubernetes_namespace.ollama.metadata[0].name
@ -188,7 +193,7 @@ resource "kubernetes_secret" "ollama_api_basic_auth" {
 }
 resource "kubernetes_manifest" "ollama_api_basic_auth_middleware" {
-  count = length(var.ollama_api_credentials) > 0 ? 1 : 0
+  count = length(local.api_credentials) > 0 ? 1 : 0
  manifest = {
    apiVersion = "traefik.io/v1alpha1"
    kind       = "Middleware"
--- a/stacks/ollama/providers.tf
+++ b/stacks/ollama/providers.tf
@ -2,7 +2,6 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
  sensitive = true
 }
 provider "kubernetes" {
--- a/stacks/ollama/terragrunt.hcl
+++ b/stacks/ollama/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/onlyoffice/main.tf
+++ b/stacks/onlyoffice/main.tf
@ -2,18 +2,14 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "onlyoffice_db_password" {
  type      = string
  sensitive = true
 }
 variable "onlyoffice_jwt_token" {
  type      = string
  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "mysql_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "onlyoffice"
 }
 resource "kubernetes_namespace" "onlyoffice" {
  metadata {
@ -140,7 +136,7 @@ resource "kubernetes_deployment" "onlyoffice-document-server" {
          }
          env {
            name  = "DB_PWD"
-            value = var.onlyoffice_db_password
+            value = data.vault_kv_secret_v2.secrets.data["db_password"]
          }
          env {
            name  = "REDIS_SERVER_HOST"
@ -152,7 +148,7 @@ resource "kubernetes_deployment" "onlyoffice-document-server" {
          }
          env {
            name  = "JWT_SECRET"
-            value = var.onlyoffice_jwt_token
+            value = data.vault_kv_secret_v2.secrets.data["jwt_token"]
          }
          volume_mount {
--- a/stacks/onlyoffice/terragrunt.hcl
+++ b/stacks/onlyoffice/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@ -2,48 +2,17 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "openclaw_ssh_key" {
  type      = string
  sensitive = true
 }
 variable "openclaw_skill_secrets" {
  type      = map(string)
  sensitive = true
 }
 variable "llama_api_key" {
  type      = string
  sensitive = true
 }
 variable "brave_api_key" {
  type      = string
  sensitive = true
 }
 variable "openrouter_api_key" {
  type      = string
  sensitive = true
 }
 variable "nvidia_api_key" {
  type      = string
  sensitive = true
 }
 variable "anthropic_api_key" {
  type      = string
  sensitive = true
 }
 variable "openclaw_telegram_bot_token" {
  type      = string
  sensitive = true
 }
 variable "forgejo_api_token" {
  type      = string
  sensitive = true
 }
 variable "claude_memory_api_key" {
  type      = string
  sensitive = true
 }
 variable "nfs_server" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "openclaw"
 }
 locals {
  skill_secrets = jsondecode(data.vault_kv_secret_v2.secrets.data["skill_secrets"])
 }
 resource "kubernetes_namespace" "openclaw" {
  metadata {
@ -89,7 +58,7 @@ resource "kubernetes_secret" "ssh_key" {
    namespace = kubernetes_namespace.openclaw.metadata[0].name
  }
  data = {
-    "id_rsa" = var.openclaw_ssh_key
+    "id_rsa" = data.vault_kv_secret_v2.secrets.data["ssh_key"]
  }
  type = "generic"
 }
@ -166,7 +135,7 @@ resource "kubernetes_config_map" "openclaw_config" {
          search = {
            enabled    = true
            provider   = "brave"
-            apiKey     = var.brave_api_key
+            apiKey     = data.vault_kv_secret_v2.secrets.data["brave_api_key"]
            maxResults = 5
          }
          fetch = {
@ -192,7 +161,7 @@ resource "kubernetes_config_map" "openclaw_config" {
      channels = {
        telegram = {
          enabled     = true
-          botToken    = var.openclaw_telegram_bot_token
+          botToken    = data.vault_kv_secret_v2.secrets.data["telegram_bot_token"]
          dmPolicy    = "allowlist"
          allowFrom   = ["tg:8281953845"]
          groupPolicy = "allowlist"
@ -213,7 +182,7 @@ resource "kubernetes_config_map" "openclaw_config" {
          anthropic = {
            baseUrl = "https://api.anthropic.com/v1"
            api     = "anthropic-messages"
-            apiKey  = var.anthropic_api_key
+            apiKey  = data.vault_kv_secret_v2.secrets.data["anthropic_api_key"]
            models = [
              { id = "claude-sonnet-4-20250514", name = "Claude Sonnet 4", reasoning = true, input = ["text", "image"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0.003, output = 0.015, cacheRead = 0.0003, cacheWrite = 0.00375 } },
              { id = "claude-opus-4-20250514", name = "Claude Opus 4", reasoning = true, input = ["text", "image"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0.015, output = 0.075, cacheRead = 0.0015, cacheWrite = 0.01875 } },
@ -223,7 +192,7 @@ resource "kubernetes_config_map" "openclaw_config" {
          nim = {
            baseUrl = "https://integrate.api.nvidia.com/v1"
            api     = "openai-completions"
-            apiKey  = var.nvidia_api_key
+            apiKey  = data.vault_kv_secret_v2.secrets.data["nvidia_api_key"]
            models = [
              { id = "deepseek-ai/deepseek-v3.2", name = "DeepSeek V3.2", reasoning = false, input = ["text"], contextWindow = 164000, maxTokens = 16384, cost = { input = 0, output = 0, cacheRead = 0, cacheWrite = 0 } },
              { id = "qwen/qwen3.5-397b-a17b", name = "Qwen 3.5", reasoning = true, input = ["text"], contextWindow = 262000, maxTokens = 16384, cost = { input = 0, output = 0, cacheRead = 0, cacheWrite = 0 } },
@ -236,7 +205,7 @@ resource "kubernetes_config_map" "openclaw_config" {
          openrouter = {
            baseUrl = "https://openrouter.ai/api/v1"
            api     = "openai-completions"
-            apiKey  = var.openrouter_api_key
+            apiKey  = data.vault_kv_secret_v2.secrets.data["openrouter_api_key"]
            models = [
              { id = "stepfun/step-3.5-flash:free", name = "Step 3.5 Flash", reasoning = true, input = ["text"], contextWindow = 256000, maxTokens = 16384, cost = { input = 0, output = 0, cacheRead = 0, cacheWrite = 0 } },
              { id = "arcee-ai/trinity-large-preview:free", name = "Trinity Large", reasoning = false, input = ["text"], contextWindow = 131000, maxTokens = 16384, cost = { input = 0, output = 0, cacheRead = 0, cacheWrite = 0 } },
@ -244,7 +213,7 @@ resource "kubernetes_config_map" "openclaw_config" {
          }
          llama-as-openai = {
            baseUrl = "https://api.llama.com/compat/v1"
-            apiKey  = var.llama_api_key
+            apiKey  = data.vault_kv_secret_v2.secrets.data["llama_api_key"]
            api     = "openai-completions"
            models = [
              { id = "Llama-4-Maverick-17B-128E-Instruct-FP8", name = "Llama 4 Maverick", reasoning = false, input = ["text"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0, output = 0, cacheRead = 0, cacheWrite = 0 } },
@ -574,7 +543,7 @@ resource "kubernetes_deployment" "openclaw" {
          }
          env {
            name  = "HOME_ASSISTANT_TOKEN"
-            value = var.openclaw_skill_secrets["home_assistant_token"]
+            value = local.skill_secrets["home_assistant_token"]
          }
          env {
            name  = "HOME_ASSISTANT_SOFIA_URL"
@ -582,17 +551,17 @@ resource "kubernetes_deployment" "openclaw" {
          }
          env {
            name  = "HOME_ASSISTANT_SOFIA_TOKEN"
-            value = var.openclaw_skill_secrets["home_assistant_sofia_token"]
+            value = local.skill_secrets["home_assistant_sofia_token"]
          }
          # Skill secrets - Uptime Kuma
          env {
            name  = "UPTIME_KUMA_PASSWORD"
-            value = var.openclaw_skill_secrets["uptime_kuma_password"]
+            value = local.skill_secrets["uptime_kuma_password"]
          }
          # Skill secrets - Slack
          env {
            name  = "SLACK_WEBHOOK_URL"
-            value = var.openclaw_skill_secrets["slack_webhook"]
+            value = local.skill_secrets["slack_webhook"]
          }
          # Memory API
          env {
@ -601,7 +570,7 @@ resource "kubernetes_deployment" "openclaw" {
          }
          env {
            name  = "MEMORY_API_KEY"
-            value = var.claude_memory_api_key
+            value = data.vault_kv_secret_v2.secrets.data["claude_memory_api_key"]
          }
          # Python packages path for skills
          env {
@ -659,11 +628,11 @@ resource "kubernetes_deployment" "openclaw" {
          }
          env {
            name  = "NVIDIA_API_KEY"
-            value = var.nvidia_api_key
+            value = data.vault_kv_secret_v2.secrets.data["nvidia_api_key"]
          }
          env {
            name  = "OPENROUTER_API_KEY"
-            value = var.openrouter_api_key
+            value = data.vault_kv_secret_v2.secrets.data["openrouter_api_key"]
          }
          volume_mount {
            name       = "tools"
@ -1122,11 +1091,11 @@ resource "kubernetes_cron_job_v1" "task_processor" {
              env {
                name  = "FORGEJO_TOKEN"
-                value = var.forgejo_api_token
+                value = data.vault_kv_secret_v2.secrets.data["forgejo_api_token"]
              }
              env {
                name  = "OPENCLAW_TOKEN"
-                value = var.nvidia_api_key
+                value = data.vault_kv_secret_v2.secrets.data["nvidia_api_key"]
              }
              resources {
--- a/stacks/openclaw/providers.tf
+++ b/stacks/openclaw/providers.tf
@ -2,7 +2,6 @@
 variable "kube_config_path" {
  type    = string
  default = "~/.kube/config"
  sensitive = true
 }
 provider "kubernetes" {
--- a/stacks/openclaw/terragrunt.hcl
+++ b/stacks/openclaw/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@ -2,12 +2,17 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "owntracks_credentials" {
  type      = map(string)
  sensitive = true
 }
 variable "nfs_server" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "owntracks"
 }
 locals {
  credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["credentials"])
 }
 resource "kubernetes_namespace" "owntracks" {
  metadata {
@ -27,7 +32,7 @@ module "tls_secret" {
 locals {
  username = "owntracks"
-  htpasswd = join("\n", [for name, pass in var.owntracks_credentials : "${name}:${bcrypt(pass, 10)}"])
+  htpasswd = join("\n", [for name, pass in local.credentials : "${name}:${bcrypt(pass, 10)}"])
 }
 resource "kubernetes_secret" "basic_auth" {
--- a/stacks/owntracks/terragrunt.hcl
+++ b/stacks/owntracks/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/paperless-ngx/main.tf
+++ b/stacks/paperless-ngx/main.tf
@ -2,18 +2,19 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "paperless_db_password" {
  type      = string
  sensitive = true
 }
 variable "homepage_credentials" {
  type      = map(any)
  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "mysql_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "paperless-ngx"
 }
 locals {
  homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
 }
 resource "kubernetes_namespace" "paperless-ngx" {
  metadata {
@ -104,7 +105,7 @@ resource "kubernetes_deployment" "paperless-ngx" {
          }
          env {
            name  = "PAPERLESS_DBPASS"
-            value = var.paperless_db_password
+            value = data.vault_kv_secret_v2.secrets.data["db_password"]
          }
          env {
            name  = "PAPERLESS_CSRF_TRUSTED_ORIGINS"
@ -191,8 +192,8 @@ module "ingress" {
    "gethomepage.dev/widget.type" = "paperlessngx"
    "gethomepage.dev/widget.url"  = "http://paperless-ngx.paperless-ngx.svc.cluster.local"
    # "gethomepage.dev/widget.token"    = var.homepage_token
-    "gethomepage.dev/widget.username" = var.homepage_credentials["paperless-ngx"]["username"]
+    "gethomepage.dev/widget.username" = local.homepage_credentials["paperless-ngx"]["username"]
-    "gethomepage.dev/widget.password" = var.homepage_credentials["paperless-ngx"]["password"]
+    "gethomepage.dev/widget.password" = local.homepage_credentials["paperless-ngx"]["password"]
    "gethomepage.dev/widget.fields"   = "[\"total\"]"
    "gethomepage.dev/pod-selector"    = ""
    # gethomepage.dev/weight: 10 # optional
--- a/stacks/paperless-ngx/terragrunt.hcl
+++ b/stacks/paperless-ngx/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/platform/main.tf
+++ b/stacks/platform/main.tf
@ -21,7 +21,7 @@
 # Variable Declarations
 # =============================================================================
-# --- Core ---
+# --- Core (non-secret, from config.tfvars) ---
 variable "tls_secret_name" {
  type = string
 }
@ -35,91 +35,15 @@ variable "prod" {
  type    = bool
  default = false
 }
 # --- dbaas ---
 variable "dbaas_root_password" {
  type      = string
  sensitive = true
 }
 variable "dbaas_postgresql_root_password" {
  type      = string
  sensitive = true
 }
 variable "dbaas_pgadmin_password" {
  type      = string
  sensitive = true
 }
 # --- traefik ---
 variable "ingress_crowdsec_api_key" {
  type      = string
  sensitive = true
 }
 variable "auth_fallback_htpasswd" {
  type      = string
  sensitive = true
  default   = ""
 }
 # --- technitium ---
 variable "technitium_db_password" {
  type      = string
  sensitive = true
 }
 variable "homepage_credentials" {
  type      = map(any)
  sensitive = true
 }
 # --- headscale ---
 variable "headscale_config" { type = string }
 variable "headscale_acl" { type = string }
 variable "k8s_ca_cert" {
  type    = string
  default = ""
 }
 # --- authentik / rbac / k8s-portal ---
 variable "authentik_secret_key" {
  type      = string
  sensitive = true
 }
 variable "authentik_postgres_password" {
  type      = string
  sensitive = true
 }
 variable "k8s_users" {
  type    = map(any)
  default = {}
 }
 variable "ssh_private_key" {
  type      = string
  default   = ""
  sensitive = true
 }
 # --- crowdsec ---
 variable "crowdsec_enroll_key" { type = string }
 variable "crowdsec_db_password" {
  type      = string
  sensitive = true
 }
 variable "crowdsec_dash_api_key" {
  type      = string
  sensitive = true
 }
 variable "crowdsec_dash_machine_id" { type = string }
 variable "crowdsec_dash_machine_password" {
  type      = string
  sensitive = true
 }
 variable "alertmanager_slack_api_url" { type = string }
 # --- cloudflared ---
 variable "cloudflare_api_key" {
  type      = string
  sensitive = true
 }
 variable "cloudflare_email" { type = string }
 variable "cloudflare_account_id" { type = string }
 variable "cloudflare_zone_id" { type = string }
@ -127,91 +51,23 @@ variable "cloudflare_tunnel_id" { type = string }
 variable "public_ip" { type = string }
 variable "cloudflare_proxied_names" {}
 variable "cloudflare_non_proxied_names" {}
 variable "cloudflare_tunnel_token" {
  type      = string
  sensitive = true
 }
 # --- monitoring ---
 variable "alertmanager_account_password" {
  type      = string
  sensitive = true
 }
 variable "monitoring_idrac_username" { type = string }
-variable "monitoring_idrac_password" {
+
-  type      = string
+# --- Vault KV secrets ---
-  sensitive = true
+data "vault_kv_secret_v2" "secrets" {
-}
+  mount = "secret"
-variable "tiny_tuya_service_secret" {
+  name  = "platform"
  type      = string
  sensitive = true
 }
 variable "haos_api_token" {
  type      = string
  sensitive = true
 }
 variable "pve_password" {
  type      = string
  sensitive = true
 }
 variable "grafana_db_password" {
  type      = string
  sensitive = true
 }
 variable "grafana_admin_password" {
  type      = string
  sensitive = true
 }
-# --- vaultwarden ---
+locals {
-variable "vaultwarden_smtp_password" {
+  homepage_credentials   = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"])
-  type      = string
+  k8s_users              = jsondecode(data.vault_kv_secret_v2.secrets.data["k8s_users"])
-  sensitive = true
+  xray_reality_clients   = jsondecode(data.vault_kv_secret_v2.secrets.data["xray_reality_clients"])
-}
+  xray_reality_short_ids = jsondecode(data.vault_kv_secret_v2.secrets.data["xray_reality_short_ids"])
-
+  mailserver_accounts    = jsondecode(data.vault_kv_secret_v2.secrets.data["mailserver_accounts"])
-# --- wireguard ---
+  mailserver_aliases     = jsondecode(data.vault_kv_secret_v2.secrets.data["mailserver_aliases"])
-variable "wireguard_wg_0_conf" { type = string }
+  mailserver_opendkim_key = jsondecode(data.vault_kv_secret_v2.secrets.data["mailserver_opendkim_key"])
-variable "wireguard_wg_0_key" { type = string }
+  mailserver_sasl_passwd  = jsondecode(data.vault_kv_secret_v2.secrets.data["mailserver_sasl_passwd"])
 variable "wireguard_firewall_sh" { type = string }
 # --- xray ---
 variable "xray_reality_clients" { type = list(map(string)) }
 variable "xray_reality_private_key" {
  type      = string
  sensitive = true
 }
 variable "xray_reality_short_ids" { type = list(string) }
 # --- mailserver ---
 variable "mailserver_accounts" {}
 variable "mailserver_aliases" {}
 variable "mailserver_opendkim_key" {}
 variable "mailserver_sasl_passwd" {}
 variable "mailserver_roundcubemail_db_password" {
  type      = string
  sensitive = true
 }
 # --- infra-maintenance ---
 variable "webhook_handler_git_user" { type = string }
 variable "webhook_handler_git_token" {
  type      = string
  sensitive = true
 }
 variable "technitium_username" { type = string }
 variable "technitium_password" {
  type      = string
  sensitive = true
 }
 # --- iscsi-csi ---
 variable "truenas_api_key" {
  type      = string
  sensitive = true
 }
 variable "truenas_ssh_private_key" {
  type      = string
  sensitive = true
 }
 # =============================================================================
@ -234,9 +90,9 @@ module "dbaas" {
  prod                     = var.prod
  tls_secret_name          = var.tls_secret_name
  nfs_server               = var.nfs_server
-  dbaas_root_password      = var.dbaas_root_password
+  dbaas_root_password      = data.vault_kv_secret_v2.secrets.data["dbaas_root_password"]
-  postgresql_root_password = var.dbaas_postgresql_root_password
+  postgresql_root_password = data.vault_kv_secret_v2.secrets.data["dbaas_postgresql_root_password"]
-  pgadmin_password         = var.dbaas_pgadmin_password
+  pgadmin_password         = data.vault_kv_secret_v2.secrets.data["dbaas_pgadmin_password"]
  kube_config_path         = var.kube_config_path
  tier                     = local.tiers.cluster
 }
@ -257,10 +113,10 @@ module "redis" {
 module "traefik" {
  source                 = "./modules/traefik"
  tier                   = local.tiers.core
-  crowdsec_api_key       = var.ingress_crowdsec_api_key
+  crowdsec_api_key       = data.vault_kv_secret_v2.secrets.data["ingress_crowdsec_api_key"]
  redis_host             = var.redis_host
  tls_secret_name        = var.tls_secret_name
-  auth_fallback_htpasswd = var.auth_fallback_htpasswd
+  auth_fallback_htpasswd = data.vault_kv_secret_v2.secrets.data["auth_fallback_htpasswd"]
 }
 # -----------------------------------------------------------------------------
@ -271,10 +127,10 @@ module "technitium" {
  tls_secret_name        = var.tls_secret_name
  nfs_server             = var.nfs_server
  mysql_host             = var.mysql_host
-  homepage_token         = var.homepage_credentials["technitium"]["token"]
+  homepage_token         = local.homepage_credentials["technitium"]["token"]
-  technitium_db_password = var.technitium_db_password
+  technitium_db_password = data.vault_kv_secret_v2.secrets.data["technitium_db_password"]
-  technitium_username    = var.technitium_username
+  technitium_username    = data.vault_kv_secret_v2.secrets.data["technitium_username"]
-  technitium_password    = var.technitium_password
+  technitium_password    = data.vault_kv_secret_v2.secrets.data["technitium_password"]
  tier                   = local.tiers.core
 }
@ -285,9 +141,9 @@ module "headscale" {
  source           = "./modules/headscale"
  tls_secret_name  = var.tls_secret_name
  nfs_server       = var.nfs_server
-  headscale_config = var.headscale_config
+  headscale_config = data.vault_kv_secret_v2.secrets.data["headscale_config"]
-  headscale_acl    = var.headscale_acl
+  headscale_acl    = data.vault_kv_secret_v2.secrets.data["headscale_acl"]
-  homepage_token   = try(var.homepage_credentials["headscale"]["api_key"], "")
+  homepage_token   = try(local.homepage_credentials["headscale"]["api_key"], "")
  tier             = local.tiers.core
 }
@ -298,10 +154,10 @@ module "authentik" {
  source            = "./modules/authentik"
  tier              = local.tiers.cluster
  tls_secret_name   = var.tls_secret_name
-  secret_key        = var.authentik_secret_key
+  secret_key        = data.vault_kv_secret_v2.secrets.data["authentik_secret_key"]
-  postgres_password = var.authentik_postgres_password
+  postgres_password = data.vault_kv_secret_v2.secrets.data["authentik_postgres_password"]
  redis_host        = var.redis_host
-  homepage_token    = try(var.homepage_credentials["authentik"]["token"], "")
+  homepage_token    = try(local.homepage_credentials["authentik"]["token"], "")
 }
 # -----------------------------------------------------------------------------
@ -311,7 +167,7 @@ module "rbac" {
  source          = "./modules/rbac"
  tier            = local.tiers.cluster
  tls_secret_name = var.tls_secret_name
-  k8s_users       = var.k8s_users
+  k8s_users       = local.k8s_users
  ssh_private_key = var.ssh_private_key
 }
@ -333,14 +189,14 @@ module "crowdsec" {
  tier                           = local.tiers.cluster
  tls_secret_name                = var.tls_secret_name
  mysql_host                     = var.mysql_host
-  homepage_username              = var.homepage_credentials["crowdsec"]["username"]
+  homepage_username              = local.homepage_credentials["crowdsec"]["username"]
-  homepage_password              = var.homepage_credentials["crowdsec"]["password"]
+  homepage_password              = local.homepage_credentials["crowdsec"]["password"]
-  enroll_key                     = var.crowdsec_enroll_key
+  enroll_key                     = data.vault_kv_secret_v2.secrets.data["crowdsec_enroll_key"]
-  db_password                    = var.crowdsec_db_password
+  db_password                    = data.vault_kv_secret_v2.secrets.data["crowdsec_db_password"]
-  crowdsec_dash_api_key          = var.crowdsec_dash_api_key
+  crowdsec_dash_api_key          = data.vault_kv_secret_v2.secrets.data["crowdsec_dash_api_key"]
-  crowdsec_dash_machine_id       = var.crowdsec_dash_machine_id
+  crowdsec_dash_machine_id       = data.vault_kv_secret_v2.secrets.data["crowdsec_dash_machine_id"]
-  crowdsec_dash_machine_password = var.crowdsec_dash_machine_password
+  crowdsec_dash_machine_password = data.vault_kv_secret_v2.secrets.data["crowdsec_dash_machine_password"]
-  slack_webhook_url              = var.alertmanager_slack_api_url
+  slack_webhook_url              = data.vault_kv_secret_v2.secrets.data["alertmanager_slack_api_url"]
 }
 # -----------------------------------------------------------------------------
@ -351,15 +207,15 @@ module "monitoring" {
  tls_secret_name               = var.tls_secret_name
  nfs_server                    = var.nfs_server
  mysql_host                    = var.mysql_host
-  alertmanager_account_password = var.alertmanager_account_password
+  alertmanager_account_password = data.vault_kv_secret_v2.secrets.data["alertmanager_account_password"]
  idrac_username                = var.monitoring_idrac_username
-  idrac_password                = var.monitoring_idrac_password
+  idrac_password                = data.vault_kv_secret_v2.secrets.data["monitoring_idrac_password"]
-  alertmanager_slack_api_url    = var.alertmanager_slack_api_url
+  alertmanager_slack_api_url    = data.vault_kv_secret_v2.secrets.data["alertmanager_slack_api_url"]
-  tiny_tuya_service_secret      = var.tiny_tuya_service_secret
+  tiny_tuya_service_secret      = data.vault_kv_secret_v2.secrets.data["tiny_tuya_service_secret"]
-  haos_api_token                = var.haos_api_token
+  haos_api_token                = data.vault_kv_secret_v2.secrets.data["haos_api_token"]
-  pve_password                  = var.pve_password
+  pve_password                  = data.vault_kv_secret_v2.secrets.data["pve_password"]
-  grafana_db_password           = var.grafana_db_password
+  grafana_db_password           = data.vault_kv_secret_v2.secrets.data["grafana_db_password"]
-  grafana_admin_password        = var.grafana_admin_password
+  grafana_admin_password        = data.vault_kv_secret_v2.secrets.data["grafana_admin_password"]
  tier                          = local.tiers.cluster
 }
@ -371,7 +227,7 @@ module "vaultwarden" {
  tls_secret_name = var.tls_secret_name
  nfs_server      = var.nfs_server
  mail_host       = var.mail_host
-  smtp_password   = var.vaultwarden_smtp_password
+  smtp_password   = data.vault_kv_secret_v2.secrets.data["vaultwarden_smtp_password"]
  tier            = local.tiers.edge
 }
@ -381,9 +237,9 @@ module "vaultwarden" {
 module "reverse-proxy" {
  source                 = "./modules/reverse_proxy"
  tls_secret_name        = var.tls_secret_name
-  truenas_homepage_token = var.homepage_credentials["reverse_proxy"]["truenas_token"]
+  truenas_homepage_token = local.homepage_credentials["reverse_proxy"]["truenas_token"]
-  pfsense_homepage_token = var.homepage_credentials["reverse_proxy"]["pfsense_token"]
+  pfsense_homepage_token = local.homepage_credentials["reverse_proxy"]["pfsense_token"]
-  haos_homepage_token    = try(var.homepage_credentials["home_assistant"]["token"], "")
+  haos_homepage_token    = try(local.homepage_credentials["home_assistant"]["token"], "")
 }
 # -----------------------------------------------------------------------------
@ -420,8 +276,8 @@ module "iscsi-csi" {
  source                  = "./modules/iscsi-csi"
  tier                    = local.tiers.cluster
  truenas_host            = var.nfs_server # Same TrueNAS host
-  truenas_api_key         = var.truenas_api_key
+  truenas_api_key         = data.vault_kv_secret_v2.secrets.data["truenas_api_key"]
-  truenas_ssh_private_key = var.truenas_ssh_private_key
+  truenas_ssh_private_key = data.vault_kv_secret_v2.secrets.data["truenas_ssh_private_key"]
 }
 # -----------------------------------------------------------------------------
@ -472,9 +328,9 @@ module "uptime-kuma" {
 module "wireguard" {
  source          = "./modules/wireguard"
  tls_secret_name = var.tls_secret_name
-  wg_0_conf       = var.wireguard_wg_0_conf
+  wg_0_conf       = data.vault_kv_secret_v2.secrets.data["wireguard_wg_0_conf"]
-  wg_0_key        = var.wireguard_wg_0_key
+  wg_0_key        = data.vault_kv_secret_v2.secrets.data["wireguard_wg_0_key"]
-  firewall_sh     = var.wireguard_firewall_sh
+  firewall_sh     = data.vault_kv_secret_v2.secrets.data["wireguard_firewall_sh"]
  tier            = local.tiers.core
 }
@ -486,9 +342,9 @@ module "xray" {
  tls_secret_name = var.tls_secret_name
  tier            = local.tiers.core
-  xray_reality_clients     = var.xray_reality_clients
+  xray_reality_clients     = local.xray_reality_clients
-  xray_reality_private_key = var.xray_reality_private_key
+  xray_reality_private_key = data.vault_kv_secret_v2.secrets.data["xray_reality_private_key"]
-  xray_reality_short_ids   = var.xray_reality_short_ids
+  xray_reality_short_ids   = local.xray_reality_short_ids
 }
 # -----------------------------------------------------------------------------
@ -499,11 +355,11 @@ module "mailserver" {
  tls_secret_name         = var.tls_secret_name
  nfs_server              = var.nfs_server
  mysql_host              = var.mysql_host
-  mailserver_accounts     = var.mailserver_accounts
+  mailserver_accounts     = local.mailserver_accounts
-  postfix_account_aliases = var.mailserver_aliases
+  postfix_account_aliases = local.mailserver_aliases
-  opendkim_key            = var.mailserver_opendkim_key
+  opendkim_key            = local.mailserver_opendkim_key
-  sasl_passwd             = var.mailserver_sasl_passwd
+  sasl_passwd             = local.mailserver_sasl_passwd
-  roundcube_db_password   = var.mailserver_roundcubemail_db_password
+  roundcube_db_password   = data.vault_kv_secret_v2.secrets.data["mailserver_roundcubemail_db_password"]
  tier                    = local.tiers.edge
 }
@ -515,7 +371,7 @@ module "cloudflared" {
  tier            = local.tiers.core
  tls_secret_name = var.tls_secret_name
-  cloudflare_api_key           = var.cloudflare_api_key
+  cloudflare_api_key           = data.vault_kv_secret_v2.secrets.data["cloudflare_api_key"]
  cloudflare_email             = var.cloudflare_email
  cloudflare_account_id        = var.cloudflare_account_id
  cloudflare_zone_id           = var.cloudflare_zone_id
@ -523,7 +379,7 @@ module "cloudflared" {
  public_ip                    = var.public_ip
  cloudflare_proxied_names     = var.cloudflare_proxied_names
  cloudflare_non_proxied_names = var.cloudflare_non_proxied_names
-  cloudflare_tunnel_token      = var.cloudflare_tunnel_token
+  cloudflare_tunnel_token      = data.vault_kv_secret_v2.secrets.data["cloudflare_tunnel_token"]
 }
 # -----------------------------------------------------------------------------
@ -532,10 +388,10 @@ module "cloudflared" {
 module "infra-maintenance" {
  source              = "./modules/infra-maintenance"
  nfs_server          = var.nfs_server
-  git_user            = var.webhook_handler_git_user
+  git_user            = data.vault_kv_secret_v2.secrets.data["webhook_handler_git_user"]
-  git_token           = var.webhook_handler_git_token
+  git_token           = data.vault_kv_secret_v2.secrets.data["webhook_handler_git_token"]
-  technitium_username = var.technitium_username
+  technitium_username = data.vault_kv_secret_v2.secrets.data["technitium_username"]
-  technitium_password = var.technitium_password
+  technitium_password = data.vault_kv_secret_v2.secrets.data["technitium_password"]
 }
 # =============================================================================
--- a/stacks/platform/terragrunt.hcl
+++ b/stacks/platform/terragrunt.hcl
@ -7,3 +7,8 @@ dependency "infra" {
  config_path  = "../infra"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/plotting-book/main.tf
+++ b/stacks/plotting-book/main.tf
@ -2,10 +2,6 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "plotting_book_session_secret" {
  type      = string
  sensitive = true
 }
 variable "plotting_book_google_client_id" {
  type      = string
  sensitive = true
@ -15,6 +11,10 @@ variable "plotting_book_google_client_secret" {
  sensitive = true
 }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "plotting-book"
 }
 resource "kubernetes_namespace" "plotting-book" {
  metadata {
@ -92,7 +92,7 @@ resource "kubernetes_deployment" "plotting-book" {
          image_pull_policy = "Always"
          env {
            name  = "SESSION_SECRET"
-            value = var.plotting_book_session_secret
+            value = data.vault_kv_secret_v2.secrets.data["session_secret"]
          }
          env {
            name  = "GOOGLE_CLIENT_ID"
--- a/stacks/plotting-book/terragrunt.hcl
+++ b/stacks/plotting-book/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/real-estate-crawler/main.tf
+++ b/stacks/real-estate-crawler/main.tf
@ -2,15 +2,19 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "realestate_crawler_db_password" {
  type      = string
  sensitive = true
 }
 variable "realestate_crawler_notification_settings" { type = map(string) }
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
 variable "mysql_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "real-estate-crawler"
 }
 locals {
  notification_settings = jsondecode(data.vault_kv_secret_v2.secrets.data["notification_settings"])
 }
 resource "kubernetes_namespace" "realestate-crawler" {
  metadata {
@ -150,7 +154,7 @@ resource "kubernetes_deployment" "realestate-crawler-api" {
          }
          env {
            name  = "DB_CONNECTION_STRING"
-            value = "mysql://wrongmove:${var.realestate_crawler_db_password}@${var.mysql_host}:3306/wrongmove"
+            value = "mysql://wrongmove:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.mysql_host}:3306/wrongmove"
          }
          # env {
@ -188,7 +192,7 @@ resource "kubernetes_deployment" "realestate-crawler-api" {
          }
          env {
            name  = "SLACK_WEBHOOK_URL"
-            value = var.realestate_crawler_notification_settings["slack"]
+            value = local.notification_settings["slack"]
          }
          env {
            name  = "WEBAUTHN_RP_ID"
@ -339,7 +343,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery" {
          }
          env {
            name  = "DB_CONNECTION_STRING"
-            value = "mysql://wrongmove:${var.realestate_crawler_db_password}@${var.mysql_host}:3306/wrongmove"
+            value = "mysql://wrongmove:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.mysql_host}:3306/wrongmove"
          }
          env {
            name  = "CELERY_BROKER_URL"
@ -351,7 +355,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery" {
          }
          env {
            name  = "SLACK_WEBHOOK_URL"
-            value = lookup(var.realestate_crawler_notification_settings, "slack", "")
+            value = lookup(local.notification_settings, "slack", "")
          }
          env {
            name  = "OSRM_FOOT_URL"
@ -447,7 +451,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" {
          }
          env {
            name  = "DB_CONNECTION_STRING"
-            value = "mysql://wrongmove:${var.realestate_crawler_db_password}@${var.mysql_host}:3306/wrongmove"
+            value = "mysql://wrongmove:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.mysql_host}:3306/wrongmove"
          }
          env {
            name  = "CELERY_BROKER_URL"
@ -459,7 +463,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" {
          }
          env {
            name  = "SCRAPE_SCHEDULES"
-            value = lookup(var.realestate_crawler_notification_settings, "scrape_schedules", "")
+            value = lookup(local.notification_settings, "scrape_schedules", "")
          }
          volume_mount {
            name       = "data"
--- a/stacks/real-estate-crawler/terragrunt.hcl
+++ b/stacks/real-estate-crawler/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/resume/main.tf
+++ b/stacks/resume/main.tf
@ -3,18 +3,18 @@ variable "tls_secret_name" {
  sensitive = true
 }
 variable "resume_database_url" { type = string }
 variable "resume_auth_secret" {
  type      = string
  sensitive = true
 }
 variable "mailserver_accounts" { type = map(any) }
 variable "nfs_server" { type = string }
 variable "mail_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "resume"
 }
 locals {
-  namespace = "resume"
+  namespace          = "resume"
-  app_url   = "https://resume.viktorbarzin.me"
+  app_url            = "https://resume.viktorbarzin.me"
  mailserver_accounts = jsondecode(data.vault_kv_secret_v2.secrets.data["mailserver_accounts"])
 }
 resource "kubernetes_namespace" "resume" {
@ -186,7 +186,7 @@ resource "kubernetes_deployment" "resume" {
          }
          env {
            name  = "AUTH_SECRET"
-            value = var.resume_auth_secret
+            value = data.vault_kv_secret_v2.secrets.data["auth_secret"]
          }
          # Server config
@ -210,7 +210,7 @@ resource "kubernetes_deployment" "resume" {
          }
          env {
            name  = "SMTP_PASS"
-            value = var.mailserver_accounts["info@viktorbarzin.me"]
+            value = local.mailserver_accounts["info@viktorbarzin.me"]
          }
          env {
            name  = "SMTP_FROM"
--- a/stacks/resume/terragrunt.hcl
+++ b/stacks/resume/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/stacks/rybbit/main.tf
+++ b/stacks/rybbit/main.tf
@ -2,17 +2,13 @@ variable "tls_secret_name" {
  type      = string
  sensitive = true
 }
 variable "clickhouse_password" {
  type      = string
  sensitive = true
 }
 variable "clickhouse_postgres_password" {
  type      = string
  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "postgresql_host" { type = string }
 data "vault_kv_secret_v2" "secrets" {
  mount = "secret"
  name  = "rybbit"
 }
 resource "kubernetes_namespace" "rybbit" {
  metadata {
@ -82,7 +78,7 @@ resource "kubernetes_deployment" "clickhouse" {
          }
          env {
            name  = "CLICKHOUSE_PASSWORD"
-            value = var.clickhouse_password
+            value = data.vault_kv_secret_v2.secrets.data["clickhouse_password"]
          }
          port {
            name           = "clickhouse"
@ -180,12 +176,12 @@ resource "kubernetes_cron_job_v1" "clickhouse_truncate_logs" {
              command = [
                "sh", "-c",
                join(" && ", [
-                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${var.clickhouse_password}' -d 'TRUNCATE TABLE IF EXISTS system.metric_log'",
+                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${data.vault_kv_secret_v2.secrets.data["clickhouse_password"]}' -d 'TRUNCATE TABLE IF EXISTS system.metric_log'",
-                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${var.clickhouse_password}' -d 'TRUNCATE TABLE IF EXISTS system.trace_log'",
+                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${data.vault_kv_secret_v2.secrets.data["clickhouse_password"]}' -d 'TRUNCATE TABLE IF EXISTS system.trace_log'",
-                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${var.clickhouse_password}' -d 'TRUNCATE TABLE IF EXISTS system.text_log'",
+                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${data.vault_kv_secret_v2.secrets.data["clickhouse_password"]}' -d 'TRUNCATE TABLE IF EXISTS system.text_log'",
-                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${var.clickhouse_password}' -d 'TRUNCATE TABLE IF EXISTS system.asynchronous_metric_log'",
+                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${data.vault_kv_secret_v2.secrets.data["clickhouse_password"]}' -d 'TRUNCATE TABLE IF EXISTS system.asynchronous_metric_log'",
-                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${var.clickhouse_password}' -d 'TRUNCATE TABLE IF EXISTS system.query_log'",
+                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${data.vault_kv_secret_v2.secrets.data["clickhouse_password"]}' -d 'TRUNCATE TABLE IF EXISTS system.query_log'",
-                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${var.clickhouse_password}' -d 'TRUNCATE TABLE IF EXISTS system.part_log'",
+                  "curl -s 'http://clickhouse.rybbit.svc.cluster.local:8123/?user=default&password=${data.vault_kv_secret_v2.secrets.data["clickhouse_password"]}' -d 'TRUNCATE TABLE IF EXISTS system.part_log'",
                  "echo 'System logs truncated'"
                ])
              ]
@ -242,7 +238,7 @@ resource "kubernetes_deployment" "rybbit" {
          }
          env {
            name  = "CLICKHOUSE_PASSWORD"
-            value = var.clickhouse_password
+            value = data.vault_kv_secret_v2.secrets.data["clickhouse_password"]
          }
          env {
            name  = "POSTGRES_HOST"
@ -262,7 +258,7 @@ resource "kubernetes_deployment" "rybbit" {
          }
          env {
            name  = "POSTGRES_PASSWORD"
-            value = var.clickhouse_postgres_password
+            value = data.vault_kv_secret_v2.secrets.data["postgres_password"]
          }
          env {
            name  = "BASE_URL"
--- a/stacks/rybbit/terragrunt.hcl
+++ b/stacks/rybbit/terragrunt.hcl
@ -6,3 +6,8 @@ dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
 }
 dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
 }
--- a/Show more
+++ b/Show more