[ci skip] phase 5+6: update CI pipelines for SOPS, add sensitive=true to secret vars
Phase 5 — CI pipelines: - default.yml: add SOPS decrypt in prepare step, change git add . to specific paths (stacks/ state/ .woodpecker/), cleanup on success+failure - renew-tls.yml: change git add . to git add secrets/ state/ Phase 6 — sensitive=true: - Add sensitive = true to 256 variable declarations across 149 stack files - Prevents secret values from appearing in terraform plan output - Does NOT modify shared modules (ingress_factory, nfs_volume) to avoid breaking module interface contracts Note: CI pipeline SOPS decryption requires sops_age_key Woodpecker secret to be created before the pipeline will work with SOPS. Until then, the old terraform.tfvars path continues to function.
parent
154f8ff0c1
commit
db68067925
146 changed files with 921 additions and 186 deletions
|
|
@ -22,7 +22,10 @@
|
|||
# =============================================================================
|
||||
|
||||
# --- Core ---
|
||||
variable "tls_secret_name" { type = string }
|
||||
variable "tls_secret_name" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "nfs_server" { type = string }
|
||||
variable "redis_host" { type = string }
|
||||
variable "postgresql_host" { type = string }
|
||||
|
|
@ -35,12 +38,24 @@ variable "prod" {
|
|||
}
|
||||
|
||||
# --- dbaas ---
|
||||
variable "dbaas_root_password" { type = string }
|
||||
variable "dbaas_postgresql_root_password" { type = string }
|
||||
variable "dbaas_pgadmin_password" { type = string }
|
||||
variable "dbaas_root_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "dbaas_postgresql_root_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "dbaas_pgadmin_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
# --- traefik ---
|
||||
variable "ingress_crowdsec_api_key" { type = string }
|
||||
variable "ingress_crowdsec_api_key" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "auth_fallback_htpasswd" {
|
||||
type = string
|
||||
sensitive = true
|
||||
|
|
@ -48,16 +63,28 @@ variable "auth_fallback_htpasswd" {
|
|||
}
|
||||
|
||||
# --- technitium ---
|
||||
variable "technitium_db_password" { type = string }
|
||||
variable "homepage_credentials" { type = map(any) }
|
||||
variable "technitium_db_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "homepage_credentials" {
|
||||
type = map(any)
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
# --- headscale ---
|
||||
variable "headscale_config" { type = string }
|
||||
variable "headscale_acl" { type = string }
|
||||
|
||||
# --- authentik / rbac / k8s-portal ---
|
||||
variable "authentik_secret_key" { type = string }
|
||||
variable "authentik_postgres_password" { type = string }
|
||||
variable "authentik_secret_key" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "authentik_postgres_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "k8s_users" {
|
||||
type = map(any)
|
||||
default = {}
|
||||
|
|
@ -70,14 +97,26 @@ variable "ssh_private_key" {
|
|||
|
||||
# --- crowdsec ---
|
||||
variable "crowdsec_enroll_key" { type = string }
|
||||
variable "crowdsec_db_password" { type = string }
|
||||
variable "crowdsec_dash_api_key" { type = string }
|
||||
variable "crowdsec_db_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "crowdsec_dash_api_key" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "crowdsec_dash_machine_id" { type = string }
|
||||
variable "crowdsec_dash_machine_password" { type = string }
|
||||
variable "crowdsec_dash_machine_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "alertmanager_slack_api_url" { type = string }
|
||||
|
||||
# --- cloudflared ---
|
||||
variable "cloudflare_api_key" { type = string }
|
||||
variable "cloudflare_api_key" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "cloudflare_email" { type = string }
|
||||
variable "cloudflare_account_id" { type = string }
|
||||
variable "cloudflare_zone_id" { type = string }
|
||||
|
|
@ -85,20 +124,47 @@ variable "cloudflare_tunnel_id" { type = string }
|
|||
variable "public_ip" { type = string }
|
||||
variable "cloudflare_proxied_names" {}
|
||||
variable "cloudflare_non_proxied_names" {}
|
||||
variable "cloudflare_tunnel_token" { type = string }
|
||||
variable "cloudflare_tunnel_token" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
# --- monitoring ---
|
||||
variable "alertmanager_account_password" { type = string }
|
||||
variable "alertmanager_account_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "monitoring_idrac_username" { type = string }
|
||||
variable "monitoring_idrac_password" { type = string }
|
||||
variable "tiny_tuya_service_secret" { type = string }
|
||||
variable "haos_api_token" { type = string }
|
||||
variable "pve_password" { type = string }
|
||||
variable "grafana_db_password" { type = string }
|
||||
variable "grafana_admin_password" { type = string }
|
||||
variable "monitoring_idrac_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "tiny_tuya_service_secret" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "haos_api_token" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "pve_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "grafana_db_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "grafana_admin_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
# --- vaultwarden ---
|
||||
variable "vaultwarden_smtp_password" { type = string }
|
||||
variable "vaultwarden_smtp_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
# --- wireguard ---
|
||||
variable "wireguard_wg_0_conf" { type = string }
|
||||
|
|
@ -107,7 +173,10 @@ variable "wireguard_firewall_sh" { type = string }
|
|||
|
||||
# --- xray ---
|
||||
variable "xray_reality_clients" { type = list(map(string)) }
|
||||
variable "xray_reality_private_key" { type = string }
|
||||
variable "xray_reality_private_key" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "xray_reality_short_ids" { type = list(string) }
|
||||
|
||||
# --- mailserver ---
|
||||
|
|
@ -115,13 +184,22 @@ variable "mailserver_accounts" {}
|
|||
variable "mailserver_aliases" {}
|
||||
variable "mailserver_opendkim_key" {}
|
||||
variable "mailserver_sasl_passwd" {}
|
||||
variable "mailserver_roundcubemail_db_password" { type = string }
|
||||
variable "mailserver_roundcubemail_db_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
# --- infra-maintenance ---
|
||||
variable "webhook_handler_git_user" { type = string }
|
||||
variable "webhook_handler_git_token" { type = string }
|
||||
variable "webhook_handler_git_token" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
variable "technitium_username" { type = string }
|
||||
variable "technitium_password" { type = string }
|
||||
variable "technitium_password" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
# --- iscsi-csi ---
|
||||
variable "truenas_api_key" {
|
||||
|
|
|
|||
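Review bot: Several variables whose names suggest secret material are still declared without `sensitive = true` on the new side: `crowdsec_enroll_key` and `alertmanager_slack_api_url` in the crowdsec hunk, `mailserver_opendkim_key` and `mailserver_sasl_passwd` in the mailserver hunk, and possibly `wireguard_wg_0_conf` and `xray_reality_clients`. If they hold keys, webhook URLs or passwords as the names imply, they will still print in plan output, so each should get the same multi-line declaration with `sensitive = true` that its neighbours received. Conversely, `tls_secret_name` reads like a resource name rather than a secret value, and marking it sensitive redacts every attribute derived from it in the plan, which makes plans harder to review. `sensitive` only redacts CLI output and the values are still written in clear text to Terraform state, so the `state/` path that the description says CI now stages should be confirmed to be encrypted before it is committed.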