fix DB password desync + migrate remaining tfvars to Vault

DB desync fix: Stacks with Vault DB engine rotation (24h) now read the password from vault-database ClusterSecretStore instead of vault-kv. 9 stacks updated with db ExternalSecrets reading from static-creds/*. Stacks fixed: speedtest, hackmd, health, trading-bot, claude-memory, woodpecker, linkwarden, nextcloud, url. terraform.tfvars migration: - plotting-book: google_client_id/secret → Vault KV + secret_key_ref - tandoor: email_password var removed (was default="", now optional ESO) - infra: ssh_private_key, vm_wizard_password, dockerhub_registry_password → Vault KV at secret/infra + data source
2026-03-15 21:39:45 +00:00 · 2026-03-15 21:39:45 +00:00 · fca99fd418
commit fca99fd418
parent 19e0aef67b
12 changed files with 385 additions and 83 deletions
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -61,6 +61,45 @@ resource "kubernetes_manifest" "external_secret" {
  depends_on = [kubernetes_namespace.nextcloud]
 }

+# DB credentials from Vault database engine (rotated every 24h)
+# NOTE: Nextcloud Helm values use plan-time db_password from KV — the Helm
+# release will use the KV snapshot until the next terragrunt apply. This
+# ExternalSecret provides runtime-refreshed credentials for any future
+# migration to envFrom-based secret injection.
+resource "kubernetes_manifest" "db_external_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1beta1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "nextcloud-db-creds"
+      namespace = "nextcloud"
+    }
+    spec = {
+      refreshInterval = "15m"
+      secretStoreRef = {
+        name = "vault-database"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "nextcloud-db-creds"
+        template = {
+          data = {
+            DB_PASSWORD = "{{ .password }}"
+          }
+        }
+      }
+      data = [{
+        secretKey = "password"
+        remoteRef = {
+          key      = "static-creds/mysql-nextcloud"
+          property = "password"
+        }
+      }]
+    }
+  }
+  depends_on = [kubernetes_namespace.nextcloud]
+}
+
 resource "kubernetes_resource_quota" "nextcloud" {
  metadata {
    name      = "nextcloud-quota"