Refactor the vault/secrets

playbooks/filter_plugins/gatus.py

@@ -2,7 +2,7 @@ class FilterModule(object):
     def filters(self):
         return {
             'hosts_to_gatus': self.hosts_to_gatus,
-            'vault_hosts_backup_to_gatus': self.vault_hosts_backup_to_gatus,
+            'hosts_backup_to_gatus': self.hosts_backup_to_gatus,
             'services_to_gatus': self.services_to_gatus,
         }
 
@@ -31,7 +31,7 @@ class FilterModule(object):
             })
         return result
 
-    def vault_hosts_backup_to_gatus(self, hostvars):
+    def hosts_backup_to_gatus(self, hostvars):
         result = []
         backup_alerts = []
         for a in self.default_alerts:

playbooks/roles/authentik/defaults/main.yml

@@ -1,4 +1,6 @@
 ---
+authentik_secret_key: "{{ undef() }}"
+
 authentik_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   port: 9000
@@ -11,7 +13,7 @@ authentik_svc:
     database: "{{ opentofu.postgresql_data.authentik.database }}"
 
 authentik_env:
-  AUTHENTIK_SECRET_KEY: "{{ vault_authentik.secret_key }}"
+  AUTHENTIK_SECRET_KEY: "{{ authentik_secret_key | mandatory }}"
 
   AUTHENTIK_EMAIL__HOST: "{{ mailer.host }}"
   AUTHENTIK_EMAIL__PORT: "{{ mailer.port }}"

playbooks/roles/backup/defaults/main.yml

@@ -2,6 +2,8 @@
 backup_list: "{{ host_services | services_get_attr('backup') | flatten }}"
 backup_list_all: "{{ all_services | services_get_attr('backup') | flatten }}"
 
+backup_backends: {}
+
 backup_msg_start: "Backup started"
 backup_msg_fail: "Backup failed"
 backup_msg_fail_location: "Backup failed for location: "
@@ -42,17 +44,17 @@ backup_global:
 backup_yml:
   version: 2
 
-  backends: "{{ vault_backup.backends }}"
+  backends: "{{ backup_backends | mandatory }}"
 
-  locations: "{{ backup_list | map_backup_locations(vault_backup.backends, backup_default_hooks) }}"
+  locations: "{{ backup_list | map_backup_locations(backup_backends | mandatory, backup_default_hooks) }}"
 
   global: "{{ backup_global }}"
 
 backup_yml_all:
   version: 2
 
-  backends: "{{ vault_backup.backends }}"
+  backends: "{{ backup_backends | mandatory }}"
 
-  locations: "{{ backup_list_all | map_backup_locations(vault_backup.backends, backup_default_hooks) }}"
+  locations: "{{ backup_list_all | map_backup_locations(backup_backends | mandatory, backup_default_hooks) }}"
 
   global: "{{ backup_global }}"

playbooks/roles/caddy/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
-caddy_acmedns_user: "{{ vault_caddy.acmedns.user }}"
+caddy_acmedns_user: "{{ undef() }}"
-caddy_acmedns_pass: "{{ vault_caddy.acmedns.pass }}"
+caddy_acmedns_pass: "{{ undef() }}"
-caddy_acmedns_subd: "{{ vault_caddy.acmedns.subd }}"
+caddy_acmedns_subd: "{{ undef() }}"
 caddy_acmedns_url: "https://{{ acme_dns.host }}"
 
 caddy_ports: "{{ host_services | services_get_attr('ports') | flatten | services_ports_to_docker('reverse_proxy') }}"
@@ -9,9 +9,9 @@ caddy_ports: "{{ host_services | services_get_attr('ports') | flatten | services
 caddy_env:
   CADDY_ADMIN: unix//run/caddy-admin.sock
 
-  ACMEDNS_USER: "{{ caddy_acmedns_user }}"
+  ACMEDNS_USER: "{{ caddy_acmedns_user | mandatory }}"
-  ACMEDNS_PASS: "{{ caddy_acmedns_pass }}"
+  ACMEDNS_PASS: "{{ caddy_acmedns_pass | mandatory }}"
-  ACMEDNS_SUBD: "{{ caddy_acmedns_subd }}"
+  ACMEDNS_SUBD: "{{ caddy_acmedns_subd | mandatory }}"
   ACMEDNS_URL: "{{ caddy_acmedns_url }}"
 
 caddy_compose:

playbooks/roles/deploy/defaults/main.yml

@@ -1,4 +1,6 @@
 ---
+deploy_reitanlage_oranienburg_token: "{{ undef() }}"
+
 deploy_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   port: 9000
@@ -16,7 +18,7 @@ deploy_yml:
       and:
         - match:
             type: value
-            value: "{{ vault_deploy.reitanlage_oranienburg_token }}"
+            value: "{{ deploy_reitanlage_oranienburg_token | mandatory }}"
             parameter:
               source: header
               name: X-Webhook-Token

playbooks/roles/emgauwa/defaults/main.yml

@@ -1,18 +1,23 @@
 ---
 emgauwa_server_port: 4419
-emgauwa_server_token: "{{ vault_emgauwa.token }}"
+emgauwa_server_token: "{{ undef() }}"
+
+emgauwa_acmedns_user: "{{ undef() }}"
+emgauwa_acmedns_pass: "{{ undef() }}"
+emgauwa_acmedns_subd: "{{ undef() }}"
+emgauwa_acmedns_url: "https://{{ acme_dns.host }}"
 
 emgauwa_env:
-  ACMEDNS_USER: "{{ vault_emgauwa.acme_dns.user }}"
+  ACMEDNS_USER: "{{ emgauwa_acmedns_user | mandatory }}"
-  ACMEDNS_PASS: "{{ vault_emgauwa.acme_dns.pass }}"
+  ACMEDNS_PASS: "{{ emgauwa_acmedns_pass | mandatory }}"
-  ACMEDNS_SUBD: "{{ vault_emgauwa.acme_dns.subd }}"
+  ACMEDNS_SUBD: "{{ emgauwa_acmedns_subd | mandatory }}"
-  ACMEDNS_URL: "{{ vault_emgauwa.acme_dns.url }}"
+  ACMEDNS_URL: "{{ emgauwa_acmedns_url }}"
 
 emgauwa_core_yml:
   server:
     host: 0.0.0.0
     port: "{{ emgauwa_server_port }}"
-    token: "{{ emgauwa_server_token }}"
+    token: "{{ emgauwa_server_token | mandatory }}"
   database: sqlite:///data/core.sqlite
 
 emgauwa_controller_yml:

playbooks/roles/extra_services/defaults/main.yml

@@ -1,3 +1,3 @@
 ---
 extra_services_svc:
-  extra_svcs: "{{ vault_extra_services }}"
+  extra_svcs: []

playbooks/roles/factorio/defaults/main.yml

@@ -1,12 +1,16 @@
 ---
 factorio_port: 34197
+factorio_username: "{{ undef() }}"
+factorio_token: "{{ undef() }}"
+factorio_game_password: "{{ undef() }}"
+
 factorio_uid: 845
 factorio_gid: 845
 
 factorio_env:
   PORT: "{{ factorio_port }}"
-  USERNAME: "{{ vault_factorio.username }}"
+  USERNAME: "{{ factorio_username | mandatory }}"
-  TOKEN: "{{ vault_factorio.token }}"
+  TOKEN: "{{ factorio_token | mandatory }}"
 
 factorio_json:
   name: "StammtischOnAutomation"
@@ -18,11 +22,11 @@ factorio_json:
     public: true
     lan: true
 
-  username: "{{ vault_factorio.username }}"
+  username: "{{ factorio_username | mandatory }}"
   password: ""
-  token: "{{ vault_factorio.token }}"
+  token: "{{ factorio_token | mandatory }}"
 
-  game_password: "{{ vault_factorio.game_password }}"
+  game_password: "{{ factorio_game_password | mandatory }}"
   require_user_verification: true
 
   max_upload_in_kilobytes_per_second: 0

playbooks/roles/forgejo/defaults/main.yml

@@ -1,4 +1,10 @@
 ---
+forgejo_server_lfs_jwt_secret: "{{ undef() }}"
+forgejo_security_internal_token: "{{ undef() }}"
+forgejo_security_secret_key: "{{ undef() }}"
+forgejo_oauth2_jwt_secret: "{{ undef() }}"
+forgejo_umami: "{{ undef() }}"
+
 forgejo_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   port: 3000
@@ -37,13 +43,13 @@ forgejo_ini:
     SSH_PORT: "{{ svc.ssh_port }}"
     ROOT_URL: https://{{ svc.domain }}
     OFFLINE_MODE: true
-    LFS_JWT_SECRET: "{{ vault_forgejo.server_lfs_jwt_secret }}"
+    LFS_JWT_SECRET: "{{ forgejo_server_lfs_jwt_secret | mandatory }}"
     LFS_START_SERVER: true
 
   security:
     INSTALL_LOCK: true
-    INTERNAL_TOKEN: "{{ vault_forgejo.security_internal_token }}"
+    INTERNAL_TOKEN: "{{ forgejo_security_internal_token | mandatory }}"
-    SECRET_KEY: "{{ vault_forgejo.security_secret_key }}"
+    SECRET_KEY: "{{ forgejo_security_secret_key | mandatory }}"
 
   openid:
     ENABLE_OPENID_SIGNUP: true
@@ -75,14 +81,14 @@ forgejo_ini:
     MAX_FILES: 10
 
   oauth2:
-    JWT_SECRET: "{{ vault_forgejo.oauth2_jwt_secret }}"
+    JWT_SECRET: "{{ forgejo_oauth2_jwt_secret | mandatory }}"
 
   log.console:
     FLAGS: "level,medfile,shortfuncname"
 
   metrics:
     ENABLED: true
-    TOKEN: "{{ vault_metrics_token }}"
+    TOKEN: "{{ metrics_token | mandatory }}"
 
   actions:
     ENABLED: true

playbooks/roles/forgejo/templates/footer.tmpl.j2

@@ -1,2 +1,2 @@
-<script async src="/_a/script.js" data-website-id="{{ vault_forgejo.umami }}"></script>
+<script async src="/_a/script.js" data-website-id="{{ forgejo_umami | mandatory }}"></script>
 <script async src="/_a/track-external.js"></script>

playbooks/roles/gatus/defaults/main.yml

@@ -1,9 +1,5 @@
 ---
-gatus_svc:
+gatus_external_endpoints_backups: "{{ hostvars | hosts_backup_to_gatus() }}"
-  domain: "{{ all_services | service_get_domain(role_name) }}"
-  port: 8080
-
-gatus_external_endpoints_backups: "{{ hostvars | vault_hosts_backup_to_gatus() }}"
 
 gatus_endpoints_hosts: "{{ opentofu.hosts | hosts_to_gatus() }}"
 gatus_endpoints_services: "{{ all_services | services_to_gatus() }}"
@@ -34,6 +30,12 @@ gatus_endpoints_other:
     ui:
       hide-url: true
 
+gatus_alerting: "{{ undef() }}"
+
+gatus_svc:
+  domain: "{{ all_services | service_get_domain(role_name) }}"
+  port: 8080
+
 gatus_yml:
   storage:
     type: sqlite
@@ -49,9 +51,7 @@ gatus_yml:
       - name: Matrix Federation Tester
         link: "{{ gatus_federation_tester }}"
 
-  alerting:
+  alerting: "{{ gatus_alerting | mandatory }}"
-    email: "{{ vault_gatus.alerting.email }}"
-    ntfy: "{{ vault_gatus.alerting.ntfy }}"
 
   metrics: true
 

playbooks/roles/healthcheck/defaults/main.yml

@@ -1,4 +1,9 @@
 ---
+healthcheck_matrix_token: "{{ undef() }}"
+healthcheck_matrix_room: "{{ undef() }}"
+healthcheck_mailer_user: "{{ undef() }}"
+healthcheck_mailer_pass: "{{ undef() }}"
+
 healthcheck_svc:
   checks:
     - mail
@@ -10,11 +15,11 @@ healthcheck_env:
   MATRIX_SERVER: https://matrix.serguzim.me
   MATRIX_SERVER_FEDTESTER: msrg.cc
   MATRIX_HC_URL: "{{ opentofu.healthchecksio.healthcheck.matrix.ping_url }}"
-  MATRIX_TOKEN: "{{ vault_healthcheck.matrix.token }}"
+  MATRIX_TOKEN: "{{ healthcheck_matrix_token | mandatory }}"
-  MATRIX_ROOM: "{{ vault_healthcheck.matrix.room }}"
+  MATRIX_ROOM: "{{ healthcheck_matrix_room | mandatory }}"
 
   MAIL_HC_UID: "{{ opentofu.healthchecksio.healthcheck.mail.id }}"
   MAIL_HOST: "{{ mailer.host }}"
   MAIL_PORT: "{{ mailer.port }}"
-  MAIL_USER: "{{ vault_healthcheck.mailer.user }}"
+  MAIL_USER: "{{ healthcheck_mailer_user | mandatory }}"
-  MAIL_PASS: "{{ vault_healthcheck.mailer.pass }}"
+  MAIL_PASS: "{{ healthcheck_mailer_pass | mandatory }}"

playbooks/roles/immich/defaults/main.yml

@@ -1,8 +1,8 @@
 ---
 immich_db_host: database
 immich_db_db: immich
-immich_db_user: "{{ vault_immich.db.user }}"
+immich_db_user: "{{ undef() }}"
-immich_db_pass: "{{ vault_immich.db.pass }}"
+immich_db_pass: "{{ undef() }}"
 
 immich_docker_tag: v2.3.1
 
@@ -15,12 +15,12 @@ immich_env:
 
   DB_HOSTNAME: "{{ immich_db_host }}"
   DB_DATABASE_NAME: "{{ immich_db_db }}"
-  DB_USERNAME: "{{ immich_db_user }}"
+  DB_USERNAME: "{{ immich_db_user | mandatory }}"
-  DB_PASSWORD: "{{ immich_db_pass }}"
+  DB_PASSWORD: "{{ immich_db_pass | mandatory }}"
 
   POSTGRES_DB: "{{ immich_db_db }}"
-  POSTGRES_USER: "{{ immich_db_user }}"
+  POSTGRES_USER: "{{ immich_db_user | mandatory }}"
-  POSTGRES_PASSWORD: "{{ immich_db_pass }}"
+  POSTGRES_PASSWORD: "{{ immich_db_pass | mandatory }}"
 
   REDIS_HOSTNAME: redis
 

playbooks/roles/immich_worker/defaults/main.yml

@@ -1,8 +1,8 @@
 ---
 immich_worker_db_host: "{{ }}"
 immich_worker_db_db: immich
-immich_worker_db_user: "{{ vault_immich.db.user }}"
+immich_worker_db_user: "{{ immich_db_user | mandatory }}"
-immich_worker_db_pass: "{{ vault_immich.db.pass }}"
+immich_worker_db_pass: "{{ immich_db_pass | mandatory }}"
 
 immich_worker_docker_tag: v2.3.1
 

playbooks/roles/jitsi/defaults/main.yml

@@ -1,5 +1,7 @@
 ---
 jitsi_image_version: stable-10314
+jitsi_jicofo_auth_password: "{{ undef() }}"
+jitsi_jvb_auth_password: "{{ undef() }}"
 
 jitsi_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
@@ -17,8 +19,8 @@ jitsi_env:
   ENABLE_AUTH: 0
   ENABLE_GUESTS: 1
 
-  JICOFO_AUTH_PASSWORD: "{{ vault_jitsi.jicofo_auth_password }}"
+  JICOFO_AUTH_PASSWORD: "{{ jitsi_jicofo_auth_password | mandatory }}"
-  JVB_AUTH_PASSWORD: "{{ vault_jitsi.jvb_auth_password }}"
+  JVB_AUTH_PASSWORD: "{{ jitsi_jvb_auth_password | mandatory }}"
 
 
 jitsi_compose:

playbooks/roles/lego/defaults/main.yml

@@ -1,5 +1,6 @@
 ---
 lego_host_certificates: "{{ host_services | services_get_attr('certificates') | flatten }}"
+lego_acmedns_registered: "{{ undef() }}"
 
 lego_env:
   ACME_DNS_API_BASE: https://{{ acme_dns.host }}

playbooks/roles/lego/tasks/config.yml

@@ -10,7 +10,7 @@
 - name: Create the acme-dns-accounts
   ansible.builtin.copy:
     dest: "{{ (lego_config_path, 'acme-dns-accounts.json') | path_join }}"
-    content: '{{ vault_acmedns_registered | acmedns_to_lego | to_json }}'
+    content: '{{ lego_acmedns_registered | acmedns_to_lego | to_json }}'
     mode: "0644"
 - name: Copy the hook script
   ansible.builtin.copy:

playbooks/roles/lgtm_stack/defaults/main.yml

@@ -6,6 +6,8 @@ lgtm_stack_loki_domain: "{{ all_services | service_get_domain('loki') }}"
 
 lgtm_stack_alloy_jobs: "{{ all_services | services_to_alloy() }}"
 
+lgtm_stack_grafana_secret_key: "{{ undef() }}"
+
 
 lgtm_stack_svc:
   domain: "{{ lgtm_stack_domain }}"
@@ -35,7 +37,7 @@ lgtm_stack_env:
 
   GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: true
   GF_SECURITY_ADMIN_USER: "{{ admin_email }}"
-  GF_SECURITY_SECRET_KEY: "{{ vault_lgtm_stack.grafana.secret_key }}"
+  GF_SECURITY_SECRET_KEY: "{{ lgtm_stack_grafana_secret_key | mandatory }}"
   GF_SECURITY_COOKIE_SECURE: true
   GF_SECURITY_COOKIE_SAMESITE: "strict"
 

playbooks/roles/mailcowdockerized/defaults/main.yml

@@ -1,6 +1,8 @@
 ---
+mailcowdockerized_domains: "{{ undef }}"
+
 mailcowdockerized_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   docker_host: host.docker.internal
   port: 3004
-  additional_domains: "{{ ['autodiscover', 'autoconfig'] | product(vault_mailcowdockerized.domains) | map('join', '.') }}"
+  additional_domains: "{{ ['autodiscover', 'autoconfig'] | product(mailcowdockerized_domains | mandatory) | map('join', '.') }}"

playbooks/roles/minecraft_2/defaults/main.yml

@@ -1,4 +1,8 @@
 ---
+minecraft_2_seed: "{{ undef() }}"
+minecraft_2_ops: "{{ undef() }}"
+minecraft_2_whitelist: "{{ undef() }}"
+
 minecraft_2_env:
   ALLOW_FLIGHT: true
   ALLOW_NETHER: true
@@ -40,16 +44,16 @@ minecraft_2_env:
   TYPE: PAPER
   ONLINE_MODE: true
   OP_PERMISSION_LEVEL: 4
-  OPS: "{{ vault_minecraft_2.ops }}"
+  OPS: "{{ minecraft_2_ops | mandatory }}"
   OVERRIDE_ICON: true
   OVERRIDE_SERVER_PROPERTIES: true
   PLAYER_IDLE_TIMEOUT: 0
   PREVENT_PROXY_CONNECTIONS: false
-  SEED: "{{ vault_minecraft_2.seed }}"
+  SEED: "{{ minecraft_2_seed | mandatory }}"
   USE_NATIVE_TRANSPORT: true
   VERSION: LATEST
   VIEW_DISTANCE: 10
-  WHITELIST: "{{ vault_minecraft_2.whitelist }}"
+  WHITELIST: "{{ minecraft_2_whitelist | mandatory }}"
 
 minecraft_2_compose:
   watchtower: false

playbooks/roles/minecraft_3/defaults/main.yml

@@ -1,4 +1,8 @@
 ---
+minecraft_3_seed: "{{ undef() }}"
+minecraft_3_ops: "{{ undef() }}"
+minecraft_3_whitelist: "{{ undef() }}"
+
 minecraft_3_env:
   ALLOW_FLIGHT: true
   ALLOW_NETHER: true
@@ -40,16 +44,16 @@ minecraft_3_env:
   TYPE: VANILLA
   ONLINE_MODE: true
   OP_PERMISSION_LEVEL: 4
-  OPS: "{{ vault_minecraft_3.ops }}"
+  OPS: "{{ minecraft_3_ops | mandatory }}"
   OVERRIDE_ICON: true
   OVERRIDE_SERVER_PROPERTIES: true
   PLAYER_IDLE_TIMEOUT: 0
   PREVENT_PROXY_CONNECTIONS: false
-  SEED: "{{ vault_minecraft_3.seed }}"
+  SEED: "{{ minecraft_3_seed | mandatory }}"
   USE_NATIVE_TRANSPORT: true
   VERSION: LATEST
   VIEW_DISTANCE: 10
-  WHITELIST: "{{ vault_minecraft_3.whitelist }}"
+  WHITELIST: "{{ minecraft_3_whitelist | mandatory }}"
 
 minecraft_3_compose:
   watchtower: false

playbooks/roles/minio/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
+minio_user: "{{ undef() }}"
+minio_pass: "{{ undef() }}"
+
 minio_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   port: 9000
@@ -17,8 +20,8 @@ minio_env:
   MINIO_BROWSER_REDIRECT_URL: https://console.{{ svc.domain }}
   MINIO_VOLUMES: /data
 
-  MINIO_ROOT_USER: "{{ vault_minio.user }}"
+  MINIO_ROOT_USER: "{{ minio_user | mandatory }}"
-  MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"
+  MINIO_ROOT_PASSWORD: "{{ minio_pass | mandatory }}"
 
 
 minio_compose:

playbooks/roles/paperless/defaults/main.yml

@@ -2,6 +2,8 @@
 paperless_uid: 1000
 paperless_gid: 1000
 
+paperless_secret_key: "{{ undef() }}"
+
 paperless_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   port: 8000
@@ -11,7 +13,7 @@ paperless_env:
   USERMAP_GID: "{{ paperless_gid }}"
 
   PAPERLESS_URL: "https://{{ paperless_svc.domain }}"
-  PAPERLESS_SECRET_KEY: "{{ vault_paperless.secret_key }}"
+  PAPERLESS_SECRET_KEY: "{{ paperless_secret_key | mandatory }}"
   PAPERLESS_TIME_ZONE: "{{ timezone }}"
   PAPERLESS_OCR_LANGUAGE: deu
 

playbooks/roles/phpvms/defaults/main.yml

@@ -2,6 +2,8 @@
 phpvms_version: 7.0.5
 phpvms_docker_image: ghcr.io/phpvms/phpvms:{{ phpvms_version }}-gd
 
+phpvms_db_password: "{{ undef() }}"
+
 phpvms_uid: 1000
 phpvms_gid: 1000
 
@@ -35,7 +37,7 @@ phpvms_env:
   DB_PORT: 3306
   DB_DATABASE: phpvms
   DB_USERNAME: phpvms
-  DB_PASSWORD: "{{ vault_phpvms.db.pass }}"
+  DB_PASSWORD: "{{ phpvms_db_pass | mandatory }}"
 
   ## CACHE SETTINGS
   CACHE_DRIVER: redis
@@ -82,10 +84,10 @@ phpvms_compose:
         user: "${WWWUSER:-1000}:${WWWGROUP:-1000}"
         image: "{{ phpvms_docker_image }}"
         restart: always
-        command: sh -c sed -i
+        command: sh -c "sed -i
           's/Paginator::useBootstrap();/Paginator::useBootstrap();
           \\\\Illuminate\\\\Support\\\\Facades\\\\URL::forceScheme(\"https\");/'
-          app/Providers/AppServiceProvider.php && php-fpm
+          app/Providers/AppServiceProvider.php && php-fpm"
         environment:
           PHP_OPCACHE_ENABLE: 1
           # some basic laravel stuff

playbooks/roles/shlink/defaults/main.yml

@@ -1,4 +1,6 @@
 ---
+shlink_geolite_key: "{{ undef() }}"
+
 shlink_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   additional_domains:
@@ -23,7 +25,7 @@ shlink_env:
   DB_USER: "{{ opentofu.postgresql_data.shlink.user }}"
   DB_PASSWORD: "{{ opentofu.postgresql_data.shlink.pass }}"
 
-  GEOLITE_LICENSE_KEY: "{{ vault_shlink.geolite_key }}"
+  GEOLITE_LICENSE_KEY: "{{ shlink_geolite_key | mandatory }}"
 
 shlink_compose:
   watchtower: update

playbooks/roles/synapse/defaults/main.yml

@@ -1,4 +1,8 @@
 ---
+synapse_macaroon_secret_key: "{{ undef() }}"
+synapse_form_secret: "{{ undef() }}"
+synapse_signing_key: "{{ undef() }}"
+
 synapse_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   docker_host: synapse-admin
@@ -66,8 +70,8 @@ synapse_yml:
   enable_metrics: true
   report_stats: true
 
-  macaroon_secret_key: "{{ vault_synapse.macaroon_secret_key }}"
+  macaroon_secret_key: "{{ synapse_macaroon_secret_key | mandatory }}"
-  form_secret: "{{ vault_synapse.form_secret }}"
+  form_secret: "{{ synapse_form_secret | mandatory }}"
   signing_key_path: "{{ (svc.config_path, 'msrg.cc.signing.key') | path_join }}"
 
   trusted_key_servers:

playbooks/roles/synapse/tasks/main.yml

@@ -37,7 +37,7 @@
 
     - name: Copy the signing key
       ansible.builtin.copy:
-        content: "{{ vault_synapse.signing_key }}"
+        content: "{{ synapse_signing_key | mandatory }}"
         dest: "{{ (synapse_config_path, 'msrg.cc.signing.key') | path_join }}"
         mode: "0644"
       notify: Restart service {{ role_name }}

playbooks/roles/tandoor/defaults/main.yml

@@ -1,4 +1,5 @@
 ---
+tandoor_secret_key: "{{ undef() }}"
 tandoor_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   port: 80
@@ -14,7 +15,7 @@ tandoor_env:
   SQL_DEBUG: 0
 
   ALLOWED_HOSTS: recipes.serguzim.me
-  SECRET_KEY: "{{ vault_tandoor.secret_key }}"
+  SECRET_KEY: "{{ tandoor_secret_key | mandatory }}"
   TZ: "{{ timezone }}"
 
   DB_ENGINE: django.db.backends.postgresql

playbooks/roles/teamspeak_fallback/defaults/main.yml

@@ -2,7 +2,7 @@
 teamspeak_fallback_check_server: ts.sneiso.eu
 teamspeak_fallback_check_port: 30033
 
-teamspeak_fallback_webhook_token: "{{ vault_teamspeak_fallback.webhook_token }}"
+teamspeak_fallback_webhook_token: "{{ undef() }}"
 
 teamspeak_fallback_user: 9987
 teamspeak_fallback_group: 9987
@@ -28,7 +28,7 @@ teamspeak_fallback_yml:
       and:
         - match:
             type: value
-            value: "{{ teamspeak_fallback_webhook_token }}"
+            value: "{{ teamspeak_fallback_webhook_token | mandatory }}"
             parameter:
               source: header
               name: X-Webhook-Token

playbooks/roles/umami/defaults/main.yml

@@ -4,7 +4,7 @@ umami_db_user: "{{ opentofu.postgresql_data.umami.user }}"
 umami_db_pass: "{{ opentofu.postgresql_data.umami.pass }}"
 umami_db_database: "{{ opentofu.postgresql_data.umami.database }}"
 
-umami_hash_salt: "{{ vault_umami.hash_salt }}"
+umami_hash_salt: "{{ undef() }}"
 
 umami_docker_image: docker.umami.dev/umami-software/umami:3
 
@@ -29,7 +29,7 @@ umami_svc:
 
 umami_env:
   DATABASE_URL: postgres://{{ umami_db_user }}:{{ umami_db_pass }}@{{ umami_db_host }}/{{ umami_db_database }}?sslmode=full-verify
-  HASH_SALT: "{{ umami_hash_salt }}"
+  HASH_SALT: "{{ umami_hash_salt | mandatory }}"
   CLIENT_IP_HEADER: X-Analytics-IP
 
 umami_compose:

playbooks/roles/vikunja/defaults/main.yml

@@ -1,4 +1,6 @@
 ---
+vikunja_jwt_secret: "{{ undef() }}"
+
 vikunja_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   port: 3456
@@ -11,7 +13,7 @@ vikunja_svc:
 
 vikunja_yml:
   service:
-    JWTSecret: "{{ vault_vikunja.jwt_secret }}"
+    JWTSecret: "{{ vikunja_jwt_secret | mandatory }}"
     publicurl: https://{{ svc.domain }}
     enableregistration: false
     timezone: "{{ timezone }}"

playbooks/roles/woodpecker/defaults/main.yml

@@ -1,4 +1,8 @@
 ---
+woodpecker_agent_secret: "{{ undef() }}"
+woodpecker_gitea_client: "{{ undef() }}"
+woodpecker_gitea_secret: "{{ undef() }}"
+
 woodpecker_svc:
   domain: "{{ all_services | service_get_domain(role_name) }}"
   port: 8000
@@ -17,16 +21,16 @@ woodpecker_env:
   WOODPECKER_OPEN: true
   WOODPECKER_HOST: https://{{ svc.domain }}
   WOODPECKER_ADMIN: serguzim
-  WOODPECKER_AGENT_SECRET: "{{ vault_woodpecker.agent_secret }}"
+  WOODPECKER_AGENT_SECRET: "{{ woodpecker_agent_secret | mandatory }}"
-  WOODPECKER_PROMETHEUS_AUTH_TOKEN: "{{ vault_metrics_token }}"
+  WOODPECKER_PROMETHEUS_AUTH_TOKEN: "{{ metrics_token | mandatory }}"
 
   WOODPECKER_SERVER: "{{ svc.extra_svcs[0].domain }}:443"
   WOODPECKER_GRPC_SECURE: true
 
   WOODPECKER_GITEA: true
   WOODPECKER_GITEA_URL: https://git.serguzim.me
-  WOODPECKER_GITEA_CLIENT: "{{ vault_woodpecker.gitea.client }}"
+  WOODPECKER_GITEA_CLIENT: "{{ woodpecker_gitea_client | mandatory }}"
-  WOODPECKER_GITEA_SECRET: "{{ vault_woodpecker.gitea.secret }}"
+  WOODPECKER_GITEA_SECRET: "{{ woodpecker_gitea_secret | mandatory }}"
 
   WOODPECKER_DATABASE_DRIVER: postgres
   WOODPECKER_DATABASE_DATASOURCE: postgres://{{ svc.db.user }}:{{ svc.db.pass }}@{{ svc.db.host }}:{{ svc.db.port }}/{{ svc.db.database }}?sslmode=verify-full