ilia/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ansible/inventories/production/group_vars/all/vault.example.yml
ilia de49b34cdc
Some checks failed
CI / skip-ci-check (pull_request) Successful in 6s
Details
CI / lint-and-test (pull_request) Failing after 9s
Details
CI / ansible-validation (pull_request) Failing after 6s
Details
CI / secret-scanning (pull_request) Successful in 5s
Details
CI / dependency-scan (pull_request) Successful in 8s
Details
CI / sast-scan (pull_request) Failing after 5s
Details
CI / license-check (pull_request) Successful in 11s
Details
CI / vault-check (pull_request) Failing after 6s
Details
CI / playbook-test (pull_request) Failing after 6s
Details
CI / container-scan (pull_request) Failing after 6s
Details
CI / sonar-analysis (pull_request) Failing after 2s
Details
CI / workflow-summary (pull_request) Successful in 4s
Details
Add homelab monitoring, portfolio site, and vault tooling. 
Document pve10 static IPs, monitoring stack, and site LXCs; add portfolio
to inventory; Mailcow mailbox automation; vault import/export scripts;
security audit guides and UniFi DHCP reference.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-22 16:25:07 -04:00

115 lines
4.5 KiB
YAML
Raw Blame History

---
# Example vault values for Proxmox app projects.
#
# Copy required keys into your encrypted vault:
# make edit-group-vault
#
# Never commit real secrets unencrypted.
# Proxmox API
vault_proxmox_host: "10.0.10.201"
vault_proxmox_user: "root@pam"
vault_proxmox_node: "pve"
vault_proxmox_password: "CHANGE_ME"
# Optional token auth (recommended if you use it)
# vault_proxmox_token_id: "root@pam!ansible"
# vault_proxmox_token: "CHANGE_ME"
# SSH public key for appuser (workstation key)
vault_ssh_public_key: "ssh-ed25519 AAAA... you@example"
# LXC create bootstrap password (often required by Proxmox)
vault_lxc_root_password: "CHANGE_ME"
# Mailcow API — System → Configuration → Access → API (read/write)
vault_mailcow_api_key: "CHANGE_ME"
# Per-mailbox passwords (make mailcow-mailbox MAILBOX=<key>)
vault_mailcow_mailbox_passwords:
alerts: "CHANGE_ME"
# Legacy alias (optional)
vault_alerts_mailbox_password: "CHANGE_ME"
# Uptime Kuma + SMTP (monitoring LXC)
vault_uptime_kuma_url: "http://10.0.10.22:3001"
vault_uptime_kuma_user: "admin"
vault_uptime_kuma_password: "CHANGE_ME"
vault_kuma_smtp_host: "mail.levkine.ca"
vault_kuma_smtp_port: "587"
vault_kuma_smtp_user: "alerts@levkine.ca"
vault_kuma_smtp_password: "CHANGE_ME"
vault_kuma_smtp_to: "idobkin@gmail.com"
# Umami (monitoring LXC /opt/monitoring/.env)
vault_umami_db_password: "CHANGE_ME"
vault_umami_app_secret: "CHANGE_ME"
# Hermes Mattermost (not Telegram)
vault_mattermost_url: "https://slack.levkin.ca"
vault_mattermost_token: "CHANGE_ME"
vault_mattermost_allowed_users: "CHANGE_ME"
# -----------------------------------------------------------------------------
# POTE (python/venv + cron) secrets
# -----------------------------------------------------------------------------
# Private key used for cloning from Gitea (deploy key). Store as a multi-line block.
vault_pote_git_ssh_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
CHANGE_ME
-----END OPENSSH PRIVATE KEY-----
# Environment-specific DB passwords (used by roles/pote)
vault_pote_db_password_dev: "CHANGE_ME"
vault_pote_db_password_qa: "CHANGE_ME"
vault_pote_db_password_prod: "CHANGE_ME"
# SMTP password for reports
vault_pote_smtp_password: "CHANGE_ME"
# -----------------------------------------------------------------------------
# Mirrormatch (Prisma/Node backend) secrets
# -----------------------------------------------------------------------------
# Optional deploy key for private repo access
vault_mirrormatch_git_ssh_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
CHANGE_ME
-----END OPENSSH PRIVATE KEY-----
# Per-environment database URLs (use external Postgres VM/cluster)
vault_mirrormatch_database_url_dev: "postgresql://mm_dev_user:CHANGE_ME@10.0.10.181:5432/mirrormatch_dev"
vault_mirrormatch_database_url_qa: "postgresql://mm_qa_user:CHANGE_ME@10.0.10.181:5432/mirrormatch_qa"
vault_mirrormatch_database_url_prod: "postgresql://mm_prod_user:CHANGE_ME@10.0.10.181:5432/mirrormatch_prod"
# Optional shadow DB URLs if your Prisma workflow needs them
vault_mirrormatch_shadow_database_url_dev: "postgresql://mm_dev_shadow:CHANGE_ME@10.0.10.181:5432/mirrormatch_dev_shadow"
vault_mirrormatch_shadow_database_url_qa: "postgresql://mm_qa_shadow:CHANGE_ME@10.0.10.181:5432/mirrormatch_qa_shadow"
vault_mirrormatch_shadow_database_url_prod: "postgresql://mm_prod_shadow:CHANGE_ME@10.0.10.181:5432/mirrormatch_prod_shadow"
# NEXTAUTH secrets per env
vault_mirrormatch_nextauth_secret_dev: "CHANGE_ME"
vault_mirrormatch_nextauth_secret_qa: "CHANGE_ME"
vault_mirrormatch_nextauth_secret_prod: "CHANGE_ME"
# SMTP (prod)
vault_mirrormatch_smtp_host: "smtp.example.com"
vault_mirrormatch_smtp_port: "587"
vault_mirrormatch_smtp_user: "smtp-user"
vault_mirrormatch_smtp_password: "CHANGE_ME"
vault_mirrormatch_smtp_from: "MirrorMatch <noreply@mirrormatch.com>"
# -----------------------------------------------------------------------------
# punimTag (monorepo) secrets
# -----------------------------------------------------------------------------
# Optional deploy key for private repo access
vault_punimtag_git_ssh_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
CHANGE_ME
-----END OPENSSH PRIVATE KEY-----
# Per-environment database URLs (use external Postgres at 10.0.10.181:5432)
vault_punimtag_database_url_dev: "postgresql://punimtag_dev_user:CHANGE_ME@10.0.10.181:5432/punimtag_dev"
vault_punimtag_database_url_qa: "postgresql://punimtag_qa_user:CHANGE_ME@10.0.10.181:5432/punimtag_qa"
vault_punimtag_database_url_prod: "postgresql://punimtag_prod_user:CHANGE_ME@10.0.10.181:5432/punimtag_prod"
Reference in New Issue View Git Blame Copy Permalink