-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsecrets.enc.yaml.example
More file actions
90 lines (79 loc) · 3.62 KB
/
Copy pathsecrets.enc.yaml.example
File metadata and controls
90 lines (79 loc) · 3.62 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
---
# SOPS secrets template for ansible-proxmox-apps
# Copy to secrets.enc.yaml, fill in real values, then encrypt:
# cp secrets.enc.yaml.example secrets.enc.yaml
# sops --encrypt --in-place secrets.enc.yaml
#
# To edit encrypted values:
# sops secrets.enc.yaml
#
# These variables are consumed via `sops exec-env` which exports
# them as environment variables before running ansible-playbook.
# Proxmox connection
# (no global Proxmox host: each LXC's node host is derived from the inventory
# as {node-role}.{domain})
PROXMOX_VE_NODE: pve
PROXMOX_VE_GATEWAY: "192.168.0.1"
PROXMOX_DOMAIN: example.local
PROXMOX_SSH_KEY_PATH: /path/to/your/ssh/key
PROXMOX_DKR_SSH_KEY_PATH: /path/to/your/docker-vm/ssh/key
# Splunk
SPLUNK_HEC_TOKEN: your-token-here
SPLUNK_PASSWORD: your-token-here
# HAProxy
HAPROXY_STATS_PASSWORD: your-token-here
# Technitium DNS
TECHNITIUM_DNS_API_TOKEN: your-token-here
# Mailpit SMTP relay
MAILPIT_RELAY_HOST: smtp.gmail.com
MAILPIT_RELAY_PORT: "587"
MAILPIT_RELAY_USERNAME: your-email@gmail.com
MAILPIT_RELAY_PASSWORD: your-app-password-here
# SQL Server
MSSQL_SA_PASSWORD: your-strong-sa-password-here
# GitHub Actions Runner
# DEPRECATED: GITHUB_RUNNER_TOKEN is replaced by GH_PAT_RUNNER_TOKEN.
# The admin token is a fine-grained PAT stored in Doppler (not SOPS) that
# auto-generates ephemeral registration tokens at container startup.
# See CLAUDE.md for details.
# GITHUB_RUNNER_TOKEN: no-longer-needed
# Qdrant Vector Database
QDRANT_API_KEY: your-qdrant-api-key-here
# n8n (AI orchestration tier — Community Edition)
# N8N_DB_PASSWORD: openssl rand -base64 24
# N8N_OWNER_PASSWORD: the console owner login; needs >=8 chars, 1 number, 1 capital
# N8N_OWNER_EMAIL is optional (role default admin@n8n.local; override via env).
# The N8N_ENCRYPTION_KEY is generated + persisted ON the host (/opt/n8n/.encryption_key),
# not stored here.
N8N_DB_PASSWORD: your-strong-db-password-here
N8N_OWNER_PASSWORD: your-Owner-Pass1-here
# OpenProject Community Edition
# Generate with: openssl rand -hex 64
# This value MUST be stable across restarts — rotating it invalidates all
# Rails sessions and existing cookies.
OPENPROJECT_SECRET_KEY_BASE: your-128-char-hex-secret-here
# download_vpn (qBittorrent + Prowlarr behind Proton WireGuard)
#
# Proton WireGuard credentials live in Doppler (NOT SOPS) — the role reads
# them via lookup('env', ...). Variable names mirror the .conf section
# structure Proton ships, so copying values out of the downloaded .conf
# into Doppler is mechanical:
#
# [Interface] PrivateKey -> PROTON_WG_IFACE_PRIVATE_KEY
# [Interface] Address -> PROTON_WG_IFACE_ADDRESS (e.g. "10.2.0.2/32,fd00::.../128")
# [Peer] PublicKey -> PROTON_WG_PEER_PUBLIC_KEY
# [Peer] Endpoint -> PROTON_WG_PEER_ENDPOINT (e.g. "host.protonvpn.net:51820")
#
# Proton issues a DUAL-STACK config: the Address line contains an IPv4 AND
# an IPv6 address. The role keeps only the IPv4 half and kills IPv6 entirely
# — paste the full Address as Proton gives it or just the IPv4 entry, either
# works. The [Interface] DNS resolver (10.2.0.1) is a stable Proton tunnel
# constant hardcoded in defaults/main.yml; not an env var.
#
# QBITTORRENT_ADMIN_PASSWORD, DOWNLOAD_VPN_HEALTHCHECK_URL, SONARR_API_KEY,
# RADARR_API_KEY, PROWLARR_API_KEY, SEERR_API_KEY, and PLEX_TOKEN moved out of
# this file — they now arrive as plain environment variables from whatever
# wraps the `sops exec-env`/`doppler run` chain (this repo's own setup uses
# `scripts/fetch-openbao-secrets.sh media`; swap it for anything that lands
# the same variables, e.g. a `.env` you source). The roles' own
# `lookup('env', ...)` calls are unchanged either way.