Ronni Baslund
35bc7b6c31
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
53 lines
2.3 KiB
YAML
53 lines
2.3 KiB
YAML
# ─────────────────────────────────────────────────────────────────────────
|
|
# Secret TEMPLATE — DO NOT COMMIT REAL VALUES.
|
|
#
|
|
# These are placeholders. In production, manage the real Secrets out-of-band
|
|
# (sealed-secrets / SOPS / Rancher secret store), NOT in git. Copy this file,
|
|
# fill in real values, and apply it separately — or render SealedSecrets from
|
|
# it. The Deployments reference these Secrets by name via envFrom.
|
|
#
|
|
# Generate strong values with: openssl rand -hex 32
|
|
# ─────────────────────────────────────────────────────────────────────────
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: platform-api-secrets
|
|
namespace: dezky-apps
|
|
type: Opaque
|
|
stringData:
|
|
# Mongo connection string for the in-cluster MongoDB (data tier namespace).
|
|
MONGODB_URI: "mongodb://USER:PASSWORD@mongo.dezky-data.svc.cluster.local:27017/dezky?authSource=admin"
|
|
# AES key used to encrypt stored scheduling credentials (e.g. CalDAV creds).
|
|
SCHEDULING_CREDENTIAL_KEY: "REPLACE_WITH_openssl_rand_hex_32"
|
|
# MUST equal the host's STALWART_ADMIN_PASSWORD (config.env on the AX41).
|
|
STALWART_ADMIN_PASSWORD: "REPLACE_WITH_SAME_AS_HOST"
|
|
# MUST equal the host's STALWART_WEBHOOK_SECRET (audit webhook HMAC).
|
|
STALWART_WEBHOOK_SECRET: "REPLACE_WITH_SAME_AS_HOST"
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: portal-secrets
|
|
namespace: dezky-apps
|
|
type: Opaque
|
|
stringData:
|
|
# Authentik OIDC client provisioned for the portal.
|
|
NUXT_OIDC_CLIENT_ID: "REPLACE"
|
|
NUXT_OIDC_CLIENT_SECRET: "REPLACE"
|
|
NUXT_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/callback"
|
|
# Public base URL of Authentik (used for login redirects + full sign-out).
|
|
NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
|
|
# nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
|
|
NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: booking-secrets
|
|
namespace: dezky-apps
|
|
type: Opaque
|
|
stringData:
|
|
# Cloudflare Turnstile site key for the public booking form (public value,
|
|
# env-injected so it can rotate without a rebuild).
|
|
NUXT_PUBLIC_TURNSTILE_SITE_KEY: "REPLACE"
|