Update secrets management and authentication scripts

- Update vault.example.yml with current secret structure
- Enhance gen-auth-secrets.sh for improved OIDC client generation

scripts/gen-auth-secrets.sh

@@ -19,6 +19,8 @@ AUTHELIA_OIDC_HMAC_SECRET=$(rand_hex 32)
 AUTHELIA_OIDC_GRAFANA_CLIENT_SECRET=$(rand_hex 20)
 AUTHELIA_OIDC_FORGEJO_CLIENT_SECRET=$(rand_hex 20)
 
+VAULT_DEPLOY_TOKEN=$(rand_hex 32)
+
 OIDC_PRIVATE_KEY_PEM=$(openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null)
 
 cat <<EOF
@@ -34,4 +36,5 @@ AUTHELIA_OIDC_PRIVATE_KEY_PEM: |
 $(printf '%s\n' "$OIDC_PRIVATE_KEY_PEM" | sed 's/^/  /')
 AUTHELIA_OIDC_GRAFANA_CLIENT_SECRET: "${AUTHELIA_OIDC_GRAFANA_CLIENT_SECRET}"
 AUTHELIA_OIDC_FORGEJO_CLIENT_SECRET: "${AUTHELIA_OIDC_FORGEJO_CLIENT_SECRET}"
+VAULT_DEPLOY_TOKEN: "${VAULT_DEPLOY_TOKEN}"
 EOF

secrets/vault.example.yml

@@ -7,8 +7,8 @@ TF_VAR_linode_token:
 TF_VAR_root_pass:
 TF_VAR_user_password:
 TF_VAR_ssh_public_key:
-TF_VAR_cloudflare_api_token:
-TF_VAR_cloudflare_zone_id:
+CF_DNS_API_TOKEN:
+CF_ZONE_API_TOKEN:
 LLDAP_ADMIN_PASSWORD:
 LLDAP_JWT_SECRET:
 LLDAP_KEY_SEED:
@@ -19,7 +19,29 @@ AUTHELIA_OIDC_HMAC_SECRET:
 AUTHELIA_OIDC_PRIVATE_KEY_PEM:
 AUTHELIA_OIDC_GRAFANA_CLIENT_SECRET:
 AUTHELIA_OIDC_FORGEJO_CLIENT_SECRET:
+AUTHELIA_SMTP_ADDRESS:
+AUTHELIA_SMTP_USERNAME:
+AUTHELIA_SMTP_PASSWORD:
+AUTHELIA_SMTP_SENDER:
+AUTHELIA_SMTP_IDENTIFIER:
+AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS:
+# POSTFIX_RELAYHOST:
+# POSTFIX_RELAYHOST_USERNAME:
+# POSTFIX_RELAYHOST_PASSWORD:
 FORGEJO_RUNNER_REGISTRATION_TOKEN:
 FORGEJO_API_TOKEN:
+FORGEJO_BASE_URL:
+FORGEJO_RUNNER_REGISTRATION_TOKEN:
 SERVICE_SSH_REGISTER_PUBLIC_KEY:
 SERVICE_SSH_DEREGISTER_PUBLIC_KEY:
+
+RESTIC_PASSWORD:
+RESTIC_AWS_ACCESS_KEY_ID:
+RESTIC_AWS_SECRET_ACCESS_KEY:
+RESTIC_AWS_DEFAULT_REGION:
+
+ALERTMANAGER_SLACK_WEBHOOK_URL:
+ALERTMANAGER_DISCORD_WEBHOOK_URL:
+
+# Deployment token for webhook authentication (must match DEPLOY_TOKEN secret in app repos)
+VAULT_DEPLOY_TOKEN: