From 6ff842aa9efe5cebd9bf07b5e8c8085177896b5e Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys
Date: Fri, 6 Mar 2026 14:31:21 -0500
Subject: [PATCH] docs: update .env.example and README documentation

---
 .env.example | 41 +++++++++++++++++------------------------
 README.md | 18 +++++++++++-------
 2 files changed, 28 insertions(+), 31 deletions(-)

diff --git a/.env.example b/.env.example
index 5017b96..fbfc298 100644
--- a/.env.example
+++ b/.env.example
@@ -3,46 +3,39 @@ ANSIBLE_PRIVATE_KEY_FILE= TF_VAR_region=ca-central TF_VAR_instance_type=g6-nanode-1 TF_VAR_image=linode/debian13 +TF_VAR_group= TF_VAR_ssh_port=22 TF_VAR_timezone=America/Toronto TF_VAR_add_cloudflare_ips=false TF_VAR_enable_cloudflare_dns=false TF_VAR_enable_services_wildcard=true -TF_VAR_object_storage_bucket= -TF_VAR_object_storage_region=us-east-1 -S3_BUCKET= -S3_REGION=us-east-1 -S3_ENDPOINT=https://us-east-1.linodeobjects.com - -RESTIC_REPOSITORY= -RESTIC_AWS_DEFAULT_REGION=us-east-1 -INFRA_BACKUP_ONCALENDAR=daily -RESTIC_KEEP_DAILY=7 -RESTIC_KEEP_WEEKLY=4 -RESTIC_KEEP_MONTHLY=6 - -ALERTMANAGER_SLACK_CHANNEL=#alerts -ALERTMANAGER_SLACK_USERNAME=alertmanager +TF_VAR_tf_state_bucket= +TF_VAR_tf_state_region=us-east-1 AUTHELIA_SMTP_ADDRESS= -AUTHELIA_SMTP_USERNAME= -AUTHELIA_SMTP_PASSWORD= AUTHELIA_SMTP_SENDER= AUTHELIA_SMTP_IDENTIFIER= AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS= -AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK=false -# AUTHELIA_NOTIFIER_TYPE=filesystem +AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK=true +AUTHELIA_NOTIFIER_TYPE=smtp -# Postmark SMTP Configuration +INFRA_BACKUP_ONCALENDAR=daily +RESTIC_KEEP_WEEKLY=4 + +# Vault-managed variables (defined in vault.yml) +# AUTHELIA_SMTP_USERNAME= +# AUTHELIA_SMTP_PASSWORD= +# RESTIC_KEEP_DAILY=7 +# RESTIC_KEEP_MONTHLY=6 +# VAULT_DEPLOY_TOKEN= + +# Optional: Postmark SMTP Configuration # POSTFIX_RELAYHOST=smtp.postmarkapp.com # POSTFIX_RELAYHOST_PORT=2525 # POSTFIX_RELAYHOST_USERNAME=your-postmark-server-token # POSTFIX_RELAYHOST_PASSWORD=your-postmark-server-token # POSTFIX_SMTP_TLS_SECURITY_LEVEL=may # POSTFIX_ALLOWED_SENDER_DOMAINS=yourdomain.com -# POSTFIX_ALLOW_EMPTY_SENDER_DOMAINS=true - -# Deployment token for webhook authentication (must match DEPLOY_TOKEN secret in app repos) -VAULT_DEPLOY_TOKEN= \ No newline at end of file +# POSTFIX_ALLOW_EMPTY_SENDER_DOMAINS=true \ No newline at end of file diff --git a/README.md b/README.md index 1174891..54bae3f 100644 --- a/README.md +++ b/README.md 
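Review bot: `AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK` flips from `false` to `true` in the same hunk that sets `AUTHELIA_NOTIFIER_TYPE=smtp`, so the example now disables the notifier startup check by default and a misconfigured SMTP notifier would presumably only surface when Authelia first tries to send mail. Unless the check is known to fail in this deployment, keep `false` as the example default or annotate the line with `# Set to false once SMTP is configured so Authelia verifies the notifier at startup`. The new "Vault-managed variables" list names `RESTIC_KEEP_DAILY` and `RESTIC_KEEP_MONTHLY` while `RESTIC_KEEP_WEEKLY=4` stays here as a plain variable, which looks inconsistent for three retention settings of the same kind. Likewise the commented `POSTFIX_RELAYHOST_USERNAME`/`POSTFIX_RELAYHOST_PASSWORD` placeholders remain in this file while `AUTHELIA_SMTP_PASSWORD` moved to the vault list; if the Postmark server token is a secret, it belongs under the vault-managed section as well.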
@@ -284,27 +284,30 @@ ansible-playbook playbooks/web.yml --ask-vault-pass
 
 ## Notes
 
-- **Grafana/Prometheus/Loki**: Deployed but DNS records commented out in Terraform. Enable by uncommenting in `terraform/main.tf`.
+- **Grafana/Prometheus/Loki**: Available as optional roles but not deployed by default (commented out in `services.yml`). Enable by uncommenting the role entries.
 - Loki is exposed on `services:3100` but allowlisted in UFW to `web` only.
 - Watchtower is enabled with label-based updates.
-- Airflow/Spark are intentionally optional and can be enabled later via `deploy_airflow` / `deploy_spark`.
-- **Traefik**: Uses file provider as fallback due to Docker API version mismatch (client 1.24 vs server 1.44). Services have static router definitions in `/opt/traefik/dynamic/base.yml`.
+- **Traefik**: Uses file provider exclusively (Docker socket access removed). Services have static router definitions in `/opt/traefik/dynamic/base.yml`.
 - **Postfix**: Relays through Postmark port 2525 (avoids ISP blocking on 587).
+- **Hardening**: SSH config and unattended-upgrades managed via `hardening` role to prevent StackScript drift.
 
 ## Role layout
 
 Services host (`services`):
 
-- `roles/traefik` (with file provider fallback for Docker API compatibility)
+- `roles/traefik` (file provider only - no Docker socket)
 - `roles/postfix` (Postmark SMTP relay for transactional email)
 - `roles/exporters` (node-exporter + cAdvisor)
 - `roles/app` (active - DNS enabled)
-- `roles/prometheus` (deployed but DNS commented out)
-- `roles/loki` (deployed but DNS commented out)
-- `roles/grafana` (deployed but DNS commented out)
+- `roles/prometheus` (optional - commented out in services.yml)
+- `roles/loki` (optional - commented out in services.yml)
+- `roles/grafana` (optional - commented out in services.yml)
 - `roles/forgejo`
 - `roles/alertmanager` (uses localhost:25 Postfix relay)
 - `roles/watchtower`
+- `roles/hardening` (SSH hardening, unattended-upgrades)
+- `roles/backups`
+- `roles/fail2ban` (Docker-based fail2ban)
 
 Web host (`web`):
 
@@ -312,6 +315,7 @@ Web host (`web`):
 - `roles/app_core` (optional shared Postgres/Redis)
 - `roles/forgejo_runner`
 - `roles/app_deployer` (CI/CD webhook and deployment automation)
+- `roles/hardening` (SSH hardening, unattended-upgrades)
 
 ## App Deployment
 