Remove unnecessary extra variable definitions

The world could do with a bit less YAML!
2023-12-14 22:03:23 +00:00 · 2023-12-14 22:03:23 +00:00 · b33e19e152
commit b33e19e152
parent 7ad5d6e51e
40 changed files with 81 additions and 158 deletions
--- a/ansible/host_vars/restic/main.yml
+++ b/ansible/host_vars/restic/main.yml
@ -3,7 +3,5 @@ restic_backup_locations:
  - /mnt/host/mnt/speed
  - /mnt/host/etc/pve
  - /mnt/home-assistant
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"

 restic_forget: true
-restic_forget_healthchecks_id: "{{ vault_restic_forget_healthchecks_id }}"
--- a/ansible/host_vars/walker/main.yml
+++ b/ansible/host_vars/walker/main.yml
@ -1,3 +1,2 @@
 restic_backup_locations:
  - /opt
-restic_healthchecks_id: "{{ vault_restic_healthchecks_id }}"
--- a/ansible/roles/authentik/files/docker-compose.yml
+++ b/ansible/roles/authentik/files/docker-compose.yml
@ -6,18 +6,18 @@ x-env: &env
  - AUTHENTIK_POSTGRESQL__HOST=db
  - AUTHENTIK_POSTGRESQL__USER=authentik
  - AUTHENTIK_POSTGRESQL__NAME=authentik
-  - AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
-  - AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
+  - AUTHENTIK_POSTGRESQL__PASSWORD={{ vault_authentik_db_password }}
+  - AUTHENTIK_SECRET_KEY={{ vault_authentik_secret_key }}
  - AUTHENTIK_WEB__WORKERS=1
  - AUTHENTIK_DISABLE_UPDATE_CHECK=true
  - AUTHENTIK_ERROR_REPORTING__ENABLED=false
  - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
  - AUTHENTIK_EMAIL__HOST=smtp.eu.mailgun.org
  - AUTHENTIK_EMAIL__PORT=465
-  - AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }}
-  - AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }}
+  - AUTHENTIK_EMAIL__USERNAME={{ vault_authentik_email_username }}
+  - AUTHENTIK_EMAIL__PASSWORD={{ vault_authentik_email_password }}
  - AUTHENTIK_EMAIL__USE_TLS=true
-  - AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
+  - AUTHENTIK_EMAIL__FROM={{ vault_authentik_email_from }}

 services:
  server:
@ -64,7 +64,7 @@ services:
    volumes:
      - /mnt/speed/dbs/postgres/authentik:/var/lib/postgresql/data
    environment:
-      - POSTGRES_PASSWORD={{ authentik_db_password }}
+      - POSTGRES_PASSWORD={{ vault_authentik_db_password }}
      - POSTGRES_USER=authentik

  redis:
--- a/ansible/roles/authentik/vars/main.yml
+++ b/ansible/roles/authentik/vars/main.yml
@ -1,5 +0,0 @@
-authentik_db_password: "{{ vault_authentik_db_password }}"
-authentik_secret_key: "{{ vault_authentik_secret_key }}"
-authentik_email_username: "{{ vault_authentik_email_username }}"
-authentik_email_password: "{{ vault_authentik_email_password }}"
-authentik_email_from: "{{ vault_authentik_email_from }}"
--- a/ansible/roles/commento/files/docker-compose.yml
+++ b/ansible/roles/commento/files/docker-compose.yml
@ -17,15 +17,15 @@ services:
      - COMMENTO_ORIGIN=https://commento.theorangeone.net
      - COMMENTO_GZIP_STATIC=true
      - COMMENTO_FORBID_NEW_OWNERS=true
-      - COMMENTO_GITHUB_KEY={{ commento_github_client_id }}
-      - COMMENTO_GITHUB_SECRET={{ commento_github_client_secret }}
+      - COMMENTO_GITHUB_KEY={{ vault_commento_github_client_id }}
+      - COMMENTO_GITHUB_SECRET={{ vault_commento_github_client_secret }}
      - COMMENTO_SMTP_HOST=smtp.eu.mailgun.org
      - COMMENTO_SMTP_PORT=587
-      - COMMENTO_SMTP_USERNAME={{ commento_smtp_username }}
-      - COMMENTO_SMTP_PASSWORD={{ commento_smtp_password }}
-      - COMMENTO_SMTP_FROM_ADDRESS={{ commento_from_email }}
-      - COMMENTO_GITLAB_KEY={{ commento_gitlab_application_id }}
-      - COMMENTO_GITLAB_SECRET={{ commento_gitlab_application_secret }}
+      - COMMENTO_SMTP_USERNAME={{ vault_commento_smtp_username }}
+      - COMMENTO_SMTP_PASSWORD={{ vault_commento_smtp_password }}
+      - COMMENTO_SMTP_FROM_ADDRESS={{ vault_commento_from_email }}
+      - COMMENTO_GITLAB_KEY={{ vault_commento_gitlab_application_id }}
+      - COMMENTO_GITLAB_SECRET={{ vault_commento_gitlab_application_secret }}

  db:
    image: postgres:14-alpine
--- a/ansible/roles/commento/vars/main.yml
+++ b/ansible/roles/commento/vars/main.yml
@ -1,7 +0,0 @@
-commento_github_client_id: "{{ vault_commento_github_client_id }}"
-commento_github_client_secret: "{{ vault_commento_github_client_secret }}"
-commento_smtp_username: "{{ vault_commento_smtp_username }}"
-commento_smtp_password: "{{ vault_commento_smtp_password }}"
-commento_from_email: "{{ vault_commento_from_email }}"
-commento_gitlab_application_id: "{{ vault_commento_gitlab_application_id }}"
-commento_gitlab_application_secret: "{{ vault_commento_gitlab_application_secret }}"
--- a/ansible/roles/db_auto_backup/files/docker-compose.yml
+++ b/ansible/roles/db_auto_backup/files/docker-compose.yml
@ -8,7 +8,7 @@ services:
      - "{{ db_backups_dir }}:/var/backups"
    environment:
      - DOCKER_HOST=tcp://docker_proxy:2375
-      - HEALTHCHECKS_ID={{ db_auto_backup_healthchecks_id }}
+      - HEALTHCHECKS_ID={{ vault_db_auto_backup_healthchecks_id }}
    depends_on:
      - docker_proxy

--- a/ansible/roles/db_auto_backup/vars/main.yml
+++ b/ansible/roles/db_auto_backup/vars/main.yml
@ -1 +0,0 @@
-db_auto_backup_healthchecks_id: "{{ vault_db_auto_backup_healthchecks_id }}"
--- a/ansible/roles/forrest/files/grafana/docker-compose.yml
+++ b/ansible/roles/forrest/files/grafana/docker-compose.yml
@ -15,9 +15,9 @@ services:

      - GF_SMTP_ENABLED=true
      - GF_SMTP_HOST=smtp.eu.mailgun.org:465
-      - GF_SMTP_USER={{ grafana_smtp_user }}
-      - GF_SMTP_PASSWORD={{ grafana_smtp_password }}
-      - GF_SMTP_FROM_ADDRESS={{ grafana_from_email }}
+      - GF_SMTP_USER={{ vault_grafana_smtp_user }}
+      - GF_SMTP_PASSWORD={{ vault_grafana_smtp_password }}
+      - GF_SMTP_FROM_ADDRESS={{ vault_grafana_from_email }}
      - GF_SMTP_FROM_NAME=grafana
    volumes:
      - "{{ app_data_dir }}/grafana:/var/lib/grafana"
--- a/ansible/roles/forrest/files/prometheus/alertmanager.yml
+++ b/ansible/roles/forrest/files/prometheus/alertmanager.yml
@ -1,9 +1,9 @@
 global:
  resolve_timeout: 3m
  smtp_smarthost: smtp.eu.mailgun.org:465
-  smtp_from: "{{ alertmanager_from_address }}"
-  smtp_auth_username: "{{ alertmanager_from_address }}"
-  smtp_auth_password: "{{ alertmanager_smtp_password }}"
+  smtp_from: "{{ vault_alertmanager_from_address }}"
+  smtp_auth_username: "{{ vault_alertmanager_from_address }}"
+  smtp_auth_password: "{{ vault_alertmanager_smtp_password }}"

 route:
  receiver: default
@ -11,5 +11,5 @@ route:
 receivers:
  - name: default
    email_configs:
-      - to: "{{ alertmanager_to_address }}"
+      - to: "{{ vault_alertmanager_to_address }}"
        send_resolved: true
--- a/ansible/roles/forrest/files/prometheus/docker-compose.yml
+++ b/ansible/roles/forrest/files/prometheus/docker-compose.yml
@ -45,7 +45,7 @@ services:
    environment:
      - PVE_USER=prometheus@pve
      - PVE_TOKEN_NAME=prometheus
-      - PVE_TOKEN_VALUE={{ prometheus_api_token }}
+      - PVE_TOKEN_VALUE={{ vault_prometheus_api_token }}
      - PVE_VERIFY_SSL=false

  speedtest_exporter:
--- a/ansible/roles/forrest/files/prometheus/prometheus.yml
+++ b/ansible/roles/forrest/files/prometheus/prometheus.yml
@ -34,7 +34,7 @@ scrape_configs:
  - job_name: homeassistant
    metrics_path: /api/prometheus
    authorization:
-      credentials: "{{ homeassistant_token }}"
+      credentials: "{{ vault_homeassistant_token }}"
    metric_relabel_configs:
      - source_labels: [__name__]
        regex: python_.+
@ -121,7 +121,7 @@ scrape_configs:
      module: [http]
    static_configs:
      - targets:
-          - https://hc-ping.com/{{ prometheus_healthcheck_uuid }}
+          - https://hc-ping.com/{{ vault_prometheus_healthcheck_uuid }}
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
@ -132,7 +132,7 @@ scrape_configs:

  - job_name: healthchecks
    scheme: https
-    metrics_path: /projects/{{ healthchecks_project_uuid }}/metrics/{{ healthcheck_api_token }}
+    metrics_path: /projects/{{ vault_healthchecks_project_uuid }}/metrics/{{ vault_healthcheck_api_token }}
    static_configs:
      - targets: [healthchecks.io]

--- a/ansible/roles/forrest/vars/main.yml
+++ b/ansible/roles/forrest/vars/main.yml
@ -1,11 +0,0 @@
-grafana_smtp_password: "{{ vault_grafana_smtp_password }}"
-grafana_smtp_user: "{{ vault_grafana_smtp_user }}"
-grafana_from_email: "{{ vault_grafana_from_email }}"
-homeassistant_token: "{{ vault_homeassistant_token }}"
-prometheus_healthcheck_uuid: "{{ vault_prometheus_healthcheck_uuid }}"
-healthchecks_project_uuid: "{{ vault_healthchecks_project_uuid }}"
-healthcheck_api_token: "{{ vault_healthcheck_api_token }}"
-alertmanager_from_address: "{{ vault_alertmanager_from_address }}"
-alertmanager_smtp_password: "{{ vault_alertmanager_smtp_password }}"
-alertmanager_to_address: "{{ vault_alertmanager_to_address }}"
-prometheus_api_token: "{{ vault_prometheus_api_token }}"
--- a/ansible/roles/gitea/files/app.ini
+++ b/ansible/roles/gitea/files/app.ini
@ -21,7 +21,7 @@ PROTOCOL                = http  # TLS termination done by Traefik
 ENABLE_GZIP             = true
 OFFLINE_MODE            = true
 LANDING_PAGE            = explore
-LFS_JWT_SECRET          = {{ lfs_jwt_secret }}
+LFS_JWT_SECRET          = {{ vault_lfs_jwt_secret }}

 [database]
 DB_TYPE  = postgres
@ -39,8 +39,8 @@ LEVEL = warn

 [security]
 INSTALL_LOCK                  = true
-SECRET_KEY                    = {{ secret_key }}
-INTERNAL_TOKEN                = {{ internal_token }}
+SECRET_KEY                    = {{ vault_secret_key }}
+INTERNAL_TOKEN                = {{ vault_internal_token }}
 PASSWORD_HASH_ALGO            = pbkdf2
 COOKIE_USERNAME               = gitea_username
 COOKIE_REMEMBER_NAME          = gitea_remember
@ -118,9 +118,9 @@ ALLOW_LOCALNETWORKS = true
 ENABLED        = true
 SMTP_ADDR      = smtp.eu.mailgun.org
 SMTP_PORT      = 465
-FROM           = "{{ mailer_from_address }}"
-USER           = "{{ mailer_user }}"
-PASSWD         = "{{ mailer_password }}"
+FROM           = "{{ vault_mailer_from_address }}"
+USER           = "{{ vault_mailer_user }}"
+PASSWD         = "{{ vault_mailer_password }}"
 PROTOCOL    = smtps

 [packages]
@ -129,8 +129,8 @@ STORAGE_TYPE = backblaze
 [storage.backblaze]
 STORAGE_TYPE = minio
 MINIO_ENDPOINT = s3.eu-central-003.backblazeb2.com
-MINIO_ACCESS_KEY_ID = {{ backblaze_access_key_id }}
-MINIO_SECRET_ACCESS_KEY = {{ backblaze_secret_access_key }}
+MINIO_ACCESS_KEY_ID = {{ vault_backblaze_access_key_id }}
+MINIO_SECRET_ACCESS_KEY = {{ vault_backblaze_secret_access_key }}
 MINIO_BUCKET = 0rng-gitea
 MINIO_LOCATION = eu-central-003
 SERVE_DIRECT = true
@ -140,4 +140,4 @@ MINIO_USE_SSL = true
 PATH = /mnt/repo-archive

 [oauth2]
-JWT_SECRET = {{ oauth2_jwt_secret }}
+JWT_SECRET = {{ vault_oauth2_jwt_secret }}
--- a/ansible/roles/gitea/vars/main.yml
+++ b/ansible/roles/gitea/vars/main.yml
@ -1,9 +0,0 @@
-lfs_jwt_secret: "{{ vault_lfs_jwt_secret }}"
-secret_key: "{{ vault_secret_key }}"
-internal_token: "{{ vault_internal_token }}"
-oauth2_jwt_secret: "{{ vault_oauth2_jwt_secret }}"
-mailer_from_address: "{{ vault_mailer_from_address }}"
-mailer_user: "{{ vault_mailer_user }}"
-mailer_password: "{{ vault_mailer_password }}"
-backblaze_access_key_id: "{{ vault_backblaze_access_key_id }}"
-backblaze_secret_access_key: "{{ vault_backblaze_secret_access_key }}"
--- a/ansible/roles/gitea_runner/files/docker-compose.yml
+++ b/ansible/roles/gitea_runner/files/docker-compose.yml
@ -10,7 +10,7 @@ services:
    environment:
      - TZ={{ timezone }}
      - GITEA_INSTANCE_URL=https://git.theorangeone.net
-      - GITEA_RUNNER_REGISTRATION_TOKEN={{ gitea_runner_registration_token }}
+      - GITEA_RUNNER_REGISTRATION_TOKEN={{ vault_gitea_runner_registration_token }}
      - GITEA_RUNNER_NAME={{ ansible_hostname }}
      - GITEA_RUNNER_FETCH_INTERVAL=5s
      - GITEA_RUNNER_MAX_PARALLEL_JOBS={{ ansible_processor_nproc }}
--- a/ansible/roles/gitea_runner/vars/main.yml
+++ b/ansible/roles/gitea_runner/vars/main.yml
@ -1 +0,0 @@
-gitea_runner_registration_token: "{{ vault_gitea_runner_registration_token }}"
--- a/ansible/roles/mastodon/files/docker-compose.yml
+++ b/ansible/roles/mastodon/files/docker-compose.yml
@ -12,10 +12,10 @@ services:
      - DATABASE_URL=postgresql://mastodon:mastodon@db/mastodon
      - REDIS_URL=redis://redis
      - SIDEKIQ_REDIS_URL=redis://redis/1
-      - SECRET_KEY_BASE={{ secret_key_base }}
-      - OTP_SECRET={{ otp_secret }}
-      - VAPID_PRIVATE_KEY={{ vapid_private_key }}
-      - VAPID_PUBLIC_KEY={{ vapid_public_key }}
+      - SECRET_KEY_BASE={{ vault_secret_key_base }}
+      - OTP_SECRET={{ vault_otp_secret }}
+      - VAPID_PRIVATE_KEY={{ vault_vapid_private_key }}
+      - VAPID_PUBLIC_KEY={{ vault_vapid_public_key }}
      - TRUSTED_PROXY_IP=172.20.0.1
      - SINGLE_USER_MODE=true
      - DEFAULT_LOCALE=en
--- a/ansible/roles/mastodon/vars/main.yml
+++ b/ansible/roles/mastodon/vars/main.yml
@ -1,4 +0,0 @@
-secret_key_base: "{{ vault_secret_key_base }}"
-otp_secret: "{{ vault_otp_secret }}"
-vapid_private_key: "{{ vault_vapid_private_key }}"
-vapid_public_key: "{{ vault_vapid_public_key }}"
--- a/ansible/roles/minio/files/docker-compose.yml
+++ b/ansible/roles/minio/files/docker-compose.yml
@ -8,7 +8,7 @@ services:
    environment:
      - TZ=Europe/London
      - MINIO_ROOT_USER=jake
-      - MINIO_ROOT_PASSWORD={{ minio_root_password }}
+      - MINIO_ROOT_PASSWORD={{ vault_minio_root_password }}
    restart: unless-stopped
    labels:
      - traefik.enable=true
--- a/ansible/roles/minio/vars/main.yml
+++ b/ansible/roles/minio/vars/main.yml
@ -1 +0,0 @@
-minio_root_password: "{{ vault_minio_root_password }}"
--- a/ansible/roles/pihole/files/setup-vars.conf
+++ b/ansible/roles/pihole/files/setup-vars.conf
@ -7,7 +7,7 @@ CACHE_SIZE=10000
 DNS_FQDN_REQUIRED=true
 DNS_BOGUS_PRIV=true
 DNSMASQ_LISTENING=bind
-WEBPASSWORD={{ pihole_web_password | hash("sha256") | hash("sha256") }}
+WEBPASSWORD={{ vault_pihole_web_password | hash("sha256") | hash("sha256") }}
 BLOCKING_ENABLED=true
 DNSSEC=false
 REV_SERVER=false
--- a/ansible/roles/pihole/vars/main.yml
+++ b/ansible/roles/pihole/vars/main.yml
@ -1 +0,0 @@
-pihole_web_password: "{{ vault_pihole_web_password }}"
--- a/ansible/roles/plausible/files/docker-compose.yml
+++ b/ansible/roles/plausible/files/docker-compose.yml
@ -25,21 +25,21 @@ services:
      - traefik.http.routers.plausible-embed.middlewares=plausible-index

    environment:
-      - SECRET_KEY_BASE={{ plausible_secret_key }}
-      - SIGNING_SALT={{ plausible_signing_salt }}
+      - SECRET_KEY_BASE={{ vault_plausible_secret_key }}
+      - SIGNING_SALT={{ vault_plausible_signing_salt }}
      - DATABASE_URL=postgres://plausible:plausible@db:5432/plausible
      - DISABLE_REGISTRATION=true
      - DISABLE_SUBSCRIPTION=true
      - CLICKHOUSE_DATABASE_URL=http://clickhouse:8123/plausible
      - BASE_URL=https://elbisualp.theorangeone.net
-      - GOOGLE_CLIENT_ID={{ plausible_google_client_id }}
-      - GOOGLE_CLIENT_SECRET={{ plausible_google_client_secret }}
+      - GOOGLE_CLIENT_ID={{ vault_plausible_google_client_id }}
+      - GOOGLE_CLIENT_SECRET={{ vault_plausible_google_client_secret }}
      - RELEASE_DISTRIBUTION=none
-      - MAILER_EMAIL={{ plausible_from_email }}
+      - MAILER_EMAIL={{ vault_plausible_from_email }}
      - SMTP_HOST_ADDR=smtp.eu.mailgun.org
      - SMTP_HOST_PORT=465
-      - SMTP_USER_NAME={{ plausible_smtp_user }}
-      - SMTP_USER_PWD={{ plausible_smtp_password }}
+      - SMTP_USER_NAME={{ vault_plausible_smtp_user }}
+      - SMTP_USER_PWD={{ vault_plausible_smtp_password }}
      - SMTP_HOST_SSL_ENABLED=true

  clickhouse:
--- a/ansible/roles/plausible/vars/main.yml
+++ b/ansible/roles/plausible/vars/main.yml
@ -1,7 +0,0 @@
-plausible_secret_key: "{{ vault_plausible_secret_key }}"
-plausible_signing_salt: "{{ vault_plausible_signing_salt }}"
-plausible_google_client_id: "{{ vault_plausible_google_client_id }}"
-plausible_google_client_secret: "{{ vault_plausible_google_client_secret }}"
-plausible_from_email: "{{ vault_plausible_from_email }}"
-plausible_smtp_user: "{{ vault_plausible_smtp_user }}"
-plausible_smtp_password: "{{ vault_plausible_smtp_password }}"
--- a/ansible/roles/remark42/files/docker-compose.yml
+++ b/ansible/roles/remark42/files/docker-compose.yml
@ -13,15 +13,15 @@ services:
    environment:
      - APP_UID={{ docker_user.id }}
      - REMARK_URL=https://remark.theorangeone.net
-      - SECRET={{ remark_secret }}
-      - ADMIN_PASSWD={{ remark_admin_password }}
+      - SECRET={{ vault_remark_secret }}
+      - ADMIN_PASSWD={{ vault_remark_admin_password }}
      - SITE=theorangeone
      - TIME_ZONE={{ timezone }}
      - SMTP_HOST=smtp.eu.mailgun.org
-      - SMTP_USERNAME={{ remark_smtp_username }}
-      - SMTP_PASSWORD={{ remark_smtp_password }}
-      - NOTIFY_EMAIL_FROM={{ remark_from_email }}
-      - AUTH_EMAIL_FROM={{ remark_from_email }}
+      - SMTP_USERNAME={{ vault_remark_smtp_username }}
+      - SMTP_PASSWORD={{ vault_remark_smtp_password }}
+      - NOTIFY_EMAIL_FROM={{ vault_remark_from_email }}
+      - AUTH_EMAIL_FROM={{ vault_remark_from_email }}
      - SMTP_TLS=true
      - SMTP_PORT=465
      - ADMIN_EDIT=true
@ -30,10 +30,10 @@ services:
      - EMOJI=true
      - DISABLE_SIGNATURE=true
      - AUTH_ANON=true
-      - AUTH_GITHUB_CID={{ remark_github_client_id }}
-      - AUTH_GITHUB_CSEC={{ remark_github_client_secret }}
+      - AUTH_GITHUB_CID={{ vault_remark_github_client_id }}
+      - AUTH_GITHUB_CSEC={{ vault_remark_github_client_secret }}
      - ALLOWED_HOSTS=remark.theorangeone.net,theorangeone.net
-      - ADMIN_SHARED_EMAIL={{ remark_admin_email }}
+      - ADMIN_SHARED_EMAIL={{ vault_remark_admin_email }}
    volumes:
      - ./remark:/srv/var

--- a/ansible/roles/remark42/vars/main.yml
+++ b/ansible/roles/remark42/vars/main.yml
@ -1,8 +0,0 @@
-remark_github_client_id: "{{ vault_remark_github_client_id }}"
-remark_github_client_secret: "{{ vault_remark_github_client_secret }}"
-remark_smtp_username: "{{ vault_remark_smtp_username }}"
-remark_smtp_password: "{{ vault_remark_smtp_password }}"
-remark_from_email: "{{ vault_remark_from_email }}"
-remark_secret: "{{ vault_remark_secret }}"
-remark_admin_password: "{{ vault_remark_admin_password }}"
-remark_admin_email: "{{ vault_remark_admin_email }}"
--- a/ansible/roles/renovate/files/config.js
+++ b/ansible/roles/renovate/files/config.js
@ -1,6 +1,6 @@
 module.exports = {
  endpoint: 'https://git.theorangeone.net/',
-  token: '{{ renovate_gitea_token }}',
+  token: '{{ vault_renovate_gitea_token }}',
  platform: 'gitea',
  //dryRun: true,
  autodiscover: true,
--- a/ansible/roles/renovate/files/docker-compose.yml
+++ b/ansible/roles/renovate/files/docker-compose.yml
@ -6,7 +6,7 @@ services:
    user: "{{ docker_user.id }}"
    environment:
      - TZ={{ timezone }}
-      - GITHUB_COM_TOKEN={{ renovate_github_token }}
+      - GITHUB_COM_TOKEN={{ vault_renovate_github_token }}
      - DOCKER_HOST=tcp://docker_proxy:2375
      - LOG_LEVEL=debug  # Noisy, but required for debugging
    restart: unless-stopped
--- a/ansible/roles/renovate/vars/main.yml
+++ b/ansible/roles/renovate/vars/main.yml
@ -1,2 +0,0 @@
-renovate_gitea_token: "{{ vault_renovate_gitea_token }}"
-renovate_github_token: "{{ vault_renovate_github_token }}"
--- a/ansible/roles/restic/files/backrest.sh
+++ b/ansible/roles/restic/files/backrest.sh
@ -17,10 +17,10 @@ mkdir -p "$RESTIC_LOG_DIR"

 # Run backup, and capture logs to file
 cron_backup() {
-    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ restic_healthchecks_id }}/start
+    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ vault_restic_healthchecks_id }}/start
    restic --verbose backup --files-from=$HOME/restic-include.txt --exclude-file=$HOME/restic-excludes.txt | tee -a $RESTIC_LOG_FILE
    exit_code=${PIPESTATUS[0]}
-    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ restic_healthchecks_id }}/$exit_code --data-binary "@$RESTIC_LOG_FILE"
+    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ vault_restic_healthchecks_id }}/$exit_code --data-binary "@$RESTIC_LOG_FILE"
    echo "Exit code: $exit_code"
 }

@ -32,10 +32,10 @@ backup() {
 {% if restic_forget %}
 # Run forget and prune, and capture logs to file
 cron_forget() {
-    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ restic_forget_healthchecks_id }}/start
+    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ vault_restic_forget_healthchecks_id }}/start
    restic forget --prune $FORGET_OPTIONS | tee -a $RESTIC_LOG_FILE
    exit_code=${PIPESTATUS[0]}
-    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ restic_forget_healthchecks_id }}/$exit_code --data-binary "@$RESTIC_LOG_FILE"
+    curl -fsS -m 10 --retry 5 -o /dev/null {{ healthchecks_host }}/{{ vault_restic_forget_healthchecks_id }}/$exit_code --data-binary "@$RESTIC_LOG_FILE"
    echo "Exit code: $exit_code"
 }
 {% endif %}
--- a/ansible/roles/tandoor/files/docker-compose.yml
+++ b/ansible/roles/tandoor/files/docker-compose.yml
@ -7,7 +7,7 @@ services:
      - TIMEZONE={{ timezone }}
      - DEBUG=0
      - ALLOWED_HOSTS=recipes.jakehoward.tech
-      - SECRET_KEY={{ tandoor_secret_key }}
+      - SECRET_KEY={{ vault_tandoor_secret_key }}
      - DATABASE_URL=postgres://tandoor:tandoor@db:5432/tandoor
      - DB_ENGINE=django.db.backends.postgresql
      - POSTGRES_HOST=db
@ -17,10 +17,10 @@ services:
      - GUNICORN_MEDIA=1
      - EMAIL_HOST=smtp.eu.mailgun.org
      - EMAIL_PORT=465
-      - EMAIL_HOST_USER={{ tandoor_email_user }}
-      - EMAIL_HOST_PASSWORD={{ tandoor_email_password }}
+      - EMAIL_HOST_USER={{ vault_tandoor_email_user }}
+      - EMAIL_HOST_PASSWORD={{ vault_tandoor_email_password }}
      - EMAIL_USE_TLS=1
-      - DEFAULT_FROM_EMAIL={{ tandoor_email_from }}
+      - DEFAULT_FROM_EMAIL={{ vault_tandoor_email_from }}
    restart: unless-stopped
    labels:
      - traefik.enable=true
--- a/ansible/roles/tandoor/vars/main.yml
+++ b/ansible/roles/tandoor/vars/main.yml
@ -1,4 +0,0 @@
-tandoor_secret_key: "{{ vault_tandoor_secret_key }}"
-tandoor_email_user: "{{ vault_tandoor_email_user }}"
-tandoor_email_password: "{{ vault_tandoor_email_password }}"
-tandoor_email_from: "{{ vault_tandoor_email_from }}"
--- a/ansible/roles/traefik/files/docker-compose.yml
+++ b/ansible/roles/traefik/files/docker-compose.yml
@ -5,8 +5,8 @@ services:
    image: traefik:v2.10
    user: "{{ docker_user.id }}"
    environment:
-      - CF_DNS_API_TOKEN={{ cloudflare_api_token }}
-      - GANDIV5_API_KEY={{ gandi_api_key }}
+      - CF_DNS_API_TOKEN={{ vault_cloudflare_api_token }}
+      - GANDIV5_API_KEY={{ vault_gandi_api_key }}
    volumes:
      - /tmp/traefik-logs:/var/log/traefik
      - ./traefik:/etc/traefik
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@ -54,7 +54,7 @@ api:
 certificatesResolvers:
  le:
    acme:
-      email: "{{ letsencrypt_email }}"
+      email: "{{ vault_letsencrypt_email }}"
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
@ -65,7 +65,7 @@ certificatesResolvers:

  gandi:
    acme:
-      email: "{{ letsencrypt_email }}"
+      email: "{{ vault_letsencrypt_email }}"
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: gandiv5
--- a/ansible/roles/traefik/vars/main.yml
+++ b/ansible/roles/traefik/vars/main.yml
@ -1,3 +0,0 @@
-gandi_api_key: "{{ vault_gandi_api_key }}"
-letsencrypt_email: "{{ vault_letsencrypt_email }}"
-cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
--- a/ansible/roles/vikunja/files/docker-compose.yml
+++ b/ansible/roles/vikunja/files/docker-compose.yml
@ -11,7 +11,7 @@ services:
      - VIKUNJA_DATABASE_USER=vikunja
      - VIKUNJA_DATABASE_DATABASE=vikunja
      - VIKUNJA_SERVICE_FRONTENDURL=https://tasks.jakehoward.tech
-      - VIKUNJA_SERVICE_JWTSECRET="{{ jwt_secret }}"
+      - VIKUNJA_SERVICE_JWTSECRET="{{ vault_jwt_secret }}"
      - VIKUNJA_SERVICE_ENABLEREGISTRATION=false
      - VIKUNJA_SERVICE_TIMEZONE={{ timezone }}
      - VIKUNJA_REDIS_HOST=redis:6379
@ -19,9 +19,9 @@ services:
      - VIKUNJA_LOG_PATH=/dev/stdout
      - VIKUNJA_KEYVALUE_TYPE=redis
      - VIKUNJA_MAILER_ENABLED=true
-      - VIKUNJA_MAIL_FROMEMAIL={{ from_email }}
-      - VIKUNJA_MAILER_USERNAME={{ smtp_username }}
-      - VIKUNJA_MAILER_PASSWORD={{ smtp_password }}
+      - VIKUNJA_MAIL_FROMEMAIL={{ vault_from_email }}
+      - VIKUNJA_MAILER_USERNAME={{ vault_smtp_username }}
+      - VIKUNJA_MAILER_PASSWORD={{ vault_smtp_password }}
      - VIKUNJA_MAILER_HOST=smtp.eu.mailgun.org
      - TZ={{ timezone }}
      - PUID={{ docker_user.id }}
--- a/ansible/roles/vikunja/vars/main.yml
+++ b/ansible/roles/vikunja/vars/main.yml
@ -1,4 +0,0 @@
-jwt_secret: "{{ vault_jwt_secret }}"
-from_email: "{{ vault_from_email }}"
-smtp_username: "{{ vault_smtp_username }}"
-smtp_password: "{{ vault_smtp_password }}"
--- a/ansible/roles/website/files/docker-compose.yml
+++ b/ansible/roles/website/files/docker-compose.yml
@ -8,14 +8,14 @@ x-website: &website
  environment:
    - TZ={{ timezone }}
    - DEBUG=false
-    - SECRET_KEY={{ website_secret_key }}
+    - SECRET_KEY={{ vault_website_secret_key }}
    - DATABASE_URL=postgres://website:website@db/website?conn_max_age=600
    - CACHE_URL=redis://redis/0
    - QUEUE_STORE_URL=redis://redis/1
    - RENDITION_CACHE_URL=redis://redis/2
    - SPOTIFY_PROXY_URL=http://spotify_public_proxy
-    - UNSPLASH_CLIENT_ID={{ unsplash_client_id }}
-    - SENTRY_DSN={{ website_sentry_dsn }}
+    - UNSPLASH_CLIENT_ID={{ vault_unsplash_client_id }}
+    - SENTRY_DSN={{ vault_website_sentry_dsn }}
    - BASE_HOSTNAME=theorangeone.net
    - WEB_CONCURRENCY=3
    - SEO_INDEX=true
@ -80,9 +80,9 @@ services:
    restart: unless-stopped
    environment:
      - PORT=80
-      - SPOTIFY_CLIENT_ID={{ spotify_client_id }}
-      - SPOTIFY_CLIENT_SECRET={{ spotify_client_secret }}
-      - SENTRY_DSN={{ spotify_sentry_dsn }}
+      - SPOTIFY_CLIENT_ID={{ vault_spotify_client_id }}
+      - SPOTIFY_CLIENT_SECRET={{ vault_spotify_client_secret }}
+      - SENTRY_DSN={{ vault_spotify_sentry_dsn }}

 networks:
  traefik:
--- a/ansible/roles/website/vars/main.yml
+++ b/ansible/roles/website/vars/main.yml
@ -1,6 +0,0 @@
-website_secret_key: "{{ vault_website_secret_key }}"
-website_sentry_dsn: "{{ vault_website_sentry_dsn }}"
-unsplash_client_id: "{{ vault_unsplash_client_id }}"
-spotify_client_id: "{{ vault_spotify_client_id }}"
-spotify_client_secret: "{{ vault_spotify_client_secret }}"
-spotify_sentry_dsn: "{{ vault_spotify_sentry_dsn }}"
				`@ -1 +0,0 @@`
				`db_auto_backup_healthchecks_id: "{{ vault_db_auto_backup_healthchecks_id }}"`
				`@ -1 +0,0 @@`
				`gitea_runner_registration_token: "{{ vault_gitea_runner_registration_token }}"`
				`@ -1 +0,0 @@`
				`minio_root_password: "{{ vault_minio_root_password }}"`
				`@ -1 +0,0 @@`
				`pihole_web_password: "{{ vault_pihole_web_password }}"`