Context
The Proxmox API token is stored in plaintext in two places:
- ProxmoxHost.token_ref — plaintext column in SQLite, sent as PVEAPIToken={token_ref}.
- inventory/group_vars/proxmox.yml on the backend VM — the v0 Ansible path reads the Proxmox creds from plaintext here (and it's rewritten on deploy).
What
- Encrypt ProxmoxHost.token_ref at rest (app-level encryption or a secret-store reference), keeping the PVEAPIToken={…} usage at the call site.
- Move the v0 group_vars Proxmox creds into range42-deployment (vaulted); document the flow in range42-deployment/docs/.
Acceptance
- No plaintext Proxmox token in the DB or in the OSS repo inventory.
Companion issue: #75 covers the same "secrets at rest" theme for the git/Source PAT (Source.token_ref). These two together form the secrets-hardening cleanup; keep scopes separate (different subsystem, different token).
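
One way to check the acceptance criterion above, as an added example that is not part of the original issue or the project's code: a scan that flags values still shaped like a full Proxmox API token (USER@REALM!TOKENID=UUID, the form sent after PVEAPIToken=). The table name `proxmox_host`, the `id` column, the `enc:v1:` and `secret://` placeholder formats, the YAML key names and all sample values are assumptions constructed for the example.

```python
import re
import sqlite3

# A full Proxmox API token has the shape USER@REALM!TOKENID=UUID.
PVE_TOKEN_RE = re.compile(
    r"[\w.-]+@[\w.-]+![\w.-]+=[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}",
    re.IGNORECASE,
)

def plaintext_token_rows(conn, table="proxmox_host", column="token_ref"):
    """Return ids of rows whose column still holds a plaintext-looking token.
    Table and column names are assumptions and must come from trusted code."""
    rows = conn.execute(f'SELECT id, "{column}" FROM "{table}"')
    return [row_id for row_id, value in rows
            if value and PVE_TOKEN_RE.search(str(value))]

def plaintext_token_lines(text):
    """Return 1-based line numbers of inventory text containing a plaintext token."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if PVE_TOKEN_RE.search(line)]

def build_sample_db():
    """Constructed in-memory database standing in for the application's SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE proxmox_host (id INTEGER PRIMARY KEY, name TEXT, token_ref TEXT)")
    conn.executemany(
        "INSERT INTO proxmox_host (name, token_ref) VALUES (?, ?)",
        [
            ("pve-a", "svc@pve!range=00000000-0000-4000-8000-000000000000"),  # plaintext
            ("pve-b", "enc:v1:Z0FBQUFBQm9leGFtcGxl"),  # hypothetical ciphertext envelope
            ("pve-c", "secret://proxmox/pve-c"),       # hypothetical secret-store reference
            ("pve-d", None),                           # no token configured
        ],
    )
    return conn

# Constructed stand-in for inventory/group_vars/proxmox.yml before the move.
SAMPLE_GROUP_VARS = """\
proxmox_api_host: pve-a.example.internal
proxmox_api_token: "svc@pve!range=00000000-0000-4000-8000-000000000000"
proxmox_node: pve-a
"""

if __name__ == "__main__":
    print("DB rows with plaintext token:", plaintext_token_rows(build_sample_db()))
    print("inventory lines with plaintext token:", plaintext_token_lines(SAMPLE_GROUP_VARS))
```

A token stored as separate id and secret fields would not match this pattern, so the check is a heuristic for the single-string form the issue describes.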