From 825ed29b25105a4ae5f53d2d31c267cb75e178d6 Mon Sep 17 00:00:00 2001
From: Pieter <pieter@kolabnow.com>
Date: Tue, 20 Jan 2026 21:46:18 +0100
Subject: [PATCH] security: Remove exposed Kuma API key from defaults
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The API key was not used by the automation (which uses username/password
from shared_secrets instead) and should not be in version control.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 ansible/roles/kuma/defaults/main.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/ansible/roles/kuma/defaults/main.yml b/ansible/roles/kuma/defaults/main.yml
index 97ca4c0..bb1d59c 100644
--- a/ansible/roles/kuma/defaults/main.yml
+++ b/ansible/roles/kuma/defaults/main.yml
@@ -3,13 +3,10 @@
 kuma_enabled: true
 kuma_url: "https://status.vrije.cloud"
 
-# Authentication options:
-# Option 1: Username/Password (required for Socket.io API used by Python library)
-kuma_username: ""  # Set this for automated registration
-kuma_password: ""  # Set this for automated registration
-
-# Option 2: API Key (only for REST endpoints like /metrics, not for monitor management)
-kuma_api_key: "uk1_H2YjQsSG8em8GG9G9c0arQogSizXI1CRPNgTEUlU"
+# Authentication - credentials loaded from shared_secrets in tasks/main.yml
+# Uses username/password (required for Socket.io API used by Python library)
+kuma_username: ""  # Loaded from shared_secrets.kuma_username
+kuma_password: ""  # Loaded from shared_secrets.kuma_password
 
 # Monitors to create for each client
 kuma_monitors: