tofu fmt

apps/example-dev.tfvars

@@ -1,11 +1,11 @@
 # ─── Remote Host ──────────────────────────────────────────────────────────────
-ssh_host     = "dev-server.example.com"
-ssh_user     = "deploy"
+ssh_host = "dev-server.example.com"
+ssh_user = "deploy"
 # ssh_key_path is supplied at runtime by CI/CD from gopass — not stored here.
 
 # ─── App Identity ─────────────────────────────────────────────────────────────
 app_name    = "myapp"
-environment = "dev"   # ephemeral containers, no persistent volumes
+environment = "dev" # ephemeral containers, no persistent volumes
 
 # ─── OpenResty: bind_mount mode ───────────────────────────────────────────────
 # Mount a directory that already exists on the remote server.
@@ -17,7 +17,7 @@ openresty_external_port      = 8080
 # ─── PostgreSQL ───────────────────────────────────────────────────────────────
 db_name     = "myapp_dev"
 db_user     = "myapp"
-db_password = "changeme-dev"   # use gopass / CI secret for real deployments
+db_password = "changeme-dev" # use gopass / CI secret for real deployments
 
 # ─── Images (optional overrides) ──────────────────────────────────────────────
 # postgres_image = "postgres:16-alpine"

apps/example-prod.tfvars

@@ -1,25 +1,25 @@
 # ─── Remote Host ──────────────────────────────────────────────────────────────
-ssh_host     = "prod-server.example.com"
-ssh_user     = "deploy"
+ssh_host = "prod-server.example.com"
+ssh_user = "deploy"
 # ssh_key_path is supplied at runtime by CI/CD from gopass — not stored here.
 
 # ─── App Identity ─────────────────────────────────────────────────────────────
 app_name    = "myapp"
-environment = "prod"  # named Docker volumes, data persists across container restarts
+environment = "prod" # named Docker volumes, data persists across container restarts
 
 # ─── OpenResty: git_clone mode ────────────────────────────────────────────────
 # The OpenResty Alpine image starts, installs git via apk, then clones the repo.
 # Pin to a tag or full commit SHA — never use a branch name in prod.
 # The repo must contain an 'openresty/' directory with a valid nginx.conf.
-openresty_source_type   = "git_clone"
-openresty_git_repo      = "https://gitea.example.com/myorg/myapp-openresty.git"
-openresty_git_ref       = "v1.4.2"           # pinned tag — never 'main' in prod
+openresty_source_type = "git_clone"
+openresty_git_repo    = "https://gitea.example.com/myorg/myapp-openresty.git"
+openresty_git_ref     = "v1.4.2" # pinned tag — never 'main' in prod
 # openresty_git_token is supplied at runtime by CI/CD from gopass — not stored here.
 openresty_external_port = 80
 
 # ─── PostgreSQL ───────────────────────────────────────────────────────────────
-db_name     = "myapp_prod"
-db_user     = "myapp"
+db_name = "myapp_prod"
+db_user = "myapp"
 # db_password is supplied at runtime by CI/CD from gopass — not stored here.
 
 # ─── Images (optional overrides) ──────────────────────────────────────────────

k8s/apps/example-nodered.tfvars

@@ -16,7 +16,7 @@ init_container_image = "gitea.example.com/myorg/mynodered-init:v1.2.0"
 init_data_src_path   = "/app-data"
 
 # ─── Storage ──────────────────────────────────────────────────────────────────
-storage_class = "local-path"   # k3s default provisioner
+storage_class = "local-path" # k3s default provisioner
 app_pvc_size  = "2Gi"
 
 # ─── Ingress (Traefik) ────────────────────────────────────────────────────────

k8s/tests/k8s_validation.tftest.hcl

@@ -48,8 +48,8 @@ run "valid_with_rabbitmq" {
 run "valid_prod_environment" {
   command = plan
   variables {
-    environment     = "prod"
-    enable_rabbitmq = true
+    environment       = "prod"
+    enable_rabbitmq   = true
     rabbitmq_password = "rabbit-secret"
   }
 }

k8s/variables.tf

@@ -92,9 +92,9 @@ variable "loki_endpoint" {
 
 variable "loki_auth_token" {
   description = "Bearer token for Loki. Leave empty for unauthenticated Loki."
-  type      = string
-  default   = ""
-  sensitive = true
+  type        = string
+  default     = ""
+  sensitive   = true
 }
 
 # ─── RabbitMQ ─────────────────────────────────────────────────────────────────
@@ -119,9 +119,9 @@ variable "rabbitmq_user" {
 
 variable "rabbitmq_password" {
   description = "RabbitMQ default user password."
-  type      = string
-  sensitive = true
-  default   = ""
+  type        = string
+  sensitive   = true
+  default     = ""
 }
 
 variable "rabbitmq_vhost" {

modules/app-k8s-nodered-rabbitmq/variables.tf

@@ -83,9 +83,9 @@ variable "loki_endpoint" {
 
 variable "loki_auth_token" {
   description = "Bearer token for Loki authentication. Leave empty for unauthenticated Loki."
-  type      = string
-  default   = ""
-  sensitive = true
+  type        = string
+  default     = ""
+  sensitive   = true
 }
 
 # ─── RabbitMQ (optional) ──────────────────────────────────────────────────────
@@ -110,9 +110,9 @@ variable "rabbitmq_user" {
 
 variable "rabbitmq_password" {
   description = "RabbitMQ default user password."
-  type      = string
-  sensitive = true
-  default   = ""
+  type        = string
+  sensitive   = true
+  default     = ""
 }
 
 variable "rabbitmq_vhost" {

modules/app-openresty-pg-redis/variables.tf

@@ -48,8 +48,8 @@ variable "openresty_remote_config_path" {
     Absolute path on the REMOTE HOST to mount as /usr/local/openresty/nginx/conf inside the container.
     Only used when openresty_source_type = 'bind_mount'.
   EOT
-  type    = string
-  default = ""
+  type        = string
+  default     = ""
 }
 
 # ─── OpenResty: local_build options ───────────────────────────────────────────
@@ -60,8 +60,8 @@ variable "openresty_local_build_context" {
     The context is transferred to the remote Docker daemon over SSH and built there.
     Only used when openresty_source_type = 'local_build'.
   EOT
-  type    = string
-  default = ""
+  type        = string
+  default     = ""
 }
 
 variable "openresty_dockerfile" {
@@ -78,8 +78,8 @@ variable "openresty_git_repo" {
     Only used when openresty_source_type = 'git_clone'.
     The cloned repo must contain an 'openresty/' directory with a valid nginx.conf.
   EOT
-  type    = string
-  default = ""
+  type        = string
+  default     = ""
 }
 
 variable "openresty_git_ref" {
@@ -89,8 +89,8 @@ variable "openresty_git_ref" {
     could contain different code each time the container is recreated).
     Only used when openresty_source_type = 'git_clone'.
   EOT
-  type    = string
-  default = ""
+  type        = string
+  default     = ""
 
   validation {
     condition = var.openresty_git_ref == "" || !contains(
@@ -107,9 +107,9 @@ variable "openresty_git_token" {
     Injected into the clone URL as oauth2:<token>@.
     Only used when openresty_source_type = 'git_clone'.
   EOT
-  type      = string
-  default   = ""
-  sensitive = true
+  type        = string
+  default     = ""
+  sensitive   = true
 }
 
 # ─── Networking & Ports ───────────────────────────────────────────────────────
@@ -133,8 +133,8 @@ variable "db_user" {
 
 variable "db_password" {
   description = "PostgreSQL password."
-  type      = string
-  sensitive = true
+  type        = string
+  sensitive   = true
 }
 
 variable "postgres_image" {

variables.tf

@@ -89,9 +89,9 @@ variable "openresty_git_ref" {
 
 variable "openresty_git_token" {
   description = "Optional auth token for private git repos (git_clone mode)."
-  type      = string
-  default   = ""
-  sensitive = true
+  type        = string
+  default     = ""
+  sensitive   = true
 }
 
 # ─── PostgreSQL ───────────────────────────────────────────────────────────────
@@ -108,8 +108,8 @@ variable "db_user" {
 
 variable "db_password" {
   description = "PostgreSQL password."
-  type      = string
-  sensitive = true
+  type        = string
+  sensitive   = true
 }
 
 variable "postgres_image" {