infra/main: clean up database_users output

infra/main/main.tf

@@ -57,10 +57,29 @@ module "digitalocean_database_cluster" {
   digitalocean_region = var.region
 }
 
-# TODO: make it output a Kubernetes Secret in env var format, can be piped into
+# `jq .database_users.value.forgejo | sops --encrypt`
-# `jq .database_users.value.forgejo | sops --encrypt` for nice secret gen
-# Ref: https://github.com/RyanSquared/gitops/blob/b8305292f215f6fe0bed170550b9b869302ab9e2/environments/production/kustomizations/forgejo/forgejo-config.enc.yaml
 output "database_users" {
-  value = module.digitalocean_database_cluster.database_users
+  value = {
+    for db_user in module.digitalocean_database_cluster.database_users:
+    db_user.name => {
+      apiVersion = "v1",
+      kind = "Secret",
+      metadata = {
+        name = "database-configuration",
+      },
+      stringData = {
+        name = db_user.name,
+        dbname = db_user.name,
+        host = module.digitalocean_database_cluster.database_cluster.private_host,
+        port = module.digitalocean_database_cluster.database_cluster.port,
+        password = db_user.password,
+      }
+    }
+  }
+  sensitive = true
+}
+
+output "database" {
+  value = module.digitalocean_database_cluster.database_cluster
   sensitive = true
 }