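# Secrets onboarding role defaults
# This role bootstraps Ansible Vault infrastructure for safe credential storage.
# All paths and file modes are defined as idempotent defaults for single-vault
# (all hosts) scoping. As role defaults, every value here has the lowest
# precedence and can be overridden from inventory or play vars.
---
# Vault infrastructure paths
# NOTE(review): lookup('env', ...) and playbook_dir are evaluated on the
# controller, so these are controller-local paths — confirm that the tasks
# consuming them run locally (or delegate) rather than on managed hosts.
# If HOME is unset the env lookup yields an empty string and vault_base_dir
# becomes "/.ansible/vault"; a `default=` argument to the env lookup
# (ansible-core 2.13+) can guard against that if needed.
vault_base_dir: "{{ lookup('env', 'HOME') }}/.ansible/vault"
vault_password_file: "{{ vault_base_dir }}/password"
vault_encrypted_file: "{{ playbook_dir }}/../group_vars/vault/all.yml"
vault_vars_dir: "{{ playbook_dir }}/../group_vars/vault"

# File and directory security modes.
# Quoted on purpose: an unquoted 0700 is read by YAML 1.1 loaders (PyYAML,
# which Ansible uses) as the integer 448, not the string "0700", which
# changes the mode the file module receives. Keep these as strings.
vault_dir_mode: "0700"  # Owner read/write/execute only
vault_password_file_mode: "0600"  # Owner read/write only
vault_file_mode: "0600"  # Owner read/write only (encrypted vars file)

# Optional enforcement controls for production readiness
# Presumably, when vault_require_encrypted_vars_file is true the role fails
# if vault_encrypted_file is absent, and vault_encrypted_vars_required_keys
# lists variable names that must exist inside it (empty list = no key
# check) — verify against the role's validation task.
vault_require_encrypted_vars_file: false
vault_encrypted_vars_required_keys: []

# Onboarding behavior toggles
# Set create_example_vault to true to create an example encrypted var during
# the first run. vault_skip_validation disables the role's assert checks and
# should stay false outside of experiments.
create_example_vault: false
vault_skip_validation: false

# Example variable names (for documentation and learning).
# These are referenced in the vault validation task; they are names only,
# no values are defined here.
example_vault_variables:
  - grafana_admin_password
  - authentik_outpost_dozzle_token
  - docker_registry_password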