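# Secrets onboarding role defaults
#
# This role bootstraps Ansible Vault infrastructure for safe credential storage.
#
# All paths and file modes are idempotent defaults for single-vault (all hosts)
# scoping. Every path is Jinja-templated and quoted so YAML cannot misparse the
# leading "{{", and every mode is an octal *string*: an unquoted 0600 would be
# read as the decimal integer 384 by YAML 1.1 loaders and applied as such.
---

# Vault infrastructure paths
#
# NOTE(review): lookup('env', 'HOME') expands to '' when HOME is unset (some CI
# runners and systemd-launched jobs), which would place the vault under
# "/.ansible/vault". Run the role with HOME set or override vault_base_dir.
vault_base_dir: "{{ lookup('env', 'HOME') }}/.ansible/vault"

# Plaintext vault password. It lives on the controller, outside the repository,
# and is protected only by vault_password_file_mode below - never commit it.
vault_password_file: "{{ vault_base_dir }}/password"

# Directory holding the encrypted vars file(s) for this playbook.
vault_vars_dir: "{{ playbook_dir }}/../group_vars/vault"

# Encrypted vars file. Derived from vault_vars_dir so the two cannot drift apart
# when only one of them is overridden (override vault_encrypted_file explicitly
# if the file must live elsewhere).
# NOTE(review): presumably loaded explicitly by the role (e.g. include_vars).
# Ansible's automatic group_vars discovery would bind group_vars/vault/*.yml to
# an inventory group named "vault", not to all hosts - confirm which applies.
vault_encrypted_file: "{{ vault_vars_dir }}/all.yml"

# File and directory security modes (octal strings for Jinja2)
vault_dir_mode: "0700"            # Owner read/write/execute only
vault_password_file_mode: "0600"  # Owner read/write only
vault_file_mode: "0600"           # Owner read/write only (encrypted vars file)

# Optional enforcement controls for production readiness
#
# vault_require_encrypted_vars_file: presumably makes the role fail instead of
# continuing when vault_encrypted_file is absent - confirm in tasks/. Defaults
# to false for first-run onboarding; set it to true in production inventories.
vault_require_encrypted_vars_file: false
# vault_encrypted_vars_required_keys: variable names that must be present in the
# encrypted vars file. An empty list disables the key check.
vault_encrypted_vars_required_keys: []

# Onboarding behavior toggles
create_example_vault: false   # Set to true to create example encrypted var during first run
# Leave false: the assert tasks are presumably what catch a missing or
# mis-permissioned password file and an unencrypted vars file; with validation
# skipped those conditions go unnoticed (confirm the exact checks in tasks/).
vault_skip_validation: false  # Set to true to skip assert checks (not recommended)

# Example variable names (for documentation and learning)
# These are referenced in the vault validation task. They are names only - the
# corresponding values belong in the encrypted vars file, never in this
# plaintext defaults file.
example_vault_variables:
  - grafana_admin_password
  - authentik_outpost_dozzle_token
  - docker_registry_password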