ansible/inventories/production/group_vars/all/vault.example.yml

---
# Example vault values for Proxmox app projects.
#
# Copy required keys into your encrypted vault:
#   make edit-group-vault
#
# Never commit real secrets unencrypted.

# Proxmox API
vault_proxmox_host: "10.0.10.201"
vault_proxmox_user: "root@pam"
vault_proxmox_node: "pve"
vault_proxmox_password: "CHANGE_ME"

# Optional token auth (recommended if you use it)
# vault_proxmox_token_id: "root@pam!ansible"
# vault_proxmox_token: "CHANGE_ME"

# SSH public key for appuser (workstation key)
vault_ssh_public_key: "ssh-ed25519 AAAA... you@example"

# LXC create bootstrap password (often required by Proxmox)
vault_lxc_root_password: "CHANGE_ME"

# -----------------------------------------------------------------------------
# POTE (python/venv + cron) secrets
# -----------------------------------------------------------------------------
# Private key used for cloning from Gitea (deploy key). Store as a multi-line block.
vault_pote_git_ssh_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  CHANGE_ME
  -----END OPENSSH PRIVATE KEY-----

# Environment-specific DB passwords (used by roles/pote)
vault_pote_db_password_dev: "CHANGE_ME"
vault_pote_db_password_qa: "CHANGE_ME"
vault_pote_db_password_prod: "CHANGE_ME"

# SMTP password for reports
vault_pote_smtp_password: "CHANGE_ME"

# -----------------------------------------------------------------------------
# Mirrormatch (Prisma/Node backend) secrets
# -----------------------------------------------------------------------------
# Optional deploy key for private repo access
vault_mirrormatch_git_ssh_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  CHANGE_ME
  -----END OPENSSH PRIVATE KEY-----

# Per-environment database URLs (use external Postgres VM/cluster)
vault_mirrormatch_database_url_dev: "postgresql://mm_dev_user:CHANGE_ME@10.0.10.181:5432/mirrormatch_dev"
vault_mirrormatch_database_url_qa: "postgresql://mm_qa_user:CHANGE_ME@10.0.10.181:5432/mirrormatch_qa"
vault_mirrormatch_database_url_prod: "postgresql://mm_prod_user:CHANGE_ME@10.0.10.181:5432/mirrormatch_prod"

# Optional shadow DB URLs if your Prisma workflow needs them
vault_mirrormatch_shadow_database_url_dev: "postgresql://mm_dev_shadow:CHANGE_ME@10.0.10.181:5432/mirrormatch_dev_shadow"
vault_mirrormatch_shadow_database_url_qa: "postgresql://mm_qa_shadow:CHANGE_ME@10.0.10.181:5432/mirrormatch_qa_shadow"
vault_mirrormatch_shadow_database_url_prod: "postgresql://mm_prod_shadow:CHANGE_ME@10.0.10.181:5432/mirrormatch_prod_shadow"

# NEXTAUTH secrets per env
vault_mirrormatch_nextauth_secret_dev: "CHANGE_ME"
vault_mirrormatch_nextauth_secret_qa: "CHANGE_ME"
vault_mirrormatch_nextauth_secret_prod: "CHANGE_ME"

# SMTP (prod)
vault_mirrormatch_smtp_host: "smtp.example.com"
vault_mirrormatch_smtp_port: "587"
vault_mirrormatch_smtp_user: "smtp-user"
vault_mirrormatch_smtp_password: "CHANGE_ME"
vault_mirrormatch_smtp_from: "MirrorMatch <noreply@mirrormatch.com>"

# -----------------------------------------------------------------------------
# punimTag (monorepo) secrets
# -----------------------------------------------------------------------------
# Optional deploy key for private repo access
vault_punimtag_git_ssh_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  CHANGE_ME
  -----END OPENSSH PRIVATE KEY-----

# Per-environment database URLs (use external Postgres at 10.0.10.181:5432)
vault_punimtag_database_url_dev: "postgresql://punimtag_dev_user:CHANGE_ME@10.0.10.181:5432/punimtag_dev"
vault_punimtag_database_url_qa: "postgresql://punimtag_qa_user:CHANGE_ME@10.0.10.181:5432/punimtag_qa"
vault_punimtag_database_url_prod: "postgresql://punimtag_prod_user:CHANGE_ME@10.0.10.181:5432/punimtag_prod"