linderhof/inventory/group_vars/all/vault.yml.setup

---
# ============================================================
# Linderhof Secrets
# ============================================================
# Generated by setup.sh
# Edit with: ansible-vault edit $LINDERHOF_DIR/group_vars/all/vault.yml
# ============================================================

# system
root_password: "$root_password"
admin_password: "$admin_password"

# hetzner
hcloud_token: "$hcloud_token"

# mail
# passwords generated with: openssl rand -base64 32
mail_passwords:
  $admin_user@$domain: "$admin_mail_password"
  git@$domain: "$git_mail_password"
  notifications@$domain: "$notifications_mail_password"
rspamd_web_password: "$rspamd_web_password"
rainloop_admin_password: "$rainloop_admin_password"

# forgejo
# keys generated with: openssl rand -hex 32
forgejo_secret_key: "$forgejo_secret_key"
forgejo_internal_token: "$forgejo_internal_token"
forgejo_jwt_secret: "$forgejo_jwt_secret"
forgejo_smtp_password: "$notifications_mail_password"

# monitoring
# password generated with: openssl rand -base64 32
grafana_admin_password: "$grafana_admin_password"

# tuwunel
# token generated with: openssl rand -base64 32
tuwunel_registration_token: "$tuwunel_registration_token"

# radicale
# password generated with: openssl rand -base64 32
radicale_password: "$radicale_password"

# goaccess
# password generated with: openssl rand -base64 32
goaccess_password: "$goaccess_password"

# diun (uses the notifications mail account)
diun_email_password: "$notifications_mail_password"

# restic
# password generated with: openssl rand -base64 32
restic_password: "$restic_password"

# fail2ban (optional — IPs/CIDRs to whitelist)
# fail2ban_ignoreip: "your-home-ip/32"

# DKIM public keys — add after first mail deployment:
#   docker exec mailserver cat /tmp/docker-mailserver/rspamd/dkim/$domain/mail.pub
# Format: "v=DKIM1; k=rsa; p=<base64 public key>"
# dkim_keys:
#   $domain: "v=DKIM1; k=rsa; p=..."