# Template for your Ansible Vault secrets file.
# Copy to vault.yml, fill in values, then encrypt:
#   ansible-vault encrypt vault.yml
# Edit later with:
#   ansible-vault edit vault.yml

# ── MQTT ─────────────────────────────────────────────────────────────────────
vault_mqtt_c2_user: drb-c2-core
vault_mqtt_c2_pass: "CHANGE_ME"
vault_mqtt_node_user: drb-node
vault_mqtt_node_pass: "CHANGE_ME"

# ── C2 Core ───────────────────────────────────────────────────────────────────
vault_service_key: ""            # openssl rand -hex 32
vault_node_api_key: ""           # openssl rand -hex 32
vault_openai_api_key: ""
vault_google_maps_api_key: ""
vault_gemini_api_key: ""
vault_gcs_bucket: "your-gcs-bucket-name"
vault_firestore_database: "c2-server"

# ── Gitea Container Registry ──────────────────────────────────────────────────
vault_registry_host: "git.vpn.cusano.net"
vault_registry_user: "logan"
vault_registry_token: ""                                   # Gitea access token with package:write scope
vault_registry: "git.vpn.cusano.net/logan"                # full image prefix

# ── Discord Bot ───────────────────────────────────────────────────────────────
vault_discord_token: ""

# ── Frontend (Firebase) ───────────────────────────────────────────────────────
vault_firebase_api_key: ""
vault_firebase_auth_domain: ""
vault_firebase_project_id: ""
vault_firebase_storage_bucket: ""
vault_firebase_messaging_sender_id: ""
vault_firebase_app_id: ""

# No GCP key needed — the VM uses Application Default Credentials via the
# GCE metadata server. Terraform grants the required IAM roles at apply time.