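---
# =============================================================================
# Production Environment - Encrypted Secrets (EXAMPLE)
# =============================================================================
#
# This is an EXAMPLE vault file. To use:
#
#   1. Copy this file to vault.yml:
#        cp vault.yml.example vault.yml
#
#   2. Fill in actual values (replace CHANGEME placeholders)
#
#   3. Encrypt with ansible-vault:
#        ansible-vault encrypt inventories/production/group_vars/all/vault.yml
#
#   4. Edit encrypted vault:
#        ansible-vault edit inventories/production/group_vars/all/vault.yml
#
#   5. Use in playbooks with --ask-vault-pass or --vault-password-file
#
# Every value below is a placeholder. The committed example must never carry a
# real credential: anything that is not a CHANGEME placeholder is stored in
# plain text in version control and has to be treated as compromised.
#
# =============================================================================

# -----------------------------------------------------------------------------
# User Credentials
# -----------------------------------------------------------------------------

# Ansible service account SSH key (the value shown is a truncated placeholder)
vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... ansible@example.com"

# Login password for the ansible service account; referenced by the usage
# example at the bottom of this file
vault_ansible_user_password: "CHANGEME_ANSIBLE_USER_PASSWORD"

# Root password for console access (if needed)
vault_root_password: "CHANGEME_STRONG_PASSWORD"

# Ansible user sudo password (if passwordless sudo not configured)
vault_ansible_become_password: "CHANGEME_SUDO_PASSWORD"

# -----------------------------------------------------------------------------
# API Tokens and Keys
# -----------------------------------------------------------------------------

# Cloud Provider API Tokens
vault_aws_access_key_id: "CHANGEME_AWS_ACCESS_KEY"
vault_aws_secret_access_key: "CHANGEME_AWS_SECRET_KEY"
vault_azure_subscription_id: "CHANGEME_AZURE_SUBSCRIPTION"
vault_azure_client_id: "CHANGEME_AZURE_CLIENT_ID"
vault_azure_secret: "CHANGEME_AZURE_SECRET"
vault_azure_tenant: "CHANGEME_AZURE_TENANT"
vault_gcp_service_account_key: "CHANGEME_GCP_JSON_KEY"
vault_digitalocean_token: "CHANGEME_DO_TOKEN"

# CMDB API Tokens
vault_netbox_api_token: "CHANGEME_NETBOX_TOKEN"
vault_servicenow_api_token: "CHANGEME_SERVICENOW_TOKEN"

# Git/Repository Credentials
# NOTE(review): an earlier revision of this example shipped a non-placeholder
# username and password here (the same pair was reused for the mail settings
# below). A secret that has ever been committed in the clear must be rotated,
# not merely replaced by a placeholder.
vault_gitea_username: "CHANGEME_GITEA_USERNAME"
vault_gitea_password: "CHANGEME_GITEA_PASSWORD"
vault_gitea_api_token: "CHANGEME_GITEA_TOKEN"

# Email Configuration
# Use a distinct credential per service; do not share one password between
# the Git, mail and SMTP accounts.
vault_mailcow_username: "CHANGEME_MAILCOW_USERNAME"
vault_mailcow_password: "CHANGEME_MAILCOW_PASSWORD"
vault_smtp_username: "CHANGEME_SMTP_USERNAME"
vault_smtp_password: "CHANGEME_SMTP_PASSWORD"

# -----------------------------------------------------------------------------
# Database Credentials
# -----------------------------------------------------------------------------
vault_mysql_root_password: "CHANGEME_MYSQL_ROOT"
vault_mysql_replication_password: "CHANGEME_MYSQL_REPL"
vault_postgresql_postgres_password: "CHANGEME_PG_POSTGRES"
vault_postgresql_replication_password: "CHANGEME_PG_REPL"
vault_mongodb_admin_password: "CHANGEME_MONGO_ADMIN"
vault_redis_password: "CHANGEME_REDIS_PASSWORD"

# -----------------------------------------------------------------------------
# Application Secrets
# -----------------------------------------------------------------------------
vault_app_secret_key: "CHANGEME_APP_SECRET_32_CHARS_MIN"
vault_app_api_key: "CHANGEME_APP_API_KEY"
vault_app_jwt_secret: "CHANGEME_JWT_SECRET"

# -----------------------------------------------------------------------------
# SSL/TLS Certificates
# -----------------------------------------------------------------------------

# Private key for SSL certificates (PEM format).
# Literal block scalar: line breaks are preserved, so paste the PEM as-is.
vault_ssl_private_key: |
  -----BEGIN PRIVATE KEY-----
  CHANGEME_SSL_PRIVATE_KEY_CONTENT
  -----END PRIVATE KEY-----

# SSL certificate chain
vault_ssl_certificate: |
  -----BEGIN CERTIFICATE-----
  CHANGEME_SSL_CERTIFICATE_CONTENT
  -----END CERTIFICATE-----

# Certificate authority certificate
vault_ssl_ca_certificate: |
  -----BEGIN CERTIFICATE-----
  CHANGEME_CA_CERTIFICATE_CONTENT
  -----END CERTIFICATE-----

# -----------------------------------------------------------------------------
# Monitoring and Logging
# -----------------------------------------------------------------------------
vault_grafana_admin_password: "CHANGEME_GRAFANA_ADMIN"
vault_prometheus_auth_token: "CHANGEME_PROMETHEUS_TOKEN"
vault_zabbix_api_token: "CHANGEME_ZABBIX_TOKEN"
vault_elasticsearch_password: "CHANGEME_ELASTIC_PASSWORD"
vault_kibana_encryption_key: "CHANGEME_KIBANA_32_CHAR_KEY"

# -----------------------------------------------------------------------------
# Backup and Recovery
# -----------------------------------------------------------------------------
vault_backup_encryption_key: "CHANGEME_BACKUP_ENCRYPTION_KEY"
vault_s3_backup_access_key: "CHANGEME_S3_BACKUP_ACCESS"
vault_s3_backup_secret_key: "CHANGEME_S3_BACKUP_SECRET"

# -----------------------------------------------------------------------------
# External Services
# -----------------------------------------------------------------------------
vault_slack_webhook_url: "https://hooks.slack.com/services/CHANGEME"
vault_pagerduty_api_key: "CHANGEME_PAGERDUTY_KEY"
vault_datadog_api_key: "CHANGEME_DATADOG_KEY"
vault_datadog_app_key: "CHANGEME_DATADOG_APP_KEY"

# -----------------------------------------------------------------------------
# Encryption Keys
# -----------------------------------------------------------------------------
vault_luks_passphrase: "CHANGEME_LUKS_PASSPHRASE"
vault_gpg_passphrase: "CHANGEME_GPG_PASSPHRASE"

# =============================================================================
# Usage in Playbooks
# =============================================================================
#
# Reference vault variables in your playbooks and roles. Set `no_log: true` on
# tasks that pass these values so they are not echoed in verbose task output.
#
#   - name: Create user with vault password
#     user:
#       name: ansible
#       password: "{{ vault_ansible_user_password | password_hash('sha512') }}"
#     no_log: true
#
#   - name: Configure database
#     mysql_db:
#       login_password: "{{ vault_mysql_root_password }}"
#     no_log: true
#
# =============================================================================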