infra-automation/inventories/production/group_vars/all/vault.yml.example

---
# =============================================================================
# Production Environment - Encrypted Secrets (EXAMPLE)
# =============================================================================
#
# This is an EXAMPLE vault file. To use:
#
# 1. Copy this file to vault.yml:
#    cp vault.yml.example vault.yml
#
# 2. Fill in actual values (replace CHANGEME placeholders)
#
# 3. Encrypt with ansible-vault:
#    ansible-vault encrypt inventories/production/group_vars/all/vault.yml
#
# 4. Edit encrypted vault:
#    ansible-vault edit inventories/production/group_vars/all/vault.yml
#
# 5. Use in playbooks with --ask-vault-pass or --vault-password-file
#
# =============================================================================

# -----------------------------------------------------------------------------
# User Credentials
# -----------------------------------------------------------------------------

# Ansible service account SSH key
vault_ansible_user_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ... ansible@example.com"

# Root password for console access (if needed)
vault_root_password: "CHANGEME_STRONG_PASSWORD"

# Ansible user sudo password (if passwordless sudo not configured)
vault_ansible_become_password: "CHANGEME_SUDO_PASSWORD"

# -----------------------------------------------------------------------------
# API Tokens and Keys
# -----------------------------------------------------------------------------

# Cloud Provider API Tokens
vault_aws_access_key_id: "CHANGEME_AWS_ACCESS_KEY"
vault_aws_secret_access_key: "CHANGEME_AWS_SECRET_KEY"

vault_azure_subscription_id: "CHANGEME_AZURE_SUBSCRIPTION"
vault_azure_client_id: "CHANGEME_AZURE_CLIENT_ID"
vault_azure_secret: "CHANGEME_AZURE_SECRET"
vault_azure_tenant: "CHANGEME_AZURE_TENANT"

vault_gcp_service_account_key: "CHANGEME_GCP_JSON_KEY"

vault_digitalocean_token: "CHANGEME_DO_TOKEN"

# CMDB API Tokens
vault_netbox_api_token: "CHANGEME_NETBOX_TOKEN"
vault_servicenow_api_token: "CHANGEME_SERVICENOW_TOKEN"

# Git/Repository Credentials
vault_gitea_username: "ansible@mymx.me"
vault_gitea_password: "79,;,metOND"
vault_gitea_api_token: "CHANGEME_GITEA_TOKEN"

# Email Configuration
vault_mailcow_username: "ansible@mymx.me"
vault_mailcow_password: "79,;,metOND"
vault_smtp_username: "ansible@mymx.me"
vault_smtp_password: "79,;,metOND"

# -----------------------------------------------------------------------------
# Database Credentials
# -----------------------------------------------------------------------------

vault_mysql_root_password: "CHANGEME_MYSQL_ROOT"
vault_mysql_replication_password: "CHANGEME_MYSQL_REPL"

vault_postgresql_postgres_password: "CHANGEME_PG_POSTGRES"
vault_postgresql_replication_password: "CHANGEME_PG_REPL"

vault_mongodb_admin_password: "CHANGEME_MONGO_ADMIN"
vault_redis_password: "CHANGEME_REDIS_PASSWORD"

# -----------------------------------------------------------------------------
# Application Secrets
# -----------------------------------------------------------------------------

vault_app_secret_key: "CHANGEME_APP_SECRET_32_CHARS_MIN"
vault_app_api_key: "CHANGEME_APP_API_KEY"
vault_app_jwt_secret: "CHANGEME_JWT_SECRET"

# -----------------------------------------------------------------------------
# SSL/TLS Certificates
# -----------------------------------------------------------------------------

# Private key for SSL certificates (PEM format)
vault_ssl_private_key: |
  -----BEGIN PRIVATE KEY-----
  CHANGEME_SSL_PRIVATE_KEY_CONTENT
  -----END PRIVATE KEY-----

# SSL certificate chain
vault_ssl_certificate: |
  -----BEGIN CERTIFICATE-----
  CHANGEME_SSL_CERTIFICATE_CONTENT
  -----END CERTIFICATE-----

# Certificate authority certificate
vault_ssl_ca_certificate: |
  -----BEGIN CERTIFICATE-----
  CHANGEME_CA_CERTIFICATE_CONTENT
  -----END CERTIFICATE-----

# -----------------------------------------------------------------------------
# Monitoring and Logging
# -----------------------------------------------------------------------------

vault_grafana_admin_password: "CHANGEME_GRAFANA_ADMIN"
vault_prometheus_auth_token: "CHANGEME_PROMETHEUS_TOKEN"
vault_zabbix_api_token: "CHANGEME_ZABBIX_TOKEN"
vault_elasticsearch_password: "CHANGEME_ELASTIC_PASSWORD"
vault_kibana_encryption_key: "CHANGEME_KIBANA_32_CHAR_KEY"

# -----------------------------------------------------------------------------
# Backup and Recovery
# -----------------------------------------------------------------------------

vault_backup_encryption_key: "CHANGEME_BACKUP_ENCRYPTION_KEY"
vault_s3_backup_access_key: "CHANGEME_S3_BACKUP_ACCESS"
vault_s3_backup_secret_key: "CHANGEME_S3_BACKUP_SECRET"

# -----------------------------------------------------------------------------
# External Services
# -----------------------------------------------------------------------------

vault_slack_webhook_url: "https://hooks.slack.com/services/CHANGEME"
vault_pagerduty_api_key: "CHANGEME_PAGERDUTY_KEY"
vault_datadog_api_key: "CHANGEME_DATADOG_KEY"
vault_datadog_app_key: "CHANGEME_DATADOG_APP_KEY"

# -----------------------------------------------------------------------------
# Encryption Keys
# -----------------------------------------------------------------------------

vault_luks_passphrase: "CHANGEME_LUKS_PASSPHRASE"
vault_gpg_passphrase: "CHANGEME_GPG_PASSPHRASE"

# =============================================================================
# Usage in Playbooks
# =============================================================================
#
# Reference vault variables in your playbooks and roles:
#
# - name: Create user with vault password
#   user:
#     name: ansible
#     password: "{{ vault_ansible_user_password | password_hash('sha512') }}"
#
# - name: Configure database
#   mysql_db:
#     login_password: "{{ vault_mysql_root_password }}"
#
# =============================================================================