sovereign/inventories/production/group_vars/all.yml

---
# =============================================================================
# SOVEREIGN DEPLOYMENT CONFIGURATION
# All variables for this deployment are defined here.
# =============================================================================

# Base domain - all services are subdomains of this
base_domain: "example.com"

# Base directory for all service data
sovereign_base_dir: /opt/sovereign

# Traefik
traefik_acme_email: "admin@{{ base_domain }}"
traefik_domain: "traefik.{{ base_domain }}"
traefik_dashboard_password: "changeme"  # htpasswd hash

# Authentik
authentik_domain: "auth.{{ base_domain }}"
authentik_version: "2024.10.5"
authentik_secret_key: "change-me-to-a-50-char-random-string"
authentik_db_password: "changeme_authentik_db"
authentik_admin_email: "admin@{{ base_domain }}"
authentik_admin_password: "changeme_admin"

# Graylog
graylog_domain: "logs.{{ base_domain }}"
graylog_version: "6.0"
graylog_password_secret: "changeme_graylog_secret_min_16_chars"  # min 16 chars
graylog_root_password_sha2: "changeme_sha256_of_password"  # echo -n yourpassword | sha256sum
graylog_host: "127.0.0.1"  # host IP reachable from containers
graylog_gelf_port: 12201

# Stalwart Mail
stalwart_domain: "mail.{{ base_domain }}"
stalwart_admin_password: "changeme_mail_admin"
stalwart_version: "latest"

# Roundcube
roundcube_domain: "webmail.{{ base_domain }}"
roundcube_version: "latest"
roundcube_db_password: "changeme_roundcube_db"
roundcube_des_key: "changeme_24_char_des_key____"

# Wazuh
wazuh_domain: "wazuh.{{ base_domain }}"
wazuh_version: "4.9.0"
wazuh_admin_password: "changeme_wazuh_admin"
wazuh_api_password: "changeme_wazuh_api"

# WireGuard / Headscale
wireguard_domain: "vpn.{{ base_domain }}"
headscale_domain: "headscale.{{ base_domain }}"
headscale_version: "0.23.0"
wireguard_port: 51820
headscale_noise_private_key: ""  # generated on first run

# Matrix / Element
matrix_domain: "matrix.{{ base_domain }}"
element_domain: "chat.{{ base_domain }}"
matrix_version: "v1.118.0"
matrix_registration_secret: "changeme_registration_secret"
matrix_db_password: "changeme_matrix_db"

# Jitsi
jitsi_domain: "meet.{{ base_domain }}"
jitsi_version: "stable-9753"
jitsi_jicofo_auth_password: "changeme_jicofo"
jitsi_jvb_auth_password: "changeme_jvb"
jitsi_jibri_recorder_password: "changeme_jibri_recorder"
jitsi_jibri_xmpp_password: "changeme_jibri_xmpp"
jitsi_turn_secret: "changeme_turn"

# MinIO
minio_domain: "s3.{{ base_domain }}"
minio_console_domain: "minio.{{ base_domain }}"
minio_version: "latest"
minio_root_user: "minioadmin"
minio_root_password: "changeme_minio"
minio_nextcloud_bucket: "nextcloud"
minio_nextcloud_access_key: "nextcloud"
minio_nextcloud_secret_key: "changeme_nextcloud_s3"

# Nextcloud
nextcloud_domain: "cloud.{{ base_domain }}"
nextcloud_version: "29"
nextcloud_admin_user: "admin"
nextcloud_admin_password: "changeme_nextcloud"
nextcloud_db_password: "changeme_nextcloud_db"
nextcloud_db_root_password: "changeme_nextcloud_db_root"

# Vaultwarden
vaultwarden_domain: "vault.{{ base_domain }}"
vaultwarden_version: "latest"
vaultwarden_admin_token: "changeme_vaultwarden_admin_token"
vaultwarden_db_password: "changeme_vaultwarden_db"

# Forgejo
forgejo_domain: "git.{{ base_domain }}"
forgejo_version: "latest"
forgejo_db_password: "changeme_forgejo_db"
forgejo_secret_key: "changeme_forgejo_secret"
forgejo_internal_token: "changeme_forgejo_internal_token"
forgejo_lfs_jwt_secret: "changeme_forgejo_lfs_jwt"
forgejo_admin_user: "admin"
forgejo_admin_password: "changeme_forgejo_admin"
forgejo_admin_email: "admin@{{ base_domain }}"
forgejo_ssh_port: 2222

# Website
website_nginx_version: "alpine"

# SMTP (for services that send email)
smtp_host: "stalwart"
smtp_port: 587
smtp_from: "noreply@{{ base_domain }}"
smtp_user: "noreply@{{ base_domain }}"
smtp_password: "changeme_smtp"
smtp_tls: "starttls"