sovereign/inventories/production/group_vars/all.yml

---
# =============================================================================
# SOVEREIGN DEPLOYMENT CONFIGURATION
# All variables for this deployment are defined here.
# =============================================================================

# Base domain - all services are subdomains of this
base_domain: "example.com"

# =============================================================================
# BRANDING
# Applied across all services that support custom branding.
# =============================================================================

# Display name shown in service UIs and email subjects
tenant_name: "Example Corp"

# Path to a logo image on the Ansible control machine (PNG or SVG recommended).
# Leave empty to use each service's default logo.
# Example: "files/logo.png"
tenant_logo_local_path: ""

# Primary brand colour (hex). Used for backgrounds, buttons, and highlights.
tenant_primary_color: "#2563eb"

# Accent / secondary colour (hex).
tenant_accent_color: "#1e40af"

# Base directory for all service data
sovereign_base_dir: /opt/sovereign

# Traefik
traefik_acme_email: "admin@{{ base_domain }}"
traefik_domain: "traefik.{{ base_domain }}"
traefik_dashboard_password: "changeme"  # htpasswd hash

# Authentik
authentik_domain: "auth.{{ base_domain }}"
authentik_version: "2024.10.5"
authentik_secret_key: "change-me-to-a-50-char-random-string"
authentik_db_password: "changeme_authentik_db"
authentik_admin_email: "admin@{{ base_domain }}"
authentik_admin_password: "changeme_admin"

# Graylog
graylog_domain: "logs.{{ base_domain }}"
graylog_version: "6.0"
graylog_password_secret: "changeme_graylog_secret_min_16_chars"  # min 16 chars
graylog_root_password_sha2: "changeme_sha256_of_password"  # echo -n yourpassword | sha256sum
graylog_host: "127.0.0.1"  # host IP reachable from containers
graylog_gelf_port: 12201

# Stalwart Mail
stalwart_domain: "mail.{{ base_domain }}"
stalwart_admin_password: "changeme_mail_admin"
stalwart_version: "latest"

# Roundcube
roundcube_domain: "webmail.{{ base_domain }}"
roundcube_version: "latest"
roundcube_db_password: "changeme_roundcube_db"
roundcube_des_key: "changeme_24_char_des_key____"

# Wazuh
wazuh_domain: "wazuh.{{ base_domain }}"
wazuh_version: "4.9.0"
wazuh_admin_password: "changeme_wazuh_admin"
wazuh_api_password: "changeme_wazuh_api"

# WireGuard / Headscale
wireguard_domain: "vpn.{{ base_domain }}"
headscale_domain: "headscale.{{ base_domain }}"
headscale_version: "0.23.0"
wireguard_port: 51820
headscale_noise_private_key: ""  # generated on first run

# Matrix / Element
matrix_domain: "matrix.{{ base_domain }}"
element_domain: "chat.{{ base_domain }}"
matrix_version: "v1.118.0"
matrix_registration_secret: "changeme_registration_secret"
matrix_db_password: "changeme_matrix_db"

# Jitsi
jitsi_domain: "meet.{{ base_domain }}"
jitsi_version: "stable-9753"
jitsi_jicofo_auth_password: "changeme_jicofo"
jitsi_jvb_auth_password: "changeme_jvb"
jitsi_jibri_recorder_password: "changeme_jibri_recorder"
jitsi_jibri_xmpp_password: "changeme_jibri_xmpp"
jitsi_turn_secret: "changeme_turn"

# MinIO
minio_domain: "s3.{{ base_domain }}"
minio_console_domain: "minio.{{ base_domain }}"
minio_version: "latest"
minio_root_user: "minioadmin"
minio_root_password: "changeme_minio"
minio_nextcloud_bucket: "nextcloud"
minio_nextcloud_access_key: "nextcloud"
minio_nextcloud_secret_key: "changeme_nextcloud_s3"

# Nextcloud
nextcloud_domain: "cloud.{{ base_domain }}"
nextcloud_version: "29"
nextcloud_admin_user: "admin"
nextcloud_admin_password: "changeme_nextcloud"
nextcloud_db_password: "changeme_nextcloud_db"
nextcloud_db_root_password: "changeme_nextcloud_db_root"

# Vaultwarden
vaultwarden_domain: "vault.{{ base_domain }}"
vaultwarden_version: "latest"
vaultwarden_admin_token: "changeme_vaultwarden_admin_token"
vaultwarden_db_password: "changeme_vaultwarden_db"

# Forgejo
forgejo_domain: "git.{{ base_domain }}"
forgejo_version: "latest"
forgejo_db_password: "changeme_forgejo_db"
forgejo_secret_key: "changeme_forgejo_secret"
forgejo_internal_token: "changeme_forgejo_internal_token"
forgejo_lfs_jwt_secret: "changeme_forgejo_lfs_jwt"
forgejo_admin_user: "admin"
forgejo_admin_password: "changeme_forgejo_admin"
forgejo_admin_email: "admin@{{ base_domain }}"
forgejo_ssh_port: 2222

# Twenty CRM
twenty_domain: "crm.{{ base_domain }}"
twenty_version: "latest"
twenty_app_secret: "changeme_twenty_app_secret_min_32_chars_random"
twenty_db_password: "changeme_twenty_db"
twenty_oidc_client_secret: "changeme_twenty_oidc_secret"  # set in Authentik after creating the OAuth2 app

# Website
website_nginx_version: "alpine"

# SMTP (for services that send email)
smtp_host: "stalwart"
smtp_port: 587
smtp_from: "noreply@{{ base_domain }}"
smtp_user: "noreply@{{ base_domain }}"
smtp_password: "changeme_smtp"
smtp_tls: "starttls"

# DNS / BIND9 — authoritative nameserver
bind_version: "9.18-22.04_beta"
# dns_server_ip must be the public IPv4 address of this server.
# Register ns1.{{ base_domain }} as a glue record at your domain registrar
# pointing to this IP, then set your domain's nameservers to ns1.{{ base_domain }}.
dns_server_ip: "changeme_server_public_ip"
dns_ns_hostname: "ns1.{{ base_domain }}"
dns_ttl: 3600

# DKIM — retrieve the public key from the Stalwart admin UI at
# mail.{{ base_domain }} → Settings → DKIM keys after first deployment.
# Leave empty to skip the DKIM TXT record until the key is available.
stalwart_dkim_selector: "default"
stalwart_dkim_public_key: ""  # e.g. "MIGfMA0GCSqGSIb3DQEB..."

# DMARC — email authentication policy
dmarc_policy: "quarantine"  # none | quarantine | reject
dmarc_rua: "mailto:dmarc-reports@{{ base_domain }}"
dmarc_ruf: "mailto:dmarc-forensics@{{ base_domain }}"