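---
# =================================================================
# Vaultwarden Password Manager Role - Default Variables
# =================================================================
# Self-contained Vaultwarden deployment with Podman and PostgreSQL
# Secrets are pulled from vault_* variables; none are stored here.
# =================================================================

# =================================================================
# Service Configuration
# =================================================================

# Service user and directories
vaultwarden_user: "vaultwarden"
vaultwarden_group: "vaultwarden"
vaultwarden_home: "/opt/vaultwarden"
vaultwarden_data_dir: "{{ vaultwarden_home }}/data"

# Container configuration
# NOTE: SSO feature is only available in "testing" tag (as of Dec 2025)
# Using "latest" (stable) means SSO will not appear even if configured
# SSO settings below are configured and ready for when feature reaches stable
# "latest" is a mutable tag; pin a version or digest here for reproducible
# deployments once a stable release with the needed features is chosen.
vaultwarden_version: "latest"
vaultwarden_image: "vaultwarden/server"

# Service management
vaultwarden_service_enabled: true
vaultwarden_service_state: "started"

# =================================================================
# Database Configuration (Self-managed)
# =================================================================

vaultwarden_db_name: "vaultwarden"
vaultwarden_db_user: "vaultwarden"
# No default filter on purpose: a missing vault variable fails the play
# early instead of deploying with an empty database password.
vaultwarden_db_password: "{{ vault_vaultwarden_db_password }}"

# =================================================================
# Network Configuration
# =================================================================

vaultwarden_domain: "vault.jnss.me"
vaultwarden_http_port: 8080

# =================================================================
# Vaultwarden Core Configuration
# =================================================================

# Admin panel access token (plain text, will be hashed during deployment)
vaultwarden_admin_token_plain: "{{ vault_vaultwarden_admin_token }}"

# Registration and invitation controls
vaultwarden_signups_allowed: false  # Disable open registration
vaultwarden_invitations_allowed: true  # Allow existing users to invite
vaultwarden_show_password_hint: false  # Don't show password hints

# WebSocket support for live sync
vaultwarden_websocket_enabled: true

# =================================================================
# Email Configuration (Optional)
# =================================================================

vaultwarden_smtp_enabled: true
vaultwarden_smtp_host: "smtp.titan.email"
vaultwarden_smtp_port: 587
vaultwarden_smtp_from: "hello@jnss.me"
vaultwarden_smtp_username: "hello@jnss.me"
# NOTE(review): default('') means a missing vault_smtp_password silently
# becomes an empty SMTP password while SMTP is enabled by default above.
# Consider dropping the default, or gating it on vaultwarden_smtp_enabled.
vaultwarden_smtp_password: "{{ vault_smtp_password | default('') }}"
vaultwarden_smtp_security: "starttls"  # Options: starttls, force_tls, off

# =================================================================
# SSO Configuration (Optional - Authentik Integration)
# =================================================================

vaultwarden_sso_enabled: false

# SSO Provider Configuration (Authentik)
# NOTE(review): both values fall back to "" when the vault variables are
# missing; with SSO disabled that is harmless, but verify they are set
# before flipping vaultwarden_sso_enabled to true.
vaultwarden_sso_client_id: "{{ vault_vaultwarden_sso_client_id | default('') }}"
vaultwarden_sso_client_secret: "{{ vault_vaultwarden_sso_client_secret | default('') }}"

# Authority must include full path with application slug
vaultwarden_sso_authority: "https://{{ authentik_domain }}/application/o/vaultwarden/"
vaultwarden_sso_scopes: "openid email profile offline_access"

# Additional SSO settings (per Authentik integration guide)
vaultwarden_sso_only: false  # Set to true to disable email+password login and require SSO
vaultwarden_sso_signups_match_email: true  # Match first SSO login to existing account by email
vaultwarden_sso_allow_unknown_email_verification: false
vaultwarden_sso_client_cache_expiration: 0

# Domain whitelist for SSO signups (comma-separated domains, empty = all)
vaultwarden_sso_signups_domains_whitelist: ""

# =================================================================
# Caddy Integration
# =================================================================

# Caddy configuration (fallback values; the caddy role is expected to
# provide these variables)
caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
caddy_log_dir: "/var/log/caddy"
caddy_user: "caddy"

# =================================================================
# Infrastructure Dependencies (Read-only)
# =================================================================

# PostgreSQL socket configuration (managed by postgresql role)
postgresql_unix_socket_directories: "/var/run/postgresql"
postgresql_client_group: "postgres-clients"
postgresql_port: 5432
postgresql_unix_socket_enabled: true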