---
# Host/group variables consumed by the deploy_user, swapfile, umami_nginx,
# certbot, firewall, docker_umami and v2ray roles. Only non-secret settings
# belong here; nothing below is a credential.

# === Deploy user ===
#
# If true, deploy_user role syncs root's authorized_keys
# (grants every root key the same access as the deploy user — keep false
# unless the root key set is reviewed).
deploy_user_sync_root_keys: false

# === System tuning ===
#
# swapfile role uses this size (MB) when provisioning swap
swapfile_size_mb: 1024

# === Nginx/analytics access control ===
#
# CIDR/IPs allowed to reach the Umami dashboard via umami_nginx.
# Loopback-only by default; add specific management ranges rather than
# opening it wide.
nginx_dashboard_allowlist:
  - "127.0.0.1/32"

# === Domains ===
#
# Used by certbot role when requesting site certificates
primary_domain: "example.com"
# Shared by certbot + umami_nginx site template for analytics host
analytics_domain: "analytics.example.com"

# === Certbot ===
#
# Toggle ACME issuance in certbot role
certbot_issue_certificates: false
# Ensures packaged systemd timer stays enabled
certbot_auto_renew: true
# Certbot registration email for expiry notices and ToS
certbot_admin_email: "admin@example.com"
# Domains to request via Certbot (include each site explicitly and point DNS
# to this host). Keep this list in sync with primary_domain/analytics_domain.
certbot_domains:
  - "example.com"
  - "analytics.example.com"
  # - "proxy-one.example.com"
  # - "proxy-two.example.com"
# Services stopped temporarily so Certbot standalone can bind ports 80/443.
# NOTE(review): only relevant if the role uses the standalone authenticator;
# with nginx serving the site and this left unset, standalone issuance would
# fail to bind — confirm which authenticator the certbot role invokes.
# certbot_standalone_services:
#   - nginx

# === Firewall (UFW) rules ===
#
# Rules required so nginx serves the primary domain
firewall_allow_rules:
  - proto: tcp
    port: 80
    comment: "Allow HTTP"
  - proto: tcp
    port: 443
    comment: "Allow HTTPS"
# Prevents SSH access except via manual firewall changes.
# NOTE(review): applying this from an SSH-driven play with no allow rule for
# the controller's source address can drop the session running the play —
# confirm the firewall role's rule ordering before enabling on remote hosts.
firewall_deny_rules:
  - proto: tcp
    port: 22
    comment: "Deny public SSH"

# === Umami application ===
#
# Human-friendly label displayed in Umami UI
umami_site_name: "Personal Blog"
# Docker image used by docker_umami role.
# NOTE(review): a floating "-latest" tag is not reproducible; pinning a
# release tag or an @sha256 digest is preferable once one is chosen.
umami_docker_image: "ghcr.io/umami-software/umami:postgresql-latest"
# Port exposed by the Umami container for nginx proxying
umami_container_port: 3000
# Directory where docker_umami places compose stack files
umami_docker_compose_dir: "/opt/umami"
# Database user referenced by docker compose and app config
# (the matching password is not defined in this file; presumably supplied
# from a vault/secret source — verify against the docker_umami role).
umami_postgres_user: "umami"
# Database name created for Umami
umami_postgres_db: "umami"
# Hostname of the Postgres service within the compose network
umami_postgres_host: "postgres"

# === V2Ray ===
#
# Controller-side path to config.json stored under files/v2ray/.
# NOTE(review): if that config.json carries client credentials, it should be
# kept out of plain version control (e.g. vaulted) — confirm its contents.
v2ray_config_src: "{{ playbook_dir }}/files/v2ray/config.json"
# Extra helper files copied as-is (no handlers triggered)
v2ray_extra_files: []
# Nginx config files copied by the role; reloads nginx when they change
# v2ray_nginx_files:
#   - src: "{{ playbook_dir }}/files/v2ray/default.conf"
#     dest: /etc/nginx/conf.d/default.conf