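---
# Encrypted Variables (Ansible Vault)
#
# These variables contain sensitive information and should be encrypted.
# Every value below is a placeholder. After replacing the placeholders,
# encrypt the file with `ansible-vault encrypt <path/to/this/file>` and
# change it afterwards only through `ansible-vault edit`.
# An encrypted file starts with a `$ANSIBLE_VAULT;` header line; a copy that
# still starts with `---` is plaintext and should not be committed.
# A pre-deploy check that rejects values still containing `change_me` or
# `CHANGE_THIS` keeps placeholders from reaching a host.
# Tasks that consume these variables should set `no_log: true` so the values
# do not end up in Ansible output.

# Database Credentials
vault_mysql_root_password: "super_secure_root_password_change_me"
vault_mysql_user_password: "secure_user_password_change_me"
vault_mysql_replication_password: "secure_replication_password_change_me"

# Application Secrets
vault_app_key: "base64:CHANGE_THIS_TO_A_REAL_32_CHARACTER_SECRET_KEY"
vault_jwt_secret: "CHANGE_THIS_TO_A_REAL_JWT_SECRET_KEY"
vault_encryption_key: "CHANGE_THIS_TO_A_REAL_ENCRYPTION_KEY"

# Redis Password
vault_redis_password: "secure_redis_password_change_me"

# SMTP Configuration
vault_smtp_host: "smtp.example.com"
vault_smtp_port: 587
vault_smtp_username: "noreply@michaelschiemer.de"
vault_smtp_password: "smtp_password_change_me"
vault_smtp_encryption: "tls"

# Third-party API Keys
vault_api_keys:
  # The `sk_test_` prefix marks a Stripe test-mode key; a production vault
  # needs the live-mode secret instead.
  stripe_secret: "sk_test_CHANGE_THIS_TO_REAL_STRIPE_SECRET"
  paypal_client_id: "CHANGE_THIS_TO_REAL_PAYPAL_CLIENT_ID"
  paypal_client_secret: "CHANGE_THIS_TO_REAL_PAYPAL_SECRET"
  google_analytics: "GA_TRACKING_ID"
  recaptcha_site_key: "RECAPTCHA_SITE_KEY"
  recaptcha_secret_key: "RECAPTCHA_SECRET_KEY"

# OAuth Configuration
vault_oauth:
  google:
    client_id: "GOOGLE_CLIENT_ID"
    client_secret: "GOOGLE_CLIENT_SECRET"
  github:
    client_id: "GITHUB_CLIENT_ID"
    client_secret: "GITHUB_CLIENT_SECRET"

# Backup Encryption
vault_backup_encryption_key: "CHANGE_THIS_TO_A_REAL_BACKUP_ENCRYPTION_KEY"

# Monitoring Secrets
vault_monitoring:
  slack_webhook: "https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK"
  pagerduty_key: "PAGERDUTY_INTEGRATION_KEY"

# Docker Registry Credentials
vault_docker_registry:
  username: "registry_username"
  password: "registry_password"
  email: "kontakt@michaelschiemer.de"

# SSH Keys (base64 encoded)
# NOTE(review): the heading says base64, but the private key below is a PEM
# literal block, not a base64 string. Confirm which form the consuming task
# expects before filling it in.
# Inside the `|` block scalar the line starting with `#` is part of the value,
# not a YAML comment: replace the whole block with the real key, keeping the
# BEGIN/END lines and the trailing newline that `|` preserves.
vault_ssh_keys:
  deploy_private_key: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    # CHANGE THIS TO YOUR ACTUAL DEPLOY KEY
    -----END OPENSSH PRIVATE KEY-----
  deploy_public_key: "ssh-rsa AAAAB3NzaC1yc2E... deploy@michaelschiemer.de"

# SSL Certificate Passwords
vault_ssl_passwords:
  private_key_passphrase: "ssl_private_key_passphrase"
  p12_password: "ssl_p12_password"

# Security Tokens
vault_security_tokens:
  csrf_secret: "CHANGE_THIS_TO_A_REAL_CSRF_SECRET"
  api_token_secret: "CHANGE_THIS_TO_A_REAL_API_TOKEN_SECRET"
  session_secret: "CHANGE_THIS_TO_A_REAL_SESSION_SECRET"

# External Service Credentials
vault_external_services:
  cloudflare_api_token: "CLOUDFLARE_API_TOKEN"
  aws_access_key: "AWS_ACCESS_KEY_ID"
  aws_secret_key: "AWS_SECRET_ACCESS_KEY"

# Feature Flags and Secrets
# These three values are booleans, not secrets. All default to false.
# NOTE(review): presumably debug mode and the profiler expose application
# internals when enabled; confirm they stay false for production hosts.
vault_features:
  enable_debug_mode: false
  enable_profiler: false
  enable_maintenance_mode: false

# Environment Specific Secrets
# NOTE(review): production, staging and development values share this one
# file, so anyone holding its vault password can read all three. Separate
# per-environment vault files would narrow that access.
vault_environment_secrets:
  production:
    sentry_dsn: "https://YOUR_SENTRY_DSN@sentry.io/PROJECT_ID"
    newrelic_license: "NEWRELIC_LICENSE_KEY"
  staging:
    sentry_dsn: "https://YOUR_STAGING_SENTRY_DSN@sentry.io/PROJECT_ID"
  development:
    debug_token: "DEBUG_TOKEN_FOR_DEVELOPMENT"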