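---
# Ansible Vault Encrypted Secrets
#
# Template for secrets.yml. Every value in this example file is a public
# placeholder; only the encrypted copy should ever hold real values.
#
# IMPORTANT: Do NOT commit secrets.yml to git, even if encrypted!
# The .gitignore is configured to exclude it, but always verify.
#
# To set up:
#   1. cp secrets.yml.example secrets.yml
#   2. Edit secrets.yml with your actual values
#   3. ansible-vault encrypt secrets.yml
#   4. Verify: git status should NOT show secrets.yml
#      (git check-ignore -v secrets.yml shows which ignore rule matches)
#
# Between steps 2 and 3 the real values sit on disk in plaintext: encrypt
# straight after editing and keep editor backup/swap files out of the
# repository too.
# After step 3 the first line of secrets.yml must start with
# "$ANSIBLE_VAULT;". If it does not, the file is still plaintext.
#
# To edit encrypted secrets: ansible-vault edit secrets.yml

# Every CHANGE_ME_* value below is known to anyone who can read this
# example, so a deploy that still carries one is running with a public
# credential. A pre-flight ansible.builtin.assert that fails while any
# vault_* value still contains "CHANGE_ME" is a cheap guard.

# Database passwords
vault_forgejo_db_password: "CHANGE_ME_STRONG_PASSWORD_HERE"

# Admin account
vault_forgejo_admin_password: "CHANGE_ME_ADMIN_PASSWORD_HERE"

# Secret keys (generate with: openssl rand -base64 32)
# NOTE(review): "openssl rand -base64 32" prints 44 characters, which does
# not meet the "64 chars minimum" the secret_key placeholder asks for;
# "openssl rand -base64 48" prints exactly 64. Confirm the length the role
# really requires.
# NOTE(review): if these three map onto Forgejo's own SECRET_KEY,
# INTERNAL_TOKEN and JWT_SECRET settings, "forgejo generate secret <NAME>"
# emits each value in the format Forgejo expects; standard base64 output
# (with "+", "/" and "=" padding) may not be accepted for every one of
# them. Verify against the role's templates.
# Use a separate random value for each key; never reuse one across them.
vault_forgejo_secret_key: "CHANGE_ME_SECRET_KEY_64_CHARS_MINIMUM_XXXXXXXXXXXXXXXXX"
vault_forgejo_internal_token: "CHANGE_ME_INTERNAL_TOKEN_XXXXXXXXXXXXXXXXXXXXXXXXX"
vault_forgejo_jwt_secret: "CHANGE_ME_JWT_SECRET_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

# Metrics token (if prometheus enabled)
# Replace it even when metrics are disabled, so that enabling them later
# does not expose the endpoint behind the placeholder token.
vault_forgejo_metrics_token: "CHANGE_ME_METRICS_TOKEN_XXXXXXXXX"

# Email password (if email enabled)
# Empty string means "not set"; leave it empty only while email is off.
vault_email_password: ""

# S3 credentials (if S3 enabled)
# Prefer an access key scoped to the one bucket this deployment uses.
vault_s3_access_key: ""
vault_s3_secret_key: ""

# Notes:
# - Generate strong passwords: openssl rand -base64 32
# - Never commit unencrypted secrets to version control
# - Keep a secure backup of your vault password
#   (stored separately from the encrypted file it unlocks)
# - Rotate secrets regularly
#   NOTE(review): rotating the Forgejo secret key may invalidate data
#   already encrypted under it; check the Forgejo documentation first.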