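---
# Role defaults. Layout recovered from a source whose line breaks and
# indentation were lost; nesting decisions that the flat text does not settle
# are marked "NOTE(review)" so they can be confirmed against the consumer.
os_family_rhel:
  - almalinux
  - fedora
  - rhel
  - rocky

os_family_debian:
  - debian
  - ubuntu
  - ubuntu-lts

# OS -> family, so roles do platform_config lookups instead of is_rhel when-chains.
os_family_map:
  almalinux: RedHat
  archlinux: Archlinux
  debian: Debian
  fedora: RedHat
  rhel: RedHat
  rocky: RedHat
  ubuntu: Debian
  ubuntu-lts: Debian

os_supported:
  - almalinux
  - archlinux
  - debian
  - fedora
  - rhel
  - rocky
  - ubuntu
  - ubuntu-lts

# User input. Normalized into hypervisor_cfg + hypervisor_type.
hypervisor:
  type: "none"

hypervisor_defaults:
  type: "none"
  url: ""
  username: ""
  password: ""  # secret - supply from inventory/vault, never in committed defaults
  token_id: ""
  token_secret: ""  # secret - supply from inventory/vault, never in committed defaults
  node: ""
  storage: ""
  datacenter: ""
  cluster: ""
  folder: ""
  certs: false  # NOTE(review): presumably TLS certificate verification toward the hypervisor API - confirm
  ssh: false

# NOTE(review): the three keys below are read as top-level role vars, not as
# hypervisor_defaults members - confirm against the consuming tasks.
physical_default_os: "archlinux"
custom_iso: false
thirdparty_tasks: "dropins/preparation.yml"

system_defaults:
  type: "virtual"  # virtual|physical
  os: ""
  version: ""
  filesystem: "ext4"
  name: ""  # consumed by the golden produce/deploy wrappers, not the bootstrap itself
  source: ""
  id: ""
  cpus: 0
  memory: 0  # MiB
  balloon: 0  # MiB
  network:
    bridge: ""
    vlan: ""
    ip: ""
    prefix: ""
    gateway: ""
    dns:
      servers: []
      search: []
    interfaces: []
  path: ""  # NOTE(review): placed at system level; may belong under network - confirm
  timezone: "Europe/Vienna"
  locale: "en_US.UTF-8"
  keymap: "us"
  # source: dvd|mirror|satellite|none ('' -> family default: EL=dvd, else mirror).
  # satellite values come from inventory/vault only, never committed code.
  content:
    source: ""
    url: ""
    proxy: ""
    gpgcheck: true  # repository signature verification - keep enabled
    satellite:
      host: ""
      ip: ""  # optional /etc/hosts entry when DNS does not resolve host
      org: ""
      activation_key: ""  # secret - supply from inventory/vault, never in committed defaults
      ca_url: ""
      service_level: ""
      environment: ""
      install: false  # NOTE(review): read as a satellite member - confirm
  packages: []
  disks: []
  users: {}
  root:
    password: ""  # secret - supply from inventory/vault, never in committed defaults
    shell: "/bin/bash"
  luks:
    enabled: false
    passphrase: ""  # secret - supply from inventory/vault, never in committed defaults
    mapper: "SYSTEM_DECRYPTED"
    auto: true
    method: "tpm2"
    tpm2:
      device: "auto"
      pcrs: ""  # '' -> enrolment tool default; TODO confirm which PCRs that binds to
    keysize: 64
    options: "discard,tries=3"
    type: "luks2"
    cipher: "aes-xts-plain64"
    hash: "sha512"
    iter: 4000
    bits: 512
    pbkdf: "argon2id"
  # NOTE(review): features and hardware are read as system_defaults members
  # (per-system settings); confirm they are not top-level vars.
  features:
    # On only for the clone-deploy golden path; off keeps ansible-direct + smaller image.
    cloud_init: false
    cis:
      enabled: false
      profile: "default"  # default|l1|l2 (default = current house behaviour)
      rules: {}  # per-rule overrides, e.g. {usb_lockdown: false}
      params: {}  # parameter overrides, e.g. {pwquality_minlen: 16}
    selinux:
      enabled: true
    firewall:
      enabled: true
      backend: ""  # '' -> family default (EL/arch=firewalld, debian/ubuntu=ufw); override: firewalld|ufw
      toolkit: "nftables"  # nftables|iptables
    ssh:
      enabled: true
    zstd:
      enabled: true
    swap:
      enabled: true
    banner:
      motd: false
      sudo: true
    chroot:
      tool: "arch-chroot"  # arch-chroot|chroot|systemd-nspawn
    initramfs:
      generator: ""  # auto-detected; override: dracut|mkinitcpio|initramfs-tools
    desktop:
      enabled: false
      environment: ""  # gnome|kde|sway|hyprland
      display_manager: ""  # auto from environment when empty; override: gdm|sddm|greetd|plasma-login-manager|ly
      autologin: false  # false | username from system.users
      session: ""  # session name/command for the autologin user
      groups: []  # opt-in package groups (keys of desktop_package_groups)
    secure_boot:
      enabled: false
      method: ""  # arch only: sbctl (default) or uki; ignored for other distros
    firmware:
      enabled: "auto"  # auto = on for physical, off for virtual
      microcode: "auto"
    gpu:
      enabled: "auto"  # auto = follows desktop.enabled
      nvidia_driver: "auto"  # auto | open | proprietary | nouveau
    peripherals:
      enabled: "auto"  # auto = follows desktop.enabled
      fingerprint: "auto"  # auto|true|false (auto = install when detected)
      camera: "auto"  # v4l-utils when a UVC/IPU6 camera is detected
      audio: "auto"  # SOF firmware + ALSA UCM when an audio device is present
      bluetooth: "auto"  # bluez when a Bluetooth controller is present
      displaylink: false
  hardware:
    profile: {}  # full override: non-empty SKIPS detection (golden image)
    # The keys below MERGE over detection: lists union, booleans OR, packages
    # and kernel_params append, disable[] force-off applied last.
    cpu: ""  # pin a CPU vendor (intel|amd); empty = use detection
    gpus: []  # extra GPU vendor codes to force
    wireless: []  # extra wireless vendor codes to force
    audio: []  # extra audio vendor codes to force
    camera: {}  # {uvc: true, ipu6: true} to force a camera kind
    fingerprint: false  # force-on a fingerprint reader detection missed
    bluetooth: false  # force-on a Bluetooth controller detection missed
    packages: {}  # per-os_family extra packages, e.g. {Archlinux: [intel-ipu6-dkms]}
    disable: []  # feature/vendor names to force-off (audio|bluetooth|camera|fingerprint|displaylink)
    kernel_params: []  # extra kernel cmdline params (quirks), e.g. ["i915.enable_psr=0"]

# Drives data-driven validation. Virtual types also require a network bridge or interfaces.
# NOTE(review): no credential field is listed for any type; presumably the
# password-vs-token choice is validated elsewhere - confirm.
hypervisor_required_fields:
  proxmox:
    hypervisor: [url, username, node, storage]
    system: [id]
  vmware:
    hypervisor: [url, username, password, datacenter, storage]
    system: []
  xen:
    hypervisor: []
    system: []
  libvirt:
    hypervisor: []
    system: []

# Used when content.url is empty.
content_mirror_defaults:
  debian: "https://deb.debian.org/debian/"
  ubuntu: "http://archive.ubuntu.com/ubuntu/"
  ubuntu-lts: "http://archive.ubuntu.com/ubuntu/"

# Virtual-only; physical installs must set system.disks[].device explicitly.
hypervisor_disk_device_map:
  libvirt: "/dev/vd"
  xen: "/dev/xvd"
  proxmox: "/dev/sd"
  vmware: "/dev/sd"

# Mountpoints managed by the partitioning role - forbidden for extra disks.
reserved_mounts:
  - /boot
  - /boot/efi
  - /home
  - /var
  - /var/log
  - /var/log/audit

# Drive letter sequence for disk device naming (max 26 disks).
disk_letter_map: "abcdefghijklmnopqrstuvwxyz"

system_disk_defaults:
  size: 0
  device: ""
  mount:
    path: ""
    # NOTE(review): fstype/label/opts read as mount members; confirm they are
    # not siblings of mount at the disk level.
    fstype: ""
    label: ""
    opts: "defaults"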