---
# NOTE(review): this listing arrived with its line breaks and indentation
# collapsed. The nesting below is reconstructed from key order and duplicate-key
# constraints; confirm system_defaults.network/luks/features against the roles
# that read them.

# Distribution names grouped by family. Platform detection and input
# validation are meant to read these lists rather than keep their own copies.
os_family_rhel:
  - almalinux
  - fedora
  - rhel
  - rocky

os_family_debian:
  - debian
  - ubuntu
  - ubuntu-lts

# Distribution -> family name, spelled like the main project's
# ansible_os_family values. Lets each role index a platform_config dict by
# family instead of chaining inline `when: is_rhel` conditions.
os_family_map:
  almalinux: RedHat
  alpine: Alpine
  archlinux: Archlinux
  debian: Debian
  fedora: RedHat
  opensuse: Suse
  rhel: RedHat
  rocky: RedHat
  ubuntu: Debian
  ubuntu-lts: Debian
  void: Void

# Every distribution name accepted as an install target.
os_supported:
  - almalinux
  - alpine
  - archlinux
  - debian
  - fedora
  - opensuse
  - rhel
  - rocky
  - ubuntu
  - ubuntu-lts
  - void

# Operator-supplied hypervisor settings; normalized into hypervisor_cfg and
# hypervisor_type.
hypervisor:
  type: "none"

# Fallback value for each hypervisor key.
hypervisor_defaults:
  type: "none"
  url: ""
  username: ""
  # Credential: keep the real value in an encrypted store (for example Ansible
  # Vault) and leave this default empty in version control.
  password: ""
  host: ""
  storage: ""
  datacenter: ""
  cluster: ""
  folder: ""
  # NOTE(review): presumably toggles TLS certificate validation for the
  # hypervisor API. If so, this default sends the credentials above over an
  # unverified connection; confirm in the consuming role.
  certs: false
  ssh: false

physical_default_os: "archlinux"
custom_iso: false
# NOTE(review): presumably a task file pulled into the play; it would run with
# the play's privileges, so review it like any other role code. Confirm.
thirdparty_tasks: "dropins/preparation.yml"

# Fallback value for each key of the target system definition.
system_defaults:
  type: "virtual"  # one of: virtual, physical
  os: ""
  version: ""
  filesystem: "ext4"
  name: ""
  id: ""
  cpus: 0
  memory: 0  # in MiB
  balloon: 0  # in MiB
  network:
    bridge: ""
    vlan: ""
    ip: ""
    prefix: ""
    gateway: ""
    dns:
      servers: []
      search: []
    interfaces: []
  path: ""
  timezone: "Europe/Vienna"
  locale: "en_US.UTF-8"
  keymap: "us"
  packages: []
  disks: []
  users: []
  root:
    # Secret: supply from an encrypted store at run time.
    # NOTE(review): confirm how the roles treat an empty root password.
    password: ""
    shell: "/bin/bash"
  luks:
    enabled: false
    # Secret: supply from an encrypted store at run time.
    # NOTE(review): confirm validation rejects an empty passphrase when
    # enabled is true.
    passphrase: ""
    mapper: "SYSTEM_DECRYPTED"
    auto: true
    method: "tpm2"
    tpm2:
      device: "auto"
      # NOTE(review): empty by default; confirm which PCRs (if any) the
      # enrolment step binds the key to when this is left blank.
      pcrs: ""
    keysize: 64
    # NOTE(review): presumably passed through as crypttab options. `discard`
    # lets TRIM reach the underlying device, which exposes which blocks of the
    # encrypted volume are unused; keep it only if that trade-off is accepted.
    options: "discard,tries=3"
    type: "luks2"
    cipher: "aes-xts-plain64"
    hash: "sha512"
    # NOTE(review): presumably the cryptsetup iteration time in ms; confirm.
    iter: 4000
    # NOTE(review): presumably the key size in bits; XTS splits the key in two,
    # so 512 would mean AES-256. Confirm.
    bits: 512
    pbkdf: "argon2id"
    urandom: true
    verify: true
  features:
    # CIS hardening is off unless the operator opts in.
    cis:
      enabled: false
    selinux:
      enabled: true
    firewall:
      enabled: true
      backend: "firewalld"  # one of: firewalld, ufw
      toolkit: "nftables"  # one of: nftables, iptables
    ssh:
      enabled: true
    zstd:
      enabled: true
    swap:
      enabled: true
    banner:
      motd: false
      sudo: true
    rhel_repo:
      # Where RHEL systems get packages after installation.
      source: "iso"  # one of: iso, satellite, none
      # Satellite or custom repository URL; used when source is "satellite".
      url: ""
    chroot:
      tool: "arch-chroot"  # one of: arch-chroot, chroot, systemd-nspawn

# Fields that must be set for each hypervisor type; validation is driven by
# this table. Every virtual type also needs a network bridge or interfaces.
hypervisor_required_fields:
  proxmox:
    hypervisor: [url, username, password, host, storage]
    system: [id]
  vmware:
    hypervisor: [url, username, password, datacenter, cluster, storage]
    system: []
  xen:
    hypervisor: []
    system: []
  libvirt:
    hypervisor: []
    system: []

# Disk device name prefix per hypervisor, for virtual machines only. Physical
# installs have to set system.disks[].device themselves.
hypervisor_disk_device_map:
  libvirt: "/dev/vd"
  xen: "/dev/xvd"
  proxmox: "/dev/sd"
  vmware: "/dev/sd"

# Mountpoints owned by the partitioning role; extra disks may not use them.
reserved_mounts:
  - /boot
  - /boot/efi
  - /home
  - /var
  - /var/log
  - /var/log/audit

# Letters appended to the device prefix when naming disks (at most 26 disks).
disk_letter_map: "abcdefghijklmnopqrstuvwxyz"

# Fallback value for each key of a system.disks[] entry.
system_disk_defaults:
  size: 0
  device: ""
  mount:
    path: ""
    fstype: ""
    label: ""
    opts: "defaults"