---
# Example variables for baremetal installs.
hypervisor:
  type: "none"

system:
  type: "physical"
  os: "archlinux"
  filesystem: "btrfs" # btrfs|ext4|xfs
  name: "{{ inventory_hostname }}"
  cpus: 8
  memory: 16384
  network:
    ip: "{{ ansible_host | default('') }}"
    prefix: 24
    gateway: "10.0.0.1"
    dns:
      servers:
        - "1.1.1.1"
  disks:
    - device: "/dev/sda"
      size: 120
    - device: "/dev/sdb"
      size: 500
      mount:
        path: /data
        fstype: ext4
  users:
    admin:
      password: "CHANGE_ME"
      keys:
        - "ssh-ed25519 AAAA..."
  root:
    password: "CHANGE_ME"
  luks:
    enabled: true
    passphrase: "CHANGE_ME"
    mapper: "SYSTEM_DECRYPTED"
    auto: true
    method: "tpm2"
    tpm2:
      device: "auto"
      pcrs: "7"
  features:
    cis:
      enabled: false
    selinux:
      enabled: true
    firewall:
      enabled: true
      backend: "firewalld"
      toolkit: "nftables"
    ssh:
      enabled: true
    zstd:
      enabled: true
    swap:
      enabled: true
    banner:
      motd: true
      sudo: true
    chroot:
      tool: "arch-chroot"
    desktop:
      enabled: false
      environment: ""    # gnome|kde|sway|hyprland (sway/hyprland are Archlinux only)
      autologin: false   # false | a username from system.users (not bool true)
    # firmware/microcode default to "auto" - on for physical, off for virtual.
    # gpu and peripherals.* default to "auto" tied to desktop.enabled.
    # Override only when you want non-default behavior.
    gpu:
      enabled: "auto"        # auto = follows desktop.enabled; set true to force
      nvidia_driver: "auto"  # auto = open|proprietary|nouveau by GPU generation
    peripherals:
      displaylink: false  # explicit opt-in for DisplayLink docks
    hardware:
      profile: {}         # autodetect; or set to bake a golden-image profile