---
# Host vars for the garage (S3) role on the storage host.
#
# Secrets are read from the Bao/Vault KV mount at <vault_mount>/data/garage,
# which is expected to hold: rpc_secret, admin_token, metrics_token,
# webui_password.
_garage: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/garage', url=vault_addr) }}"

# S3 endpoint names. The first entry is the canonical public FQDN; the
# *.int.* entry lets server-to-server S3 traffic (e.g. nextcloud -> garage)
# stay inside the LAN instead of leaving via the public name.
garage_s3_domains:
  - 's3.gymb.souveredu.ch'
  - 's3.int.gymb.souveredu.ch'

garage_webui_domain: 'console.s3.gymb.souveredu.ch'
garage_use_ssl: true
garage_webui_enabled: true

# WebUI access control: authentik ForwardAuth (admins only, enforced by the
# policy binding on the authentik proxy application). While this is true the
# htpasswd Basic-Auth is not used and AUTH_USER_PASS is left out of the
# compose environment.
#
# Routing note: `auth.gymb.souveredu.ch` is a network alias for
# authentik-server-1 in the proxy network on the application host. The
# storage host sits in a different LAN, so its traefik reaches the outpost
# through the DMZ proxy via the public name rather than directly.
garage_webui_authentik_forward_auth: true
garage_webui_authentik_forward_auth_url: 'https://auth.gymb.souveredu.ch/outpost.goauthentik.io/auth/traefik'

# Basic-Auth fallback, only consulted when ForwardAuth is off.
# NOTE(review): default('disabled') yields the literal string "disabled" —
# if webui_password is absent from the secret AND ForwardAuth is switched
# off, that string becomes the accepted password for `admin`. Confirm the
# secret is populated before disabling ForwardAuth.
garage_webui_username: 'admin'
garage_webui_password: "{{ _garage.webui_password | default('disabled') }}"

# Cluster credentials taken straight from the secret. No default filter here,
# so a missing key surfaces as an undefined-variable error rather than an
# empty token.
garage_rpc_secret: "{{ _garage.rpc_secret }}"
garage_admin_token: "{{ _garage.admin_token }}"
garage_metrics_token: "{{ _garage.metrics_token }}"

# Single-node bootstrap of the cluster layout.
garage_bootstrap_enabled: true
garage_bootstrap_zone: 'burgdorf1'
garage_bootstrap_capacity: '100G'

# Access keys and the buckets each may use; consumed by nextcloud.
garage_s3_keys:
  - name: nextcloud
    buckets:
      - name: nextcloud
        permissions:
          - read
          - write