reference-ansible/inventories/demo-gymburgdorf/host_vars/storage/garage.yml

---
# Bao secret <mount>/data/garage expected to contain:
#   rpc_secret, admin_token, metrics_token, webui_password
_garage: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/garage', url=vault_addr) }}"

# First entry is the canonical public S3 FQDN. Additional entries
# cover internal *.int.* names so server-to-server S3 traffic (e.g.
# nextcloud → garage) stays in the LAN.
garage_s3_domains:
  - "s3.gymb.souveredu.ch"
  - "s3.int.gymb.souveredu.ch"
garage_webui_domain: "console.s3.gymb.souveredu.ch"
garage_use_ssl: true
garage_webui_enabled: true
garage_webui_username: "admin"
garage_webui_password: "{{ _garage.webui_password }}"

garage_rpc_secret: "{{ _garage.rpc_secret }}"
garage_admin_token: "{{ _garage.admin_token }}"
garage_metrics_token: "{{ _garage.metrics_token }}"

# Initial cluster bootstrap (single-node)
garage_bootstrap_enabled: true
garage_bootstrap_zone: "burgdorf1"
garage_bootstrap_capacity: "100G"

# Buckets and keys consumed by nextcloud
garage_s3_keys:
  - name: nextcloud
    buckets:
      - name: nextcloud
        permissions: ["read", "write"]