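---
# ValleyForge Admin Control Plane Configuration
#
# Variables consumed by the ValleyForge playbooks. Several values below are
# deliberate bootstrap defaults that start permissive (management reachable
# from any source, root SSH login allowed) so the first deployment cannot
# lock you out. Each of those knobs is marked "tighten after bootstrap";
# the intended sequence is: deploy -> confirm an admin user can log in over
# the admin VPN -> tighten those knobs -> redeploy.

# Admin Users (for infrastructure management)
# These users will have SSH access and sudo privileges on ValleyForge.
# NOTE(review): generate_keys presumably asks the role to create an SSH key
# pair for the user; where the key material is written is defined by the
# role, not here — confirm before relying on it.
admin_users:
  - username: alice
    comment: "Alice - Infrastructure Lead"
    groups: ["sudo"]
    generate_keys: true
  - username: bob
    comment: "Bob - Security Admin"
    groups: ["sudo"]
    generate_keys: true

# WireGuard Admin VPN Configuration
# This VPN is for your admin team to securely access ValleyForge.
# wg_server_address must lie inside wg_network, and wg_port must match the
# UDP entry in management_ports below or the tunnel is filtered by the
# firewall it is meant to get you through.
wg_network: "10.100.0.0/24"
wg_server_address: "10.100.0.1/24"
wg_port: 51820

# Admin VPN peers (your infrastructure team)
# Peer addresses are auto-assigned; if you pin one with `ip:` it must be a
# unique address inside wg_network that is not the server address.
wg_peers:
  - name: admin1
    # ip: 10.100.0.10  # Auto-assigned
  - name: admin2
    # ip: 10.100.0.11  # Auto-assigned
  - name: admin3
    # ip: 10.100.0.12  # Auto-assigned

# Firewall Configuration
# IMPORTANT: Set vpn_only_mode to false initially to allow SSH access.
# After admin VPN is working, set to true and redeploy.
# While vpn_only_mode is false AND management_allowed_sources is 0.0.0.0/0,
# every port in management_ports (including SSH with root login permitted,
# see below) is reachable from the whole internet. Keep that window short;
# if you know the CIDR you will bootstrap from, prefer listing it here
# instead of 0.0.0.0/0 even for the first deployment.
vpn_only_mode: false  # tighten after bootstrap: set true once admin VPN is configured

management_allowed_sources:
  - "0.0.0.0/0"  # Allow from anywhere initially (tighten after bootstrap)
  # After admin VPN is working, change to:
  # - "10.100.0.0/24"  # Admin VPN network only

management_ports:
  - port: 22
    proto: tcp
    comment: "SSH"
  - port: 51820  # must equal wg_port above
    proto: udp
    comment: "WireGuard Admin VPN"

# SSH Hardening
# Keep root login enabled initially for bootstrapping.
# These two values are quoted on purpose: sshd_config expects the literal
# words yes/no, and an unquoted yes/no is parsed as a YAML boolean.
ssh_permit_root_login: "yes"  # tighten after bootstrap: change to "no" once admin users are working
ssh_password_authentication: "no"
ssh_max_auth_tries: 3

# Security Settings
enable_apparmor: true
enable_auditd: true
enable_fail2ban: true
enable_unattended_upgrades: true

# Ansible Control Node Settings
valleyforge_repo_url: "https://git.hacker.supply/valleyforge/resist-vpn-infra.git"
valleyforge_clone_repo: true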