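# Environment for the FreeIPA / Keycloak / Samba (Ansipa) stack.
# Once filled in this file holds live credentials: keep it out of version
# control (commit only a template), restrict it to the deploying user
# (chmod 600) and replace every ChangeMe* value before the first start.
# Format: dotenv — one KEY=VALUE per line, '#' comments on their own line,
# no spaces around '='. A value may contain spaces or a second '='
# (see IPA_BIND_DN) for a dotenv reader, but must be quoted if this file is
# ever sourced by a shell instead.

# ── FreeIPA ───────────────────────────────────────────────────────────────────
IPA_HOSTNAME=ipa.corp.example.com
IPA_DOMAIN=corp.example.com
IPA_REALM=CORP.EXAMPLE.COM
# Realm admin and Directory Manager passwords. The installer requires at least
# 8 characters; use long random values — these protect the whole realm, and
# IPA_DM_PASSWORD is also the fallback LDAP bind password further down.
IPA_ADMIN_PASSWORD=ChangeMe123!
IPA_DM_PASSWORD=ChangeMe456!
# Integrated DNS is off by default. IPA_DNS_FORWARDER presumably only applies
# when IPA_SETUP_DNS=true — confirm against the installer script; leave it
# empty for no forwarder.
IPA_SETUP_DNS=false
IPA_DNS_FORWARDER=
# Set to true to also install the KRA (key recovery / vault) component.
IPA_SETUP_KRA=false

# ── Ansipa SMB shares ─────────────────────────────────────────────────────────
# SMB_SCAN_PASSWORD — password for 'scanupload'; deploy to clients via Ansible
#                     with smb_scan_password=<value> (use ansible-vault).
# LUKS_KEY_UPLOAD_PASSWORD — password for the 'luks-upload' service account used
#                     by the Ansible controller to write LUKS backup keys to
#                     the ansipa-luks-keys share. Pass to collect-luks-keys.yml
#                     with -e luks_upload_password=<value>; prefer supplying it
#                     from a vaulted vars file (-e @vars.yml) rather than on the
#                     command line, where it lands in shell history and `ps`.
#                     Read access to the backed-up keys is granted separately:
#                     add a Samba user to KeyAdmin on the container:
#                       useradd -r -G KeyAdmin <user> && smbpasswd -a <user>
#                     Keep KeyAdmin membership minimal — every member can read
#                     every host's LUKS recovery key.
SMB_SCAN_PASSWORD=ChangeMe_ScanPass!
LUKS_KEY_UPLOAD_PASSWORD=ChangeMe_LuksUpload!

# ── Keycloak ──────────────────────────────────────────────────────────────────
KC_HOSTNAME=keycloak.corp.example.com
KC_REALM=corp
# Initial Keycloak admin account and the database password. Rotate the admin
# password after setup; consider a non-default admin username.
KC_ADMIN=admin
KC_ADMIN_PASSWORD=ChangeMe789!
KC_DB_PASSWORD=ChangeMe000!

# ── Keycloak → FreeIPA LDAP federation ───────────────────────────────────────
# Leave IPA_BIND_PASSWORD blank to reuse IPA_DM_PASSWORD.
# cn=Directory Manager is the 389-DS root account and bypasses all FreeIPA
# access control: if its password leaks through Keycloak (realm export, log,
# database dump) the whole directory is compromised. In production, create a
# dedicated read-only service account in FreeIPA and put its DN and password
# here instead.
IPA_BIND_DN=cn=Directory Manager
IPA_BIND_PASSWORD=
# false = plain LDAP: the bind password and user attributes cross the network
# unencrypted unless TLS is added elsewhere. Set to true (LDAPS) in production.
IPA_USE_LDAPS=false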