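---
# Host variables for the dawarich LXC: base OS provisioning (packages, users),
# Alloy log/metric shipping, and the Dawarich container stack. Consumed by
# Ansible (the vault_* reference at the bottom is a Jinja expression).
timezone: America/Toronto

packages:
  - apt-utils
  - bash-completion
  - ca-certificates
  - curl
  - git
  - gnupg
  - htop
  - net-tools
  - openssh-server
  - python3
  - python3-pip
  - sudo
  - vim
  - wget

# Admin user. Access as shown here is SSH-key based; whether sudo prompts for
# a password is configured elsewhere (not visible in this file).
users:
  - name: cbalders
    groups: sudo
    shell: /bin/bash
    ssh_authorized_keys:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINALaic1jpoP6t1urbZqJLI1eU5NeTVD9k8AAMAvOvvk OfficeMini"
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzTHdCiQjhIHsGB8oMpyKtr9TZXrXeIRKwcwe698zMW Generated By Termius"

# Alloy ships Docker logs + journald to Loki on observe.lan.balders.ca + node
# metrics to Prometheus. Pattern mirrors every other LXC.
alloy_host_label: dawarich
# Plain HTTP: log contents (which may include request paths / usernames) cross
# the LAN unencrypted. Acceptable only if the observe.lan segment is trusted —
# confirm, or front Loki with TLS.
alloy_loki_url: "http://observe.lan.balders.ca:3100/loki/api/v1/push"
alloy_prom_job: node_lxc
alloy_prom_group: lxc
alloy_prom_hostname: dawarich

# ------------------------------------------------------------------------------
# Dawarich — self-hosted location history
# ------------------------------------------------------------------------------
# Pin image tags (Dawarich ships breaking schema changes on minor bumps). Bump
# in lockstep across app + sidekiq, never split — they share the same DB
# migrations. Check release notes before bumping.

# Pinned tag — OIDC support first landed in 1.7.8 (2026-05-16). DO NOT
# downgrade below 1.7.8 without disabling OIDC. Bump in lockstep with sidekiq.
dawarich_image: "freikin/dawarich:1.7.11"

# Official PostGIS image — alpine variant. Strict superset of postgres:16-alpine
# so swapping to it later (if we ever centralize on DB VM) is non-breaking.
postgis_image: "postgis/postgis:16-3.4-alpine"
# NOTE(review): floats on the 7-alpine major tag, unlike the app/postgis pins
# above — every pull can silently move to a new build. Pin to a patch tag (or
# an image digest) if the "pin image tags" rule is meant to apply here too.
redis_image: "redis:7-alpine"

dawarich_port: 3000
dawarich_site_url: "https://dawarich.balders.ca"
dawarich_domain: "dawarich.balders.ca"

# Database (local — central DB VM doesn't load PostGIS extension; see memory
# project_dawarich for the convention exception rationale).
dawarich_db_name: "dawarich"
dawarich_db_user: "dawarich"

# Background processing — keep modest to leave headroom for the web tier.
# Dawarich docs default 5; bump cautiously if Sidekiq queue depth grows.
dawarich_sidekiq_concurrency: 5

# Geocoding — disabled in v1. Dawarich falls back to its internal lightweight
# lookup. Self-hosted Photon stack is a future addition; uncomment + set host
# when wired.
# dawarich_photon_api_host: "photon.lan.balders.ca"

# OIDC via Authentik. Client id/secret live in Infisical /oidc/ (pushed into
# Authentik by homelab-ansible-pi-auth's oidc_clients role).
dawarich_oidc_enabled: true
dawarich_oidc_issuer: "https://auth.balders.ca/application/o/dawarich/"
# Must match the redirect URI registered on the Authentik side exactly
# (scheme, host, path); a mismatch is rejected by the provider.
dawarich_oidc_redirect_uri: "https://dawarich.balders.ca/users/auth/openid_connect/callback"
dawarich_oidc_provider_name: "Authentik"

# false → only OIDC users can sign in (we want SSO-only). First OIDC login
# becomes the canonical user account.
dawarich_allow_email_password_registration: false
# Auto-register means any identity Authentik will authenticate for this client
# gets an account; access control therefore lives in Authentik's policy for
# the dawarich application, not here.
dawarich_oidc_auto_register: true

# Infisical (secrets source). Project id and client id are identifiers, not
# credentials; only the client secret is sensitive and is kept out of this file
# (vault_* name suggests Ansible Vault — keep the quotes so the Jinja expression
# is not parsed as a YAML flow mapping).
infisical_url: "https://secrets.balders.ca"
infisical_project_id: "50062d7c-06ff-4d5c-8ca3-6c0cdba9f270"
infisical_client_id: "828d2cc8-eb25-4b1e-a711-c9a4b1580106"
infisical_client_secret: "{{ vault_infisical_client_secret }}"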