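---
# Secure Configuration Template
# This file demonstrates which fields should be encrypted
#
# Usage:
#   1. Copy this file: cp secure.yaml.example secure.yaml
#   2. Fill in your actual secrets
#   3. Encrypt: provisioning config encrypt secure.yaml --in-place
#   4. Verify: provisioning config is-encrypted secure.yaml
#
# Every value below is a placeholder. Real secrets are never written into the
# template itself; they go into the copy, which is encrypted before it is
# committed. Some placeholders imitate real token formats (ghp_..., glpat-...,
# GOCSPX-...), so a secret scanner may flag even this template.
#
# Whole-file SOPS encryption encrypts every value, so the "(not sensitive)"
# remarks below mean a value would be safe in plaintext, not that SOPS skips
# it. With SOPS defaults, only keys whose name ends in the configured
# unencrypted_suffix (see the metadata example at the bottom) stay readable
# after encryption. Confirm this against the encrypt command's own rules.

# ============================================================================
# Cloud Provider Credentials (ENCRYPT THIS FILE!)
# ============================================================================
providers:
  aws:
    # AWS credentials (SENSITIVE - must be encrypted)
    access_key_id: "AKIAIOSFODNN7EXAMPLE"
    secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    # Optional for temporary credentials; keep the empty string (not null)
    session_token: ""
    region: "us-east-1"
    # KMS key for SOPS encryption (not sensitive, can be plain)
    kms_key_arn: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

  upcloud:
    # UpCloud credentials (SENSITIVE - must be encrypted)
    username: "your-upcloud-username"
    password: "your-upcloud-password"
    zone: "de-fra1"

  local:
    # SSH keys for local provider (SENSITIVE - must be encrypted)
    # These values are paths, not key material: the key files they point to
    # live outside this config and must be protected on disk separately.
    ssh_private_key_path: "/home/user/.ssh/id_rsa"
    ssh_public_key_path: "/home/user/.ssh/id_rsa.pub"

# ============================================================================
# Database Credentials (ENCRYPT THIS FILE!)
# ============================================================================
databases:
  postgres:
    host: "db.example.com"
    port: 5432
    database: "provisioning"
    # Credentials (SENSITIVE - must be encrypted)
    username: "db_admin"
    password: "SuperSecretPassword123!"
    # "require" encrypts the connection but does not verify the server
    # certificate; "verify-full" is the stricter choice when the CA is known.
    ssl_mode: "require"
    # Connection pool settings (not sensitive)
    max_connections: 100
    min_connections: 10

  redis:
    host: "redis.example.com"
    port: 6379
    # Redis password (SENSITIVE - must be encrypted)
    password: "RedisSecretPassword456!"
    database: 0
    ssl: true

# ============================================================================
# API Keys and Tokens (ENCRYPT THIS FILE!)
# ============================================================================
api_keys:
  # GitHub API token (SENSITIVE - must be encrypted)
  github:
    token: "ghp_1234567890abcdefghijklmnopqrstuvwxyz"

  # Slack webhook (SENSITIVE - must be encrypted)
  slack:
    webhook_url: "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXX"

  # Monitoring service (SENSITIVE - must be encrypted)
  datadog:
    api_key: "1234567890abcdefghijklmnopqrstuv"
    app_key: "abcdefghijklmnopqrstuvwxyz1234567890abcd"

  # Container registry (SENSITIVE - must be encrypted)
  docker_hub:
    username: "dockeruser"
    password: "DockerHubPassword789!"

# ============================================================================
# SSH Keys (ENCRYPT THIS FILE!)
# ============================================================================
ssh_keys:
  # Private SSH key (SENSITIVE - must be encrypted)
  production:
    private_key: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
      ... (full private key here) ...
      -----END OPENSSH PRIVATE KEY-----
    public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC... user@host"

  # Deployment key (SENSITIVE - must be encrypted)
  deployment:
    private_key: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      ... (deployment key here) ...
      -----END OPENSSH PRIVATE KEY-----

# ============================================================================
# TLS/SSL Certificates (ENCRYPT THIS FILE!)
# ============================================================================
certificates:
  # Server certificate (SENSITIVE - must be encrypted)
  server:
    cert: |
      -----BEGIN CERTIFICATE-----
      MIIDXTCCAkWgAwIBAgIJAKL0UG+mRKtjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
      ... (full certificate here) ...
      -----END CERTIFICATE-----
    # Private key (SENSITIVE - must be encrypted)
    key: |
      -----BEGIN PRIVATE KEY-----
      MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7VJTUt9Us8cKj
      ... (full private key here) ...
      -----END PRIVATE KEY-----

  # CA certificate (not sensitive if public CA, but encrypt for consistency)
  ca:
    cert: |
      -----BEGIN CERTIFICATE-----
      MIIDXTCCAkWgAwIBAgIJAKL0UG+mRKtjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
      ... (CA certificate here) ...
      -----END CERTIFICATE-----

# ============================================================================
# OAuth/OIDC Configuration (ENCRYPT THIS FILE!)
# ============================================================================
oauth:
  google:
    # OAuth client (SENSITIVE - must be encrypted)
    client_id: "123456789012-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com"
    client_secret: "GOCSPX-abcdefghijklmnopqrstuvwxyz"
    redirect_uri: "https://app.example.com/auth/callback"

  github:
    # GitHub OAuth (SENSITIVE - must be encrypted)
    client_id: "Iv1.1234567890abcdef"
    client_secret: "1234567890abcdefghijklmnopqrstuvwxyz1234"

# ============================================================================
# Secret Keys and Salts (ENCRYPT THIS FILE!)
# ============================================================================
secrets:
  # Application secret key (SENSITIVE - must be encrypted)
  app_secret_key: "supersecretkey123456789abcdefghijklmnopqrstuvwxyz"

  # JWT signing key (SENSITIVE - must be encrypted)
  jwt_secret: "jwtsecret123456789abcdefghijklmnopqrstuvwxyz"

  # Encryption key (SENSITIVE - must be encrypted)
  encryption_key: "encryptionkey123456789abcdefghijklmnopqrstuvwxyz"

  # Password salt (SENSITIVE - must be encrypted)
  password_salt: "salt123456789abcdefghijklmnopqrstuvwxyz"

# ============================================================================
# Webhooks (ENCRYPT THIS FILE!)
# ============================================================================
webhooks:
  # Webhook secret for signature verification (SENSITIVE - must be encrypted)
  github:
    secret: "webhook_secret_github_123456789"

  gitlab:
    token: "glpat-1234567890abcdefghij"

# ============================================================================
# SOPS Metadata (automatically added after encryption)
# ============================================================================
# After encryption, SOPS will add metadata at the end:
#
# sops:
#   kms: []
#   gcp_kms: []
#   azure_kv: []
#   hc_vault: []
#   age:
#     - recipient: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
#       enc: |
#         -----BEGIN AGE ENCRYPTED FILE-----
#         ...
#         -----END AGE ENCRYPTED FILE-----
#   lastmodified: "2025-10-08T10:00:00Z"
#   mac: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
#   pgp: []
#   unencrypted_suffix: _unencrypted
#   version: 3.10.2
#
# The "mac" entry is what "is-encrypted" and decryption rely on to detect
# tampering; do not hand-edit an encrypted file, use the edit-secure command.

# ============================================================================
# Important Notes
# ============================================================================
# 1. NEVER commit this file to git without encryption!
# 2. After filling in secrets, immediately encrypt:
#    provisioning config encrypt secure.yaml --in-place
#
# 3. Verify encryption:
#    provisioning config is-encrypted secure.yaml
#
# 4. Only encrypted files with SOPS metadata are safe to commit
#
# 5. To edit encrypted file:
#    provisioning config edit-secure secure.yaml
#
# 6. File naming conventions for auto-encryption:
#    - secure.yaml (in workspace/config/)
#    - *.enc.yaml (anywhere)
#    - *credentials*.toml (in providers/)
#    - *secret*.yaml (in platform/)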