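---
# Variables for Vault API access, initialisation, unseal and OIDC login.
# The secret values at the bottom are intentionally left commented out;
# supply them from an encrypted source, never as plaintext in this file.

# --- Vault API ---
# NOTE(review): the scheme is plain http, so whatever is sent to this
# endpoint (presumably the root token and unseal keys named below) crosses
# the network unencrypted. Prefer an https:// listener; confirm what the
# Vault server actually serves before changing the URL.
vault_url: "http://nas.lan.toal.ca:8200"
# Certificate verification is on by default. It only matters once vault_url
# is https (there is no certificate to check over plain http). Override to
# false per host only while a certificate is still untrusted.
vault_validate_certs: true

# --- Init ---
# Unseal key shares to generate, and how many of them are needed to unseal.
vault_init_key_shares: 5
vault_init_key_threshold: 3

# --- OIDC ---
vault_oidc_client_id: vault
# Group that receives admin access; presumably matched against a groups
# claim from the identity provider -- verify in the consuming tasks.
vault_oidc_admin_group: vault-admins
# Lifetime of tokens issued through OIDC login: default and upper bound.
vault_oidc_default_ttl: 1h
vault_oidc_max_ttl: 8h

# --- Unseal ---
# vault_unseal_keys: []  # list of 3+ unseal key strings (from 1Password)

# --- Secrets (required, set via vault or host_vars) ---
# If these are set in host_vars, keep that file encrypted (e.g. with
# Ansible Vault) so the values never land in version control as plaintext.
# NOTE(review): a root token is unrestricted; consider revoking it once the
# play that needs it has finished.
# vault_vault_root_token:  # root token from 1Password (required for Play 2)
# vault_vault_oidc_client_secret:  # OIDC client secret from Keycloak (required for Play 2)
# vault_oidc_issuer:  # e.g. https://keycloak.apps.openshift.toal.ca/realms/toallab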