---

# User can be overridden by a vault variable or from hosts file entry or ansible cmdline
username: "{{ vault_username | default(ansible_user_id) }}"

# Use google authenticator config from vault if it's there
# 1st line secret can be 16 or 26 chars
# NOTE: Be sure to use char encoding for spaces
# vault_google_auth_config:
#   - name: host1.example.com
#     label: "Mailsys%20{{ inventory_hostname_short }}:{{ username }}"
#     issuer: "Example%20Corp%20Mailsys"
#     secret: |
#       6DRWZ2AWOAFAQMSI
#       "RATE_LIMIT 3 30
#       " WINDOW_SIZE 3
#       " DISALLOW_REUSE
#       " TOTP_AUTH
#       36011504
#       52878834
#       36710801
#       23387673
#       16670568
#   - name: hosty.somewhere.com
#     secret: |
#       MVXECANUVTIQ2647HK3S35FM3A
#       " RATE_LIMIT 3 30 1734051365
#       " DISALLOW_REUSE 57801712
#       " TOTP_AUTH
#       17029728
#       27355189
#       27432004
#       50794981
#       18624382
google_auth_config: "{{ vault_google_auth_config | default('NEW') }}"

# Force use of token even with SSH key
google_auth_force: false

# Default label and issuer if not defined in vault_google_auth_config for the host(s)
# NOTE: Be sure to use char encoding for spaces
google_auth_label: "Example%20{{ inventory_hostname_short }}:{{ username }}"
google_auth_issuer: "Example%20Inc."

google_auth_packages:
  - libpam-google-authenticator
  - python3-qrcode
  - qrencode