---
all:
  vars:
    client_id: "{{ CLIENT_ID }}"
    client_name: "{{ CLIENT_NAME }}"
    billing_model: "hybrid"
    maintenance_window_start: "02:00"
    maintenance_window_end: "05:00"
    maintenance_window_tz: "UTC"
    n8n_webhook_url: "{{ lookup('env', 'N8N_WEBHOOK_URL') }}"
    human_estimate_seconds: 2700
    change_freeze: false
    ansible_ssh_extra_args: "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"

  children:
    # --- NETWORK LAYER ---
    firewalls:
      children:
        opnsense:
          hosts:
            client-fw-01:
              ansible_host: "{{ FW_HOST }}"

        pfsense_nodes:
          # Depends on variables set in group_vars/pfsense_nodes.yml
          hosts:
            client-fw-01:
              ansible_host: "{{ FW_HOST }}"
              ansible_port: 22222
              ansible_user: "{{ FW_USER }}"
              ansible_ssh_private_key_file: "~/.ssh/client_{{ CLIENT_SLUG }}"
              ha_role: "primary"        # Use: primary | backup
              #ha_peer: "client-fw-02"  # Uncomment if this node is part an HA pair

    # --- INFRASTRUCTURE ---
    hypervisors:
      children:
        proxmox:
          hosts:
            client-pv-01:
              ansible_host: "{{ PV_HOST }}"
        xcp:
          hosts:
            client-xcp-01:
              ansible_host: "{{ XCP_HOST }}"

    # --- WORKSTATIONS/SERVERS ---
    linux_hosts:
      hosts: {}
      vars:
        ansible_user: root
        ansible_ssh_private_key_file: "~/.ssh/client_{{ CLIENT_SLUG }}"
        os_family: "debian"

    windows_hosts:
      hosts: {}
      vars:
        ansible_user: Administrator
        ansible_connection: winrm
        ansible_winrm_transport: ntlm
        ansible_winrm_server_cert_validation: validate
        ansible_port: 5986