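---
# Rougail dictionary (format 1.1) describing LDAP remote accounts, manually
# created users and user families. The variable paths used below
# (accounts.remotes, accounts.users.*, accounts.families) indicate that these
# keys are resolved under the "accounts" namespace.
version: 1.1

# List of remote LDAP servers (domain names). Each value produces one
# "remote_<suffix>" family below.
# NOTE(review): hidden and tagged `provider: LDAP`, so the value presumably
# comes from the provider link rather than manual input; confirm.
remotes:
  description: Create account and connection to an LDAP server
  type: domainname
  multi: true
  mandatory: false
  hidden: true
  provider: LDAP

# Dynamic family: instantiated once per value of accounts.remotes, with
# {{ suffix }} replaced by that value. All members are optional and tagged
# with an LDAP:* sub-provider.
"remote_{{ suffix }}":
  dynamic:
    variable: accounts.remotes
  hidden: true

  family:
    description: 'LDAP family name for {{ suffix }}'
    mandatory: false
    provider: LDAP:family

  dn:
    description: 'LDAP account DN for {{ suffix }}'
    mandatory: false
    provider: LDAP:dn

  # Credential paired with the account DN above (presumably the bind
  # password). `type: secret` declares it as sensitive.
  # NOTE(review): confirm how the LDAP:password provider transports and
  # stores this value, and that it is kept out of generated documentation,
  # exports and logs.
  password:
    description: 'LDAP password for {{ suffix }}'
    type: secret
    mandatory: false
    provider: LDAP:password

  base_dn:
    description: 'LDAP base DN for {{ suffix }}'
    mandatory: false
    provider: LDAP:base_dn

# Leadership family for users that belong to no family: ldap_user_mail is the
# first variable (the leader); the variables after it hold one value per mail
# address.
users:
  description: Users management
  help: >-
    Management of manually created local users. Those users are not
    classified
  type: leadership

  ldap_user_mail:
    description: Email address
    examples:
      - johndoe@example.net
    help: A user is identified by his email address.
    type: mail
    mandatory: false

  ldap_user_aliases:
    description: Email aliases
    multi: true
    examples:
      - jdoe@example.net
    type: mail
    mandatory: false

  ldap_user_uid:
    description: Account name
    examples:
      - jdoe
    type: unix_user

  ldap_user_gn:
    description: Given name
    examples:
      - John
    type: string

  ldap_user_sn:
    description: Surname
    examples:
      - Doe
    type: string

  # Per-user password. It is not typed in by hand: the default is computed by
  # the get_password filter applied to the user's mail address, and the
  # variable is hidden.
  # NOTE(review): type="cleartext" suggests the plaintext value reaches the
  # templates; confirm it is hashed before it is stored in the directory and
  # that any rendered file holding it has restrictive permissions.
  # temporary=true presumably marks the password as one to be replaced at
  # first use, and hide=general.hide_secret presumably masks it in output;
  # confirm both against the get_password implementation.
  ldap_user_password:
    type: secret
    default:
      jinja: >-
        {{ accounts.users.ldap_user_mail |
        get_password(server_name=general.network.interface_0.domain_name,
        description="ldap user", type="cleartext",
        hide=general.hide_secret, temporary=true) }}
    hidden: true

# Names of the families to create. Each value produces one "family_<suffix>"
# family below; `type: unix_user` restricts the names to that type's syntax.
families:
  description: Families to create
  type: unix_user
  multi: true
  help: >-
    Users can be classified into families. This variable contains all the
    names of the families to be created.
  mandatory: false

# Dynamic family: instantiated once per value of accounts.families. It holds
# the same leadership structure as the top-level "users" family.
"family_{{ suffix }}":
  description: 'Management of family {{ suffix }}'
  dynamic:
    variable: accounts.families

  users:
    description: 'Users management for the family {{ suffix }}'
    help: >-
      Management of manually created users. Those users are classified in a
      family.
    type: leadership

    ldap_user_mail:
      description: 'Email address for the family {{ suffix }}'
      examples:
        - johndoe@family.net
      help: A user is identified by his email address.
      type: mail
      mandatory: false

    ldap_user_aliases:
      description: 'Email aliases for the family {{ suffix }}'
      examples:
        - jdoe@family.net
      type: mail
      multi: true
      mandatory: false

    ldap_user_uid:
      description: 'Account name for the family {{ suffix }}'
      examples:
        - jdoe
      type: unix_user

    ldap_user_gn:
      description: 'Given name for the family {{ suffix }}'
      examples:
        - John
      type: string

    ldap_user_sn:
      description: 'Surname for the family {{ suffix }}'
      examples:
        - Doe
      type: string

    # Per-user password for family members, computed like the top-level
    # users' one but keyed on the sibling ldap_user_mail through the relative
    # path `_.` and a distinct description ("ldap family user").
    # NOTE(review): the same cleartext handling questions apply here; confirm
    # the value is hashed before storage and never written to a readable
    # file.
    ldap_user_password:
      type: secret
      default:
        jinja: >-
          {{ _.ldap_user_mail |
          get_password(server_name=general.network.interface_0.domain_name,
          description="ldap family user", type="cleartext",
          hide=general.hide_secret, temporary=true) }}
      hidden: true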