---
# whawty-auth instance definitions for chaos-at-home.org.
# NOTE(review): the nesting below was rebuilt from a whitespace-collapsed copy
# of this file; confirm it against the schema the consuming role expects.

# ZFS dataset that the per-instance storage entries use as their parent.
_whawty_auth_zfs_base_:
  pool: storage
  name: whawty/auth

whawty_auth_instances:
  passwd.chaos-at-home.org:
    # NOTE(review): unquoted, so YAML reads this as a float; quote it if a
    # release such as 0.10 is ever pinned here, or it would collapse to 0.1.
    version: 0.3
    port: 3080
    store: "{{ whawty_auth_store__chaos_at_home }}"

    sync:
      port: 3022
      # SSH public keys of the peers accepted for store sync (ch-http-proxy
      # and ch-pan, going by the key comments). Each entry is a standing
      # credential: remove keys of decommissioned hosts.
      # NOTE(review): what these keys are permitted to do on port 3022 is
      # decided by the role, not visible here; confirm it is sync-only.
      authorized_keys:
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsY3QIaN/S05EHZ9IF6GWgXG0wAh5qAxgQAq7ZLtNP8 whawty-auth-sync-chaos-at-home@ch-http-proxy
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHoyvg0McwpPFAT642lm9MIGG2/6Hi+hFe8IvmroDar whawty-auth-sync-chaos-at-home@ch-pan

    ldap:
      # 636 is the conventional LDAP-over-TLS port; the tls block below
      # supplies the server certificate for it.
      port: 636
      hostnames:
        - ldap.chaos-at-home.org
      tls:
        certificate_provider: static-ca
        certificate_config:
          ca:
            # NOTE(review): key_content carries the internal CA's private
            # key. Verify the variable comes from an encrypted source (for
            # example Ansible Vault) and that tasks handling it do not log it.
            key_content: "{{ chaos_at_home_internal_ca_key }}"
            cert_content: "{{ chaos_at_home_internal_ca_cert }}"
          key:
            type: RSA
            size: 4096
          cert:
            # NOTE(review): keyAgreement applies to (EC)DH keys and has no
            # effect for an RSA key. With key usage marked critical and no
            # keyEncipherment, strict clients should refuse static-RSA key
            # exchange with this certificate; confirm that is the intent.
            key_usage:
              - digitalSignature
              - keyAgreement
            key_usage_critical: true
            extended_key_usage:
              - serverAuth
            extended_key_usage_critical: true
            create_subject_key_identifier: true
            # Validity window as relative offsets: starts now, 365 days long.
            # renew_margin is presumably the time before expiry at which the
            # certificate gets re-issued; confirm in the provider role.
            not_before: '+0h'
            not_after: '+365d'
            renew_margin: '+70d'

    storage:
      type: zfs
      parent: "{{ _whawty_auth_zfs_base_ }}"
      name: passwd.chaos-at-home.org
      properties:
        quota: 128M

    publish:
      zone: "{{ apps_publish_zone__chaos_at_home }}"
      hostnames:
        - passwd.chaos-at-home.org
      tls:
        certificate_provider: acmetool
        certificate_config:
          request:
            challenge:
              # NOTE(review): switches off the HTTP challenge self-test, so a
              # broken challenge path is only noticed when issuance or renewal
              # fails; monitor certificate expiry for this hostname.
              http-self-test: false