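---
# Host variables for the Greenbone host in the svc network zone.
# NOTE(review): this file was rebuilt from a copy whose line breaks were lost.
# The nesting below follows key order and the references visible in the values
# (e.g. install.interfaces). Verify it against the consuming roles' schema,
# especially where renew_margin sits inside greenbone_server_tls.

install_jumphost: ch-jump

system_lvm_volume_size_root: 3G

install:
  vm:
    memory: 8G
    numcpus: 4
    # Canonical boolean; `True` only parses as a bool under YAML 1.1 rules.
    autostart: true
  disks:
    primary: /dev/sda
    scsi:
      sda:
        type: zfs
        name: root
        size: 30g
        properties:
          # ZFS user property, kept as the string 'false'.
          # NOTE(review): presumably excludes this dataset from syncoid
          # replication; confirm the host is meant to have no replica.
          'syncoid:sync': 'false'
  interfaces:
    - bridge: br-svc
      name: svc0

network:
  nameservers: "{{ network_zones.svc.dns }}"
  domain: "{{ host_domain }}"
  systemd_link:
    interfaces: "{{ install.interfaces }}"
  primary: &_network_primary_
    name: svc0
    address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
    gateway: "{{ network_zones.svc.gateway }}"
    static_routes:
      # The lan zone is reached via ch-gw-lan rather than the default gateway.
      - destination: "{{ network_zones.lan.prefix }}"
        gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
  interfaces:
    - *_network_primary_

ntp_variant: systemd-timesyncd

spreadspace_apt_repo_components:
  - prometheus

# Blackbox probes run from ch-mon against this host's svc address.
prometheus_job_multitarget_blackbox__probe:
  ch-mon:
    - instance: "ssh-{{ inventory_hostname }}"
      target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
      module: ssh_banner
    # The HTTPS probe addresses the host by IP, so certificate validation can
    # only succeed through the IP SANs from greenbone_server_tls ... san_extra.
    # NOTE(review): whether http_tls_2xx verifies the chain against the
    # internal CA is defined in the blackbox config, not here; confirm.
    - instance: "https-greenbone.chaos-at-home.org"
      target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/robots.txt"
      module: http_tls_2xx

docker_pkg_provider: docker-com
docker_plugins:
  - compose

docker_storage:
  type: lvm
  vg: "{{ host_name }}"
  lv: docker
  size: 20G
  fs: ext4

# Quoted so the version stays a string. As a bare float a later release such
# as 22.10 would collapse to 22.1. Renders identically in templates.
greenbone_server_version: "22.4"
greenbone_server_hostname: "{{ host_name }}.{{ host_domain }}"
greenbone_server_tls:
  certificate_provider: static-ca
  certificate_config:
    mode: "0750"
    owner: root
    group: www-data
    ca:
      # Private key of the internal CA: anyone able to read this variable can
      # issue certificates that internal clients will trust.
      # NOTE(review): unlike the admin password below, the variable name does
      # not show it is vault-backed. Confirm it is encrypted at rest, and
      # whether the role signs on the controller or copies the key to the host.
      key_content: "{{ chaos_at_home_internal_ca_key }}"
      cert_content: "{{ chaos_at_home_internal_ca_cert }}"
    key:
      # Group-readable: every process in www-data can read the server key.
      # NOTE(review): presumably needed by the TLS-terminating web server;
      # confirm no other service shares that group.
      mode: "0640"
      owner: root
      group: www-data
      type: RSA
      size: 4096
    cert:
      mode: "0644"
      owner: root
      group: www-data
      common_name: "{{ host_name }}"
      # One "IP:<addr>" SAN per IPv4 address reported in the host facts.
      # NOTE(review): Docker is installed on this host, so the facts likely
      # include bridge addresses as well; confirm those SANs are acceptable.
      san_extra: "{{ ['IP:'] | product(ansible_all_ipv4_addresses) | map('join') | list }}"
      key_usage:
        - digitalSignature
        # NOTE(review): keyAgreement applies to (EC)DH subject keys and has no
        # effect for an RSA key; confirm it is intended.
        - keyAgreement
      key_usage_critical: true
      extended_key_usage:
        - serverAuth
      extended_key_usage_critical: true
      create_subject_key_identifier: true
      # Relative offsets, quoted so they are unmistakably strings.
      not_before: '+0h'
      not_after: '+365d'
      renew_margin: '+70d'
# Taken from a vault variable; keep the secret out of this file.
greenbone_server_admin_password: "{{ vault_greenbone_server_admin_password }}"
# Quoted because of the leading '*'.
# presumably a systemd calendar expression (daily at 08:15) - confirm
greenbone_feed_update_schedule: "*-*-* 08:15:00"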