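---
## during install ch-jump must be reachable via mgmt or svc
install_jumphost: ch-jump

# Installer VM definition: sizing, root disk and the two bridged NICs.
install:
  vm:
    memory: 1G
    numcpus: 2
    # Canonical lowercase boolean (yamllint `truthy`); `True` parsed to the
    # same value on YAML 1.1 loaders, so this is a lint fix, not a change.
    autostart: true
  disks:
    primary: /dev/sda
    scsi:
      sda:
        type: zfs
        name: root
        size: 10g
  # Names set here are referenced by network.primary, network.interfaces and
  # dhcp_server_interfaces below; network.systemd_link reuses the whole list.
  interfaces:
    - bridge: br-svc
      name: svc0
    - bridge: br-lan
      name: lan0

network:
  nameservers: "{{ network_zones.svc.dns }}"
  domain: "{{ host_domain }}"
  systemd_link:
    interfaces: "{{ install.interfaces }}"
  # svc0 is the uplink: default gateway from the svc zone plus a static route
  # to the c3voc zone through ch-gw-c3voc. Anchored for reuse in interfaces.
  primary: &_network_primary_
    name: svc0
    address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
    gateway: "{{ network_zones.svc.gateway }}"
    static_routes:
      - destination: "{{ network_zones.c3voc.prefix }}"
        gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-c3voc']) | ansible.utils.ipaddr('address') }}"
  interfaces:
    - *_network_primary_
    # lan0 is the inside interface; its address is this host's offset in the
    # lan zone.
    - name: lan0
      address: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets[inventory_hostname]) }}"

# This host forwards between lan0 and svc0; the DNAT rules below only make
# sense with forwarding on. Whether forwarded flows are also accepted by a
# filter chain is decided elsewhere — not visible in this file.
base_sysctl_config_user:
  net.ipv4.ip_forward: 1

spreadspace_apt_repo_components:
  - prometheus

# ch-mon probes this host's SSH banner on its svc address; the port follows
# ansible_port so a non-default SSH port is probed consistently.
prometheus_job_multitarget_blackbox__probe:
  ch-mon:
    - instance: "ssh-{{ inventory_hostname }}"
      target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
      module: ssh_banner

# DHCP on the inside interface; pool, gateway and DNS come from the lan zone.
dhcp_server_interfaces:
  lan0:
    prefix: "{{ network_zones.lan.prefix }}"
    gateway: "{{ network_zones.lan.gateway }}"
    start: "{{ network_zones.lan.dhcp.start }}"
    limit: "{{ network_zones.lan.dhcp.limit }}"
    domain: "{{ host_domain }}"
    dns: "{{ network_zones.lan.dns }}"

# Traffic from lan0 (prerouting hook) or from this host itself (output hook)
# that is addressed to the public IPv4 is DNATed to the internal service
# address instead of being sent out the uplink: TCP/222 to ch-router, and one
# rule per entry of network_services. Only traffic entering on lan0 is
# matched in prerouting, so packets arriving from the uplink are not rewritten.
# `svc.ports` and `svc.addr` are substituted verbatim into nft syntax — keep
# network_services limited to numeric ports and plain addresses, otherwise the
# rendered ruleset fails to load.
nftables_base_rules:
  public-services: |
    define nic_lan = lan0
    define public_ipv4 = {{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}
    table ip nat {
      chain public-services-prerouting {
        type nat hook prerouting priority -100; policy accept;
        iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-router']) | ansible.utils.ipaddr('address') }} comment "ssh-router"
    {% for name, svc in network_services.items() %}
        iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
    {% endfor %}
      }
      chain public-services-output {
        type nat hook output priority -100; policy accept;
        ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-router']) | ansible.utils.ipaddr('address') }} comment "ssh-router"
    {% for name, svc in network_services.items() %}
        ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
    {% endfor %}
      }
    }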