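---
# Ansible host_vars for the chaos-at-home jump host (VM on the "svc" zone).
# Besides the VM/network definition this host runs the whawty auth store
# (replica) and the whawty nginx-sso login endpoint for *.chaos-at-home.org.
#
# NOTE(review): the original file had lost all indentation; the nesting below
# was reconstructed from key names and the consuming roles' conventions
# (e.g. `install.interfaces` is referenced further down). Verify it against the
# vm/install and whawty role docs before trusting the exact structure.

install_jumphost: ch-jump

install:
  vm:
    memory: 2G
    numcpus: 2
    # canonical lowercase boolean (Ansible's loader treats True/yes/true alike)
    autostart: true
  disks:
    primary: /dev/sda
    scsi:
      sda:
        type: zfs
        name: root
        size: 10g
  # referenced below as install.interfaces, so it lives directly under install
  interfaces:
    - bridge: br-svc
      name: svc0

network:
  nameservers: "{{ network_zones.svc.dns }}"
  domain: "{{ host_domain }}"
  systemd_link:
    interfaces: "{{ install.interfaces }}"
  # anchored so the same interface definition can be listed under interfaces
  # without duplicating it (alias is only used inside this document)
  primary: &_network_primary_
    name: svc0
    address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
    gateway: "{{ network_zones.svc.gateway }}"
    static_routes:
      # reach the LAN zone via the ch-gw-lan gateway instead of the default route
      - destination: "{{ network_zones.lan.prefix }}"
        gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
  interfaces:
    - *_network_primary_

ntp_variant: systemd-timesyncd

# production Let's Encrypt directory; certificates below are issued from here
acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"

spreadspace_apt_repo_components:
  - main
  - prometheus

prometheus_exporters_extra:
  - ssl

prometheus_job_multitarget_blackbox__probe:
  ch-mon:
    # SSH reachability of this host on its svc address; honours a non-default
    # ansible_port so the probe follows a moved sshd
    - instance: "ssh-{{ inventory_hostname }}"
      target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
      module: ssh_banner
    # TLS + 2xx check of the public SSO login page through the http proxy
    - instance: "https-login.chaos-at-home.org"
      target: "https://{{ network_services.http.addr }}/login"
      module: "http_tls_2xx"
      hostname: "login.chaos-at-home.org"

prometheus_job_multitarget_ssl__probe:
  ch-http-proxy:
    # expiry monitoring of the published app certificates; the glob MUST stay
    # quoted, a bare `*` would be parsed as a YAML alias
    - instance: "sslcert-apps-publish-{{ inventory_hostname }}"
      target: "/etc/ssl/apps-publish-*/*.pem"
      module: file

whawty_auth_store_instances:
  chaos-at-home:
    config: "{{ whawty_auth_store__chaos_at_home | combine({'basedir': '/var/lib/whawty/auth/chaos-at-home'}) }}"
    # the store holds password hashes: keep files/dirs private to the service user
    permissions:
      file-mode: "0600"
      dir-mode: "0700"
    # this host pulls the store from the master as a sync client
    # NOTE(review): presumably an SSH endpoint (user "sync", port 3022) — confirm
    # the client pins/verifies the master's host key rather than trusting on first use
    sync:
      type: client
      hostname: "192.168.32.1"
      port: 3022
      user: sync
    prometheus: true

whawty_nginx_sso_backends:
  chaos-at-home:
    # matches web.listen of the login instance below
    port: 1234
    login_url: https://login.chaos-at-home.org/login

whawty_nginx_sso_logins:
  chaos-at-home:
    hostname: login.chaos-at-home.org
    tls:
      certificate_provider: acmetool
      certificate_config:
        request:
          challenge:
            # acmetool: skip the local reachability self-test of the HTTP challenge
            http-self-test: false
    config:
      cookie:
        # domain-scoped cookie: every *.chaos-at-home.org host receives it,
        # which is what makes the SSO work — but also means any host under the
        # domain can read the session token; keep the set of subdomains trusted
        domain: ".chaos-at-home.org"
        # the __Secure- prefix is only honoured by browsers when the Secure
        # attribute is set, hence secure must stay true
        name: __Secure-chaos-at-home-sso
        secure: true
        # session lifetime, just under seven days
        expire: 167h
        # cookie signing keys come from vault; keep entries dated so that
        # rotation is just adding a new key (NOTE(review): confirm the role
        # treats the first/last entry as the active signer)
        keys:
          - name: "2023-11"
            ed25519:
              private-key-data: "{{ vault_whawty_nginx_sso_login_keys['chaos-at-home']['2023-11'] }}"
        # session/revocation storage; the role is expected to fill in the path
        backend:
          bolt: {}
      auth:
        whawty:
          store: /etc/whawty/auth/store-chaos-at-home.yml
          autoreload: true
          # password-hash upgrades are forwarded to the master over the local
          # proxy: the URL targets loopback, while http-host selects the vhost
          # and tls.server-name makes certificate verification use the real
          # name instead of 127.0.0.1 (do not drop server-name, that would
          # either break or weaken the TLS check)
          remote-upgrades:
            url: https://127.0.0.1/api/update
            http-host: passwd.chaos-at-home.org
            tls:
              server-name: passwd.chaos-at-home.org
      web:
        # loopback only; nginx (whawty_nginx_sso_backends) fronts this port
        listen: "127.0.0.1:1234"
        login:
          title: "chaoSSO login"
        # bearer tokens other instances present to fetch revocations; vault-sourced
        # NOTE(review): placed under web per the nginx-sso schema as remembered —
        # verify against the role's rendered config
        revocations:
          tokens: "{{ vault_whawty_nginx_sso_sync_tokens['chaos-at-home'] | dict2items | map(attribute='value') }}"
      prometheus:
        # metrics endpoint, loopback only
        listen: "127.0.0.1:1235"

prometheus_job_multitarget_whawty_nginx_sso:
  ch-http-proxy:
    - instance: "whawty-nginx-sso-{{ inventory_hostname }}-chaos-at-home"
      instance_name: chaos-at-home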