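---
# Ansible host variables: VM install profile, network layout, NTP, Prometheus
# probes, the "mqtt" managed CA and the Mosquitto broker (iot + svc listeners).
# Booleans are written as true/false (yamllint `truthy`); quoted "true"/"false"
# values are deliberate, they are emitted verbatim into mosquitto.conf.

install_jumphost: ch-jump

install:
  vm:
    memory: 1G
    numcpus: 1
    autostart: true
    disks:
      primary: /dev/sda
      scsi:
        sda:
          type: zfs
          name: root
          size: 5g
    interfaces:
      - bridge: br-svc
        name: svc0
      - bridge: br-iot
        name: iot0

network:
  nameservers: "{{ network_zones.svc.dns }}"
  domain: "{{ host_domain }}"
  systemd_link:
    interfaces: "{{ install.interfaces }}"
  # svc0 is the primary interface; the anchor is re-used once in `interfaces` below.
  primary: &_network_primary_
    name: svc0
    address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
    gateway: "{{ network_zones.svc.gateway }}"
    static_routes:
      # LAN zone is reached via the ch-gw-lan host inside the svc zone.
      - destination: "{{ network_zones.lan.prefix }}"
        gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
  interfaces:
    - *_network_primary_
    - name: iot0
      address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) }}"

ntp_variant: chrony
ntp_client:
  pools:
    - name: at.pool.ntp.org
      options: iburst
ntp_server:
  # NTP service is only offered towards the iot zone.
  allow:
    - "{{ network_zones.iot.prefix }}"

spreadspace_apt_repo_components:
  - prometheus

prometheus_exporters_extra:
  - chrony
  - mosquitto

prometheus_job_multitarget_blackbox__probe:
  ch-mon:
    - instance: "ssh-{{ inventory_hostname }}"
      target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
      module: ssh_banner
    # TLS probe of the svc broker listener; `hostname` is the expected SNI / cert name.
    - instance: "mqtt-mqtt.chaos-at-home.org"
      target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:1883"
      module: "tcp_tls_connect"
      hostname: "mqtt.chaos-at-home.org"

managed_ca_authorities:
  mqtt:
    key:
      type: RSA
      size: 4096
    cert:
      common_name: chaos-at-home CA for mqtt
      not_before: +0h
      not_after: +2080w # ~40 years

mosquitto_broker_global_config_options:
  per_listener_settings: "true"

mosquitto_broker_listeners:
  # Plain-TCP listener on the iot zone address, password-authenticated.
  # No `tls` block is configured here, so credentials cross the iot zone unencrypted;
  # access is scoped by the iot ACL file below.
  iot:
    bind: "1883 {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
    options:
      allow_anonymous: "false"
      acl_file: /etc/mosquitto/iot.acl
      password_file: /etc/mosquitto/iot.passwd
  # mTLS listener on the svc zone address; clients authenticate with a certificate
  # issued by the "mqtt" managed CA and are identified by the certificate subject.
  svc:
    bind: "1883 {{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
    hostnames:
      - mqtt.chaos-at-home.org
    tls:
      certificate_provider: managed-ca
      certificate_config:
        ca:
          host: ch-iot
          name: mqtt
        cert:
          san_extra:
            - "IP:{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
          extended_key_usage:
            - serverAuth
          extended_key_usage_critical: true
          create_subject_key_identifier: true
          not_after: +100w
    options:
      allow_anonymous: "false"
      require_certificate: "true"
      cafile: /etc/mosquitto/ca_certificates/svc-ca-crt.pem
      use_identity_as_username: "true"
      # NOTE(review): no acl_file is set for this listener, so every client holding a
      # certificate from the mqtt CA is unrestricted on all topics; enabling the svc ACL
      # (commented out here and under mosquitto_broker_acl_files) would scope that.
      # acl_file: /etc/mosquitto/svc.acl

mosquitto_broker_prometheus_listener: true

mosquitto_broker_acl_files:
  iot: |
    user test
    topic write test/+
  # svc: |
  #   user nodered
  #   topic read test/+

mosquitto_broker_password_files:
  # Password material comes from the vault; the hash filter's argument is presumably
  # a salt/identity for the hash -- verify against the filter plugin before changing it.
  iot: |
    test:{{ vault_mosquitto_broker_passwords.iot.test | mosquitto_passwd_hash('admin@mqtt.example.com') }}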