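---
# Host variables for a public-facing VM. Per the variables below it runs an
# authoritative BIND (plus a dyndns-generated zone), a WireGuard link into the
# chaos-at-home internal zones, and a whawty auth store; the roles consuming
# these keys live elsewhere in the repository.

install:
  vm:
    memory: 2G
    numcpus: 2
    autostart: true  # canonical boolean (was `True`; Ansible's loader reads both as a bool)
    disks:
      primary: /dev/sda
      scsi:
        sda:
          type: zfs
          name: root
          size: 10g
    interfaces:
      - bridge: br-public
        name: primary0
        # quoted: colon-separated groups can be read as a sexagesimal int under
        # YAML 1.1 when every group happens to be decimal digits
        mac: "52:54:00:02:f5:a1"

network:
  nameservers: "{{ vm_host.network.dns }}"
  domain: "{{ host_domain }}"
  systemd_link:
    interfaces: "{{ install.interfaces }}"
  # addresses are derived from the vm_host bridge prefix plus this host's offset
  primary: &_network_primary_
    name: primary0
    address: "{{ vm_host.network.bridges.public.prefix | ansible.utils.ipaddr(vm_host.network.bridges.public.offsets[inventory_hostname]) }}"
    gateway: "{{ vm_host.network.bridges.public.gateway }}"
    address6: "{{ vm_host.network.bridges.public.prefix6 | ansible.utils.ipaddr(vm_host.network.bridges.public.offsets6[inventory_hostname]) }}"
    gateway6: "{{ vm_host.network.bridges.public.gateway6 }}"
  interfaces:
    - *_network_primary_

spreadspace_apt_repo_components:
  - main
  - prometheus

# NOTE(review): the `dyndns` account is added to the SSH allow-list on top of the
# admin users — presumably for the dyndns update clients; confirm against the
# dyndns role what that account is used for.
sshd_allowusers_host: "{{ admin_users_host + ['dyndns'] }}"

ntp_variant: systemd-timesyncd

wireguard_p2p_interface:
  name: remote0
  description: connection to chaos-at-home internal services
  listen_port: 51820  # WireGuard default; UDP port exposed on the public address
  addresses:
    - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
  # traffic for the svc zone and for the single legacy prometheus host is routed
  # via ch-router's address on the remote zone
  static_routes:
    - dest: "{{ network_zones.svc.prefix }}"
      gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
    - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
      gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"

wireguard_p2p_peers:
  # ch-router's WireGuard public key (not a secret; the private key is not in host_vars)
  - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI="
    endpoint:
      host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
      port: 51820
    # In WireGuard AllowedIPs is both the outbound route table and the inbound
    # source filter for this peer, so each static_routes destination above must
    # be covered here — hence the explicit /32 for ch-prometheus-legacy.
    allowed_ips:
      - "{{ network_zones.remote.prefix }}"
      - "{{ network_zones.svc.prefix }}"
      - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"

nginx_server_names_hash_bucket_size: 64

acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"

dyndns:
  domain: schaaas.at
  soa:
    ttl: 7200
    mname: ns0.chaos-at-home.org
    rname: hostmaster.schaaas.at
    refresh: 1200
    retry: 900
    expire: 2592000
    default_ttl: 60  # short TTL for the dynamic records
  static_records:
    - "schaaas.at. 7200 IN NS ns0.chaos-at-home.org."
    - "schaaas.at. 7200 IN NS ns1.chaos-at-home.org."
    - "schaaas.at. 7200 IN MX 10 mx0.chaos-at-home.org."
    - "schaaas.at. 7200 IN MX 10 mx1.chaos-at-home.org."
    - "dyn.schaaas.at. 7200 IN A 89.106.215.19"
    - "dyn.schaaas.at. 7200 IN AAAA 2a02:3e0:407::19"
    - "captive.schaaas.at. 7200 IN CNAME dyn.schaaas.at."
  # client name -> dynamic hostname label; credentials are not kept here
  clients:
    mz-router: mzl
    ch-equinox-t450s: equinox
    ele-media: elemedia

# BIND is exposed as authoritative-only: recursion is limited to localhost,
# dynamic updates are disabled and AXFR is allowed only to the secondary (ch-mimas).
bind_option_empty_zones_enable: false  # canonical boolean (was `no`; same value to Ansible)
bind_option_notify: explicit
# NOTE(review): notifies go to the IPv4 address only while transfers are allowed
# from both address families; harmless, but list external_ip6 here too if the
# secondary is expected to fetch over IPv6.
bind_option_also_notify:
  - "{{ hostvars['ch-mimas'].external_ip }}"
bind_option_allow_transfer:
  - "{{ hostvars['ch-mimas'].external_ip }}"
  - "{{ hostvars['ch-mimas'].external_ip6 }}"
bind_option_allow_update:
  - none  # BIND ACL keyword; YAML reads `none` as a string, not null
bind_option_allow_recursion:
  - localhost
# statistics channel bound to loopback and restricted to loopback — presumably
# scraped by the bind exporter listed in prometheus_exporters_extra
bind_stats_channels:
  - addr: 127.0.0.1
    port: 8053
    allow:
      - 127.0.0.1
# NOTE(review): presumably TLDs BIND refuses to serve/resolve (onion per RFC 7686,
# zip/mov as file-extension lookalikes); the exact semantics depend on the role
# template — confirm.
bind_zone_blacklist:
  - onion
  - zip
  - mov
bind_master_zones:
  chaos-at-home.org:
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.chaos-at-home.org"
  chaox.org:
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.chaox.org"
  # the four spreadspace TLDs share one zone file
  spreadspace.org:
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.spreadspace"
  spreadspace.com:
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.spreadspace"
  spreadspace.net:
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.spreadspace"
  spreadspace.systems:
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.spreadspace"
  elev8.at:
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.elev8.at"
  java-sucks.com:
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.java-sucks.com"
  xn--gh-via.org:  # punycode for gäh.org
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.gäh.org"
  # generated on the host by dyndns (see the dyndns block) rather than shipped from the repo
  schaaas.at:
    remote_file: /var/lib/dyndns/db.schaaas.at
  gimpf.org:
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.gimpf.org"
  movetogether.at:
    file: "{{ global_files_dir }}/chaos-at-home/bind-zones/db.movetogether.at"
# NOTE(review): secondaries are configured by primary address only; no TSIG key is
# set here, so inbound zone transfers are authenticated by source IP alone —
# confirm whether the bind role supports a per-zone key and use one if it does.
bind_slave_zones:
  realraum:
    masters:
      - 89.106.211.33
      - "2a02:3e0:4000:1::1"  # quoted: IPv6 literal with colons
    zones:
      - realraum.at
      - r3.at
      - hack-challenge.at
  funkfeuer:
    masters:
      - 193.33.150.114
    zones:
      - ffgraz.net
      - graz.funkfeuer.at
      - 10.in-addr.arpa
      - 150.33.193.in-addr.arpa
      - 151.33.193.in-addr.arpa

prometheus_exporters_extra:
  - bind

prometheus_job_multitarget_blackbox__probe:
  ch-mon:
    - instance: "ssh-{{ inventory_hostname }}"
      target: "{{ network.primary.address | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
      module: ssh_banner
    - instance: "https-pan.chaos-at-home.org"
      target: "https://pan.chaos-at-home.org"
      module: http_tls_2xx

whawty_auth_store_instances:
  chaos-at-home:
    config: "{{ whawty_auth_store__chaos_at_home | combine({'basedir': '/var/lib/whawty/auth/chaos-at-home'}) }}"
    # octal modes kept as quoted strings so YAML does not turn them into decimals
    permissions:
      file-mode: "0600"
      dir-mode: "0700"
    # NOTE(review): this store is a sync client of 192.168.32.1:3022 as user `sync`;
    # the transport (presumably SSH on a non-default port) is defined by the
    # whawty role — confirm.
    sync:
      type: client
      hostname: 192.168.32.1
      port: 3022
      user: sync
    prometheus: true  # canonical boolean (was `yes`; same value to Ansible)

whawty_auth_app_instances:
  chaos-at-home:
    store: chaos-at-home
    listeners:
      saslauthd:
        sockets:
          - /run/whawty/auth/chaos-at-home.sock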