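---
# Host variables for a VM on the svc network that runs redis, opendkim,
# rspamd and a postfix relay/submission service. The original "## test"
# marker and the placeholder credentials below suggest a test host;
# confirm before reusing these values anywhere else.

install_jumphost: ch-jump

install:
  vm:
    memory: 1G
    numcpus: 1
    # Canonical lowercase boolean (was `False`); same value under YAML 1.1.
    autostart: false
  disks:
    primary: /dev/sda
    scsi:
      sda:
        type: zfs
        name: root
        size: 10g
        properties:
          # Deliberately the string 'false', not a boolean.
          'syncoid:sync': 'false'
  interfaces:
    - bridge: br-svc
      name: svc0

network:
  nameservers: "{{ network_zones.svc.dns }}"
  domain: "{{ host_domain }}"
  systemd_link:
    interfaces: "{{ install.interfaces }}"
  primary: &_network_primary_
    name: svc0
    address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
    gateway: "{{ network_zones.svc.gateway }}"
    static_routes:
      # Traffic for the lan zone is routed via ch-gw-lan's address in svc.
      - destination: "{{ network_zones.lan.prefix }}"
        gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
  interfaces:
    - *_network_primary_

ntp_variant: systemd-timesyncd

# SSH logins: the normal and admin users of this host plus 'greenbone'.
sshd_allowusers_host: "{{ normal_users_host | union(admin_users_host) | union(['greenbone']) }}"


## test

redis_server_storage:
  type: lvm
  vg: "{{ host_name }}"
  lv: redis
  size: 1G
  fs: ext4

# NOTE(review): placeholder credential committed in plaintext. Before this
# host is reachable by anything but the test setup, source the value from an
# encrypted vars file (e.g. Ansible Vault) and rotate it.
redis_server_legacy_auth_password: "changeme"

opendkim_admin_mail: postmaster@chaox.org
opendkim_internal_hosts:
  - 127.0.0.1
  # - "{{ network_zones.lan.prefix }}"
  # - "{{ network_zones.svc.prefix }}"
opendkim_domains:
  chaox.org:
    keys:
      test-2024-07:
        keylength: 2048

rspamd_web:
  hostname: mx0.chaox.org
  # NOTE(review): both web-UI passwords are plaintext placeholders; replace
  # them with vaulted, unique values before the UI is exposed.
  password: secret
  enable_password: very-secret

# NOTE(review): antivirus, fuzzy_check, greylist and rbl are all switched
# off here, so those rspamd checks are not applied on this host. Presumably
# intentional for testing; confirm before carrying this over.
rspamd_modules_local_config:
  antivirus: |
    enabled = false;
  fuzzy_check: |
    enabled = false;
  greylist: |
    enabled = false;
  rbl: |
    enabled = false;

# Only loopback addresses are trusted networks for relaying.
postfix_base_mynetworks:
  - "127.0.0.0/8"
  - "[::ffff:127.0.0.0]/104"
  - "[::1]/128"
postfix_base_mydestination:
  - "$myhostname"
  - "{{ host_name }}.{{ host_domain }}"
  - "localhost"
  - mx0.chaox.org
  - mailrelay.chaox.org
postfix_base_inet_interfaces:
  - "all"
postfix_base_relayhost: 192.168.28.250

postfix_submission_hostname: mailrelay.chaox.org
postfix_submission_tls:
  certificate_provider: static-ca
  certificate_config:
    ca:
      # NOTE(review): this passes the internal CA's private key to the
      # certificate provider. Confirm where signing happens so the CA key
      # is not written to this host.
      key_content: "{{ chaos_at_home_internal_ca_key }}"
      cert_content: "{{ chaos_at_home_internal_ca_cert }}"
postfix_submission_auth_saslauthd:
  mechanism: ldap
  ldap_options:
    auth_method: fastbind
    servers: ldaps://ldap.chaos-at-home.org
    # Canonical boolean (was `yes`). A YAML 1.2 loader reads `yes` as a
    # string, which must not be able to weaken LDAP server certificate
    # verification.
    tls_check_peer: true
    tls_cacert_content: "{{ chaos_at_home_internal_ca_cert }}"
    # Presumably used as the bind identity template by fastbind; verify
    # against the role.
    filter: "%u@chaos-at-home.org"
postfix_submission_allowed_sender_domains:
  - chaox.org
postfix_submission_dkim_signer: "opendkim"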