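---
# Host variables for a VM installed via the ch-jump jump host: VM and disk
# layout, network, LVM-backed storage for docker/kubelet, a standalone
# kubernetes setup and two whawty-auth instances (foo, bar) published through
# a static-CA apps-publish zone.
#
# NOTE(review): the source this was restored from had all whitespace
# collapsed, so the nesting below is reconstructed from key names and alias
# usage. Confirm the placement of `static_routes` (under network.primary) and
# `not_after`/`renew_margin` (under tls.cert) against the consuming roles.
install_jumphost: ch-jump

install:
  vm:
    memory: 1G
    numcpus: 1
    autostart: false
  disks:
    primary: /dev/sda
    scsi:
      sda:
        type: zfs
        name: root
        size: 10g
        properties:
          # Quoted on purpose: the property value is the string 'false',
          # not a YAML boolean.
          'syncoid:sync': 'false'
  interfaces:
    - bridge: br-svc
      name: svc0

network:
  nameservers: "{{ network_zones.svc.dns }}"
  domain: "{{ host_domain }}"
  systemd_link:
    interfaces: "{{ install.interfaces }}"
  # Anchored so that the same mapping can be reused as the only entry of
  # network.interfaces below.
  primary: &_network_primary_
    name: svc0
    address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
    gateway: "{{ network_zones.svc.gateway }}"
    static_routes:
      # The lan zone is reached via the svc-zone address of ch-gw-lan.
      - destination: "{{ network_zones.lan.prefix }}"
        gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
  interfaces:
    - *_network_primary_

ntp_variant: systemd-timesyncd

#################

system_lvm_volume_size_root: 3G

lvm_volumes:
  # Thin pool that the docker, kubelet and whawty-auth volumes reference as
  # their `parent` via the alias.
  system/storage: &_lvm_thinpool_system_storage_
    vg: "{{ host_name }}"
    lv: storage
    thinpool: true
    size: 5G

spreadspace_apt_repo_components:
  - container

docker_pkg_provider: docker-com
docker_plugins:
  - buildx

docker_storage:
  type: lvm
  parent: *_lvm_thinpool_system_storage_
  lv: docker
  size: 1G
  fs: ext4

kubelet_storage:
  type: lvm
  parent: *_lvm_thinpool_system_storage_
  lv: kubelet
  size: 1G
  fs: ext4

# Version strings are quoted so that no parser can retype them.
kubernetes_version: "1.28.5"
kubernetes_container_runtime: docker

kubernetes_standalone_max_pods: 42
kubernetes_standalone_cni_variant: with-portmap

# NOTE(review): this is the private key of the CA used by the static-ca
# publish zone below, stored in cleartext. Anyone who can read this file can
# issue certificates that chain to this CA. Keep the value encrypted at rest
# (an ansible-vault encrypted string or a vaulted vars file) and, if this
# file has been committed or shared, treat the key as exposed: generate a new
# CA key/certificate pair and replace both values.
ch_testvm_prometheus_apps_publish_ca_key: |
  -----BEGIN RSA PRIVATE KEY-----
  MIIJKQIBAAKCAgEAopKJFGAl3yKFcIFI7j3M/n3lNafjBo3QySoTgtkobO2gR8Me
  E6RFwZXEquceO5MYU4BxmWN+m+mOFnTezJbQZAmGv/dPsV+yM/I/oidokg7EZNuo
  2lOrnlt9SP8koIvSBOrzVjCy84BeZWTNpKPXK26lcBoFGxjQ2PYjdW99t0gkX9Rz
  KUE9ybTb60F7mVUt99O/eWOBBdQAMPX80eyr7OjFBoQoyDAv3OMx/ZuVjhYOIE+s
  Eijjl36NCu4LQawvwd2ewIH+YeTK/VH/JN1yt9RZurlhHrajJvQ6U1t5zY8SubsX
  nTUMpTHFoX+B3vPC1fKhMnG+QoPlN2sT9lBCxZcDVKKj6zuhoFCupBWOc4m9A+yK
  zAVq0sWnmV1O2AVgtFKdFUc7D7On5hKsN8hlX83haIfyqLN45wdCeXxrHbcyHYS1
  RDTbE2Y5CKqjcgLWjrO72tDyhQJEu1ttkY6HR8d0EBd9WemvWN1xIjx5x4HHHk5e
  1VSaNKp25SucwvsySGpPfnWV4dKnIzFYPnhnpt6xsbwA0s0w/POggKgK+p4YEgtt
  GdpBbesME1OrYFu8mlj25JobVyC8H+e7DF7NKNEpLlT0VWR4E1yYTTm9rIhhM0Ne
  Cqs0mqOhr+bZ0EDpmD6O9ffyIFjIh9ArkUuf1cD/8V+33Kl8AcB4pHlFaQ0CAwEA
  AQKCAgAeWYpfRCrVyvlL3Urq9R0ftouTln3Ow6tiXqlJUHaYTU1SkFW9V3nRT78p
  I5/0gbu1HQG4H8erXjDxNszAN3h8cH3YORiG1cVsJrGj+UTvnXOjG5HcfmnH1K8h
  MUaadTfWRLF8WfeSd1jIB4dPkOmyuUOH18ezvRCCLINGoXOAA6cMv9nm7f/Vt96l
  fvJO2ATOoxh4FjAoUSFfApE59HvNLNBZbNM7Oim5TC3ROVo0biAhfpYyRrFkXxMA
  Ixv1XOqGf/Pq3unJRz/xBj2CWZgYwvskXYbIx9JSC56W4Lkuu6LEiy23osdzUIUj
  Zu0tHOc270aSJwNcogho7ePKZEXulnx721gQWzSGtY8fVmVHshyFb/h7AiU7uvzQ
  b/zh4uG/FcXfTOHWD6nLkzA0bXlnhkhodwt6qn4tCxDTzmlN5Y2oMT3yYax7fxSZ
  MVRTvwt5PUKNOf3oxx4IqdmXhVGhdMBaKfrCly4sGQksPes5bcBDbYHlDNZCRwr9
  pn1lSHqrEoD0bN+DV+jDLl2/FUXd/G6SlJUmMwINDRsLaKIM89cOwfIjJa1Y/o9Z
  iQ+XZQBKnff9fhLG3cI33CVWXF/v3C99Gy//v2kmyIxamE4cjR76p8hRM1jq896R
  Hnb2hKZAONP5a/v3cpnaW08+yvBRT+SvtPFPTuuSUwUTWCymiQKCAQEAwJ7Z/797
  p4lnZBqoDPQfDqqFzn5aTqLvyY1jOYltgxDrlgDjD3SRWDJO3rzUAzIZlCw2stGu
  wxhNAT/kaptB3QMcStiVGBnYa0YnPTwp0kVC7+jsp1+FyyGN0b1hcxbkq2EyQN3m
  RB5rQZuTKaBDSGO/VQGzTBEW4DAg9bYmBfetbhNQoBjNJ/7yTQIrL9Mf25V3LdXM
  T8txuGnOb1eP21t4Ty9mVQMiv/s5Gn611r4rO3BsQ+DSHomUbybGUrnMs4PHmO84
  lTKMCLI1RtebO0Kjhbb6ufWgdrYBzZ0Ir/eleohB8zLhKT6m99Hk57Ou1u1OIi0s
  v8jLs43MAPoK+QKCAQEA2BCecN1b/kP3Pex1ZyaXmMZJUNk9BPwFe90KrfJVAmJ9
  qo8Ql8hF95I1roCJghxo3c5EUzp/y7C+vXQdCLUrRGCG2qT5/IIuy8NclmtYSx2T
  NH+16ZtO/4EhmmazRWzTBjDyU5Umgvp9O2PKC8iGL7JC32lJ4NYX6M81NgfYXnjz
  4JlgRQZ6mtNlrN+Zc/zyzm7Pb9bSPUJj6sOadrsdgvR0gu1Yi/nKQeGpXMd9LjPT
  DFV+Nb0KIFo22MHrUPTaWl7oTtNqBWjKvvV252QzVEuxqzrFOtFMO8Fd4r/lHSAG
  kZMFBCiFrApk+hEzchn1umG9IDzBc+6JOglvIMOftQKCAQEAmCAdDbX+A+gp5s6C
  sJBQwvV77gSub/KRLH5kwjk+a0f+t56FtVwbuispTRKW4ts7hmGQ5ZNi0aQslPMQ
  A/4Qe2uMebQptDodSUPDk8IjSXT4E5/C38E6Wp5qch5+izWmbY+6764QwPXBQbSL
  +lEfMlnM72cDYu0QQwjfzw8HYqkkqI3KnFZaGN9qH9W5o/C69WJLGMEEtnR3oOy3
  ZAokjFrmXquRx0xNso/Hnpw6IppYbH4ykz1I1WNU/qAB+63P9Gr8RVWRO4wLOob8
  OrHnYFsV6HIF/L33+ClwrSH7jXYpk+dvJpKlbzyTA6Aah7/KMuaCUc2ZzPHZpzoy
  xwaziQKCAQEA0DcTuMhZQqrUtIQOj50NMljDhnoS557G2hqllAOYEHhBif/ciaii
  ZHYt7UBJQ22FUVrZVStmxDBLX99pq16Ll5U9365kigYaepqFux8vMxQJK+p2r+zP
  MEKM03JtCFZa9fhtTkbJmicyT+1WZAyV45jyAMJCQ72NxPkJ2kutIz2EJ8kmkN4x
  gMp/jRzdkH0OsAjxNmHasNYt26ssS4b+ZZiWPyXi0uGhG+QPhi1oYQHoPFaXDcpi
  29KUUEZwMtADLFuRm4T5AsV9vJBoSYyyOmXHja9RKeFQibVKeJ1cebjHG7qGdv9l
  8ekCbkntPePuffJ6g3qJIuOYsqkswnJCkQKCAQAns9UolfLKHB68NuCswjtqlozX
  KpMhDQKeS7a1/oOmlymAKJ9irmzwYvlsYTyW9mtYSurstTxKVbqIcPzY+jqGIuuh
  6gpRsKUlfFHluZHl8sCB4ZZ7g+QDQCWAfoiBNgD+pkJqlL7DGKd520NMxQyYxDH1
  cEx5blKgO2sKkkV0jTYHO7SAlVpy4j7Gm9olG8v6AxBFQrEgeI/pGANXundho6ai
  u2m8YDkIlS1zQiyyvBncNoZ5X2ZDSa1aAJn9B6lCq9PWKxhKNX8E8aVVbrDFIK4+
  zu71QecMIJVfHGtrjBbfQgFiJzxTi10YpuJvBT5HQPF4XjAN3DB15D/Gy9BG
  -----END RSA PRIVATE KEY-----
# CA certificate matching the key above; public material, no need to encrypt.
ch_testvm_prometheus_apps_publish_ca_cert: |
  -----BEGIN CERTIFICATE-----
  MIIFBDCCAuygAwIBAgIUB05Y1b+0LfULh1R7h1OUHF44VO4wDQYJKoZIhvcNAQEL
  BQAwLzEtMCsGA1UEAwwkY2gtdGVzdHZtLXByb21ldGh1ZXMgQXBwcyBQdWJsaXNo
  IENBMCAXDTI0MDExMTIwMTIyMloYDzIwNjMxMTIzMjAxMjIyWjAvMS0wKwYDVQQD
  DCRjaC10ZXN0dm0tcHJvbWV0aHVlcyBBcHBzIFB1Ymxpc2ggQ0EwggIiMA0GCSqG
  SIb3DQEBAQUAA4ICDwAwggIKAoICAQCikokUYCXfIoVwgUjuPcz+feU1p+MGjdDJ
  KhOC2Shs7aBHwx4TpEXBlcSq5x47kxhTgHGZY36b6Y4WdN7MltBkCYa/90+xX7Iz
  8j+iJ2iSDsRk26jaU6ueW31I/ySgi9IE6vNWMLLzgF5lZM2ko9crbqVwGgUbGNDY
  9iN1b323SCRf1HMpQT3JtNvrQXuZVS330795Y4EF1AAw9fzR7Kvs6MUGhCjIMC/c
  4zH9m5WOFg4gT6wSKOOXfo0K7gtBrC/B3Z7Agf5h5Mr9Uf8k3XK31Fm6uWEetqMm
  9DpTW3nNjxK5uxedNQylMcWhf4He88LV8qEycb5Cg+U3axP2UELFlwNUoqPrO6Gg
  UK6kFY5zib0D7IrMBWrSxaeZXU7YBWC0Up0VRzsPs6fmEqw3yGVfzeFoh/Kos3jn
  B0J5fGsdtzIdhLVENNsTZjkIqqNyAtaOs7va0PKFAkS7W22RjodHx3QQF31Z6a9Y
  3XEiPHnHgcceTl7VVJo0qnblK5zC+zJIak9+dZXh0qcjMVg+eGem3rGxvADSzTD8
  86CAqAr6nhgSC20Z2kFt6wwTU6tgW7yaWPbkmhtXILwf57sMXs0o0SkuVPRVZHgT
  XJhNOb2siGEzQ14KqzSao6Gv5tnQQOmYPo719/IgWMiH0CuRS5/VwP/xX7fcqXwB
  wHikeUVpDQIDAQABoxYwFDASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEB
  CwUAA4ICAQBOwXLbrM+9D9177SWrn/O9ETGBAMyITotf970eSDTfh7qeMagYY3z2
  72sABwv226ITrS/ukgyWqC/jqZFr/lONqG5ckrfn8JHJyX8PpQUW0C9TkOrd6NMu
  bgoQWXJHrKiqW56jPzo9WiQ0HqEY/QUKw7ZkhVr/SrUykSombGw0mCzPXGrpcYBe
  5p0IwEEDX7Meu6iPPXhLhK0RMtLGPNSKmnGdnlMR88DdbVzAyxS5bfwmEsaE8U4x
  3oMYCfzVTjYIu/mNizEen4TMK8MlYMD4xFP/Zsd+/l3JGfXy/qhQiOaCQZy1yhZI
  S5Ypm6IsnZ9yhz6+XysOSq1aXeMsJeADGrpCIz1MKSK6YK5J6wMvEYWLVC73FosF
  0pLbO+OANXW3/h6qatZoqCKEOmFe5vSLDbl7G4JPhl2YpW2nuKNyDhOSgH0NcbJy
  saidgBVGFz5reT+Dj3rHaGUxgnBvBRF19RAy17K4jWvQlHNYP3+K4T3fXg2Jk+TJ
  xNP1ILaGJp6lzTgWu2eOnuzoSL1nHXnFlH0j/GR/iutZMMUPWwifUn7AT1t8NcBF
  sb5sQP1wadb+tLgNH47loPxdP5Ox8xReSPgvwB5Kjt3yvRnJ7WCezG2xUQOIO2cT
  ZZPiVEsoxs6xspIPbfPPA6cOxsKPnWzp5eZpjFbDkkgURn0c2nSKlQ==
  -----END CERTIFICATE-----

# Publish zone whose certificates are issued from the static CA defined by
# the two variables above.
apps_publish_zone__ch_testvm_prometheus:
  name: ch-testvm-prometheus
  publisher: ch-testvm-prometheus
  certificate_provider: static-ca
  certificate_ca_config:
    cert_content: "{{ ch_testvm_prometheus_apps_publish_ca_cert }}"
    key_content: "{{ ch_testvm_prometheus_apps_publish_ca_key }}"

# Two whawty-auth instances that differ only in ports, LV name, destination
# directory and published hostname.
whawty_auth_instances:
  foo:
    version: "0.2-rc9"
    port: 3080
    store:
      default: 1
      params:
        - id: 1
          # NOTE(review): password-hashing cost parameters; `memory` is
          # presumably in KiB (64 MiB) - confirm against whawty-auth, and
          # confirm that a single pass (time: 1) meets the intended
          # hashing-cost target.
          argon2id:
            time: 1
            memory: 65536
            threads: 4
            length: 32
    sync:
      port: 3022
      # Only the SSH keys listed for this user are handed to the sync setup.
      authorized_keys: "{{ users.equinox.ssh }}"
    storage:
      type: lvm
      parent: *_lvm_thinpool_system_storage_
      lv: whawty-auth-foo
      size: 128M
      fs: ext4
      dest: /srv/whawty/auth/foo
    publish:
      zone: "{{ apps_publish_zone__ch_testvm_prometheus }}"
      hostnames:
        - passwd.example.com
      tls:
        certificate_provider: selfsigned
        cert:
          organization_name: "chaos-at-home"
          organizational_unit_name: "ansible"
          key_usage:
            - digitalSignature
            - keyAgreement
          key_usage_critical: true
          extended_key_usage:
            - serverAuth
          extended_key_usage_critical: true
          create_subject_key_identifier: true
          not_after: +52w
          renew_margin: +42d
  bar:
    version: "0.2-rc9"
    port: 3180
    store:
      default: 1
      params:
        - id: 1
          # NOTE(review): same cost parameters as instance foo - confirm the
          # unit of `memory` and the single pass (time: 1) there as well.
          argon2id:
            time: 1
            memory: 65536
            threads: 4
            length: 32
    sync:
      port: 3122
      authorized_keys: "{{ users.equinox.ssh }}"
    storage:
      type: lvm
      parent: *_lvm_thinpool_system_storage_
      lv: whawty-auth-bar
      size: 128M
      fs: ext4
      dest: /srv/whawty/auth/bar
    publish:
      zone: "{{ apps_publish_zone__ch_testvm_prometheus }}"
      hostnames:
        - passwd.bar.com
      tls:
        certificate_provider: selfsigned
        cert:
          organization_name: "chaos-at-home"
          organizational_unit_name: "ansible"
          key_usage:
            - digitalSignature
            - keyAgreement
          key_usage_critical: true
          extended_key_usage:
            - serverAuth
          extended_key_usage_critical: true
          create_subject_key_identifier: true
          not_after: +52w
          renew_margin: +42d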