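---
# Host variables for a VM running a mosquitto MQTT broker with two listeners:
# "example" (password file) and "foo" (TLS with client certificates).
# NOTE(review): the nesting below was rebuilt from a listing whose line breaks
# and indentation were lost - confirm it against the consuming roles.
install_jumphost: ch-jump

install:
  vm:
    memory: 1G
    numcpus: 1
    autostart: false
  disks:
    primary: /dev/sda
    scsi:
      sda:
        type: zfs
        name: root
        size: 10g
        properties:
          'syncoid:sync': 'false'
  interfaces:
    - bridge: br-svc
      name: svc0

network:
  nameservers: "{{ network_zones.svc.dns }}"
  domain: "{{ host_domain }}"
  systemd_link:
    interfaces: "{{ install.interfaces }}"
  # Anchored so the same mapping can be reused as the only interface entry.
  primary: &_network_primary_
    name: svc0
    address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
    gateway: "{{ network_zones.svc.gateway }}"
    static_routes:
      # The lan zone is reached through ch-gw-lan's address in the svc zone.
      - destination: "{{ network_zones.lan.prefix }}"
        gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
  interfaces:
    - *_network_primary_

ntp_variant: systemd-timesyncd

###

# CA "foo": RSA 4096 key, SHA-256 digest, valid for 520 weeks (about 10 years).
# The "foo" listener below names this CA for its server certificate.
managed_ca_authorities:
  foo:
    key:
      type: RSA
      size: 4096
    cert:
      common_name: foo CA
      country_name: "AT"
      locality_name: "Graz"
      organization_name: "spreadspace"
      organizational_unit_name: "ansible"
      state_or_province_name: "Styria"
      digest: sha256
      not_before: +0h
      not_after: +520w

# per_listener_settings makes mosquitto apply authentication and ACL options
# per listener instead of globally, which the two listeners below depend on.
mosquitto_broker_global_config_options:
  per_listener_settings: "true"

mosquitto_broker_listeners:
  example:
    # NOTE(review): no tls block and no bind address on this listener, so the
    # password_file credentials are not protected by TLS as configured here.
    # Presumably a bare port binds every interface - confirm in the role and
    # limit the listener to a trusted network or add TLS.
    bind: 1883
    options:
      allow_anonymous: "false"
      acl_file: /etc/mosquitto/example.acl
      password_file: /etc/mosquitto/example.passwd
  foo:
    bind: 1884 192.168.32.42
    hostnames:
      - mqtt.example.com
    tls:
      certificate_provider: managed-ca
      certificate_config:
        ca:
          host: ch-testvm-prometheus
          name: foo
        cert:
          organization_name: "spreadspace"
          organizational_unit_name: "ansible"
          san_extra:
            - "IP:192.168.32.42"
          extended_key_usage:
            - serverAuth
          extended_key_usage_critical: true
          create_subject_key_identifier: true
          not_after: +100w
    options:
      allow_anonymous: "false"
      # Clients must present a certificate that chains to cafile, and
      # mosquitto takes the certificate's CN as the MQTT username. Any
      # certificate issued under that CA with CN "consumer" or "producer"
      # therefore gets the matching entry in foo.acl - keep issuance under
      # this CA restricted.
      # NOTE(review): cafile is presumably the "foo" managed CA - confirm.
      require_certificate: "true"
      cafile: /etc/mosquitto/ca_certificates/foo-ca-crt.pem
      use_identity_as_username: "true"
      acl_file: /etc/mosquitto/foo.acl

# NOTE(review): where this listener binds and what it exposes is decided by
# the role, not by this file - confirm it is not reachable from untrusted
# networks.
mosquitto_broker_prometheus_listener: true

# mosquitto ACL format: a "user" line followed by that user's topic rules.
# "+" matches exactly one topic level.
mosquitto_broker_acl_files:
  example: |
    user admin
    topic read test/+
    user equinox
    topic write test/+
  foo: |
    user consumer
    topic read foo/+
    user producer
    topic write foo/+

# NOTE(review): the passwords ('admin', 'secret') are literal strings in this
# file and look like placeholders. For any real deployment take them from
# ansible-vault encrypted variables instead of committing them in clear text.
# The second filter argument is presumably the salt - confirm in the filter
# plugin.
mosquitto_broker_password_files:
  example: |
    admin:{{ 'admin' | mosquitto_passwd_hash('admin@mqtt.example.com') }}
    equinox:{{ 'secret' | mosquitto_passwd_hash('equinox@mqtt.example.com') }}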