---
# Host variables for sputnik, a member of the "adm" network.
# Addresses are resolved from the LDAP inventory with query('ldap', ...);
# every private key and TSIG secret is pulled from the vault (vault.*), so
# nothing secret is written in clear here.

interfaces:
  disable: true

loc_needrestart:
  override: []

# Plain http mirror. apt authenticates packages through the signed Release
# files, so package integrity does not depend on the transport; switch to
# https only if mirror traffic privacy matters.
debian_mirror: http://deb.debian.org/debian

postfix:
  primary: false
  secondary: true
  public: true  # NOTE(review): presumably "internet-reachable MX" — confirm against the role
  dkim: true
  titanic: false

loc_wireguard:
  tunnels:
    - name: sputnik
      addresses:
        - "{{ query('ldap', 'ip4', 'sputnik', 'adm') }}/24"
        - "{{ query('ldap', 'ip6', 'sputnik', 'adm') }}/64"
      listen_port: 51820
      # Interface private key never leaves the vault.
      private_key: "{{ vault.wireguard.sputnik.privkey }}"
      peers:
        # Single peer (boeing, reached on its srv address). Only the adm
        # network — its IPv4 range and the fd00:0:0:<vlan>::/64 ULA — is
        # allowed through the tunnel, so this is not a default route.
        - public_key: "{{ vault.wireguard.boeing.sputnik.pubkey }}"
          allowed_ips:
            - "{{ query('ldap', 'network', 'adm') }}"
            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
          endpoint: "{{ query('ldap', 'ip4', 'boeing', 'srv') }}:51820"
      # Tag the interface so tooling can find the adm link by alias.
      post_up:
        - '/sbin/ip link set sputnik alias adm'

# Local OpenLDAP replica, bound to the adm address only.
loc_slapd:
  ip: "{{ query('ldap', 'ip4', 'sputnik', 'adm') }}"
  replica: true
  replica_rid: 4

# Two wildcard certificates: one for the internal adm zone, one for the
# public zone. Both are obtained with DNS-01 (see loc_service_certbot).
loc_certbot:
  - mail: root@crans.org
    certname: adm.crans.org
    domains: '*.adm.crans.org'
  - mail: root@crans.org
    certname: crans.org
    domains: '*.crans.org'

# RFC2136 dynamic-update targets for the ACME challenges. Updates go to
# silice over the adm network and land in dedicated _acme-challenge zones,
# and each certificate uses its own TSIG key (name/secret pair).
# NOTE(review): the value of keeping two keys depends on silice's
# update-policy scoping each key to its own challenge zone — verify there.
loc_service_certbot:
  config:
    'crans.org':
      zone: _acme-challenge.crans.org
      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
      port: 53
      key:
        name: certbot_challenge.
        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
    'adm.crans.org':
      zone: _acme-challenge.adm.crans.org
      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
      port: 53
      key:
        name: certbot_adm_challenge.
        secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"
        algorithm: HMAC-SHA512

# All backends listen on loopback only; the proxy terminates TLS. The adm
# vhost is served with the adm.crans.org wildcard, the others with the
# role's default (presumably the crans.org certificate — confirm).
loc_reverseproxy:
  reverseproxy_sites:
    - from: status.crans.org
      to: '127.0.0.1:8080'
    - from: git2.crans.org
      to: '127.0.0.1:3000'
    - from: git2.adm.crans.org
      to: '127.0.0.1:3000'
      ssl: adm.crans.org
  redirect_sites: []
  static_sites: []

# Secondary name server, transferring zones from silice over adm.
# NOTE(review): this lookup uses 'ip' where the rest of the file uses
# 'ip4' / 'ip6' — confirm it yields the list form the bind role expects.
loc_bind:
  default:
    type: slave
    primaries: "{{ query('ldap', 'ip', 'silice', 'adm') }}"

# Host keys are published from the local LDAP replica over ldaps.
# NOTE(review): the URL is an IP literal, so certificate verification only
# succeeds if the slapd certificate carries that address as a SAN (or the
# client is configured not to verify) — confirm the ldap client settings.
loc_service_ssh_known_hosts:
  config:
    ldap:
      server: "ldaps://{{ query('ldap', 'ip4', 'sputnik', 'adm') }}"