---
interfaces:
  adm: ens18
  srv: ens19

loc_needrestart:
  override:
    - regex: inspircd
      mode: 'i'
    - regex: anope
      mode: 'i'
    - regex: thelounge
      mode: 'i'

loc_nginx:
  service_name: "thelounge"
  servers:
    - server_name:
        - "irc.crans.org"
        - "irc"
      default: true
      ssl: crans.org
      locations:
        - filter: "^~ /web/"
          params:
            - "proxy_pass http://localhost:9000/"
            - "include \"/etc/nginx/snippets/options-proxypass.conf\""
        - filter: "~ ^/$"
          params:
            - "return 302 https://irc.crans.org/web/"
        - filter: "/"
          params:
            - "return 302 \"https://wiki.crans.org/VieCrans/UtiliserIrc#Via_l.27interface_web\""

loc_thelounge:
  public: "true"

loc_inspircd:
  cloak:
    name: crans
    key: "{{ vault.inspircd.cloak.key }}"
  diepass: "{{ vault.inspircd.diepass }}"
  restartpass: "{{ vault.inspircd.restartpass }}"
  opers: "{{ vault.inspircd.opers }}"
  server:
    name: irc.crans.org
    description: Crans IRC server
    network: Crans
  admin:
    name: Pierre-Elliott Bécue
    nick: PEB
    email: root@crans.org
  ssl:
    - name: crans.org
    - name: adm.crans.org
  bind:
    - address: "{{ query('ldap', 'ip4', 'irc', 'srv') }}"
      type: clients
      clair: 6667
      ssl: 6697
      certificate: crans.org
    - address: "{{ query('ldap', 'ip6', 'irc', 'srv') }}"
      type: clients
      clair: 6667
      ssl: 6697
      certificate: crans.org
    - address: "{{ query('ldap', 'ip4', 'irc', 'adm') }}"
      type: clients
      clair: 6667
      ssl: 6697
      certificate: adm.crans.org
    - address: "{{ query('ldap', 'ip6', 'irc', 'adm') }}"
      type: clients
      clair: 6667
      ssl: 6697
      certificate: adm.crans.org
    - address: 127.0.0.1
      type: servers
      clair: 6668
  connect:
    - name: zamok
      allows:
        ipv4: "{{ query('ldap', 'ip4', 'zamok', 'srv') }}/32"
        ipv6: "{{ query('ldap', 'ip6', 'zamok', 'srv') }}/128"
      threshold: 1
    - name: irc
      allows:
        ipv4: "{{ query('ldap', 'ip4', 'irc', 'srv') }}/32"
        ipv6: "{{ query('ldap', 'ip6', 'irc', 'srv') }}/128"
      threshold: 1
    - name: gitlab
      allows:
        ipv4: "{{ query('ldap', 'ip4', 'gitzly', 'srv') }}/32"
        ipv6: "{{ query('ldap', 'ip6', 'gitzly', 'srv') }}/128"
      threshold: 10
      commandrate: 10000
    - name: monitoring
      allows:
        ipv4: "{{ query('ldap', 'ip4', 'fyre', 'adm') }}/32"
        ipv6: "{{ query('ldap', 'ip6', 'fyre', 'adm') }}/128"
      threshold: 10
      commandrate: 10000
      modes: true
  dns: "{{ query('ldap', 'ip4', 'romanesco', 'srv') }}"
  services:
    name: services.irc.crans.org
    port: 6668
    recvpass: "{{ vault.anope.recvpass }}"
    sendpass: "{{ vault.anope.sendpass }}"

loc_anope:
  recvpass: "{{ vault.anope.recvpass }}"
  sendpass: "{{ vault.anope.sendpass }}"
  options_seed: "{{ vault.anope.options_seed }}"
  services_roots: "{{ vault.anope.services_roots }}"
  services_host: "services.irc.crans.org"

loc_certbot:
  - mail: root@crans.org
    certname: crans.org
    domains: "*.crans.org"
  - mail: root@crans.org
    certname: adm.crans.org
    domains: "*.adm.crans.org"

loc_service_certbot:
  config:
    "crans.org":
      zone: _acme-challenge.crans.org
      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
      port: 53
      key:
        name: certbot_challenge.
        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
    "adm.crans.org":
      zone: _acme-challenge.adm.crans.org
      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
      port: 53
      key:
        name: certbot_adm_challenge.
        secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"
        algorithm: HMAC-SHA512