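#!/usr/bin/env ansible-playbook
---
# Network-services playbook: one play per service, each applying its roles
# to the listed *.adm.crans.org hosts.
#
# Every secret in this file is referenced through a `vault_*` variable and
# never written inline.
# NOTE(review): presumably these come from an Ansible Vault-encrypted vars
# file - confirm that file is encrypted at rest and not committed in clear.

# Deploy tunnel
# Each endpoint gets its own private key and only the peer's public key.
- hosts: sputnik.adm.crans.org
  vars:
    # NOTE(review): plain-HTTP mirror; package integrity then rests on apt's
    # repository signature checks - confirm no role relaxes them.
    debian_mirror: 'http://mirror.crans.org/debian'
    wireguard:
      sputnik: true
      private_key: "{{ vault_wireguard_sputnik_private_key }}"
      peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
  roles:
    - wireguard

- hosts: boeing.adm.crans.org
  vars:
    # Debian mirror on adm
    debian_mirror: 'http://mirror.adm.crans.org/debian'
    wireguard:
      sputnik: false
      if: ens20
      private_key: "{{ vault_wireguard_boeing_private_key }}"
      peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
  roles:
    - wireguard

# Deploy DHCP server
- hosts: dhcp.adm.crans.org
  vars:
    dhcp:
      authoritative: true
  roles:
    - isc-dhcp-server

# Deploy recursive DNS cache server
- hosts: odlyd.adm.crans.org
  roles:
    - bind-recursive

# Deploy authoritative DNS server
# masters/slaves keep only the first element ([0]) of each re2oapi lookup.
# NOTE(review): certbot_dns_secret is handed to all three hosts; confirm each
# of them needs it, and that the role restricts what the secret may update.
- hosts: silice.adm.crans.org,sputnik.adm.crans.org,boeing.adm.crans.org
  vars:
    certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
    bind:
      masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
      slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}"
      zones: "{{ lookup('re2oapi', 'dnszones') }}"
  roles:
    - bind-authoritative

# Deploy firewall
# The role list is empty, so this play applies nothing to gulp: no firewall
# configuration is managed from this playbook yet.
- hosts: gulp.adm.crans.org
  roles: []  # TODO

# Deploy Unifi Controller
- hosts: unifi.adm.crans.org
  roles:
    - unifi-controller

# Configure routers
- hosts: gulp.adm.crans.org,odlyd.adm.crans.org,ipv6-zayo.adm.crans.org
  roles:
    - logall
    - quagga

# Deploy BGP server configuration on IPv4 routers
# The same vault_zebra_password is used here and in the IPv6 play, so all
# three routers share one credential and must be rotated together.
# NOTE(review): no BGP session-authentication or prefix-filter setting is
# visible in these vars; confirm whether the quagga-ipv4 role configures them.
# Addresses and prefixes are quoted so they always load as strings.
- hosts: gulp.adm.crans.org,odlyd.adm.crans.org
  vars:
    zebra:
      password: "{{ vault_zebra_password }}"
    bgp:
      as: 204515
      router_id: '158.255.113.73'
      network: '185.230.76.0/22'
      neighbor: '158.255.113.72'
      remote_as: 8218
  roles:
    - quagga-ipv4

# Deploy BGP server configuration on IPv6 routers
# NOTE(review): same question as the IPv4 play - session authentication and
# prefix filtering are not visible here; confirm in the quagga-ipv6 role.
- hosts: ipv6-zayo.adm.crans.org
  vars:
    zebra:
      password: "{{ vault_zebra_password }}"
    bgp:
      as: 204515
      router_id: '138.231.136.200'
      network: '2a0c:700::/32'
      neighbor: '2001:1b48:2:103::bb:1'
      remote_as: 8218
  roles:
    - quagga-ipv6

# Deploy postfix on mail servers
# Both hosts are public secondaries with DKIM enabled; they differ only in
# the `titanic` flag.
- hosts: titanic.adm.crans.org
  vars:
    postfix:
      primary: false
      secondary: true
      public: true
      dkim: true
      mailman: false
      titanic: true
  roles:
    - postfix

- hosts: sputnik.adm.crans.org
  vars:
    postfix:
      primary: false
      secondary: true
      public: true
      dkim: true
      mailman: false
      titanic: false
  roles:
    - postfix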