---
interfaces:
  adm: ens18
  srv: ens19

loc_certbot:
  - mail: root@crans.org
    certname: crans.org
    domains: "*.crans.org"
  - mail: root@crans.org
    certname: adm.crans.org
    domains: "*.adm.crans.org"

loc_service_certbot:
  config:
    crans.org:
      zone: _acme-challenge.crans.org
      server: 172.16.10.147
      port: 53
      key:
        name: certbot_challenge.
        secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
    adm.crans.org:
      zone: _acme-challenge.adm.crans.org
      server: 172.16.10.147
      port: 53
      key:
        name: certbot_adm_challenge.
        secret: "{{ vault.bind.keys['certbot_adm_challenge.'].secret }}"
        algorithm: HMAC-SHA512

loc_nginx:
  ssl:
    - name: adm.crans.org
      cert: /etc/letsencrypt/live/adm.crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/adm.crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/adm.crans.org/chain.pem
    - name: crans.org
      cert: /etc/letsencrypt/live/crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
  servers: []
loc_reverseproxy:
  reverseproxy_sites:
    - { from: gitlab.crans.org, to: 127.0.0.1:8000 }
    - { from: gitlab.adm.crans.org, to: 127.0.0.1:8000, ssl: adm.crans.org }

  redirect_sites: []
  static_sites: []