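---
# Ansible host variables. Host addresses are resolved through the `ldap`
# lookup plugin (`query('ldap', ...)`) and every key/secret is taken from the
# `vault` variable, so nothing sensitive is inline here. Templated scalars
# are quoted so an empty or special-character expansion cannot change how
# YAML parses the value.
debian_mirror: http://deb.debian.org/debian

# Role flags for the postfix deployment; their exact meaning is defined by
# the postfix role — TODO confirm there.
postfix:
  primary: false
  secondary: true
  public: true
  dkim: true
  titanic: false

loc_wireguard:
  tunnels:
    # Tunnel carrying the "adm" network; `post_up` aliases the interface to
    # that name. Own addresses are this host's adm v4/v6 from LDAP.
    - name: sputnik
      addresses:
        - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}/24"
        - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv6 | first }}/64"
      listen_port: 51820
      # Private key lives only in the vault; never inline it here.
      private_key: "{{ vault.wireguard.sputnik.privkey }}"
      peers:
        # Single peer (boeing). allowed_ips restricts the tunnel to the adm
        # network: the v4 prefix comes from LDAP, the v6 prefix is built from
        # the adm VLAN id.
        - public_key: "{{ vault.wireguard.boeing.sputnik.pubkey }}"
          allowed_ips:
            - "{{ query('ldap', 'network', 'adm') }}"
            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ansible.utils.ipv4 | first }}:51820"
      post_up:
        - /sbin/ip link set sputnik alias adm

loc_slapd:
  # Bind address for the directory replica (adm v4 of this host).
  ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}"
  replica: true
  # Replica id; presumably must be unique across replicas — confirm against
  # the other slapd hosts.
  replica_rid: 4

loc_moinmoin:
  main: false

# Certificates requested on this host. `certname` is what the nginx `ssl`
# entries below refer to via /etc/letsencrypt/live/<certname>/.
loc_certbot:
  - mail: root@crans.org
    certname: adm.crans.org
    domains: "*.adm.crans.org"
  - mail: root@crans.org
    certname: crans.org
    domains: "*.crans.org"

# DNS challenge settings per certificate: the update target for the
# _acme-challenge zone and the TSIG key used to sign the update. Key names
# keep their trailing dot, matching the vault lookup key.
loc_service_certbot:
  config:
    crans.org:
      zone: _acme-challenge.crans.org
      # NOTE(review): the only literal address in this file; if this DNS
      # server is in LDAP, the `query('ldap', 'ip', ...)` form used elsewhere
      # would keep it in one place.
      server: 172.16.10.147
      port: 53
      key:
        name: certbot_challenge.
        secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
    adm.crans.org:
      zone: _acme-challenge.adm.crans.org
      server: 172.16.10.147
      port: 53
      key:
        name: certbot_adm_challenge.
        secret: "{{ vault.bind.keys['certbot_adm_challenge.'].secret }}"
        algorithm: HMAC-SHA512

loc_nginx:
  service_name: wiki
  # `name` is the handle referenced by `servers[].ssl` and
  # `reverseproxy_sites[].ssl`; the file paths follow the certbot certnames.
  ssl:
    - name: adm.crans.org
      cert: /etc/letsencrypt/live/adm.crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/adm.crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/adm.crans.org/chain.pem
    - name: crans.org
      cert: /etc/letsencrypt/live/crans.org/fullchain.pem
      cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
      trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
  servers:
    # Wiki vhost: static assets served directly, everything else handed to
    # the moinmoin uwsgi socket.
    - server_name:
        - wiki2.crans.org
      ssl: crans.org
      access_log: /var/log/nginx/wiki.log combined
      error_log: /var/log/nginx/wiki.error.log
      additional_params:
        - rewrite ^/$ $scheme://wiki2.crans.org/PageAccueil
        - client_max_body_size 15M
      locations:
        - filter: /wiki
          params:
            - alias /var/local/wiki/htdocs/
        - filter: /robots.txt
          params:
            - alias /var/local/wiki/robots.txt
        - filter: /favicon.ico
          params:
            - alias /var/local/wiki/favicon.ico
        - filter: /www-sitemap.xml
          params:
            - alias /var/local/wiki/www-sitemap.xml
        - filter: /
          params:
            - uwsgi_pass unix:///var/run/uwsgi/app/moinmoin/socket
            - include uwsgi_params

loc_reverseproxy:
  # Loopback-only upstreams; `ssl` selects a named entry from loc_nginx.ssl.
  # Which certificate the entries without `ssl` get is decided by the
  # reverseproxy role — TODO confirm the default there.
  reverseproxy_sites:
    - from: status.crans.org
      to: "127.0.0.1:8080"
    - from: git2.crans.org
      to: "127.0.0.1:3000"
    - from: git2.adm.crans.org
      to: "127.0.0.1:3000"
      ssl: adm.crans.org
  redirect_sites: []
  static_sites: []

loc_bind:
  default:
    type: slave
    # Unfiltered LDAP result (no ipv4/ipv6 | first here), presumably so the
    # primary can be reached over either family — confirm the role expects
    # a list.
    primaries: "{{ query('ldap', 'ip', 'silice', 'adm') }}"

loc_service_ssh_known_hosts:
  config:
    ldap:
      # NOTE(review): an ldaps:// URL with an IP literal only passes TLS
      # hostname verification if the server certificate carries that IP as a
      # SAN; confirm the CA/verification settings the role applies.
      server: "ldaps://{{ query('ldap', 'ip', 'sputnik', 'adm') | ansible.utils.ipv4 | first }}"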