# Do not edit this directly.
#
# Use
#  group_vars/inventory_name/vars.yml
#  host_vars/your_hostname/vars.yml
# for plaintext variables.
#
# For secrets, use the same paths with vault.yml instead of vars.yml.

### Misc settings

# Could be sudo instead
escalation_method: doas

sshd_port: 2500

# Username for the priviledged user
admin_username: maestro

# Username for unpriviledged user
username: dogeystamp

# Git repos (could be localhost if Gitea is installed)
dots_repo: http://localhost:3000/dogeystamp/dots.git
site_repo: http://localhost:3000/dogeystamp/wb5.git

# Drive with all the data stored on it (should be separate from OS drive)
# This is the raw partition, and not the mapped crypt device
secondary_disk: /dev/sda1

# Drive for backups (also separate from OS drive)
# This is the raw partition, and not the mapped crypt device
backup_disk: /dev/sda2

# Username for website deployment
web_username: ianitor

# Web root for nginx and other applications
webroot: /srv/http

# Data root
dataroot: /var/www/data

# Extra packages
util_pack:
  - neovim
  - neofetch
  - fish
  - htop
  - tmux
  - git
  - cronie
  # for chronic
  - moreutils
  - progress
  - rsync
  - man-db
  - mosh



### Network settings (nameserver, address, etc.)

# Domain to send dynamic DNS updates to
dyndns_domain: d.nerdpol.ovh

# Domain actually used for the site (this will be set up to forward to dyndns_domain)
# Set this to the same as dyndns_domain if your registrar supports dynamic DNS natively
domain: dogeystamp.com

# Forward DNS queries to
dns_forward: 1.1.1.1

# Local IP address subnet
local_subnet: 192.168.0.0/24

# CIDR prefix
subnet_prefix: /24
  
# Static address of the server (locally)
# Preferably have another one to SSH into with Ansible, as we change the IP midway
# in connection.yml
local_ip: 192.168.0.3

# Gateway address (this is your router's IP)
gateway: 192.168.0.1

# Connection interface for static IP
interface: eth0


# Settings for templates in templates/srv_conf/ and service configs
nginx_services:
  wiki:
    path: "/"
  navidrome:
    path: "/"
  gitea:
    path: "/"
  synapse:
    # Synapse does not support a prefix path.
    max_body_size: 50M
  website:
    path: "/"


# List of nginx server blocks

# domain is the domain this server block listens to
# ssl_cert is the name of the SSL certificate and key (see roles/networking/ssl)
# listens sets the ports the block will listen to
# services is a list of services (templates/srv_conf/) to place in this domain

# Ensure no two services have the same location (domain and path)

default_listens:
  - "443 ssl http2"
  - "[::]:443 ssl http2"

server_blocks:
  wiki:
    domain: "wiki.{{ domain }}"
    ssl_cert: "{{ domain }}"
    listens: "{{ default_listens }}"
    services:
      - wiki

  navidrome:
    domain: "mus.{{ domain }}"
    ssl_cert: "{{ domain }}"
    listens: "{{ default_listens }}"
    services:
      - navidrome

  gitea:
    domain: "git.{{ domain }}"
    ssl_cert: "{{ domain }}"
    listens: "{{ default_listens }}"
    services:
      - gitea

  synapse:
    domain: "m.{{ domain }}"
    ssl_cert: "{{ domain }}"
    listens:
      - "443 ssl http2"
      - "[::]:443 ssl http2"
      - "8448 ssl http2 default_server"
      - "[::]:8448 ssl http2 default_server"
    services:
      - synapse

  website:
    domain: "www.{{ domain }}"
    ssl_cert: "{{ domain }}"
    listens: "{{ default_listens }}"
    services:
      - website

  redirect:
    domain: "{{ dyndns_domain }}"
    ssl_cert: "{{ dyndns_domain }}"
    listens: "{{ default_listens }}"
    services:
      - redirect

# Settings for other services not handled by nginx
service_info:
  coturn:
    domain: "stun.{{ domain }}"
    ssl_cert: "stun.{{ domain }}"
    

### Mediawiki farm variables

# Internal names for the wikis, used for filenames and URLs
wiki_names:
  - bepp
  - rw



### Placeholders for secret vault (change these in host_vars/your_hostname/vault.yml)

ddclient_pass: "secret"

# Gitea secrets
lfs_jwt_secret: "secret"
jwt_secret: "secret"

# Mediawiki secrets
wgUpgradeKey: "secret"
# This should have the same amount of elements as wiki_names.
wgSecretKey:
  - "wiki_secret"
  - "rw_secret"

# Matrix Synapse secrets
registration_shared_secret: "secret"
macaroon_secret_key: "secret"
form_secret: "secret"

# Syncthing secrets
syncthing_gui_pass: ""

# Coturn secrets
coturn_secret_key: "secret"

# SSL ACME External Account Binding secrets (optional: required for some CAs)

# ZeroSSL
zerossl_acme_eab_kid: "secret"
zerossl_acme_eab_key: "secret"
# If you have a different email for ZeroSSL
zerossl_email: "you@example.com"

# Email address for ACME and DNS
email: me@example.com



### Role switches

# Setup AUR helper yay
enable_aur: yes

# Dotfile deployment
enable_dotfiles: yes

# LUKS crypto and filesystem mounts
enable_filesystems: yes

# Deploy script to facilitate backups
enable_backup: yes

# Firewall (UFW)
enable_firewall: yes

# Use NetworkManager to configure a proper static IP address in LAN
enable_connection: yes

# Dynamic DNS client
enable_ddclient: yes

# Nameserver (if you can't do NAT hairpinning)
enable_nameserver: yes

# SSL ACME (Let's Encrypt)
enable_ssl: yes

# nginx: necessary for gitea, synapse, wiki, and website.
enable_webserver: yes

# Git server
enable_gitea: yes

# Matrix server
enable_synapse: yes

# TURN server for Matrix VoIP
enable_coturn: yes

# MediaWiki
enable_wiki: yes

# Navidrome (music server)
enable_navidrome: yes

# Personal website
enable_website: yes

# Syncthing
enable_syncthing: yes

# Mailserver (local only)
enable_mail: yes