---

# these settings should be modified in host_vars,
# cause they're mostly defaults

# set up external data disk
# also see roles/filesystems/defaults/main.yml
external_disk: no
# this exists solely because one time my external disk's ext4 partition disappeared?
# anyways now it keeps a copy of files away from syncthing in case it turns evil
# it's just an rsync shell script
backup_disk: no

# where data goes
# if you have external_disk on, you should probably set this to a path there
dataroot: /var/lib/serv_data

# send dynamic DNS update for this domain
dyndns_domain: null
# dyndns_domain: d.nerdpol.ovh

# limit this to, for example, your VPN subnet or your local subnet
# alternatively, 0.0.0.0/0 to open up the internal services to all
# for multiple subnets, separate with spaces
internal_cidr: "{{ local_subnet }}"

# this is set true in group_vars/bastion/vars.yml
enable_ddclient: false

# real public facing domain
# use CNAME entries to redirect subdomains to dyndns_domain
# this could be the same as dyndns_domain if your registrar supports dyndns
domain: null
# domain: dogeystamp.com

# local dns forwards here
dns_forward: 1.1.1.1

# clone dotfiles and stuff
enable_dotfiles: yes

escalation_method: doas

# set up static IP
enable_connection: yes

# use a wireguard network between bastion and fleet host for the reverse proxy
# see roles/wireguard/defaults/main.yml for further config settings
wireguard_services: true
wireguard_interface: "wg0"