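---
# Global variables shared by every host of this deployment (Ansible group_vars).
# Jinja expressions are resolved lazily when a variable is referenced, so the
# forward references between variables below are intentional.

TIMEZONE: "Europe/Berlin"
local_user: "{{ lookup('env', 'USER') }}"
global_username: zocker
global_admin_mail: felix.stupp@outlook.com

# Connection and privilege escalation.
# zocker_password is not defined in this file; it must only come from an
# ansible-vault encrypted source, never from plain group_vars.
ansible_user: "{{ global_username }}"
ansible_become: true
ansible_become_pass: "{{ zocker_password }}"

default_tg_monitor_recipient_id: "{{ zocker_telegram_id }}"

# Public keys granted login as the deployment user. Trust in this list rests on
# TLS validation of git.banananet.work; the task that fetches it must keep
# certificate validation enabled.
zocker_authorized_keys_url: "https://git.banananet.work/zocker.keys"

update_scripts_directory: "/root/update"

# Backups are encrypted to this key; use the full 40-hex-digit fingerprint,
# never a short key id, so the recipient cannot be spoofed by a colliding id.
backup_gpg_fingerprint: "73D09948B2392D688A45DC8393E1BD26F6B02FB7"
# NOTE(review): with a single retained generation, one corrupted or tampered
# backup run replaces the only copy; consider raising this once space allows.
backups_to_keep: 1
backups_directory: "/backups"
backups_files_directory: "{{ backups_directory }}/files"
backups_mysql_database_directory: "{{ backups_directory }}/mysql_databases"
backup_scripts_directory: "/root/backup"
backup_files_scripts_directory: "{{ backup_scripts_directory }}/files"
backup_mysql_database_scripts_directory: "{{ backup_scripts_directory }}/mysql_databases"

# Debug mode
# Enabling "debug mode" allows deploying a debug / transitional instance beside
# another one with the same base configuration.
# The debug instance is reachable under the same domain prefixed with
# global_dns_debug_prefix, which prevents overwriting the original instance's
# DNS config until debug mode is disabled.
# Once debug mode is disabled, the "debug domain" stops working and the
# original instance's DNS config is overwritten.
# Other variables will need to be adjusted if both instances run on the same server.
is_debug_instance: false
has_debug_instance: "{{ is_debug_instance }}"
delete_debug_dns_entries: "{{ not has_debug_instance }}"
global_dns_debug_prefix: "debug-instance"
# Used if is_debug_instance / in "debug mode"; should only prefix the domain.
debug_domain: "{{ global_dns_debug_prefix }}.{{ domain }}"
effective_domain: "{{ is_debug_instance | ternary(debug_domain, domain) }}"

# Deployment layout on the controller / target
global_local_user: "{{ local_user }}"
global_deployment_directory: "/ansible"
global_configuration_environment_directory: "{{ global_deployment_directory }}/configurations"
global_helper_directory: "{{ global_deployment_directory }}/helpers"
global_webservers_directory: "/var/webservers"
global_socket_directory: "/var/run"

# Repository-relative directories. credentials/ holds generated secrets and
# must stay out of version control (or be vaulted); public_keys/ is safe to commit.
global_credentials_directory: "credentials"
global_public_key_directory: "public_keys"

# DNS
global_dns_list_directory: "{{ global_public_key_directory }}/dns"
global_dns_session_key_name: "local-ddns"
global_dns_session_key_path: "/var/run/named/session.key"
global_dns_session_key_algorithm: "hmac-sha512"
global_dns_update_key_algorithm: "ED25519"
global_dns_ttl: "{{ 60 * 60 }}"  # default if omitted in all cases
global_dns_debug_ttl: "{{ 60 }}"  # mostly used if has_debug_instance to allow short transfer times

# SSH key material (public side)
global_ssh_key_directory: "{{ global_public_key_directory }}/ssh"
global_ssh_host_key_directory: "{{ global_ssh_key_directory }}/hosts"

# Validators run on generated files before they are installed (%s = temp file).
global_validate_shell_script: "/usr/bin/shellcheck %s"  # TODO add "--format="
global_validate_sudoers_file: "/usr/sbin/visudo -c -f %s"

# WireGuard key material
global_wireguard_private_directory: "{{ global_credentials_directory }}/wireguard"
global_wireguard_public_directory: "{{ global_public_key_directory }}/wireguard/keys"
global_wireguard_peers_directory: "{{ global_public_key_directory }}/wireguard/peers"

# nginx / php-fpm status endpoints: loopback, the host's own addresses and the
# WireGuard network only. The IPv6 line is emitted only when the host has an
# IPv6 default route, because ansible_default_ipv6 is an empty dict otherwise
# and dereferencing .address on it would make this variable unrenderable.
nginx_status_page_acl: |
  allow 127.0.0.0/8;
  allow ::1;
  allow {{ ansible_default_ipv4.address }};
  {% if ansible_default_ipv6.address is defined %}
  allow {{ ansible_default_ipv6.address }};
  {% endif %}
  allow {{ global_wireguard_ipv4_range }};
  deny all;
phpfpm_status_page_path: "/.well-known/php-fpm-status"

ssh_host_key_types:
  - ed25519
  - rsa

# (Backend) Port Mappings
backend_smtp_port: 12891
backend_imap_port: 12892

# OS-specific Default Configuration
# Package integrity comes from the signed Release files, not the transport;
# plain http still exposes which packages a host installs to the network path.
debian_repository_mirror: "http://deb.debian.org/debian/"
debian_repository_use_sources: true
raspbian_repository_mirror: "http://raspbian.raspberrypi.org/raspbian/"
raspbian_archive_repository_mirror: "http://archive.raspberrypi.org/debian/"
raspbian_repository_use_sources: true

# System configuration
global_users_directory: "/home"

# Application configurations
global_ansible_facts_directory: "/etc/ansible/facts.d"
global_apparmor_profiles_directory: "/etc/apparmor.d"
global_apparmor_profiles_local_directory: "{{ global_apparmor_profiles_directory }}/local"
global_apt_sources_directory: "/etc/apt/sources.list.d"
global_bind_service_name: "named.service"
global_bind_configuration_directory: "/etc/bind"
global_bind_data_directory: "/var/lib/bind"
global_certbot_configuration_directory: "/etc/letsencrypt"
global_certbot_configuration_file: "{{ global_certbot_configuration_directory }}/cli.ini"
global_certbot_certificates_directory: "/etc/letsencrypt/live"
global_chromium_configuration_directory: "/etc/chromium"
global_chromium_managed_policies_file: "{{ global_chromium_configuration_directory }}/policies/managed/managed_policies.json"
# Quad9 resolvers: DNSSEC-validating, no EDNS Client Subnet (ECS) forwarding.
global_dns_upstream_servers:
  - "9.9.9.9"
  - "149.112.112.112"
  - "2620:fe::fe"
  - "2620:fe::9"
global_dnsmasq_configuration_file: "/etc/dnsmasq.conf"
global_dnsmasq_configuration_directory: "/etc/dnsmasq.d"
global_docker_service_name: "docker.service"
global_docker_configuration_directory: "/etc/docker"
global_docker_daemon_configuration_file: "{{ global_docker_configuration_directory }}/daemon.json"
global_fail2ban_service_name: "fail2ban.service"
global_fail2ban_system_directory: "/etc/fail2ban"
global_fail2ban_configuration_directory: "{{ global_fail2ban_system_directory }}/fail2ban.d"
global_fail2ban_actions_directory: "{{ global_fail2ban_system_directory }}/action.d"
global_fail2ban_filters_directory: "{{ global_fail2ban_system_directory }}/filter.d"
global_fail2ban_jails_directory: "{{ global_fail2ban_system_directory }}/jail.d"
global_ip_discover_url: "https://keys.banananet.work/ping"
# Generated once on the controller and persisted in plaintext under
# credentials/ip_discover/; it must be treated as a secret file.
global_ip_discover_register_pass: "{{ lookup('password', 'credentials/ip_discover/register_pass chars=digits,ascii_letters length=256') }}"
global_interfaces_directory: "/etc/network/interfaces.d"
global_lightdm_configuration_directory: "/etc/lightdm"
global_log_directory: "/var/log"
global_mysql_socket_path: "/var/run/mysqld/mysqld.sock"
global_nfs_port: "2049"  # for version 4
global_nfs_directory: "{{ global_webservers_directory }}/nfs"
global_nginx_system_user: www-data
global_nginx_service_name: "nginx.service"
global_nginx_installation_directory: "/etc/nginx"
global_pamd: "/etc/pam.d"
global_plymouth_themes_directory: "/usr/share/plymouth/themes"
global_redis_configuration_directory: "/etc/redis"
global_redis_service_name: "redis-server.service"
global_resolv_conf: "/etc/resolv.conf"
global_ssh_service_name: "sshd.service"
global_ssh_configuration_directory: "/etc/ssh/"  # trailing slash kept; consumers may concatenate without one
global_ssh_configuration_environment_directory: "{{ global_configuration_environment_directory }}/ssh"
global_ssh_configuration_link_name: "config"
global_ssh_configuration_link: "{{ global_ssh_configuration_environment_directory }}/{{ global_ssh_configuration_link_name }}"
global_sudoers_directory: "/etc/sudoers.d"
global_wireguard_configuration_directory: "/etc/wireguard"
global_wireguard_port: 51820
global_wireguard_ipv4_subnet: 22
global_wireguard_ipv4_netmask: "{{ ('0.0.0.0/' + (global_wireguard_ipv4_subnet | string)) | ipaddr('netmask') }}"
global_wireguard_ipv4_range: "10.162.4.0/{{ global_wireguard_ipv4_subnet }}"
# TODO Wireguard IPv6 Support
global_systemd_preset_directory: "/lib/systemd/system"
global_systemd_configuration_directory: "/etc/systemd/system"
# journald only reads drop-ins from /etc/systemd/journald.conf.d; a mistyped
# path here is created without error and silently leaves the storage cap
# below unapplied, so the log volume would grow unbounded.
global_systemd_journal_configuration_directory: "/etc/systemd/journald.conf.d"
global_systemd_journal_max_storage: "1G"
global_systemd_network_directory: "/etc/systemd/network"
global_systemd_network_service_name: "systemd-networkd.service"
global_systemd_network_system_user: "systemd-network"
global_zsh_antigen_source: "/usr/share/zsh-antigen/antigen.zsh"

# Projects
# WG Minecraft
project_wg_minecraft_port: 25566

# Miscellaneous
## IP Blocklist
# One entry per line; blank lines and CRLF line endings are dropped so an
# empty string never reaches the consumer. Comment lines are NOT filtered —
# TODO confirm the file contains addresses/CIDRs only.
global_ip_blocklist: "{{ lookup('file', 'misc/blocklists/ipv4.txt').splitlines() | map('trim') | select | list }}"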