---
###
# Data disk config
# One extra NVMe volume mounted at /data. The '0700' mode keeps the mount
# point owner-only, which matters because wireguard_dir below lives under it.
disk_additional_disks:
  - disk: /dev/nvme1n1
    part: /dev/nvme1n1p1
    fstype: ext4
    mount_options: defaults
    mount: /data
    mode: '0700'  # quoted so the octal mode is not parsed as an integer


###
# Security hardening

# SSH
# NOTE(review): every value in this stanza loosens the SSH hardening role's
# restrictive defaults (presumably dev-sec ssh-hardening — confirm against the
# role version in use). Treat each as a deliberate exception and keep the
# reason for it next to the setting.
sftp_enabled: true  # SFTP subsystem on; only needed if files are pushed over SSH
ssh_max_auth_retries: 6  # MaxAuthTries — more attempts per connection than the role default
ssh_permit_tunnel: true  # PermitTunnel — tun device forwarding over SSH
ssh_allow_tcp_forwarding: true  # AllowTcpForwarding — port forwarding through this host
ssh_allow_agent_forwarding: true  # AllowAgentForwarding — client agent sockets appear on this host; keep only if hops through it are required
# Idle sessions survive 100 unanswered keepalives at 40 s each (~66 min)
# before sshd drops them.
ssh_client_alive_count: 100
ssh_client_alive_interval: 40

# OS
# IPv4 forwarding has to stay on for this host to route between WireGuard
# peers and the networks in wireguard_additional_routes; the OS hardening role
# presumably disables it otherwise (sysctl_overwrite is the role's override hook).
sysctl_overwrite:
  net.ipv4.ip_forward: 1


###
# Wireguard deployment
# Server-side state (presumably including the server private key) is kept
# under the 0700 /data mount configured above.
wireguard_dir: /data/wireguard
wireguard_address: 10.214.214.0/24  # tunnel subnet; the peers below use .11-.14

# Fetch generated peer configs back to the controller into this relative
# directory. NOTE(review): if the role generates peer private keys, the fetched
# configs contain them — keep this directory out of version control.
wireguard_clients_download_dir: clients/
wireguard_download_clients: true

# Presumably used as the Endpoint in the peer configs — make sure the inventory
# name is resolvable by the peers, not only by Ansible.
wireguard_hostname: "{{ inventory_hostname }}"

# Physical interface tunnel traffic leaves on; its facts are also read below
# to derive the locally attached network.
wireguard_out_interface: ens5

# Extra networks reachable through the tunnel; joined into the peers'
# allowed-IPs string below.
wireguard_additional_routes:
  - 172.18.0.0/16
  - 172.24.0.0/16
  - 172.21.0.0/20
  - 172.29.0.0/20
  - 172.30.0.0/16
  - 172.31.0.0/16

# concat routes defined on the ens5 bridge and additional ones
# The ens5 facts give network + dotted netmask (e.g. 10.0.0.0/255.255.255.0);
# ipaddr('net') normalises that to CIDR before it is joined with the routes.
# The ipaddr filter requires the netaddr Python library on the controller.
_wireguard_interface_addr: "{{ ansible_ens5.ipv4.network }}/{{ ansible_ens5.ipv4.netmask }}"
wireguard_peers_allowed_ips: "{{ ([(_wireguard_interface_addr | ipaddr('net'))] + wireguard_additional_routes) | join(\", \") }}"

# Peer list: public keys only (safe to commit). Each allowed_ip must be unique
# and fall inside wireguard_address.
wireguard_peers:
  - name: ahamsik
    allowed_ip: 10.214.214.11
    publickey: "OkmR7NwLz3x/vKJgdw7TtFoAw86LgZuDFfex+nXA/xM="
  - name: mdojcak
    allowed_ip: 10.214.214.12
    publickey: "iscYYL0um94v/HnBd9Gmo948gpBtbu+5+kLIIn9U6nw="
  - name: mhauskrecht
    allowed_ip: 10.214.214.13
    publickey: "XPlbqaZ5rcoCtVMADiixvHjZ1mm0ErX628T6XznodzM="
  - name: mmuransky
    allowed_ip: 10.214.214.14
    publickey: "JeZ9CX6/ZuyK9mvQ0D4d1nS5Dg6NE0Ggz20NwW1pTlM="