---
certbot_certificates:
  - domains:
      - monitor.kill0.net
    email: rcavicchioni@gmail.com
  - domains:
      - git.kill0.net
    email: rcavicchioni@gmail.com
  - domains:
      - stats.kill0.net
    email: rcavicchioni@gmail.com
  - domains:
      - jump0.kill0.net
    email: rcavicchioni@gmail.com
  - domains:
      - dl.kill0.net
    email: rcavicchioni@gmail.com
  - domains:
      - cavi.cc
    email: rcavicchioni@gmail.com
  - domains:
      - proxy.kill0.net
    email: rcavicchioni@gmail.com

lego_user_environ:
  GCE_PROJECT: kill0-net
  GCE_SERVICE_ACCOUNT_FILE: "{{ lego_etc_dir_path }}/credentials.json"

lego_bin_user_args:
  - --email rcavicchioni@gmail.com
  - --dns gcloud

lego_bin_renew_user_args:
  - --renew-hook "systemctl reload nginx"

lego_domains:
  - name: cavi.cc
  - name: dl.kill0.net
  - name: git.kill0.net
  - name: monitor.kill0.net
  - name: proxy.kill0.net
  - name: stats.kill0.net

autossh_config: []

wireguard_interfaces:
  wg0:
    address:
      - 169.254.0.1/24
      - fc00::ffff:169.254.0.1/64
    private_key: "{{ vault_wireguard_private_keys.wg0 }}"
    listen_port: 51820
    table: 'off'
  wg1:
    address:
      - 192.168.255.1/24
      - fc01::ffff:192.168.255.1/128
      - 2600:3c00:e000:343::ffff:192.168.255.1/128
    private_key: "{{ vault_wireguard_private_keys.wg1 }}"
    listen_port: 51821

restic_tidy_enabled: true

nginx_htpasswd_files: "{{ vault_nginx_htpasswd_files }}"

nginx_vhosts:
  cavicc:
    server:
      - server_name: cavi.cc
        root: /var/www/cavicc
        listen:
          - 80
          - "[::]:80"
        raw: |
          location / {
              return 301 https://$server_name$request_uri;
          }
      - server_name: cavi.cc
        root: /var/www/cavicc
        listen:
          - 443 ssl
          - "[::]:443 ssl"
        ssl_certificate: /var/lib/lego/certificates/cavi.cc.crt
        ssl_certificate_key: /var/lib/lego/certificates/cavi.cc.key
        # ssl_certificate: /etc/letsencrypt/live/cavi.cc/fullchain.pem
        # ssl_certificate_key: /etc/letsencrypt/live/cavi.cc/privkey.pem
        raw: |
          location / {
            add_header Alt-Svc 'h3=":$server_port"; ma=86400'; 
          }

  proxy:
    upstream:
      - name: loki_backend
        server:
          - localhost:3100
      #- name: prometheus_backend
      #  server:
      #    - localhost:9090
    map:
      - name: $http_upgrade
        variable: $connection_upgrade
        content:
          default: upgrade
          '': close
    server:
      - server_name: proxy.kill0.net
        root: /var/empty
        listen:
          - 80
          - "[::]:80"
        raw: |
          location / {
              return 301 https://$server_name$request_uri;
          }
      - server_name: proxy.kill0.net
        root: /var/empty
        listen:
          - 443 ssl
          - "[::]:443 ssl"
        # ssl_certificate: /etc/letsencrypt/live/proxy.kill0.net/fullchain.pem
        # ssl_certificate_key: /etc/letsencrypt/live/proxy.kill0.net/privkey.pem
        ssl_certificate: /var/lib/lego/certificates/proxy.kill0.net.crt
        ssl_certificate_key: /var/lib/lego/certificates/proxy.kill0.net.key
        raw: |
          auth_basic "Proxy";
          auth_basic_user_file /etc/nginx/proxy.htpasswd;

          location / {
            add_header Alt-Svc 'h3=":$server_port"; ma=86400'; 
          }

          location /loki {
            proxy_http_version 1.1;
            proxy_pass http://loki_backend;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $http_host;
            proxy_set_header Upgrade $http_upgrade;
          }

          location /prometheus/ {
            proxy_pass http://prometheus_backend/;
          }