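---
# Ansible host_vars for the "internal" k3s server node.
# Every credential, key and address is pulled from Ansible Vault (the vault_*
# variables), so nothing sensitive is stored here in plaintext; keep new
# secrets in the vault as well.

# SSH / privilege-escalation connection settings.
ansible_become_password: "{{ vault_root_pass }}"
ansible_host: "{{ vault_ansible_host }}"
ansible_user: "{{ vault_ssh_user }}"

# Host firewall. Forwarding is accepted on both the mangle and filter chains
# and the private-network drop is disabled — presumably so the node can forward
# pod and service traffic; confirm against the security role's defaults.
security_firewall_mangle_drop_privatenets: false
security_firewall_mangle_policy_forward: accept
security_firewall_filter_policy_forward: accept

# k3s cluster membership for this host.
k3s_cluster_name: internal
k3s_cluster_role: server
k3s_cluster_ip: "{{ vault_cluster_ip }}"

# MariaDB server role.
mariadb_server_root_password: "{{ vault_mariadb_server_root_password }}"
mariadb_server_run_custom_sql: true
mariadb_server_custom_sql: "{{ vault_mariadb_server_custom_sql }}"
mariadb_server_bind_addresses: "{{ vault_mariadb_server_bind_addresses }}"

# PostgreSQL server role: ingress allow-list, databases, roles and pg_hba rules.
postgresql_server_run_custom_sql: true
postgresql_nft_allowed_ingress_list: '{{ vault_postgresql_nft_allowed_ingress_list }}'
postgresql_server_custom_sql: "{{ vault_postgresql_server_custom_sql }}"
postgresql_server_bind_addresses: "{{ vault_postgresql_server_bind_addresses }}"

postgresql_server_databases_list:
  - name: '{{ vault_invidious_pg_dbname }}'
  - name: '{{ vault_opentofu_pg_dbname }}'

postgresql_server_accounts_list:
  - name: '{{ vault_invidious_pg_user }}'
    password: '{{ vault_invidious_pg_password }}'
  - name: '{{ vault_opentofu_pg_user }}'
    password: '{{ vault_opentofu_pg_password }}'

# Every pg_hba entry is TLS-only (hostssl) with SCRAM authentication and is
# scoped to exactly one database and one user; keep new entries as narrow.
postgresql_server_hba_conf_list:
  # 10.42.0.0/16 is presumably the k3s pod network the Invidious pods connect
  # from (the chart below points them at 10.42.0.1) — confirm against the
  # cluster CIDR before widening it.
  - address: '10.42.0.0/16'
    databases:
      - '{{ vault_invidious_pg_dbname }}'
    contype: hostssl
    method: scram-sha-256
    users:
      - '{{ vault_invidious_pg_user }}'
  # OpenTofu state database: one /32 per host, presumably the machines that
  # run plans/applies against the "pg" backend configured further down.
  - address: '{{ vault_provider_geopoiesis }}/32'
    databases:
      - '{{ vault_opentofu_pg_dbname }}'
    contype: hostssl
    method: scram-sha-256
    users:
      - '{{ vault_opentofu_pg_user }}'
  - address: '{{ vault_provider_unobtainium }}/32'
    databases:
      - '{{ vault_opentofu_pg_dbname }}'
    contype: hostssl
    method: scram-sha-256
    users:
      - '{{ vault_opentofu_pg_user }}'
  - address: '{{ vault_provider_unsepttrium }}/32'
    databases:
      - '{{ vault_opentofu_pg_dbname }}'
    contype: hostssl
    method: scram-sha-256
    users:
      - '{{ vault_opentofu_pg_user }}'

# Extra Kubernetes manifests applied alongside the Helm releases.
k3s_cluster_helm_customizations:
  # Traefik IngressRoute exposing Invidious on the TLS entry point only.
  # metadata.annotations must be a mapping ({}), not a list: Kubernetes
  # rejects an array there because ObjectMeta.annotations is map[string]string.
  - name: routing-invidious
    content: |-
      ---
      apiVersion: "traefik.io/v1alpha1"
      kind: "IngressRoute"
      metadata:
        name: "invidious"
        namespace: "default"
        annotations: {}
        labels:
          "app.kubernetes.io/component": "server"
          "app.kubernetes.io/name": "invidious"
          "app.kubernetes.io/version": "latest"
          "app.kubernetes.io/part-of": "invidious"
          "app.kubernetes.io/managed-by": "ansible"
          "app.kubernetes.io/instance": "invidious"
      spec:
        entryPoints:
          - websecure
        routes:
          - match: Host(`invidious.nullified.fr`)
            kind: Rule
            services:
              - name: "invidious"
                port: 3000

# Helm releases installed into the cluster.
k3s_cluster_additional_helm_charts:
  - release_name: redis
    release_namespace: default
    chart_ref: 'oci://registry-1.docker.io/bitnamicharts/redis'
    chart_version: '^18'
    values:
      replica:
        replicaCount: 1
  # Invidious with the chart's bundled PostgreSQL and Ingress disabled: the
  # database is reached at 10.42.0.1 (presumably this node on the pod network,
  # matching the pg_hba entry above) and routing comes from the IngressRoute
  # above. https_only/external_port keep generated links on TLS.
  - release_name: invidious
    release_namespace: default
    chart_ref: 'invidious'
    chart_repo_url: 'https://charts-helm.invidious.io'
    chart_version: '^2.0'
    update_repo_cache: true
    values:
      postgresql:
        enabled: false
      ingress:
        enabled: false
      config:
        db:
          user: '{{ vault_invidious_pg_user }}'
          password: '{{ vault_invidious_pg_password }}'
          host: '10.42.0.1'
          dbname: '{{ vault_invidious_pg_dbname }}'
        domain: "invidious.nullified.fr"
        https_only: true
        external_port: 443
        channel_threads: 1
        full_refresh: true
        feed_threads: 1
        hmac_key: '{{ vault_invidious_hmac_key }}'
        popular_enabled: false
        captcha_enabled: false
        default_user_preferences:
          region: FR
          captions: ["French", "English", "English (auto-generated)"]
          dark_mode: "dark"
          feed_menu: ["Subscriptions", "Playlists"]
          default_home: "Subscriptions"
          autoplay: true
          continue: true
          continue_autoplay: true
          quality: dash
          quality_dash: best
          volume: 75
          save_player_pos: true

# OpenTofu/Terraform projects applied against the cluster; state lives in the
# host PostgreSQL "pg" backend (the opentofu database and role above).
k3s_cluster_additional_tf_resources:
  - name: Invoice Ninja
    git_repository: 'https://gitlab.0x2a.ninja/flowtech/oss/invoice-ninja.git'
    # Quoted so the revision is always a string (an unquoted "1.0" would parse
    # as a float). This is a tag, which can be moved upstream; pinning a commit
    # hash would give an immutable reference.
    git_revision: '0.0.8'
    terraform_dir: 'terraform'
    tfvars_content: '{{ vault_invoice_ninja_tfvars }}'
    backend_override: |-
      terraform { backend "pg" {} }
    # Backend connection details go through the environment rather than the
    # backend block, presumably so the credentials stay out of the checked-out
    # tree; confirm against the role that runs the apply.
    backend_env:
      PGHOST: '{{ vault_ansible_host }}'
      PGDATABASE: '{{ vault_opentofu_pg_dbname }}'
      PGUSER: '{{ vault_opentofu_pg_user }}'
      PGPASSWORD: '{{ vault_opentofu_pg_password }}'

# HashiCorp Vault server: TLS material from Ansible Vault; initialize on first run.
hc_vault_server_tls_cert_data: '{{ vault_hc_vault_server_tls_cert_data }}'
hc_vault_server_tls_key_data: '{{ vault_hc_vault_server_tls_key_data }}'
hc_vault_initialize: true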