---
# Ansible variables for a reverse-proxy / load-balancer node: local accounts,
# nginx virtual hosts and Fluent Bit log shipping.
# NOTE(review): this layout was rebuilt from a whitespace-collapsed listing.
# The placement of `load_balancers` under `nginx_settings` and of `statements`
# under `server` is inferred; confirm against the consuming role.

users:
  # Administrator account.
  - name: admin
    # Inline Ansible Vault value (format 1.1, AES256): the hash stays
    # encrypted at rest in the repository.
    password_hash: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30623138653735643561343061356531373430393662383764633038383238383837626636393432
      3138653539356430306266663864343563616332656131310a343632323363653665646363366437
      66643430626437333461656231303339656435346261336238313036306431396333643965666631
      3665393163623266320a373838313538626438623330393533353931336331623464613664633430
      32303734396634376431383936643431313561303864343930393363623130663236666636353637
      63613237383666656263316661333031643032323266636464313839653065316138343035346161
      64313037336666353136383462333832373031623637636630326330313832333265386632343139
      30306638356434376635346637346134653064613236326333656566383137353166393063333563
      32623638343263313463313062303465626439356461613235656661623364656138
    # The key comments are OpenPGP key IDs; presumably these are OpenPGP
    # authentication subkeys exported in SSH format.
    ssh_public_keys:
      - "ssh-rsa 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 openpgp:0x8880F3E0"
      # The trailing backslashes are line continuations inside the
      # double-quoted scalar: the three lines join into one key string.
      - "ssh-ed25519 \
        AAAAC3NzaC1lZDI1NTE5AAAAIJRnXU2My2iMXl1yCIEoASZYAUW0q1qn3P5tSUI0B0+4 \
        openpgp:0xAD2BFD7F"
    # doas rule: admin may run commands as root only. `persist` means a
    # successful authentication is remembered for a while instead of being
    # requested on every invocation.
    opendoas_settings: "permit persist admin as root"
  # Presumably the account the automation connects as.
  - name: ansible
    # NOTE(review): empty hash. How the role applies it is not visible here;
    # if it is written to the shadow file as-is, the account has an empty
    # password rather than a locked one ("!" or "*"). Confirm it ends up
    # locked, since the doas rule below needs no password.
    password_hash: ""
    # NOTE(review): same two keys as admin, so either key also reaches the
    # passwordless doas account below; a dedicated key would separate the two.
    ssh_public_keys:
      - "ssh-rsa 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 openpgp:0x8880F3E0"
      - "ssh-ed25519 \
        AAAAC3NzaC1lZDI1NTE5AAAAIJRnXU2My2iMXl1yCIEoASZYAUW0q1qn3P5tSUI0B0+4 \
        openpgp:0xAD2BFD7F"
    # doas rule with `nopass` and no `as`/`cmd` restriction: any command, as
    # any target user, without a password.
    opendoas_settings: "permit nopass ansible"

nginx_settings:
  # Do not advertise the nginx version in responses and error pages.
  server_tokens: false
  gzip: true
  # NOTE(review): only TLS 1.2/1.3 are allowed, yet every server below listens
  # on port 80 and no TLS listener is defined in this file. Confirm where TLS
  # is terminated; otherwise logins to the forgejo and grafana upstreams cross
  # the network in cleartext.
  ssl_protocols:
    - TLSv1.2
    - TLSv1.3
  load_balancers:
    http:
      # Each entry pairs one upstream (backend address list) with the
      # server (listen port and host names) that proxies to it.
      - upstream:
          name: main-page
          servers:
            - 192.168.0.10:80
        server:
          listen_port: 80
          names:
            - dev.cuqmbr.xyz
            - dev.cuqmbr.home
      - upstream:
          name: searxng
          servers:
            - 192.168.0.15:8888
        server:
          listen_port: 80
          names:
            - searxng.dev.cuqmbr.xyz
            - searxng.dev.cuqmbr.home
          # $proxy_add_x_forwarded_for appends the peer address to whatever
          # X-Forwarded-For the client sent, so earlier entries are
          # client-controlled; X-Real-IP carries the address nginx saw.
          statements:
            - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
            - proxy_set_header X-Real-IP $remote_addr
      - upstream:
          name: forgejo
          servers:
            - 192.168.0.20:3000
        server:
          listen_port: 80
          names:
            - gitea.dev.cuqmbr.xyz
            - gitea.dev.cuqmbr.home
            - git.dev.cuqmbr.xyz
            - git.dev.cuqmbr.home
          # Connection/Upgrade are forwarded so protocol upgrades reach the
          # backend. With the port-80 listener above, X-Forwarded-Proto
          # ($scheme) reports "http" to the backend.
          statements:
            - proxy_set_header Connection $http_connection
            - proxy_set_header Upgrade $http_upgrade
            - proxy_set_header Host $host
            - proxy_set_header X-Real-IP $remote_addr
            - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
            - proxy_set_header X-Forwarded-Proto $scheme
      # Disabled prometheus entry, kept as found (it has no `- upstream:` line):
      #     name: prometheus
      #     servers:
      #       - 192.168.0.252:9090
      #   server:
      #     listen_port: 80
      #     names:
      #       - prometheus.dev.cuqmbr.xyz
      #       - prometheus.dev.cuqmbr.home
      - upstream:
          name: grafana
          servers:
            - 192.168.0.252:3000
        server:
          listen_port: 80
          names:
            - monitoring.dev.cuqmbr.xyz
            - monitoring.dev.cuqmbr.home
          # NOTE(review): $http_host is the Host header exactly as the client
          # sent it, while the forgejo entry uses the normalised $host;
          # confirm the difference is intended.
          statements:
            - proxy_set_header Host $http_host

fluentbit_settings:
  service:
    flush: 1
    daemon: false
    log_level: info
    # Fluent Bit's built-in HTTP monitoring endpoint stays off.
    http_server: false
  pipeline:
    # Read the systemd journal; every record starts with tag systemd_input.
    inputs:
      - name: systemd
        tag: systemd_input
    filters:
      # rewrite_tag rule format: KEY REGEX NEW_TAG KEEP. Records from
      # nginx.service are re-emitted as `nginx`; KEEP=false drops the
      # original. The dots in the regex are unescaped, so they match any
      # character.
      - name: rewrite_tag
        match: systemd_input
        rule: $_SYSTEMD_UNIT ^(nginx.service)$ nginx false
      # Every other unit is re-emitted under the tag `systemd`.
      - name: rewrite_tag
        match: systemd_input
        rule: $_SYSTEMD_UNIT ^(nginx.service.+|(?!nginx.service).*)$ systemd false
      # Keep only the MESSAGE field of nginx records, which removes the
      # remaining journal metadata before shipping.
      - name: record_modifier
        match: nginx
        allowlist_key:
          - MESSAGE
      # Disabled. It matches `systemd_tag`, but the tag produced above is
      # `systemd`, so it would match nothing if re-enabled unchanged.
      # - name: record_modifier
      #   match: systemd_tag
      #   allowlist_key:
      #     - _SYSTEMD_UNIT
      #     - MESSAGE
    # NOTE(review): only `host` is set for the Loki outputs, so the plugin's
    # defaults apply for port, TLS and authentication. Confirm that shipping
    # logs without TLS or credentials is acceptable on this network.
    outputs:
      - name: loki
        host: 192.168.0.252
        labels: "env=common,hostname=load-balancer,service_name=nginx"
        match: nginx
      - name: loki
        host: 192.168.0.252
        labels: "env=common,hostname=load-balancer,service_name=systemd"
        match: systemd