system:
  hostname: isa-nuc
  domain: home.ctu.cx
  timezone: Europe/Berlin
  enableOwnRepos: true
  enableSudo: true
  useNTP: true
  extraPackages:
    - iftop
    - iotop
    - htop
    - rsync
    - mtr
    - traceroute
    - dnsutils
    - tar
    - unzip
    - wget
    - curl
    - screen
    - zsh
    - tmux
    - dnsmasq
    - dmidecode
    - libvirt
    - qemu-headless
    - iptables-nft
    - bridge-utils
    - openbsd-netcat
  users:
    - name: root
      allowedSshKeys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb2eZ2ymt+Zsf0eTlmjW2jPdS013lbde1+EGkgu6bz9lVTR8aawshF2HcoaWp5a5dJr3SKyihDM8hbWSYB3qyTHihNGyCArqSvAtZRw301ailRVHGqiwUITTfcg1533TtmWvlJZgOIFM1VvSAfdueDRRRzbygmn749fS9nhUTDzLtjqX5LvhpqhzsD+eOqPrV6Ne8E1e42JxQb5AJPY1gj9mk6eAarvtEHQYEe+/hp9ERjtCdN5DfuOJnqfaKS0ytPj/NbQskbX/TMgeUVio11iC2NbXsnAtzMmtbLX4mxlDQrR6aZmU/rHQ4aeJqI/Tj2rrF46icri7s0tnnit1OjT5PSxXgifcOtn06qoxYZMT1x+Dyrt40vNkGmxmxCnirm8B+6MKXgd/Ys+7tnOm1ht8TmLm96x6KdOiF3Zq/tMxhPAzp8JriTKSo7k7U9XxStFghTbhhBNc7OX89ZbpalLEnvbQiz87gZxhcx8cLvzIjslOHmZOSWC5Pgr4wwuj3Akq63i4ya6/BzM6v4UoBuDAB6fz3NHKL4R5X20la7Pvt7OBysQkGClWfj6ipMR1bFE2mfYtlMioXNgTjC+NCpEl1+81MH7dv2565Hk8CLV8FMxv6GujbAZGjjcM47lpWM1cBQvpBMUA/lLkyiCPK0YxNWAB7Co+jYDl6CR0Ubew== cardno:000606445161
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local
    - name: isa
      groups: "wheel"
      shell: /usr/bin/zsh
      password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32646436343430316239336133663933356637336239653637386638393766376133623335343338
          3066636233353436326461336561616365613233643965340a383036663337313466316139313061
          31353232373536646565336563633166366639353563303534633336646532316131363266306335
          3063393532396238300a393835373462636662303665333035343066376666383637326132346336
          3966
      allowedSshKeys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb2eZ2ymt+Zsf0eTlmjW2jPdS013lbde1+EGkgu6bz9lVTR8aawshF2HcoaWp5a5dJr3SKyihDM8hbWSYB3qyTHihNGyCArqSvAtZRw301ailRVHGqiwUITTfcg1533TtmWvlJZgOIFM1VvSAfdueDRRRzbygmn749fS9nhUTDzLtjqX5LvhpqhzsD+eOqPrV6Ne8E1e42JxQb5AJPY1gj9mk6eAarvtEHQYEe+/hp9ERjtCdN5DfuOJnqfaKS0ytPj/NbQskbX/TMgeUVio11iC2NbXsnAtzMmtbLX4mxlDQrR6aZmU/rHQ4aeJqI/Tj2rrF46icri7s0tnnit1OjT5PSxXgifcOtn06qoxYZMT1x+Dyrt40vNkGmxmxCnirm8B+6MKXgd/Ys+7tnOm1ht8TmLm96x6KdOiF3Zq/tMxhPAzp8JriTKSo7k7U9XxStFghTbhhBNc7OX89ZbpalLEnvbQiz87gZxhcx8cLvzIjslOHmZOSWC5Pgr4wwuj3Akq63i4ya6/BzM6v4UoBuDAB6fz3NHKL4R5X20la7Pvt7OBysQkGClWfj6ipMR1bFE2mfYtlMioXNgTjC+NCpEl1+81MH7dv2565Hk8CLV8FMxv6GujbAZGjjcM47lpWM1cBQvpBMUA/lLkyiCPK0YxNWAB7Co+jYDl6CR0Ubew== cardno:000606445161
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local

network:
  nftables:
    enable: true

networkd:
  networkd_resolv_conf_content:
    - nameserver 1.1.1.1
    - nameserver 8.8.8.8
  networkd_apply_action: "restart"
  netdev:
    - name: br0
      priority: 20
      content:
        - NetDev:
          - Name: br0
          - Kind: bridge
  network:
    - name: br0
      priority: 20
      content:
        - Match:
          - Name: br0
        - Network:
          - DNS: 195.39.246.1
          - Address: 195.39.246.41/28
          - Gateway: 195.39.246.33
          - Address: 2a0f:4ac0:acab::41/128
          - Gateway: fe80::1
    - name: eno1
      priority: 10
      content:
        - Match:
          - Name: eno1
        - Network:
          - Bridge: br0


services:
  openssh:
    enable: true
    port: 22
    permitRootLogin: true
    passwordAuthentication: false

  prometheus_node_exporter:
    enable: true

  vnstat:
    enable: true

  acme_redirect:
    enable: true
    email: hi@f2k1.de
    certs:
      isa-nuc.home.ctu.cx:
        renewTasks:
          - sudo systemctl restart nginx

  nginx:
    enable: true
    sslOnly: true
    vhosts:
      luna.f2k1.de:
        defaultServer: true
        ssl:
          enable: true
          cert: "/var/lib/acme-redirect/live/isa-nuc.home.ctu.cx/fullchain"
          privkey: "/var/lib/acme-redirect/live/isa-nuc.home.ctu.cx/privkey"
        locations:
          - path: /node-exporter
            proxy: http://127.0.0.1:9100/metrics