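---
# Default variables for provisioning a host: base packages, swap, users,
# sshd hardening, fail2ban and a WireGuard tunnel. The values below are
# placeholders/defaults; override them per host or per group.

## BASIC CONFIG
cloud_update: false
cloud_name: cloud
cloud_home: "/opt/{{ cloud_name }}"
cloud_type: "cloud"
cloud_stage: prod
cloud_tzdata: Europe/Berlin
cloud_apps: /opt
cloud_storage: /srv
cloud_python_envs: "{{ cloud_apps }}/pyenv"
# NOTE(review): the name says "internal", but 1.1.1.1 is a public resolver.
# If internal host names are looked up through it, those queries leave the
# network. Confirm this is intended.
cloud_internal_dns: 1.1.1.1

basis_apps:
  - passwd
  - vim
  - unzip
  - resolvconf

## HARDWARE
mount_points: []
#  - path: /some/path
#    dev: /dev/sdb
#    fstype: ext4
#    opts: noatime
#    state: mounted

swap_on: true
swap_file: /swapfile
# block size * block count = swap size (bytes): 1024 * 1048576 = 1 GiB
swap_block_size: 1024
swap_block_count: 1048576

## USER + GROUPS
shared_group: "{{ cloud_name }}"
# NOTE(review): the last entry references `cloud_shared_group`, while this
# file defines `shared_group`. Unless `cloud_shared_group` is set elsewhere,
# the template is undefined. Confirm which name is meant.
default_groups:
  - "ssh"
  - "users"
  - "cdrom"
  - "{{ cloud_shared_group }}"

users:
  - name: username
    displayname: User Name
    shell: /bin/bash
    # Membership in `sudo` grants administrative rights; list it only for
    # accounts that need it.
    groups:
      - sudo
      - username
    state: present
    # Placeholder. Replace with the account's real public key.
    ssh_key: "ssh-rsa ABCDEF"

## SSH
ssh_port: 22
# Lines written to the sshd configuration. Password and empty-password
# logins are off and root login is refused, so access depends on the
# per-user `ssh_key` entries above.
# NOTE(review): `Protocol 2` is a legacy directive; newer OpenSSH releases
# only speak protocol 2 and treat the option as deprecated.
# NOTE(review): the Port line references `cloud_ssh_port`, while this file
# defines `ssh_port`. Confirm the variable exists, otherwise the rendered
# sshd port is undefined.
ssh_configs:
  - Protocol 2
  - "Port {{ cloud_ssh_port }}"
  - PermitRootLogin no
  - PubkeyAuthentication yes
  - PasswordAuthentication no
  - PermitEmptyPasswords no

## FAIL2BAN
# Ban a source for one hour after three failed attempts.
fail2ban_bantime: 1h
fail2ban_maxretry: 3
fail2ban_nginx_selfmade_filter:
  - nginx-noscript
  - nginx-nohome
  - nginx-noproxy
fail2ban_nginx_default_filter:
  - nginx-limit-req
  - nginx-botsearch
fail2ban_activate_modules:
  - sshd
  - nginx

## WIREGUARD
# Booleans are written as lowercase true/false, matching `cloud_update` and
# `swap_on` above.
wireguard_enabled: true
wireguard_is_gateway: false
# NOTE(review): judging by the name, this permits client-to-client traffic
# through the tunnel. Set it to false unless peers need to reach each other.
wireguard_allow_adjacent_client_traffic: true
wireguard_keepalive: 25
wireguard_gateway_interface: eth0
wireguard_gateway_host: my-wireguard-server.tld
wireguard_gateway_port: 51820
wireguard_gateway_net_prefix: 10.10.10
wireguard_gateway_net_cidr: 24
wireguard_gateway_public_key: your-public-key
# Placeholder. Do not commit a real private key in plaintext; supply it from
# an encrypted source such as Ansible Vault.
wireguard_gateway_private_key: your-privat-key
wireguard_gateway_forward: []
#  - server_port: 22
#    client_port: "{{ ssh_port }}"
#    client_index: 0

wireguard_client_host: my-wireguard-client
# NOTE(review): with only comments below it, this key parses as null, not
# as an empty mapping. Confirm the consuming tasks handle null.
# Client private keys need the same protection as the gateway key.
wireguard_clients:
#  my-wireguard-client:
#    index: 0
#    public_key: my-public-key
#    private_key: my-private-key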