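# By convention, variables defined in this file are safe to use in all roles.
#
# In other words, this should be the only place where you should see variables
# without a 'rolename_' prefix.
---
# Python interpreter path Ansible is told to use on managed hosts.
ansible_python_interpreter: /usr/libexec/platform-python

timezone: America/New_York

# Site identity. Every value marked "changeme" is a placeholder that must be
# replaced before the first run.
domain: ipa.example.com  # changeme
email_domain: example.com  # changeme
organization: 'ACME, Inc.'  # changeme

# This variable will be used to configure an SSID with certificate-based auth
# for any hosts in the linux-laptops group.
wifi_ssid: acme-wifi

# Hosts in these CIDRs should be capable of kerberos authentication.
# We use this in many apache configs to determine when to force GSSAPI auth.
# NOTE(review): the `trusted` VLAN in `vlans` is declared as 10.10.12.0/23,
# while this list covers only its lower /24. Confirm that hosts in
# 10.10.13.0/24 are meant to be left out of forced GSSAPI.
kerberized_cidrs:  # changeme
  - 10.10.12.0/24

backup_path: '~/backups'

# Use your external MX hostname so that TLS validation works.
# The placeholder stays under example.com, which is reserved for
# documentation, so an unedited copy cannot point mail at a real
# third-party host.
mail_host: mx1.example.com  # changeme
# Quoted so the templated values are always read as strings.
imap_host: 'imap.{{ domain }}'
rspamd_host: 'rspamd.{{ domain }}'

# changeme: specify your vlans here.
# This dictionary is used to discover which VLAN a host belongs to.
# The appropriate VLAN object will end up in the `vlan` variable in host_vars.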
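# One entry per VLAN: numeric VLAN id, network CIDR, default gateway, and the
# DNS/NTP servers handed to hosts on that network. Every VLAN resolves through
# the same two FreeIPA servers.
vlans:
  mgmt:
    id: 11
    cidr: 10.10.11.0/24
    gateway: 10.10.11.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.11.1']

  trusted:
    id: 12
    # NOTE(review): this is the only /23 here; it spans 10.10.12.0 through
    # 10.10.13.255, whereas kerberized_cidrs lists 10.10.12.0/24. Confirm the
    # prefix length, since that list decides where GSSAPI auth is forced.
    cidr: 10.10.12.0/23
    gateway: 10.10.12.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.12.1']

  voip:
    id: 14
    cidr: 10.10.14.0/24
    gateway: 10.10.14.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.14.1']

  print:
    id: 15
    cidr: 10.10.15.0/24
    gateway: 10.10.15.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.15.1']

  vpn:
    id: 16
    cidr: 10.10.16.0/24
    gateway: 10.10.16.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.16.1']

  dmz:
    id: 19
    cidr: 10.10.19.0/24
    gateway: 10.10.19.1
    dns_servers:  # freeipa servers
      - 10.10.12.2
      - 10.10.12.3
    ntp_servers: ['10.10.19.1']

# standard freeipa variables
# Realm is the upper-cased DNS domain; the base DN is the domain split on dots
# and rewritten as dc= components.
freeipa_realm: '{{ domain | upper }}'
freeipa_basedn: "dc={{ domain.split('.') | join(',dc=') }}"

# FQDNs of the inventory's freeipa_servers group (short name + '.' + domain).
# `| list` materializes the map() result so consumers receive a real list
# rather than a lazy generator.
freeipa_hosts: "{{ groups['freeipa_servers'] | map('regex_replace', '$', '.' ~ domain) | list }}"
# Space-separated ldap:// URIs, one per member of freeipa_servers.
# NOTE(review): these are plain ldap:// URIs. Confirm that consumers negotiate
# StartTLS or GSSAPI protection before binding.
freeipa_ldap_uri: "{{ groups['freeipa_servers'] | map('regex_replace', '^(.*)$', 'ldap://\\1.' ~ domain) | join(' ') }}"
# First host of the freeipa_master inventory group (short name).
freeipa_master: "{{ groups['freeipa_master'][0] }}"

# Directory subtrees, all derived from freeipa_basedn.
freeipa_sysaccount_basedn: 'cn=sysaccounts,cn=etc,{{ freeipa_basedn }}'
freeipa_user_basedn: 'cn=users,cn=accounts,{{ freeipa_basedn }}'
freeipa_group_basedn: 'cn=groups,cn=accounts,{{ freeipa_basedn }}'
freeipa_accounts_basedn: 'cn=accounts,{{ freeipa_basedn }}'
freeipa_service_basedn: 'cn=services,cn=accounts,{{ freeipa_basedn }}'

# Secrets are indirected through vault_* variables that are not defined in
# this file. Presumably they live in an ansible-vault encrypted vars file;
# confirm, and never replace these references with literal passwords.
freeipa_ds_password: '{{ vault_freeipa_ds_password }}'
freeipa_admin_password: '{{ vault_freeipa_admin_password }}'

# Connection settings: the master's FQDN plus the admin account.
# NOTE(review): variables in this file are usable by every role, so every role
# can read the FreeIPA admin credential. Confirm that is intended, or scope a
# less-privileged account to the roles that need one.
ipa_host: '{{ freeipa_master }}.{{ domain }}'
ipa_user: admin
ipa_pass: '{{ freeipa_admin_password }}'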