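---
# Play for the static-content web server http.liw.fi.
# Fixes relative to the original: explicit document start, canonical
# true/false booleans (Ansible reads yes/no the same way, but YAML 1.2
# loaders and yamllint do not), one key per line so diffs stay readable.
- hosts: http.liw.fi
  # Ansible connects directly as root; the unix_users role below is what
  # installs the key that makes that login possible.
  remote_user: root
  roles:
    - role: sane_debian_system
    - role: sshd
    - role: unix_users
    - role: apache_server
      tags: [httpd]
    - role: comfortable-debian-system
    - role: self-updating-system

  vars:
    sane_debian_system_version: 2
    sane_debian_system_hostname: static
    sane_debian_system_codename: bullseye
    sane_debian_system_mirror: deb.debian.org

    unix_users_version: 2
    unix_users:
      - username: liw
        comment: Lars Wirzenius
        # Public key only; the value comes from the liw_personal_ssh_pub
        # variable, which is defined outside this play.
        authorized_keys: |
          {{ liw_personal_ssh_pub }}
      - username: root
        authorized_keys: |
          {{ liw_personal_ssh_pub }}

    letsencrypt: true
    letsencrypt_email: liw@liw.fi
    letsencrypt_main_domain: http.liw.fi
    certbot_debian_release: bullseye

    # One entry per virtual host. `letsencrypt_cert: certa` groups the
    # domains under a single certificate; `redirect:` names the domain
    # the site forwards to (presumably handled by the apache_server
    # role — confirm there).
    static_sites:
      # Sites that refer to this server via CNAME will work out of the box.
      - domain: http-static.vm.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: files.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: vmdb2.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: vmdb2-manual.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: journal.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
        # The htpasswd file content is pulled from the password store on
        # the control node at run time, so no credential lives in this
        # file. Note that Ansible can still print the rendered value in
        # verbose task output.
        htpasswd: "{{ lookup('pipe', 'pass journal.liw.fi.htpasswd') }}"
        htpasswd_name: "Private site by Lars. Go away."
      - domain: noir.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: doc.obnam.org
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: subplot.tech
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: www.subplot.tech
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
        redirect: subplot.tech
      - domain: doc.subplot.tech
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: subplot.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
        redirect: subplot.tech
      - domain: doc.subplot.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
        redirect: doc.subplot.tech
      - domain: 256.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: gtdfh.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: blog.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: vmadm.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: doc.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: sshca.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: www.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
        redirect: liw.fi
      - domain: riki.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: v-i.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: puomi.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: ewww.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: ambient.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: openpgpkey.liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: liw.iki.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa

      # Sites that need to be changed in DNS (A record) before Let's
      # Encrypt certificates can be created. Comment these out until
      # DNS has been changed.
      - domain: obnam.org
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa
      - domain: liw.fi
        owner: liw
        ownermail: liw@liw.fi
        letsencrypt: true
        letsencrypt_cert: certa

      # Sites without HTTPS. These are served over plain HTTP only.
      - domain: yotyonzen.docstory.fi
        owner: liw
        ownermail: webmaster@docstory.fi
        letsencrypt: false
      - domain: zen.docstory.fi
        owner: liw
        ownermail: webmaster@docstory.fi
        letsencrypt: false
      - domain: wedding.docstory.fi
        owner: liw
        ownermail: webmaster@docstory.fi
        letsencrypt: false
      - domain: www.docstory.fi
        owner: liw
        alias: docstory.fi
        ownermail: webmaster@docstory.fi
        letsencrypt: false

    # We must define the sshd variables here. The defaults from the
    # "all" group assume sshca knows the host by the
    # sane_debian_system_hostname name, which isn't true for this
    # host.
    sshd_version: 1
    # The host private key is generated/fetched by the sshca tool on the
    # control node at run time and never stored in this repository. As
    # with the htpasswd lookup above, verbose Ansible output may expose
    # the rendered value.
    sshd_host_key: "{{ lookup('pipe', 'sshca host private-key http.liw.fi') }}"
    sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 http.liw.fi') }}"
    # Public key of the user CA that sshd trusts for user certificates.
    sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"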