- hosts: irc.liw.fi
  remote_user: root
  roles:
    - role: sane_debian_system
    - role: sshd
    - role: comfortable-debian-system
    - role: unix_users
    - role: self-updating-system
    - role: irc-client
  vars:
    ansible_python_interpreter: /usr/bin/python3

    sane_debian_system_version: 2
    sane_debian_system_hostname: irc
    sane_debian_system_codename: bookworm
    sane_debian_system_mirror: deb.debian.org

    unix_users_version: 2
    unix_users:
      - username: root
        authorized_keys: |
          {{ liw_personal_ssh_pub }}
      - username: liw
        comment: Lars Wirzenius
        authorized_keys: |
          {{ liw_personal_ssh_pub }}
      - username: liwmf
        comment: Lars Wirzenius
        authorized_keys: |
          {{ liw_personal_ssh_pub }}

    # We must define the sshd variables here. The defaults from the
    # "all" group assume sshca knows the host by the
    # sane_debian_system_hostname name, which isn't true for this
    # host.
    sshd_version: 1
    sshd_host_key: "{{ lookup('pipe', 'sshca host private-key irc.liw.fi') }}"
    sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 irc.liw.fi') }}"
    sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"