- hosts: shell-shell.vm.liw.fi
  remote_user: root
  roles:
    - role: sane_debian_system
    - role: sshd
    - role: comfortable-debian-system
    - role: unix_users
    - role: linkchecker
    - role: mail-server
    - role: self-updating-system
  vars:
    ansible_python_interpreter: /usr/bin/python3

    sane_debian_system_version: 2
    sane_debian_system_hostname: shell
    sane_debian_system_codename: bullseye
    sane_debian_system_mirror: deb.debian.org

    unix_users_version: 2
    unix_users:
      - username: root
        authorized_keys: |
          {{ liw_personal_ssh_pub }}
      - username: liw
        comment: Lars Wirzenius
        authorized_keys: |
          {{ liw_personal_ssh_pub }}
        sudo: yes
      - username: soile
        comment: Soile Mottisenkangas
      - username: docstory
        comment: Soile Mottisenkangas

    mailname: pieni.net
    smarthost: mail.infrafish.uk
    smarthost_port: 587
    smarthost_user: liw@login.liw.fi
    smarthost_pass_name: pieni.net/smarthost_pass_intrafish

    mail_hostname: pieni.net

    # We must define the sshd variables here. The defaults from the
    # "all" group assume sshca knows the host by the
    # sane_debian_system_hostname name, which isn't true for this
    # host.
    sshd_version: 1
    sshd_host_key: "{{ lookup('pipe', 'sshca host private-key shell-shell.vm.liw.fi') }}"
    sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 shell-shell.vm.liw.fi') }}"
    sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"