---
# Ansible host variables for a PostgreSQL host. The certbot name below
# suggests it is `postgres.crypto-libertarian.com`; the database roles and
# networks named here presumably belong to a Matrix Synapse deployment
# (matrix_synapse, matrix_media_repo) — confirm against the playbook.

# Per-administrator `become` passwords. Each value is Ansible-Vault
# encrypted under its own vault ID (the label after `AES256;`), so an
# operator only needs the vault password for their own entry.
ansible_become_pass_for:
  kotovalexarian: !vault |
    $ANSIBLE_VAULT;1.2;AES256;kotovalexarian
    61623634613531666632363233346539303131313038666132643464313263356162616661336339
    6437356339396139346435636462613163396332313135620a383962643839393764616130663264
    39363331653837376434613266623331333563343264383365336234666230633334313338623938
    3562303035333732360a393931353339653539323732316137363532316234306461393265633763
    64343336303765646239386265306435323230303764376439346530646138323137333461383766
    3534613339653530643635316531356166313735623339613937
  xuhcc: !vault |
    $ANSIBLE_VAULT;1.2;AES256;xuhcc
    33343933353961653437653139333435306663383434646339353763303530353731383438653337
    3531393762396135366332396632653036346333623133650a306162326438333931303862383330
    39626564333130623731343339663764643632323566393734346565353934656561386462326434
    6538303365386631640a366330333135313464333962313638643465613836643037323833626131
    39623562376439376665636537396339613462356131343763323437623334323463

# Selects the entry above by operator. `admin` is not defined in this file;
# presumably supplied via extra-vars or the inventory — verify at the caller.
ansible_become_pass: "{{ ansible_become_pass_for[admin] }}"

# Certificate issued by the common role's certbot integration. This is the
# certificate presented on the `hostssl` connections configured below.
common__certbot__cert_name: 'postgres.crypto-libertarian.com'
common__certbot__cert_domains:
  - 'postgres.crypto-libertarian.com'

# Database roles. Passwords are vault-encrypted under the `postgres` vault ID
# and are never stored in plain text in this repository.
postgresql_users:
  - name: matrix_synapse
    password: !vault |
      $ANSIBLE_VAULT;1.2;AES256;postgres
      65363838636633623362663839303333346337646138333862373831343162343161356435336565
      3032626439376630656338373464376463663935366134660a316136373261303331633836633937
      30646533386163313136656138633437386366616234383265366261346636396130626333333235
      3264356332336461320a323065616231663165613737646566336434663862306333393465366261
      33373533393361356664343337353861313334623136353138643834336236306662383032316432
      3336623036373964313036633434626239396139336666393361
  - name: matrix_media_repo
    password: !vault |
      $ANSIBLE_VAULT;1.2;AES256;postgres
      39386236643763333734653936616466376334636166646133653335626365373039356262376161
      3439353138643533613166333562663134666539653431340a636231353663633033363034643232
      63393063346332353765343961383730633266613532656234336266623538376332636361353932
      6634626266333033330a626536333161663239353831306466323038373961663132306334386437
      64376231643964363935633531643938616430396664393237613361626465373536643339656566
      6233663734316163386434343332346364363362653934363162

# One database per role, owned by that role. `C` collation/ctype is what
# Synapse's own documentation asks for (assumed here, not verified in SOURCE).
postgresql_databases:
  - name: matrix_synapse
    owner: matrix_synapse
    lc_collate: C
    lc_ctype: C
  - name: matrix_media_repo
    owner: matrix_media_repo
    lc_collate: C
    lc_ctype: C

# pg_hba.conf entries, rendered in this order. pg_hba is first-match, so the
# two catch-all `reject` entries at the end must stay last: everything not
# explicitly allowed above them is refused before password checking.
#
# Remote access is TLS-only (`hostssl`) and scoped to one database per role,
# from exactly the client addresses that the firewall allow-list in
# common__iptables__v4_filter / common__iptables__v6_filter admits. Keep the
# two lists in sync when a client host changes.
#
# NOTE(review): `md5` is the weaker of PostgreSQL's password methods;
# `scram-sha-256` is preferable where server and clients support it.
# Switching requires re-setting the stored passwords, so it is not changed here.
postgresql_hba_entries:
  # Local Unix-socket connections authenticate by OS user.
  - type: local
    database: all
    user: all
    auth_method: peer
  # Loopback connections (IPv4 and IPv6).
  - type: host
    database: all
    user: all
    address: '127.0.0.1/32'
    auth_method: md5
  - type: host
    database: all
    user: all
    address: '::1/128'
    auth_method: md5
  # matrix_synapse: TLS only, from the three known client addresses.
  - type: hostssl
    database: matrix_synapse
    user: matrix_synapse
    address: '134.209.196.172/32'
    auth_method: md5
  - type: hostssl
    database: matrix_synapse
    user: matrix_synapse
    address: '2a03:b0c0:2:f0::142:3001/128'
    auth_method: md5
  - type: hostssl
    database: matrix_synapse
    user: matrix_synapse
    address: '10.133.8.214/32'
    auth_method: md5
  # matrix_media_repo: same client addresses, separate role and database.
  - type: hostssl
    database: matrix_media_repo
    user: matrix_media_repo
    address: '134.209.196.172/32'
    auth_method: md5
  - type: hostssl
    database: matrix_media_repo
    user: matrix_media_repo
    address: '2a03:b0c0:2:f0::142:3001/128'
    auth_method: md5
  - type: hostssl
    database: matrix_media_repo
    user: matrix_media_repo
    address: '10.133.8.214/32'
    auth_method: md5
  # Catch-all: refuse every other network client. Must remain last.
  - type: host
    database: all
    user: all
    address: '0.0.0.0/0'
    auth_method: reject
  - type: host
    database: all
    user: all
    address: '::/0'
    auth_method: reject

# IPv4 filter-table rules, passed through verbatim as a block scalar
# (presumably consumed by iptables-restore, where `#` lines are comments —
# confirm in the common role). Port 80 is opened for the HTTP-01 challenge;
# PostgreSQL (5432) is reachable only from the same client addresses listed
# in postgresql_hba_entries, with everything else rejected.
#
# NOTE(review): the HTTP deny rule for OUTPUT matches `--dport 80` (outbound
# HTTP clients), whereas the PostgreSQL one matches `--sport 5432`; the
# asymmetry looks deliberate but should be confirmed.
common__iptables__v4_filter: |
  # Allow incoming HTTP for Certbot to work.
  -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # Deny other HTTP.
  -A INPUT -p tcp --dport 80 -j REJECT
  -A OUTPUT -p tcp --dport 80 -j REJECT
  # Allow incoming PostgreSQL from specific hosts.
  -A INPUT -p tcp --dport 5432 -s 134.209.196.172/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 5432 -d 134.209.196.172/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  -A INPUT -p tcp --dport 5432 -s 10.133.8.214/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 5432 -d 10.133.8.214/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # Deny other PostgreSQL.
  -A INPUT -p tcp --dport 5432 -j REJECT
  -A OUTPUT -p tcp --sport 5432 -j REJECT

# IPv6 counterpart of the rules above; the single IPv6 client address is the
# one that also appears in the `hostssl` entries.
common__iptables__v6_filter: |
  # Allow incoming HTTP for Certbot to work.
  -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # Deny other HTTP.
  -A INPUT -p tcp --dport 80 -j REJECT
  -A OUTPUT -p tcp --dport 80 -j REJECT
  # Allow incoming PostgreSQL from specific hosts.
  -A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # Deny other PostgreSQL.
  -A INPUT -p tcp --dport 5432 -j REJECT
  -A OUTPUT -p tcp --sport 5432 -j REJECT