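---
# Central YAML Source of Truth for Nathan's Lab (2026)
# Edit and commit this file; Ansible playbooks should read this as canonical.
#
# Conventions:
# - Every address/range is a quoted string so no YAML parser retypes it.
# - `lab_hosts.*.current_ip` is the address a host answers on today;
#   `desired_ip` is its post-migration address. Other sections should
#   reference these keys instead of repeating the literal address, so a
#   migration changes one line here rather than several scattered copies.
lab_name: "nathan-lab-2026"
canonical_source: "ansible/group_vars/all.yml"

# Per-VLAN addressing. `dhcp_pool` / `reserved` are rendered into DHCP
# reservation templates by the playbooks (see usage notes at end of file).
# NOTE(review): inter-VLAN firewall policy (e.g. what may reach `infra`
# from `main`/`iot`/`guest`) is not expressed in this file; it lives on the
# gateway. Do not assume a VLAN is isolated just because it is listed here.
networks:
  main:
    vlan: 1
    cidr: "10.0.0.0/24"
    # NOTE(review): several lab_hosts current_ip values (.200-.223) and the
    # edge host at .151 fall inside this pool. They must exist as DHCP
    # reservations (or be excluded) or the pool can hand those addresses
    # to other clients.
    dhcp_pool: "10.0.0.100-10.0.0.240"
    # NOTE(review): `er7212pc` (role: gateway) is listed at 10.0.0.2 below;
    # confirm which of .1/.2 is the default route before rendering configs.
    gateway: "10.0.0.1"
    purpose: "Family / wired / main SSID"
  infra:
    vlan: 10
    cidr: "10.0.10.0/24"
    reserved: "10.0.10.2-10.0.10.50"
    purpose: "Management / Proxmox / NAS / Heimdall mgmt"
  iot:
    vlan: 50
    cidr: "10.0.50.0/24"
    dhcp_pool: "10.0.50.100-10.0.50.199"
    purpose: "IoT devices (Omada)"
  guest:
    vlan: 30
    cidr: "10.0.30.0/24"
    dhcp_pool: "10.0.30.100-10.0.30.200"
    purpose: "Guest WiFi (isolated)"
  compute:
    vlan: 200
    cidr: "10.0.200.0/24"
    purpose: "Swarm / AI grid / ephemeral compute"

# Host inventory. `role` is optional; `note` is free text.
lab_hosts:
  er7212pc:
    role: gateway
    current_ip: "10.0.0.2"
    desired_ip: "10.0.0.2"
    note: "DHCP + Omada controller"
  pve01:
    role: proxmox
    current_ip: "10.0.0.201"
    desired_ip: "10.0.10.11"
  pve02:
    role: proxmox
    current_ip: "10.0.0.202"
    desired_ip: "10.0.10.12"
  pve03:
    role: proxmox
    current_ip: "10.0.0.203"
    desired_ip: "10.0.10.13"
  pve04:
    role: proxmox
    current_ip: "10.0.0.204"
    desired_ip: "10.0.10.14"
  swarm-manager-1:
    current_ip: "10.0.0.211"
    desired_ip: "10.0.200.11"
  swarm-manager-2:
    current_ip: "10.0.0.212"
    desired_ip: "10.0.200.12"
  swarm-manager-3:
    current_ip: "10.0.0.213"
    desired_ip: "10.0.200.13"
  swarm-worker-1:
    current_ip: "10.0.0.221"
    desired_ip: "10.0.200.21"
  swarm-worker-2:
    current_ip: "10.0.0.222"
    desired_ip: "10.0.200.22"
  swarm-worker-3:
    current_ip: "10.0.0.223"
    desired_ip: "10.0.200.23"
  ai-lenovo:
    current_ip: "10.0.0.220"
    desired_ip: "10.0.200.20"
  synology:
    current_ip: "10.0.0.249"
    desired_ip: "10.0.10.40"
  terramaster:
    current_ip: "10.0.0.250"
    desired_ip: "10.0.10.41"
  waldorf:
    current_ip: "10.0.0.251"
    desired_ip: "10.0.200.30"
  watchtower:
    current_ip: "10.0.0.200"
    # NOTE(review): outside the `infra.reserved` range (10.0.10.2-.50);
    # confirm that is intentional.
    desired_ip: "10.0.10.200"
  heimdall:
    # `role` here names the hardware (Beelink mini-PC), not a function like
    # the other entries; `edge_routing` below names this host as the
    # Traefik edge host.
    role: beelink
    current_ip: null
    # NOTE(review): this host is dual-homed, so `desired_ip` is a mapping
    # rather than a string. Templates that treat `desired_ip` as a scalar
    # need a special case for this entry or will render garbage.
    desired_ip:
      mgmt: "10.0.10.2"
      lan: "10.0.0.50"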
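# === MONITORING INFRASTRUCTURE ===
# Environment-specific configuration for monitoring stack.
# Addresses that `lab_hosts` already owns are referenced via Jinja so they
# follow the current_ip -> desired_ip migration instead of drifting.
# These "{{ ... }}" values resolve only under Ansible; a non-Ansible reader
# of this file sees the template string, not the address.
monitoring:
  stack_user: "chester"
  # Redis on the edge host; traefik-kop agents publish Traefik routes into it.
  heimdall_redis: "10.0.0.151:6379"
  # 10.0.0.200 today; follows lab_hosts.watchtower when that entry changes.
  watchtower_ip: "{{ lab_hosts.watchtower.current_ip }}"
  grafana_domain: "grafana.castaldifamily.com"
  uptime_domain: "status.castaldifamily.com"
  dozzle_domain: "logs.castaldifamily.com"
  authentik_host: "https://sso.castaldifamily.com"
  # grafana_admin_password: DEFINE IN VAULT (ansible-vault encrypt_string)

# === EDGE ROUTING TOPOLOGY ===
# Canonical ingress model: Traefik runs on a dedicated edge host outside Swarm.
# Swarm and standalone hosts publish routes through traefik-kop agents that
# write into the edge host's Redis (redis_addr below).
#
# SECURITY NOTE(review): whoever can write to that Redis decides which
# backend Traefik sends each public hostname to. 10.0.0.151 sits on the
# `main` (family) VLAN and nothing in this file configures Redis
# authentication, an ACL or TLS for it. Confirm Redis is bound/firewalled
# to the kop hosts only; if a password is set, keep it in the vault and
# pass it to both kop agents rather than relying on network position alone.
edge_routing:
  ingress_mode: "external-traefik"
  edge_host:
    name: "heimdall"
    # NOTE(review): lab_hosts.heimdall declares 10.0.0.50 (lan) and
    # 10.0.10.2 (mgmt) with current_ip: null; 10.0.0.151 here is a third
    # address and is also hard-coded in monitoring.heimdall_redis and in
    # `notes` below. Reconcile before the migration playbook runs.
    ip: "10.0.0.151"
    ssh_port: 22
    http_port: 80
    https_port: 443
  integration:
    # Watchtower-hosted traefik-kop instance (publishes Watchtower container routes)
    # NOTE(review): `:latest` is unpinned — pin a tag or digest so a registry
    # push cannot silently replace the agent that writes your ingress routes.
    agent_image: "ghcr.io/jittering/traefik-kop:latest"
    redis_addr: "{{ monitoring.heimdall_redis }}"
    # Routes originating on Watchtower are answered at Watchtower's own IP.
    bind_ip: "{{ lab_hosts.watchtower.current_ip }}"
  swarm:
    # Swarm-hosted traefik-kop instance (publishes Swarm service routes)
    # bind_ip MUST be a Swarm node IP — the Swarm routing mesh makes published
    # ports available on ALL nodes, so Traefik routes inbound requests here.
    # Any Swarm node IP is valid via the routing mesh; swarm-manager-1 is used
    # (10.0.0.211 today, 10.0.200.11 after migration).
    bind_ip: "{{ lab_hosts['swarm-manager-1'].current_ip }}"
    # Swarm overlay network; separate from heimdall's bridge of the same name.
    proxy_network: "proxy-net"
    stack_deploy_target: "swarm-manager-1"
  migration_rules:
    deploy_traefik_in_swarm: false
    use_external_proxy_network: true
  notes:
    - "Services should attach to swarm overlay proxy-net for east-west traffic."
    - "Ingress is terminated by external Traefik at 10.0.0.151 via traefik-kop updates."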
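# === VLAN-WIDE DEFAULTS ===
vlan_defaults:
  dns_domain: "home.lab"
  ntp_servers:
    # NOTE(review): 10.0.10.2 is heimdall's *desired* mgmt address and
    # lab_hosts.heimdall.current_ip is null — clients pointed here get no
    # time source until that host is actually moved.
    - "10.0.10.2"

# === SERVICE SECRETS (set via: ansible-vault encrypt_string) ===
# Ciphertext is safe to commit; the vault password is not — supply it via
# --vault-id / ANSIBLE_VAULT_PASSWORD_FILE from outside the repository.
# The `!vault` tag is only understood by Ansible's loader: a plain
# yaml.safe_load() of this file raises on it, so any non-Ansible tool that
# reads `networks`/`lab_hosts` from this file needs a constructor for `!vault`.
vault_gitea_db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  62323135663563386162633134616430633034366465376439663133346634616639376431356165
  6361376530363938656235623330396530643631616266330a323962373736383339353064633634
  36636664383530386539366137666632393134366435356634383061643566366335376164656531
  6464333566326261610a306366346638366439333535393161643066643234653165636636623832
  3135

# Plex bootstrap claim token — used only on first server claim.
# NOTE(review): once the server has been claimed this value is dead weight;
# rotate or remove it rather than leaving a reusable credential in history.
vault_plex_claim: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  65626432323737386462666132336161303635633438326432666631383339663835356238343838
  3533306232623437376263353161633530646533343739300a323730643330386633626661353234
  31643631346666666431666534613539333835623562306335376534626463633936643838323666
  6432626262323231660a323965393163366230363838623165643532356438393863346361656162
  63323966386333323236353861623333623339626538396565643965323562383636

# Usage notes:
# - Treat this file as the single source of truth for IPs and VLANs.
# - Ansible playbooks should read `networks` and `lab_hosts` to render configs,
#   update `inventory/hosts.ini`, and generate DHCP reservation templates.
# - Do not repeat an address elsewhere in this file; reference
#   `lab_hosts.<host>.current_ip` / `desired_ip` so a migration is a one-line change.
# - After a host is migrated, update its `current_ip` here and re-run the playbooks.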