---

- name: "prepare postgres ssl hosts list"
  hosts: archlinux.org
  tasks:
    - name: assign ipv4 addresses to fact postgres_ssl_hosts4
      set_fact: postgres_ssl_hosts4="{{ [gemini4] + detected_ips }}"
      vars:
        gemini4: "{{ hostvars['gemini.archlinux.org']['ipv4_address'] }}/32"
        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv4_address']) | select() | map('regex_replace', '^(.+)$', '\\1/32') | list }}"
      tags: ["postgres", "firewall"]
    - name: assign ipv6 addresses to fact postgres_ssl_hosts6
      set_fact: postgres_ssl_hosts6="{{ [gemini6] + detected_ips }}"
      vars:
        gemini6: "{{ hostvars['gemini.archlinux.org']['ipv6_address'] }}/128"
        detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ipv6_address']) | select() | map('regex_replace', '^(.+)$', '\\1/128') | list }}"
      tags: ["postgres", "firewall"]

- name: setup archlinux.org
  hosts: archlinux.org
  remote_user: root
  roles:
    - { role: common }
    - { role: tools }
    - { role: sshd }
    - { role: root_ssh }
    - { role: borg_client, tags: ["borg"] }
    - { role: certbot }
    - { role: nginx }
    - { role: postfix, postfix_relayhost: "mail.archlinux.org" }
    - role: postgres
      postgres_listen_addresses: "*"
      postgres_ssl: 'on'
    - { role: sudo }
    - { role: uwsgi }
    - { role: memcached }
    - { role: fetchmail }
    - { role: archweb, archweb_planet: true }
    - { role: fail2ban }
    - { role: prometheus_exporters }
    - { role: promtail }