nodes['home.router'] = {
    'hostname': '172.19.138.1',
    'bundles': {
        'bird',
        'kea-dhcp-server',
        'nginx',
        'pppd',
        'radvd',
        'unbound',
        'vnstat',
        'wide-dhcp6c',
        'wireguard',
    },
    'groups': {
        'debian-bookworm',
    },
    'metadata': {
        'interfaces': {
            'enp1s0.1138': {
                'ips': {
                    '172.19.138.1/24',
                },
            },
            'enp1s0.1139': {
                'ips': {
                    '172.19.139.1/24',
                },
            },
        },
        'backups': {
            'exclude_from_backups': True,
        },
        'bird': {
            'static_routes': {
                '172.19.138.0/24',
                '172.19.139.0/24',
            },
        },
#        'cron': {
#            'jobs': {
#                # Our internet provider resets the connection if you're
#                # connected longer than 24 hours. We install this cronjob
#                # to make sure we don't get disconnected randomly during the
#                # day.
#                'restart_pppd': '23 2 * * *    root    systemctl restart pppoe && date -u +\%s > /var/tmp/pppd-last-restart.status',
#            },
#        },
        'kea-dhcp-server': {
            'subnets': {
                'enp1s0.1138': {
                    'lower':  '172.19.138.100',
                    'higher': '172.19.138.250',
                    'subnet': '172.19.138.0/24',
                    'options': {
                        'domain-name': 'franzi-home.kunbox.net',
                        'domain-name-servers': '172.19.138.1',
                        'domain-search': 'home.kunbox.net',
                        'routers': '172.19.138.1',
                    },
                },
                'enp1s0.1139': {
                    'lower':  '172.19.139.200',
                    'higher': '172.19.139.250',
                    'subnet': '172.19.139.0/24',
                    'options': {
                        'domain-name-servers': '172.19.139.1',
                        'routers': '172.19.139.1',
                    },
                },
            },
        },
        'icinga_options': {
            # override group default
            'also_affected_by': atomic(set()),
            # disabled on group level
            # XXX reenable this once we can leave the house safely again
            #'vars.notification.sms': True
        },
        'nftables': {
            'forward': {
                '50-router': [
                    'ct state { related, established } accept',
                    'ip6 nexthdr ipv6-icmp accept',
                    'tcp dport 22 accept',
                ],
            },
            'prerouting': {
                '50-router': [
                    'tcp dport 2022 dnat 172.19.138.20:22',
                ],
            },
        },
        'nginx': {
            'restrict-to': {
                '172.19.136.0/25',
                '172.19.138.0/24',
            },
            'vhosts': {
                'vnstat': {
                    'domain': 'router.home.kunbox.net',
                    'ssl': '_.home.kunbox.net',
                },
            },
        },
        'radvd': {
            'interfaces': {
                'enp1s0.1138': {},
                'enp1s0.1139': {},
            },
        },
        'postfix': {
            'mynetworks': {
                '172.19.138.0/24',
            },
        },
        'pppd': {
            'username': vault.decrypt('encrypt$gAAAAABfruZ5AZbgJ3mfMLWqIMx8o4bBRMJsDPD1jElh-vWN_gnhiuZVjrQ1-7Y6zDXNkxXiyhx8rxc2enmvo26axd7EBI8FqknCptXAPruVtDZrBCis4TE='),
            'password': vault.decrypt('encrypt$gAAAAABfruaXEDkaFksFMU8g97ydWyJF8p2KcSDJJBlzaOLDsLL6oCDYjG1kMPVESOzqjn8ThtSht1uZDuMCstA-sATmLS-EWQ=='),
            'interface': 'enp1s0.7',
            'dyndns': {
                'domain': 'franzi-home.kunbox.net',
                'url': 'https://ns-mephisto.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ips}',
                'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='),
                'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='),
            },
            'nftables-rules.d': {
                'inet filter forward iifname enp1s0.1138 accept',
                'inet filter forward iifname enp1s0.1139 oifname $INTERFACE accept',
            },
        },
        'unbound': {
            'restrict-to': {
                '172.19.138.0/23',
            },
        },
        'users': {
            'f2k1de': {
                'ssh_pubkey': {
                    'command="/bin/false",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e',
                    'command="/bin/false",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up',
                },
            },
            'fkunsmann': {
                'sudo_commands': {
                    'ALL',
                },
            },
        },
        'vnstat': {
            'interface': 'enp1s0.7',
        },
        'vm': {
            'cpu': 2,
            'ram': 4,
        },
        'wide-dhcp6c': {
            'source': 'ppp0',
            'targets': {
                'enp1s0.1138': '1',
                'enp1s0.1139': '2',
            },
        },
        'wireguard': {
            'snat_ip': '172.19.138.1',
        },
    },
}