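---
# Local Organization SSH Inventory
#
# This file extends or replaces the nextgen inventory for local development,
# testing, and lab environments.
#
# Template structure follows nextgen/hosts.yaml for consistency.
#
# NOTE(review): the line structure and nesting below were restored from a
# copy that had been collapsed onto a few long lines (which made the whole
# first line a comment). Placements marked "confirm" could not be determined
# from the text alone; check them against nextgen/hosts.yaml.

version: 1

# Inventory-wide facts and free-form notes.
facts:
  environment: local
  organization: xdev
  jump_default_port: 22
  jump_default_user: bogdan
  notes:
    - Local lab and development infrastructure
    - Uses SSH key-based auth on all machines
    - is-jumper is the local entry point

# Named sets of ssh_config options.
ssh_options:
  local_defaults:
    description: Local SSH compatibility options (no legacy algorithms needed)
    # NOTE(review): yes/no are ssh_config literals, but a YAML 1.1 loader
    # (PyYAML, for example) reads unquoted yes/no as booleans. Whatever
    # consumes this file has to map true/false back to yes/no, or the values
    # should be quoted ('yes' / 'no'). Confirm against the generator before
    # changing them.
    options:
      # NOTE(review): agent forwarding makes the local agent usable by
      # anyone with root on a host reached with these options, for the life
      # of the session, and several entries below log in as root. ProxyJump
      # does not need it. If this set is applied to every host, confirm the
      # setting is required and consider enabling it per host instead.
      ForwardAgent: yes
      ForwardX11: no
      # Key-based authentication only.
      PasswordAuthentication: no
      HostbasedAuthentication: no
      CheckHostIP: yes
      # accept-new records an unknown host key on first connection and still
      # refuses a key that has changed. For the hosts on public addresses
      # (ref_porta_db, mt_rabit, mt_xpider) consider pinning host keys in
      # known_hosts ahead of the first connection.
      StrictHostKeyChecking: accept-new
      Tunnel: no
      HashKnownHosts: yes

# Fallback connection settings for jump hosts and final hosts.
defaults:
  jump:
    user: bogdan
    port: 22
  final_host:
    user: bogdan
    port: 22
  # NOTE(review): placed as siblings of jump/final_host; they may instead
  # belong under final_host - confirm.
  connect_timeout: 5
  connection_attempts: 1

# Hosts reached first, before any jump host.
entrypoints:
  is_jumper:
    aliases: [is-jumper, 192.168.2.100]
    hostname: 192.168.2.100
    user: root
    identity_file: ~/.ssh/keys/is-jumper_ed25519
    # Offer only the identity file named above to this host.
    identities_only: true

# Jump hosts on the 10.253.51.0 network.
jumps:
  j1:
    aliases: [j1, j1-local]
    hostname: 10.253.51.50
    port: 25904
    role: primary
    proxy_jump: is-jumper
  # NOTE(review): j2 has no proxy_jump while j1 goes through is-jumper;
  # confirm the failover is meant to be reached directly.
  j2:
    aliases: [j2, j2-local]
    hostname: 10.253.51.52
    port: 25904
    role: failover

groups:
  local_lab:
    description: Local lab and testing machines
    hosts:
      lab_vm1:
        aliases: [lab-vm1, lab1, 192.168.2.110]
        hostname: 192.168.2.110
        user: bogdan
      lab_vm2:
        aliases: [lab-vm2, lab2, 192.168.2.111]
        hostname: 192.168.2.111
        user: bogdan
      lab_vm3:
        aliases: [lab-vm3, lab3, 192.168.2.112]
        hostname: 192.168.2.112
        user: bogdan
      lab_router:
        aliases: [lab-router, router, 192.168.2.1]
        hostname: 192.168.2.1
        user: admin
      lab_switch:
        aliases: [lab-switch, switch, 192.168.2.2]
        hostname: 192.168.2.2
        user: admin

  local_servers:
    description: Local production/staging servers
    hosts:
      # NOTE(review): the key is spelled local_nexgen but the aliases use
      # "nextgen"; left unchanged because other files may reference the key.
      # 192.168.2.103 is also the hostname of is_toltec (user root) in
      # legacy_infrastructure - confirm which entry is current.
      local_nexgen:
        aliases: [local-nextgen, nextgen-local, 192.168.2.103]
        hostname: 192.168.2.103
        user: bogdan
      local_backup:
        aliases: [local-backup, backup, 192.168.2.105]
        hostname: 192.168.2.105
        user: bogdan
      local_mgmt:
        aliases: [local-mgmt, mgmt, management, 192.168.2.104]
        hostname: 192.168.2.104
        user: bogdan
      local_mon:
        aliases: [local-mon, monitoring, zabbix, 192.168.2.106]
        hostname: 192.168.2.106
        user: bogdan

  development:
    description: Development and build machines
    hosts:
      dev_build:
        aliases: [dev-build, builder, 192.168.2.120]
        hostname: 192.168.2.120
        user: bogdan
      dev_test:
        aliases: [dev-test, tester, 192.168.2.121]
        hostname: 192.168.2.121
        user: bogdan
      dev_docs:
        aliases: [dev-docs, documentation, 192.168.2.122]
        hostname: 192.168.2.122
        user: bogdan

  reference_infrastructure:
    description: Reference to company infrastructure (for testing routing)
    # Hosts in this group are reached through jump host j1.
    default_jump: j1
    hosts:
      ref_pbx_bo:
        aliases: [ref-pbx-bo, pbx-bo, 10.253.51.135]
        hostname: 10.253.51.135
        user: bogdan
      ref_porta_db:
        aliases: [ref-porta-db, porta-db, 193.16.148.11]
        hostname: 193.16.148.11
        user: bogdan
      ref_sbc0:
        aliases: [ref-sbc0, sbc0, 10.253.51.130]
        hostname: 10.253.51.130
        user: bogdan
      ref_sbc1:
        aliases: [ref-sbc1, sbc1, 10.253.51.131]
        hostname: 10.253.51.131
        user: bogdan

  legacy_infrastructure:
    description: Legacy xdev.ro and mondo-byte.ro historical servers (local direct access)
    defaults:
      route: local
    # NOTE(review): the comments in this group say hosts are "accessed via
    # is-jumper", but no host sets proxy_jump to it and access_policies
    # marks the group as direct. Confirm which is intended, since it decides
    # whether the root logins below pass through the entry point.
    hosts:
      # xdev.ro hosts - entry point
      # NOTE(review): is_jumper is also defined under entrypoints with a
      # different alias list; keep the two definitions in sync.
      is_jumper:
        aliases: [is-jumper, is-vpn-gw]
        hostname: 192.168.2.100
        user: root
        # The string "none", not a YAML null.
        proxy_jump: none
        identity_file: ~/.ssh/keys/is-jumper_ed25519
        identities_only: true

      # xdev.ro local network hosts (accessed via is-jumper)
      is_mazeri:
        aliases: [is-mazeri]
        hostname: 192.168.2.102
        user: root
      is_toltec:
        aliases: [is-toltec]
        hostname: 192.168.2.103
        user: root
      is_baobab:
        aliases: [is-baobab]
        hostname: 192.168.2.91
        user: root
      is_ebony:
        aliases: [is-ebony]
        hostname: 192.168.2.92
        user: root
      is_tapia:
        aliases: [is-tapia]
        hostname: 192.168.2.93
        user: root
      is_anjohibe:
        aliases: [is-anjohibe]
        hostname: 192.168.2.95
        user: root
      is_andrafiabe:
        aliases: [is-andrafiabe]
        hostname: 192.168.2.96
        user: root
      is_mat:
        aliases: [is-mat]
        hostname: 192.168.2.133
        user: root
      # NOTE(review): "sshd" is normally the OpenSSH privilege-separation
      # account rather than a login user - confirm this is intended.
      is_nasturel:
        aliases: [is-nasturel]
        hostname: 192.168.2.144
        user: sshd

      # mondo-byte.ro hosts (accessed via is-jumper)
      mt_rabit:
        aliases: [mt-rabit]
        hostname: 89.32.216.4
        user: root
      mt_xpider:
        aliases: [mt-xpider]
        hostname: 89.32.216.5
        user: root

# How each group is reached.
access_policies:
  rules:
    - description: All local hosts use direct SSH (no jump)
      scope: group:local_lab,local_servers,development,legacy_infrastructure
      access: direct
    - description: Reference hosts route through J1 jump
      scope: group:reference_infrastructure
      access: via_jump
      jump_host: j1
  # NOTE(review): placed as a sibling of rules; it may instead belong to the
  # second rule - confirm.
  auth_method: key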