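---
# Inventory-level defaults for a Consul / Vault / Nomad ("hashistack")
# deployment driven by Ansible. Values wrapped in "{{ ... }}" are Jinja
# expressions resolved at play time; names such as
# consul_certificates_directory, hashicorp_vault_data_dir and _credentials
# are expected to come from the role or another vars file (not defined here).

##########################
# General options        #
##########################
# Quoted strings, not booleans. Other keys in this file consume them through
# the `| bool` filter (see vault_enable_service_registration), so do not
# compare them against a literal "yes".
enable_haproxy: "yes"
enable_vault: "yes"
enable_consul: "yes"
enable_nomad: "yes"

# Quoted so "2.8" / "1.8.1" stay strings (an unquoted 2.8 would parse as a float).
haproxy_version: "2.8"
nomad_version: "1.8.1"
consul_version: "1.18.1"
vault_version: "1.16.2"

consul_fqdn: consul.ednz.lab
vault_fqdn: vault.ednz.lab
nomad_fqdn: nomad.ednz.lab

# External VIP; the internal VIP defaults to the same interface/address.
hashistack_external_vip_interface: "eth0"
hashistack_external_vip_addr: "192.168.121.100"
hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"

# Interface whose IPv4 address every service binds to / advertises.
api_interface: "eth0"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"

########################
# external tls options #
########################
enable_tls_external: false
external_tls_externally_managed_certs: false

#####################################################
#                                                   #
#                       Consul                      #
#                                                   #
#####################################################
consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: "{{ consul_datacenter }}"
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
# Presumably templated into Consul's enable_script_checks (TODO confirm in the
# role). With client_addr bound to 0.0.0.0 below, the HTTP API is reachable
# off-host, and script checks let anyone who can register a service run
# commands as the agent; the ACL default_policy "deny" set below is what
# limits that here. Consul documents enable_local_script_checks (script
# checks only from local config files) as the safer option when it suffices.
consul_enable_script_checks: true

################################
# consul address configuration #
################################
consul_address_configuration:
  # HTTP/DNS/gRPC listeners on all interfaces, not just localhost.
  client_addr: "0.0.0.0"
  bind_addr: "{{ api_interface_address }}"
  advertise_addr: "{{ api_interface_address }}"

############################
# consul ACL configuration #
############################
consul_acl_configuration:
  enabled: true
  default_policy: "deny"  # can be allow or deny
  enable_token_persistence: true

############################
# consul DNS configuration #
############################
consul_dns_configuration:
  allow_stale: true
  enable_truncate: true
  only_passing: true

###########################
# consul ui configuration #
###########################
# UI only on nodes that are members of the consul_servers group.
consul_ui_configuration:
  enabled: "{{ 'consul_servers' in group_names }}"

#####################################
# consul service mesh configuration #
#####################################
consul_mesh_configuration:
  enabled: true

############################
# consul tls configuration #
############################
consul_enable_tls: false
consul_tls_configuration:
  defaults:
    ca_file: "/etc/ssl/certs/ca-certificates.crt"
    cert_file: "{{ consul_certificates_directory }}/cert.pem"
    key_file: "{{ consul_certificates_directory }}/key.pem"
    # Incoming connections are not required to present a certificate, so
    # inbound authentication rests on ACL tokens, not mTLS.
    verify_incoming: false
    verify_outgoing: true
  internal_rpc:
    verify_server_hostname: true

############################
# consul container volumes #
############################
extra_consul_container_volumes: []

##############################
# consul extra configuration #
##############################
consul_extra_configuration: {}
consul_extra_files_list: []

#####################################################
#                                                   #
#                       Vault                       #
#                                                   #
#####################################################
vault_cluster_name: vault
vault_enable_ui: true
# Shamir unseal: 3 shares generated, 2 required to unseal.
vault_seal_configuration:
  key_shares: 3
  key_threshold: 2

#################
# vault storage #
#################
vault_storage_configuration:
  raft:
    path: "{{ hashicorp_vault_data_dir }}"
    node_id: "{{ ansible_hostname }}"
    # Rendered by Jinja into a list of leader_api_addr entries, one per host
    # in the vault_servers group; scheme follows vault_enable_tls.
    retry_join: |
      [
      {% for host in groups['vault_servers'] %}
      {
        'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
      }{% if not loop.last %},{% endif %}
      {% endfor %}
      ]

##################
# vault listener #
##################
vault_enable_tls: false
# NOTE(review): looks like this controls certificate verification of clients
# talking to Vault when TLS is on — confirm against the role before relying on it.
vault_tls_verify: false
# Plain-HTTP listener used while vault_enable_tls is false.
vault_listener_configuration:
  tcp:
    address: "0.0.0.0:8200"
    tls_disable: true
# TLS listener used when vault_enable_tls is true; client certificates are
# not requested (no mTLS on the listener).
vault_tls_listener_configuration:
  tcp:
    tls_disable: false
    tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
    tls_key_file: "{{ vault_certificates_directory }}/key.pem"
    tls_disable_client_certs: true
vault_extra_listener_configuration: {}

########################
# service registration #
########################
vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_service_registration_configuration:
  consul:
    # Local Consul agent; port/scheme are read from the first consul server's
    # host vars.
    address: "127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
    scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
    # Secret material comes from _credentials (defined elsewhere); keep that
    # source out of version control.
    token: "{{ _credentials.consul.tokens.vault.secret_id }}"

#################
# vault plugins #
#################
vault_enable_plugins: false

###########
# logging #
###########
vault_enable_log_to_file: false
vault_logging_configuration:
  log_level: info
  log_format: standard
  log_rotate_duration: 24h
  log_rotate_max_files: 30

###########################
# vault container volumes #
###########################
extra_vault_container_volumes: []

#############################
# vault extra configuration #
#############################
vault_extra_configuration: {}
vault_extra_files_list: []

#####################################################
#                                                   #
#                       Nomad                       #
#                                                   #
#####################################################
nomad_datacenter: dc1
nomad_region: global

###########################
# nomad ACL configuration #
###########################
nomad_acl_configuration:
  enabled: true
  token_ttl: 30s
  policy_ttl: 60s
  role_ttl: 60s

############################
# nomad consul integration #
############################
nomad_enable_consul_integration: "{{ enable_consul | bool }}"
nomad_consul_integration_configuration:
  # NOTE(review): port is taken from hashicorp_consul_configuration.ports here
  # but from consul_api_port in vault_service_registration_configuration —
  # verify both resolve to the same local agent port.
  address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
  auto_advertise: true
  ssl: "{{ consul_enable_tls | bool }}"
  # Server and client nodes use distinct Consul tokens (least privilege per role).
  token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
  tags: []

############################
# nomad vault integration  #
############################
nomad_enable_vault_integration: false
nomad_vault_integration_configuration: {}

###############################
# nomad drivers configuration #
###############################
# Written as true/false (not yes/no) so the values are booleans under both
# YAML 1.1 and 1.2 parsers.
nomad_driver_enable_docker: true
nomad_driver_enable_podman: false
# raw_exec runs jobs unsandboxed as the Nomad agent user; left off.
nomad_driver_enable_raw_exec: false
nomad_driver_enable_java: false
nomad_driver_enable_qemu: false
nomad_driver_extra_configuration: {}

######################
# nomad internal tls #
######################
nomad_enable_tls: false
nomad_tls_configuration:
  http: true
  rpc: true
  ca_file: "/etc/ssl/certs/ca-certificates.crt"
  cert_file: "{{ nomad_certificates_directory }}/cert.pem"
  key_file: "{{ nomad_certificates_directory }}/key.pem"
  verify_server_hostname: true

#############################
# nomad extra configuration #
#############################
nomad_extra_configuration: {}
nomad_extra_files_list: []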