---
vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}"

#########
# Vault #
#########

vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
vault_data_dir: "/opt/vault"
vault_certs_dir: "{{ vault_config_dir }}/tls"
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"

vault_extra_files: true
# vault_extra_files_list: []

vault_env_variables: {}

#######################
# extra configuration #
#######################

# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.

# vault_extra_configuration: {}

###########
# general #
###########

# vault_cluster_name: vault
# vault_bind_addr: "0.0.0.0"
# vault_cluster_addr: "{{ api_interface_address }}"
# vault_enable_ui: true
# vault_disable_mlock: false
# vault_disable_cache: false

######################
# seal configuration #
######################

vault_seal_configuration:
  key_shares: 3
  key_threshold: 2

#########################
# storage configuration #
#########################

vault_storage_configuration:
  raft:
    path: "{{ vault_data_dir }}"
    node_id: "{{ ansible_hostname }}"
    retry_join: >-
      [
      {% for host in groups['vault_servers'] %}
        {
          'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
        }{% if not loop.last %},{% endif %}
      {% endfor %}
      ]

##########################
# listener configuration #
##########################

# vault_enable_tls: false
vault_listener_configuration:
  - tcp:
      address: "{{ vault_cluster_addr }}:8200"
      tls_disable: true

vault_tls_listener_configuration:
  - tcp:
      tls_disable: false
      tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
      tls_key_file: "{{ vault_certs_dir }}/cert.key"
      tls_disable_client_certs: true

vault_certificates_extra_files_dir: >
  {{
    [] if external_tls_externally_managed_certs | bool else
    [{
      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
      'dest': "{{ vault_certs_dir }}"
    }]
  }}

vault_extra_listener_configuration: []

########################
# service registration #
########################

# vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_service_registration_configuration:
  consul:
    address: >-
      127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
    scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
    token: "{{ _credentials.consul.tokens.vault.secret_id }}"

vault_service_registration_policy: |
  service "vault" {
    policy = "write"
  }

#########################
# plugins configuration #
#########################

# vault_enable_plugins: false
vault_plugins_directory: "{{ vault_config_dir }}/plugins"

#################
# vault logging #
#################

# vault_log_level: info
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
vault_log_to_file_configuration:
  log_file: "{{ vault_logs_dir }}/vault.log"
  log_rotate_duration: 24h
  log_rotate_max_files: 30