---
##########################
# General options ########
##########################

enable_haproxy: "yes"
enable_vault: "yes"
enable_consul: "yes"
enable_nomad: "no"

haproxy_version: "2.8"
nomad_version: "latest"
consul_version: "latest"
vault_version: "1.15.6"

deployment_method: "docker"

consul_fqdn: consul.ednz.lab
vault_fqdn: vault.ednz.lab
nomad_fqdn: nomad.ednz.lab

hashistack_external_vip_interface: "eth0"
hashistack_external_vip_addr: "192.168.121.100"
hashistack_internal_vip_interface: "eth1"
# hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
hashistack_internal_vip_addr: "192.168.100.100"
# hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"

# api_interface: "eth0"
api_interface: "eth1"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"

########################
# external tls options #
########################

enable_tls_external: true
external_tls_externally_managed_certs: false

#####################################################
#                                                   #
#                Consul                             #
#                                                   #
#####################################################

consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: dc1
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
consul_enable_script_checks: true
consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"

################################
# consul address configuration #
################################

consul_address_configuration:
  # The address to which Consul will bind client interfaces,
  # including the HTTP and DNS servers.
  client_addr: "0.0.0.0"
  # The address that should be bound to for internal cluster communications.
  bind_addr: "{{ api_interface_address }}"
  # The advertise address is used to change the address that we advertise to other nodes in the cluster.
  advertise_addr: "{{ api_interface_address }}"

############################
# consul ACL configuration #
############################

consul_acl_configuration:
  enabled: true
  default_policy: "deny" # can be allow or deny
  enable_token_persistence: true

############################
# consul DNS configuration #
############################

consul_dns_configuration:
  allow_stale: true
  enable_truncate: true
  only_passing: true

###########################
# consul ui configuration #
###########################

consul_ui_configuration:
  enabled: "{{ 'consul_servers' in group_names }}"

#####################################
# consul service mesh configuration #
#####################################

consul_mesh_configuration:
  enabled: true

############################
# consul tls configuration #
############################

consul_enable_tls: false
consul_tls_configuration:
  default:
    ca_file: "/etc/ssl/certs/ca-certificates.crt"
    cert_file: "{{ hashi_consul_config_dir }}/tls/cert.pem"
    key_file: "{{ hashi_consul_config_dir }}/tls/key.pem"
    verify_incoming: false
    verify_outgoing: true
  internal_rpc:
    verify_server_hostname: true

#######################
# extra configuration #
#######################

consul_extra_configuration: {}

#####################################################
#                                                   #
#                Vault                              #
#                                                   #
#####################################################

vault_cluster_name: vault
vault_enable_ui: true
vault_seal_configuration:
  key_shares: 3
  key_threshold: 2

#################
# vault storage #
#################

vault_storage_configuration:
  raft:
    path: "{{ hashi_vault_data_dir }}/data"
    node_id: "{{ ansible_hostname }}"
    retry_join: |
      [
      {% for host in groups['vault_servers'] %}
        {
          'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
        }{% if not loop.last %},{% endif %}
      {% endfor %}
      ]

##################
# vault listener #
##################

vault_enable_tls: true
vault_tls_verify: false
vault_listener_configuration:
  tcp:
    address: "0.0.0.0:8200"
    tls_disable: true

vault_tls_listener_configuration:
  tcp:
    tls_disable: false
    tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
    tls_key_file: "{{ vault_certificates_directory }}/key.pem"
    tls_disable_client_certs: true

vault_extra_listener_configuration: {}

########################
# service registration #
########################

vault_enable_service_registration: false
vault_service_registration_configuration:
  consul:
    address: "127.0.0.1:8500"
    scheme: "http"
    token: ""

#################
# vault plugins #
#################

vault_enable_plugins: false

###########
# logging #
###########

vault_enable_log_to_file: false
vault_logging_configuration:
  log_level: info
  log_format: standard
  log_rotate_duration: 24h
  log_rotate_max_files: 30

###########################
# vault container volumes #
###########################

extra_vault_container_volumes: []

#####################
# extra configuration
#####################

vault_extra_configuration: {}
vault_extra_files_list: []