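---
#####################################################
#                                                   #
#                   Non-Editable                    #
#                                                   #
#####################################################

# Only the first host of the vault_servers group performs the one-time
# init (operator/unseal key generation); every other host joins it.
vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}"

#########################
# vault haproxy backend #
#########################

# Route by exact Host header match. `hdr(host)` compares the whole header
# value, so a client sending `Host: <fqdn>:<port>` will not match this ACL.
vault_haproxy_frontend_options:
  - "acl is_vault hdr(host) -i {{ vault_fqdn }}"
  - "use_backend vault_external if is_vault"

vault_haproxy_backends:
  - name: vault_external
    options: "{{ vault_external_backend_options + vault_external_backend_servers }}"

vault_external_backend_options:
  - "description vault external http backend"
  # X-Forwarded-For is only meaningful to Vault if the listener's
  # x_forwarded_for_authorized_addrs (set in vault_listener_configuration)
  # includes the HAProxy hosts; otherwise Vault audit logs show the proxy IP.
  - "option forwardfor"
  # NOTE(security/availability): sealedcode=200 and uninitcode=200 make HAProxy
  # report sealed and uninitialized nodes as healthy, so client traffic can be
  # routed to a node that cannot serve it. This keeps the LB usable for
  # init/unseal, but means a sealed node is not taken out of rotation.
  # standbycode=200 is redundant once standbyok=true is set.
  - "option httpchk GET /v1/sys/health?standbyok=true&sealedcode=200&standbycode=200&uninitcode=200"
  - "http-check expect status 200"
  - "default-server inter 2s fastinter 1s downinter 1s"

# Rendered as a JSON-style list (Ansible converts the templated text to a list).
# Per-server `inter 5s` overrides the default-server interval above.
# NOTE(security): with TLS enabled the backend is contacted with
# `ssl verify none`, i.e. HAProxy does not validate the Vault server
# certificate and will talk to anything presenting a TLS endpoint on :8200.
# Harden by replacing it with `ssl verify required ca-file <internal CA bundle>`
# once the CA used for vault_certificates_extra_files_dir is available on the
# HAProxy hosts.
vault_external_backend_servers: |
  [
  {% for host in groups['vault_servers'] %}
  'server vault-{{ hostvars[host].api_interface_address }} {{ hostvars[host].api_interface_address }}:8200 check {{ 'ssl verify none ' if vault_enable_tls else '' }}inter 5s'{% if not loop.last %},{% endif %}
  {% endfor %}
  ]

######################
# vault internal tls #
######################

vault_certificates_directory: "{{ hashicorp_vault_config_dir }}/tls"
# Per-host certificate material, copied into the Vault config dir when TLS is on.
vault_certificates_extra_files_dir:
  - src: "{{ sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}"
    dest: "{{ vault_certificates_directory }}"

#################
# vault plugins #
#################

vault_plugin_directory: "{{ hashicorp_vault_config_dir }}/plugin"
# Plugin binaries are shipped from the shared vault_servers configuration dir.
# Anything placed there runs inside Vault's trust boundary; keep it reviewed
# and checksummed at the source.
vault_plugin_extra_files_dir:
  - src: "{{ sub_configuration_directories['vault_servers'] }}/plugin"
    dest: "{{ vault_plugin_directory }}"

##############################
# vault service registration #
##############################

# Consul ACL policy granted to Vault for registering its own service entry.
vault_service_registration_policy: |
  service "vault" {
    policy = "write"
  }

#################
# vault logging #
#################

vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
vault_logging_configuration:
  log_file: "{{ hashistack_remote_log_dir }}/vault/vault.log"
  log_level: info
  log_rotate_duration: 24h
  log_rotate_max_files: 30

########################
# vault role variables #
########################

hashicorp_vault_start_service: true
hashicorp_vault_service_name: "vault"
hashicorp_vault_version: "{{ vault_version }}"
hashicorp_vault_env_variables: {}
hashicorp_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
hashicorp_vault_data_dir: "{{ hashistack_remote_data_dir }}/vault"
hashicorp_vault_extra_files: true
# Concatenate the optional TLS and plugin file lists with the user-supplied
# extra files. Only `unique` is applied: the entries are dicts, and Jinja's
# `sort` on a list of dicts raises a TypeError under Python 3 as soon as two
# entries are present (e.g. TLS and plugins both enabled). Insertion order is
# already deterministic.
hashicorp_vault_extra_files_list: "{{ ([] + (vault_certificates_extra_files_dir if vault_enable_tls else []) + (vault_plugin_extra_files_dir if vault_enable_plugins else []) + vault_extra_files_list) | unique }}"
hashicorp_vault_configuration:
  cluster_name: "{{ vault_cluster_name }}"
  # 8201 is the cluster (server-to-server) port, 8200 the API port.
  cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8201"
  api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ api_interface_address }}:8200"
  ui: "{{ vault_enable_ui }}"
  # Keep mlock enabled so unsealed key material is not paged to swap; the
  # Vault process must be allowed to call mlock (CAP_IPC_LOCK) for startup to succeed.
  disable_mlock: false
  disable_cache: false
  listener: "{{ vault_listener_configuration }}"
  storage: "{{ vault_storage_configuration }}"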