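---
##########################
# General options ########
##########################
# NOTE(review): the enable_* flags are quoted strings ("yes"/"no"), not YAML
# booleans. The tasks that consume them are not visible here, so they are kept
# as strings to avoid breaking string comparisons; consumers should apply
# `| bool` rather than rely on the truthiness of a non-empty string.
enable_vault: "no"
enable_consul: "yes"
enable_nomad: "no"

nomad_version: latest
consul_version: latest
vault_version: latest

deployment_method: "host"

# Interface whose IPv4 address is used for cluster bind/advertise addresses.
api_interface: "eth0"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"

##########################
# Helper options #########
##########################
# manage_pip_packages_allow_break_system_packages: true

# Host installs get a trailing '*' appended to a pinned version (presumably a
# package-manager version glob); "latest" is passed through untouched.
# The original used `{% '*' if ... %}`, which is not a valid Jinja statement
# tag and fails to render; an inline `{{ ... if ... else ... }}` is required.
vault_versions:
  host: "{{ vault_version }}{{ '*' if vault_version != 'latest' else '' }}"
  docker: "{{ vault_version }}"
consul_versions:
  host: "{{ consul_version }}{{ '*' if consul_version != 'latest' else '' }}"
  docker: "{{ consul_version }}"
nomad_versions:
  host: "{{ nomad_version }}{{ '*' if nomad_version != 'latest' else '' }}"
  docker: "{{ nomad_version }}"

# Root of the per-deployment configuration tree, relative to the directory the
# playbook is invoked from ($PWD); per-group subdirectories hang off it.
configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
sub_configuration_directories:
  nomad_servers: "{{ configuration_directory }}/nomad_servers"
  vault_servers: "{{ configuration_directory }}/vault_servers"
  consul_servers: "{{ configuration_directory }}/consul_servers"
configuration_global_vars_file: "globals.yml"

# Host files bind-mounted into every container deployment. They are only ever
# read inside the container, so they are mounted read-only.
default_container_extra_volumes:
  - "/etc/timezone:/etc/timezone:ro"
  - "/etc/localtime:/etc/localtime:ro"

#################
# Support options
#################
hashistack_supported_distributions:
  - ubuntu
  - debian
hashistack_supported_distribution_versions:
  debian:
    - "11"
    - "12"
  ubuntu:
    - "20.04"
    - "22.04"

preflight_enable_host_ntp_checks: true

# Ports the preflight checks expect to be free/reachable per component.
haproxy_required_ports: [80, 443]
vault_required_ports: [8200, 8201]
consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600]
nomad_required_ports: []

#####################################################
#                                                   #
#               HAProxy Configuration               #
#                                                   #
#####################################################
deploy_haproxy_deploy_method: host  # deployment method, either host or docker
deploy_haproxy_version: "2.8"
deploy_haproxy_env_variables: {}
deploy_haproxy_start_service: true
deploy_haproxy_cert_dir: ""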
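deploy_haproxy_extra_container_volumes: []

# Credentials for the HAProxy stats page served by the "monitoring" listen
# block below (port 9000). The defaults are a well-known pair and MUST be
# overridden (or the listen block removed) before that port is reachable
# from anything other than trusted hosts.
deploy_haproxy_stats_user: "admin"
deploy_haproxy_stats_password: "password"

deploy_haproxy_global:
  - log /dev/log local0
  - log /dev/log local1 notice
  # "level admin" on the stats socket allows runtime reconfiguration;
  # the socket's filesystem permissions (set elsewhere) must restrict it.
  - stats socket {{ deploy_haproxy_socket }} level admin
  - chroot {{ deploy_haproxy_chroot }}
  - daemon
  - description hashistack haproxy
deploy_haproxy_defaults:
  - log global
  - mode http
  - option httplog
  - option dontlognull
  - timeout connect 5000
  - timeout client 5000
  - timeout server 5000
deploy_haproxy_frontends: []
# - name: default
#   options:
#     - description default frontend
#     - mode http
#     - bind :80
#     - default_backend default
deploy_haproxy_backends: []
# - name: default
#   options:
#     - description default backend
#     - option forwardfor
#     - option httpchk
#     - http-check send meth GET uri /
#     - server srv_nginx1 172.17.0.4:80 check inter 5s
#     - server srv_nginx2 172.17.0.3:80 check inter 5s
deploy_haproxy_listen:
  - name: monitoring
    options:
      - bind :9000
      - mode http
      - option httpchk
      - stats enable
      - stats uri /stats
      - stats refresh 30s
      - stats show-desc
      - stats show-legends
      - stats auth {{ deploy_haproxy_stats_user }}:{{ deploy_haproxy_stats_password }}
      - http-check send meth GET uri /health ver HTTP/1.1 hdr Host localhost
      - http-check expect status 200
      - acl health_check_ok nbsrv() ge 1
      - monitor-uri /health
      - http-request use-service prometheus-exporter if { path /metrics }

deploy_keepalived_deploy_method: "host"
deploy_keepalived_version: "latest"
deploy_keepalived_start_service: true
deploy_keepalived_env_variables: {}
deploy_keepalived_vrrp_instance_name: "{{ ansible_hostname }}"
deploy_keepalived_interface: "{{ ansible_default_ipv4.interface }}"
deploy_keepalived_state: "BACKUP"
deploy_keepalived_router_id: 50
deploy_keepalived_priority: 100
deploy_keepalived_advert_interval: 1
deploy_keepalived_unicast_source: "{{ ansible_default_ipv4.address }}"
deploy_keepalived_unicast_peers: []
# VRRP simple authentication is sent in clear text and is limited to 8
# characters; it only stops accidental peering, not a deliberate attacker on
# the segment. The default value must still be overridden per deployment.
deploy_keepalived_auth_passwd: "password"
# Placeholder VIP; override with the address the cluster should fail over.
deploy_keepalived_virtual_ips:
  - 192.168.1.100/32
deploy_keepalived_notify_script: notify.sh
deploy_keepalived_custom_scripts_src: null
deploy_keepalived_extra_container_volumes: []
deploy_keepalived_use_custom_config: false
deploy_keepalived_custom_config_src: null

#####################################################
#                                                   #
#                Nomad Configuration                #
#                                                   #
#####################################################
hashi_nomad_cni_plugins_install: true
hashi_nomad_start_service: true
hashi_nomad_cni_plugins_version: latest
hashi_nomad_cni_plugins_install_path: /opt/cni/bin
hashi_nomad_version: latest
# Follows the global deployment_method like the consul and vault roles
# (the default of "host" is unchanged). Either host or docker.
hashi_nomad_deploy_method: "{{ deployment_method }}"
hashi_nomad_env_variables: {}
hashi_nomad_data_dir: /opt/nomad
hashi_nomad_extra_files: false
# Sourced from the per-group configuration tree like consul and vault, rather
# than a world-writable /tmp path anyone on the control host could populate.
hashi_nomad_extra_files_src: "{{ sub_configuration_directories.nomad_servers }}/config"
hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
hashi_nomad_configuration: {}

#####################################################
#                                                   #
#               Consul Configuration                #
#                                                   #
#####################################################
consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: dc1
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
# Script checks. `enable_script_checks` also honours checks registered over the
# HTTP API, which lets anyone who can reach the API (bound to 0.0.0.0 over
# plain HTTP below, gated only by ACLs) run arbitrary commands on the agent.
# Consul's recommended setting is `enable_local_script_checks`, which only
# honours checks defined in local configuration files, so remote script checks
# are off by default here.
consul_enable_script_checks: false
consul_enable_local_script_checks: true

# Gossip (serf) encryption key: 16, 24 or 32 raw bytes, base64-encoded.
# The default is a fixed, publicly known value that only exists so a fresh
# checkout works; every cluster built from it shares the same key. Generate a
# real one with `consul keygen` and override this (vaulted) in globals.yml.
consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey' | b64encode }}"

##############################
# consul address configuration
##############################
consul_address_configuration:
  # The address to which Consul will bind client interfaces,
  # including the HTTP and DNS servers. 0.0.0.0 exposes the plaintext HTTP API
  # (see `ports` below: https is disabled) on every interface; restrict it to
  # 127.0.0.1 or the management interface unless remote UI/API access is needed.
  client_addr: "0.0.0.0"
  # The address that should be bound to for internal cluster communications.
  bind_addr: "{{ api_interface_address }}"
  # The advertise address is used to change the address that we advertise to other nodes in the cluster.
  advertise_addr: "{{ api_interface_address }}"

##########################
# consul ACL configuration
##########################
consul_acl_configuration:
  enabled: true
  default_policy: "deny"  # can be allow or deny
  enable_token_persistence: true

# Policy attached to the agent token. node_prefix/agent_prefix "" write lets an
# agent register or modify any node and any agent endpoint; narrow it to the
# agent's own node name when tokens are provisioned per host.
consul_default_agent_policy: |
  agent_prefix "" {
    policy = "write"
  }
  node_prefix "" {
    policy = "write"
  }
  service_prefix "" {
    policy = "read"
  }

##########################
# consul DNS configuration
##########################
consul_dns_configuration:
  allow_stale: true
  enable_truncate: true
  only_passing: true

#########################
# consul ui configuration
#########################
consul_ui_configuration:
  enabled: true

###################################
# consul service mesh configuration
###################################
consul_mesh_configuration:
  enabled: true

#####################
# extra configuration
#####################
consul_extra_configuration: {}

###############
# configuration
###############
hashi_consul_start_service: true
hashi_consul_version: latest
hashi_consul_deploy_method: "{{ deployment_method }}"
hashi_consul_env_variables: {}
# Was misspelled `hashi_cosul_config_dir`, leaving the reference in
# hashi_consul_extra_files_dst below undefined.
hashi_consul_config_dir: "/etc/consul.d"
hashi_consul_data_dir: "/opt/consul"
hashi_consul_extra_files: false
hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
hashi_consul_envoy_install: false
hashi_consul_envoy_version: v1.27.2

# Rendered agent configuration. Values are wired to the variables above so an
# operator override in globals.yml actually reaches the agent.
hashi_consul_configuration:
  domain: "{{ consul_domain }}"
  datacenter: "{{ consul_datacenter }}"
  primary_datacenter: "{{ consul_primary_datacenter }}"
  data_dir: "{{ hashi_consul_data_dir }}"
  encrypt: "{{ consul_gossip_encryption_key }}"
  server: "{{ 'consul_servers' in group_names }}"
  retry_join: "{{ groups['consul_servers'] | map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) | list | to_json | from_json }}"
  ui_config: "{{ consul_ui_configuration }}"
  connect: "{{ consul_mesh_configuration }}"
  leave_on_terminate: "{{ consul_leave_on_terminate }}"
  rejoin_after_leave: "{{ consul_rejoin_after_leave }}"
  enable_script_checks: "{{ consul_enable_script_checks }}"
  enable_local_script_checks: "{{ consul_enable_local_script_checks }}"
  enable_syslog: true
  log_level: INFO
  acl: "{{ consul_acl_configuration }}"
  dns_config: "{{ consul_dns_configuration }}"
  ports:
    dns: 8600
    http: 8500
    # -1 disables the HTTPS listener: the API/UI are plaintext unless this is
    # set and TLS material is supplied via consul_extra_configuration.
    https: -1
    grpc: 8502
    grpc_tls: 8503
    server: 8300
    serf_lan: 8301
    serf_wan: 8302
    sidecar_min_port: 21000
    sidecar_max_port: 21255
    expose_min_port: 21500
    expose_max_port: 21755

# this is used to circumvent jinja limitation to convert string to integer
hashi_consul_configuration_string: |
  bootstrap_expect: {{ (groups['consul_servers'] | length) }}

#####################################################
#                                                   #
#                Vault Configuration                #
#                                                   #
#####################################################
vault_cluster_name: vault
vault_enable_ui: true
# Shamir unseal parameters used at init: 3 shares, any 2 unseal.
vault_seal_configuration:
  key_shares: 3
  key_threshold: 2

#########
# storage
#########
vault_storage_configuration:
  raft:
    path: "{{ hashi_vault_data_dir }}/data"
    node_id: "{{ ansible_hostname }}"
    # Leader API scheme follows vault_enable_tls so raft auto-join still works
    # when the TLS listener is in use (previously hard-coded to http).
    retry_join: |
      [
      {% for host in groups['vault_servers'] %}
      { 'leader_api_addr': '{{ 'https' if vault_enable_tls | bool else 'http' }}://{{ hostvars[host].api_interface_address }}:8200' }{% if not loop.last %},{% endif %}
      {% endfor %}
      ]

##########
# listener
##########
# Default listener is plaintext on all interfaces: tokens and secrets cross the
# network unencrypted. Set vault_enable_tls: true and provide cert.pem/key.pem
# under the extra-files tls/ directory for anything beyond a lab.
vault_enable_tls: false
vault_listener_configuration:
  tcp:
    address: "0.0.0.0:8200"
    tls_disable: true
vault_tls_listener_configuration:
  tcp:
    tls_disable: false
    tls_cert_file: "{{ hashi_vault_extra_files_dst }}/tls/cert.pem"
    tls_key_file: "{{ hashi_vault_extra_files_dst }}/tls/key.pem"
vault_extra_listener_configuration: {}

######################
# service registration
######################
vault_enable_service_registration: false
vault_service_registration_configuration:
  consul:
    address: "127.0.0.1:8500"
    scheme: "http"

#########
# plugins
#########
vault_enable_plugins: true
vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"

#########
# logging
#########
vault_enable_log_to_file: false
vault_logging_configuration:
  log_level: info
  log_format: standard
  log_rotate_duration: 24h
  log_rotate_max_files: 30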
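#########################
# vault container volumes
#########################
extra_vault_container_volumes: []

#####################
# extra configuration
#####################
vault_extra_configuration: {}

###############
# configuration
###############
hashi_vault_start_service: true
hashi_vault_version: latest
hashi_vault_deploy_method: "{{ deployment_method }}"
hashi_vault_env_variables: {}
hashi_vault_config_dir: "/etc/vault.d"
hashi_vault_data_dir: "/opt/vault"
hashi_vault_extra_files: true
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"

# Rendered server configuration.
hashi_vault_configuration:
  cluster_name: "{{ vault_cluster_name }}"
  # api_addr/cluster_addr are what other nodes and clients are redirected to,
  # so their scheme must match the listener: https when vault_enable_tls is
  # set, http otherwise (previously hard-coded to http).
  cluster_addr: "{{ 'https' if vault_enable_tls | bool else 'http' }}://{{ api_interface_address }}:8201"
  api_addr: "{{ 'https' if vault_enable_tls | bool else 'http' }}://{{ api_interface_address }}:8200"
  ui: "{{ vault_enable_ui }}"
  # Keep memory locking on so secrets are not swapped to disk; container
  # deployments need the IPC_LOCK capability for this to take effect.
  disable_mlock: false
  disable_cache: false
  listener: "{{ vault_listener_configuration }}"
  storage: "{{ vault_storage_configuration }}"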