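---
##########################
# General options ########
##########################
# NOTE(review): these are lab defaults. As written, Consul serves its HTTP
# API in plaintext on every interface (`client_addr: 0.0.0.0`, `https: -1`)
# and Vault does the same (`vault_enable_tls: false`, `address: 0.0.0.0:8200`),
# so tokens and secrets cross the network unencrypted. Override the TLS,
# ACL and gossip-key settings in globals.yml before a non-local deployment.
#
# enable_* are kept as the quoted strings "yes"/"no", not YAML booleans,
# because that is what the existing defaults use and the consuming roles
# presumably compare the string — do not switch to true/false blindly.
enable_vault: "yes"
enable_consul: "yes"
enable_nomad: "no"
nomad_version: latest
consul_version: latest
vault_version: latest
deployment_method: "host"
api_interface: "eth0"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"

##########################
# Helper options #########
##########################
# Host installs pin the distro package with a trailing wildcard
# (e.g. "1.15*") unless the version is `latest`; docker uses the bare tag.
# The suffix must be a Jinja expression `{{ ... }}`: the previous
# `{% '*' if ... %}` form is a statement block and fails to parse.
vault_versions:
  host: "{{ vault_version }}{{ '*' if vault_version != 'latest' else '' }}"
  docker: "{{ vault_version }}"
consul_versions:
  host: "{{ consul_version }}{{ '*' if consul_version != 'latest' else '' }}"
  docker: "{{ consul_version }}"
nomad_versions:
  host: "{{ nomad_version }}{{ '*' if nomad_version != 'latest' else '' }}"
  docker: "{{ nomad_version }}"

# Configuration tree is resolved relative to the controller's working
# directory (PWD), so the same inventory run from another directory reads
# a different configuration tree.
configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
sub_configuration_directories:
  nomad_servers: "{{ configuration_directory }}/nomad_servers"
  vault_servers: "{{ configuration_directory }}/vault_servers"
  consul_servers: "{{ configuration_directory }}/consul_servers"
configuration_global_vars_file: "globals.yml"

# Mounted read-only: the containers only need to read the host's timezone
# files, so there is no reason to let them write to /etc on the host.
default_container_extra_volumes:
  - "/etc/timezone:/etc/timezone:ro"
  - "/etc/localtime:/etc/localtime:ro"

#################
# Support options
#################
hashistack_supported_distributions:
  - ubuntu
  - debian
# Version strings are quoted so "20.04" is not read as the float 20.04.
hashistack_supported_distribution_versions:
  debian:
    - "11"
    - "12"
  ubuntu:
    - "20.04"
    - "22.04"
preflight_enable_host_ntp_checks: true

# Ports the preflight checks expect to be free / reachable per service.
vault_required_ports: [8200, 8201]
consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600]
nomad_required_ports: []

##########################
# Nomad options ##########
##########################
hashi_nomad_cni_plugins_install: true
hashi_nomad_start_service: true
hashi_nomad_cni_plugins_version: latest
hashi_nomad_cni_plugins_install_path: /opt/cni/bin
hashi_nomad_version: latest
# Follows the global deployment_method (host or docker) like consul and
# vault do; the global default is "host", so the effective value is unchanged.
hashi_nomad_deploy_method: "{{ deployment_method }}"
hashi_nomad_env_variables: {}
hashi_nomad_data_dir: /opt/nomad
hashi_nomad_extra_files: false
# NOTE(review): /tmp is world-writable, so files staged here can be altered
# by any local user before they are copied into /etc/nomad.d. Prefer a
# per-service directory under configuration_directory, as consul and vault do.
hashi_nomad_extra_files_src: /tmp/extra_files
hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
hashi_nomad_configuration: {}

##########################
# Consul options #########
##########################
consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: dc1
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
# Script checks: with the HTTP API bound to 0.0.0.0 (see
# consul_address_configuration), `enable_script_checks` lets anyone who can
# reach port 8500 register a check that runs an arbitrary command on the
# agent. `enable_local_script_checks` only honours checks from local config
# files, which is what this deployment ships. Remote script checks are
# therefore off by default; flip consul_enable_script_checks only behind
# ACLs and TLS.
consul_enable_script_checks: false
consul_enable_local_script_checks: true

# Gossip (serf) encryption key. Consul expects a base64-encoded 16/24/32 byte
# key; this default is a fixed, publicly known placeholder and MUST be
# overridden (e.g. with `consul keygen`) in globals.yml or an ansible-vault
# file. It is a variable here so that override is a one-liner.
consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey' | b64encode }}"

##############################
# consul address configuration
##############################
consul_address_configuration:
  # The address to which Consul will bind client interfaces,
  # including the HTTP and DNS servers. 0.0.0.0 exposes them on every
  # interface; combined with `https: -1` below that is plaintext HTTP.
  client_addr: "0.0.0.0"
  # The address that should be bound to for internal cluster communications.
  bind_addr: "{{ api_interface_address }}"
  # The advertise address is used to change the address that we advertise
  # to other nodes in the cluster.
  advertise_addr: "{{ api_interface_address }}"

##########################
# consul ACL configuration
##########################
consul_acl_configuration:
  enabled: true
  default_policy: "deny"  # can be allow or deny
  enable_token_persistence: true

#####################
# extra configuration
#####################
consul_extra_configuration: {}

##########################
# consul DNS configuration
##########################
consul_dns_configuration:
  allow_stale: true
  enable_truncate: true
  only_passing: true

hashi_consul_start_service: true
hashi_consul_version: latest
hashi_consul_deploy_method: "{{ deployment_method }}"
hashi_consul_env_variables: {}
hashi_consul_config_dir: "/etc/consul.d"
# Deprecated misspelling kept as an alias so existing overrides still
# resolve; hashi_consul_extra_files_dst below needs the correctly spelled
# name, which the old defaults never defined.
hashi_cosul_config_dir: "{{ hashi_consul_config_dir }}"
hashi_consul_data_dir: "/opt/consul"
hashi_consul_extra_files: false
hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
hashi_consul_envoy_install: false
hashi_consul_envoy_version: latest

# Rendered consul agent configuration. The leave/rejoin/script-check keys
# are wired to the consul_* variables above instead of being repeated as
# literals, so an override in globals.yml actually reaches the agent.
hashi_consul_configuration:
  domain: "{{ consul_domain }}"
  datacenter: "{{ consul_datacenter }}"
  primary_datacenter: "{{ consul_primary_datacenter }}"
  data_dir: "{{ hashi_consul_data_dir }}"
  encrypt: "{{ consul_gossip_encryption_key }}"
  server: "{{ 'consul_servers' in group_names }}"
  retry_join: "{{ groups['consul_servers'] | map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) | list | to_json | from_json }}"
  ui_config:
    enabled: true
  connect:
    enabled: false
  leave_on_terminate: "{{ consul_leave_on_terminate }}"
  rejoin_after_leave: "{{ consul_rejoin_after_leave }}"
  enable_script_checks: "{{ consul_enable_script_checks }}"
  enable_local_script_checks: "{{ consul_enable_local_script_checks }}"
  enable_syslog: true
  log_level: INFO
  acl: "{{ consul_acl_configuration }}"
  dns_config: "{{ consul_dns_configuration }}"
  # https: -1 disables the TLS listener; the HTTP API on 8500 is plaintext.
  ports:
    dns: 8600
    http: 8500
    https: -1
    grpc: 8502
    grpc_tls: 8503
    server: 8300
    serf_lan: 8301
    serf_wan: 8302
    sidecar_min_port: 21000
    sidecar_max_port: 21255
    expose_min_port: 21500
    expose_max_port: 21755

# this is used to circumvent jinja limitation to convert string to integer
hashi_consul_configuration_string: |
  bootstrap_expect: {{ (groups['consul_servers'] | length) }}

##########################
# Vault options ##########
##########################
vault_cluster_name: vault
vault_enable_ui: true
# Shamir unseal: 3 key shares, any 2 of which unseal. Distribute the shares
# to different custodians; anyone holding 2 can unseal Vault.
vault_seal_configuration:
  key_shares: 3
  key_threshold: 2

# Scheme used for Vault's own API/cluster addresses. It follows
# vault_enable_tls so that enabling TLS does not leave api_addr, cluster_addr
# and the raft retry_join targets pointing at http://.
vault_api_scheme: "{{ 'https' if vault_enable_tls else 'http' }}"

#########
# storage
#########
vault_storage_configuration:
  raft:
    path: "{{ hashi_vault_data_dir }}/data"
    node_id: "{{ ansible_hostname }}"
    retry_join: |
      [
      {% for host in groups['vault_servers'] %}
      { 'leader_api_addr': '{{ vault_api_scheme }}://{{ hostvars[host].api_interface_address }}:8200' }{% if not loop.last %},{% endif %}
      {% endfor %}
      ]

##########
# listener
##########
# With vault_enable_tls false the listener below accepts plaintext on all
# interfaces: every token and secret is readable on the wire.
vault_enable_tls: false
vault_listener_configuration:
  tcp:
    address: "0.0.0.0:8200"
    tls_disable: true
vault_tls_listener_configuration:
  tcp:
    tls_disable: false
    tls_cert_file: "{{ hashi_vault_extra_files_dst }}/tls/cert.pem"
    tls_key_file: "{{ hashi_vault_extra_files_dst }}/tls/key.pem"
vault_extra_listener_configuration: {}

######################
# service registration
######################
vault_enable_service_registration: false
vault_service_registration_configuration:
  consul:
    address: "127.0.0.1:8500"
    scheme: "http"

#########
# plugins
#########
vault_enable_plugins: true
vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"

#########
# logging
#########
vault_enable_log_to_file: false
vault_logging_configuration:
  log_level: info
  log_format: standard
  log_rotate_duration: 24h
  log_rotate_max_files: 30

#########################
# vault container volumes
#########################
extra_vault_container_volumes: []

#####################
# extra configuration
#####################
vault_extra_configuration: {}

###############
# configuration
###############
hashi_vault_start_service: true
hashi_vault_version: latest
hashi_vault_deploy_method: "{{ deployment_method }}"
hashi_vault_env_variables: {}
hashi_vault_config_dir: "/etc/vault.d"
hashi_vault_data_dir: "/opt/vault"
hashi_vault_extra_files: true
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"

hashi_vault_configuration:
  cluster_name: "{{ vault_cluster_name }}"
  cluster_addr: "{{ vault_api_scheme }}://{{ api_interface_address }}:8201"
  api_addr: "{{ vault_api_scheme }}://{{ api_interface_address }}:8200"
  ui: "{{ vault_enable_ui }}"
  # NOTE(review): with raft integrated storage HashiCorp documents
  # disable_mlock = true (the raft files are mmap'd and mlock can exhaust
  # limits); kept false here to preserve the existing default — confirm.
  disable_mlock: false
  disable_cache: false
  listener: "{{ vault_listener_configuration }}"
  storage: "{{ vault_storage_configuration }}"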