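---
# Version of Vault to install
vault_version: "1.11.4"

# URL of the archive
vault_archive_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"

# Expected sha256 of the archive. Must be updated together with vault_version,
# otherwise the downloaded archive cannot be verified against it
vault_archive_sha256: "8764a55bdd69faedaaf5d50325d5e6806041e6305b1e66454b46dc6426d26556"

# Root dir where Vault will be installed
vault_root_dir: /opt/vault

# User under which Vault will run
vault_user: vault

# Setting vault_letsencrypt_cert will automate cert configuration
# using Let's Encrypt. The server needs to have the letsencrypt role assigned.
# Note that you probably want to use dns-01 challenges in this case so you won't have to
# expose your vault server on the public internet
# vault_letsencrypt_cert: "{{ inventory_hostname }}"

# A token having backup (raft snapshot) permission. If set, ansible will
# take a snapshot of the data before upgrading vault.
# Keep the real value in an ansible-vault encrypted variable file, not in this defaults file
# vault_bkp_token: XXXXX

# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
vault_base_services:
  api:
    port: 8200
    src_ip: []
  cluster:
    port: 8201
    src_ip: []

# You should set this to the IP / CIDR of your other servers
# Example
# vault_extra_services:
#   cluster:
#     src_ip:
#       - 10.127.0.10
#       - 10.145.99.60
vault_extra_services: {}

vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}"

# Configuration of the service (which will be converted to JSON)
# The configuration is split in a base conf, an extra conf, and a host conf so you can override part of the config easily
vault_base_conf:
  # Name of the Vault cluster
  cluster_name: Vault Cluster
  # Log settings
  log_level: INFO
  log_format: standard
  # Plugin settings
  plugin_directory: "{{ vault_root_dir }}/plugins"
  # This means vault will expect plugins to be owned by root
  plugin_file_uid: 0
  # Is the UI enabled?
  ui: true
  # TCP listeners
  listeners:
    # Address/port on which vault will bind for API requests.
    # This binds on every interface: restrict who can reach it with the src_ip lists of vault_services
    - address: "0.0.0.0:{{ vault_services.api.port }}"
      # Address/port on which vault will bind for inter-node communications
      cluster_address: "0.0.0.0:{{ vault_services.cluster.port }}"
      # Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated
      # by ansible. Do not modify these paths when using a Let's Encrypt cert, as they will be placed here.
      # Only change if you want to manually control the certificate to use
      tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt"
      tls_key_file: "{{ vault_root_dir }}/tls/vault.key"
      # List of IP addresses for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR.
      # Only list proxies you control: any host in this list can set the client address Vault sees
      x_forwarded_for_authorized_addrs: []
      # If x_forwarded_for_authorized_addrs is set and a request does not have an X-Forwarded-For header, should it be rejected?
      # Default is false, which means you can reach vault both directly or through your reverse proxy
      x_forwarded_for_reject_not_present: false
  # URL of the API to advertise
  api_addr: "https://{{ inventory_hostname }}:{{ vault_services.api.port }}"
  # URL of the inter-node communication endpoint to advertise
  cluster_addr: "https://{{ inventory_hostname }}:{{ vault_services.cluster.port }}"
  # When using integrated raft storage, mlock should be disabled
  disable_mlock: true
  storage:
    # Integrated raft storage
    raft:
      path: "{{ vault_root_dir }}/data"
      node_id: "{{ inventory_hostname }}"
      performance_multiplier: 1
      # retry_join:
      #   - leader_api_addr: https://vault-1.example.org:8200
      #     leader_ca_cert: /opt/vault/tls/ca-vault-1.crt
      #   - leader_api_addr: https://vault-2.example.org:8200
      #   - leader_api_addr: https://vault-3.example.org:8200
      retry_join: []
  # Service registration on consul
  # service_registration:
  #   address: http://localhost:8500
  #   service: vault
  #   token: XXXXX
  #   service_tags:
  #     - "traefik.enable=true"
  #     - "traefik.http.routers.http.entrypoints=https"
  #     - "traefik.http.routers.http.rule=Host(`vault.example.org`)"
  #   tls_ca_file: /opt/vault/tls/consul_ca.crt
  #   tls_cert_file: /opt/vault/tls/consul_cert.crt
  #   tls_key_file: /opt/vault/tls/consul_key.crt
  telemetry:
    prometheus_retention_time: 1h
    disable_hostname: true

# You can add additional parameters in vault_extra_conf (or vault_host_conf);
# they will be merged into vault_base_conf before rendering.
# Example (retry_join is a list of leader stanzas, pointing at the API port, as above)
# vault_extra_conf:
#   cluster_name: Vault Production
#   storage:
#     raft:
#       retry_join:
#         - leader_api_addr: https://vault1.example.org:8200
vault_extra_conf: {}
vault_host_conf: {}

# Merge all the conf
vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}"

# This can be used to spawn a consul-template service which will obtain and renew a client cert
# to reach the Nomad API, so the Nomad secret can be used securely
vault_base_secrets:
  # The vault API to query. Default is our own API
  vault_address: "{{ vault_conf.api_addr }}"
  # The vault token to use. XXXXXXX is a placeholder: set the real token in an
  # ansible-vault encrypted variable file, never in a plaintext defaults/vars file
  vault_token: XXXXXXX
  nomad:
    enabled: false
    # The Nomad API address
    address: https://nomad.service.consul:4646
    # The Nomad management token vault will use to issue tokens for users
    # (placeholder, handle it like vault_token above)
    token: XXXXXXX
    pki:
      # The path where the PKI used by Nomad is mounted. The PKI must be mounted and configured
      path: /pki/nomad
      # The role used to issue the certificate
      role: nomad-user
      # The TTL of the certificate issued for vault
      ttl: 72h
      # The common name of the certificate
      cn: vault
    secret:
      # The path where the Nomad secret engine is mounted
      # Note: the secret engine must already be mounted
      path: nomad
vault_extra_secrets: {}
vault_host_secrets: {}
vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"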