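---
# Ansible role defaults for the Consul agent.
# Values prefixed consul_base_* are merged (recursively) with consul_extra_* and
# consul_host_* into the consul_conf / consul_services / consul_catalog_services
# variables consumed by the templates, so override selectively rather than copying
# the whole base structure.

# User account under which Consul will run (will be created if needed)
consul_user: consul

# Root directory where Consul will be installed
consul_root_dir: /opt/consul

# List of Unix groups which will be Consul admins
# Used for example to grant access to the CLI cert with ACL
consul_admin_groups: "{{ system_admin_groups | default([]) }}"

# An optional CONSUL_HTTP_TOKEN used to take a snapshot of the raft logs during pre-backup
# For example:
# consul_backup_token: 1677848e-1fcd-b24a-6fb0-56b503d75651
# or a more advanced use, fetching a short-lived token from Vault at backup time
# (preferable to committing a long-lived token in this file):
# consul_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id consul/creds/admin ttl=1m)

# List of Consul server names or IPs (an optional :port suffix is stripped before
# comparing with inventory_hostname below)
consul_servers: []

# Consul configuration (which will be converted to JSON)
# The configuration is split into a base conf and an extra conf, so you can override part of the config easily
consul_base_conf:
  # 0.0.0.0 exposes the HTTP, DNS and gRPC listeners on every interface. With the
  # defaults below (acl.enabled: false, tls.enabled: false) those listeners are
  # unauthenticated and cleartext, so on any host reachable from untrusted networks
  # either narrow this address, enable ACL + TLS, or restrict src_ip in consul_services.
  client_addr: 0.0.0.0
  log_level: INFO
  bind_addr: 0.0.0.0
  # Recursive DNS resolvers to which non-authoritative queries will be sent
  recursors: "{{ ansible_dns.nameservers }}"
  # Domain handled by Consul, on which services will be published
  # All queries in this domain are assumed to be handled by Consul and will not be recursively resolved
  # domain: consul.
  # An optional alternative domain
  # alt_domain: consul.example.org.
  # Address that is advertised to the other nodes
  advertise_addr: "{{ ansible_default_ipv4.address }}"
  # You can also advertise the WAN addr
  # advertise_addr_wan: x.x.x.x
  # You can define the datacenter in which this agent is running. The default value is dc1
  # datacenter: dc1
  # When several DCs are used, one must be set as the primary. This DC will be used as the
  # source for ACL replication
  # primary_datacenter: dc1
  # Node name, which should be unique in the region. Default is the hostname
  # node_name: consule-fr-zone-c
  # Arbitrary metadata
  # node_meta:
  #   instance_type: t2.medium
  #   env: staging
  node_meta: {}
  # Optional encryption key for the gossip protocol
  # You can generate one with `consul keygen`. The key must be the same on all the members
  # Without it, serf LAN/WAN gossip traffic is sent unencrypted and unauthenticated.
  # Do not reuse the sample key below; store the real one outside this defaults file.
  # encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I=
  retry_join: "{{ consul_servers }}"
  # NOTE(review): this is rendered for clients as well as servers; confirm the config
  # template drops it when server is false, as Consul is expected to reject
  # bootstrap_expect on a non-server agent.
  bootstrap_expect: "{{ consul_servers | length }}"
  # A node is a server when its inventory_hostname appears in consul_servers (port suffix ignored)
  server: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
  ui_config:
    # The web UI is only served by server nodes
    enabled: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
  performance:
    raft_multiplier: 1
  telemetry:
    prometheus_retention_time: 1h
  connect:
    # Enable Consul service mesh on servers
    enabled: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
    # ca_provider: vault
    ca_config:
      # address: https://active.vault.service.consul:8200
      root_pki_path: pki/root
      intermediate_pki_path: pki/connect
      # auth_method:
      #   approle:
      #     role_id: XXXX
      #     secret_id: YYYY
  acl:
    enabled: false
    # The default_policy is also used for intentions in the service mesh
    default_policy: deny
    # Persisted tokens are written to disk by the agent; keep its data directory
    # readable by consul_user only
    enable_token_persistence: true
    # You can set tokens used by the agent
    # tokens:
    #   default: ab47bc38-d97f-19af-93a5-17b528d154c9
    #   agent: 5459979a-3f23-8b1f-ff8a-2478856e9216
    tokens: {}
  tls:
    # No TLS will be set up unless this is set to true
    enabled: false
    # Default TLS settings
    defaults:
      ca_file: "{{ consul_root_dir }}/tls/ca.crt"
      cert_file: "{{ consul_root_dir }}/tls/consul.crt"
      key_file: "{{ consul_root_dir }}/tls/consul.key"
      verify_incoming: true
      verify_outgoing: true
    # TLS settings for internal RPC
    internal_rpc:
      verify_server_hostname: true

consul_extra_conf: {}
consul_host_conf: {}
consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}"

# For example
# consul_extra_conf:
#   datacenter: my-dc
#   domain: dev.example.org
#   encrypt: WSnGbK30nI6K/xk9w+AAtk0Y3RMXKoAlsj4VEICqi0I=
#   ui_config:
#     enabled: false

# List of services exposed by Consul, the ports they use, and the list of IPs
# for which the service is accessible at the firewall level (if iptables_manage == True)
# NOTE(review): src_ip is empty for every service by default; confirm in the firewall
# tasks whether an empty list means "no rule" or "open to all" before relying on it.
consul_base_services:
  dns:
    port: 8600
    src_ip: []
    proto: [tcp, udp]
  http:
    port: 8500
    src_ip: []
    proto: [tcp]
  https:
    port: 8501
    src_ip: []
    proto: [tcp]
  grpc:
    port: 8502
    src_ip: []
    proto: [tcp]
  grpc_tls:
    port: 8503
    src_ip: []
    proto: [tcp]
  serf_lan:
    port: 8301
    src_ip: []
    proto: [tcp, udp]
  serf_wan:
    port: 8302
    src_ip: []
    proto: [tcp, udp]
  server:
    port: 8300
    src_ip: []
    proto: [tcp]
  # Port ranges are quoted so no YAML parser can mistake "a:b" for a sexagesimal integer
  sidecar:
    port: "21000:21255"
    src_ip: []
    proto: [tcp]
  expose:
    port: "21500:21755"
    src_ip: []
    proto: [tcp]

consul_extra_services: {}
consul_host_services: {}
consul_services: "{{ consul_base_services | combine(consul_extra_services, recursive=True) | combine(consul_host_services, recursive=True) }}"

# Services can be manually registered on the catalog
# consul_extra_catalog_services:
#   service-id:
#     name: my-service
#     address: 10.1.0.26
#     port: 8080
consul_base_catalog_services: {}
consul_extra_catalog_services: {}
consul_host_catalog_services: {}
consul_catalog_services: "{{ consul_base_catalog_services | combine(consul_extra_catalog_services, recursive=True) | combine(consul_host_catalog_services, recursive=True) }}"

# Control memory of the service
# (presumably passed to the service unit as resource limits; verify the unit template)
consul_memory_max: 1024M
consul_swap_max: 10M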