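---
# Levant/Nomad variables for the LemonLDAP::NG job.
# `[[ ... ]]` expressions are expanded by Levant at render time;
# `{{ ... }}` expressions are Consul/Vault templates evaluated by Nomad at runtime.
instance: lemonldap-ng

llng:
  nomad:
    # A lot of services depend on LemonLDAP::NG,
    # so give it a slightly higher priority than normal
    priority: 60
    # Ensure we run different allocs on different hosts
    constraints:
      - operator: distinct_hosts
        value: true

  # The same engine can run portal, manager and handler.
  # The settings below are for the uwsgi engine itself.
  engine:
    # Number of instances to run
    count: 1
    # Version of LemonLDAP::NG to use
    version: 2.19.0
    # Docker image to use (the trailing "-2" is the image build revision for this version)
    image: '[[ .docker.repo ]]lemonldap-ng:[[ .llng.engine.version ]]-2'
    # Resource allocation
    resources:
      cpu: 500
      memory: 512
    # Connect to the database from the service mesh
    consul:
      connect:
        upstreams:
          - destination_name: postgres[[ .consul.suffix ]]
            local_bind_port: 5432
      # NOTE(review): nesting of wait_for relative to connect was inferred
      # from a collapsed source — confirm against the job template
      wait_for:
        - service: postgres[[ .consul.suffix ]]
    # Vault policies
    vault:
      policies:
        - '[[ .instance ]][[ .consul.suffix ]]'
    # Database settings.
    # Credentials are not stored here: they are rendered at runtime from Vault's
    # database secrets engine (database/creds/...), so each allocation gets its own.
    postgres:
      database: '[[ .instance ]]'
      user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
      password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
    # Additional env vars to pass to the container
    env:
      # Max number of uwsgi workers. You might need to allocate more memory
      # if you need to raise this value (or you can just run several instances instead).
      # NOTE(review): Nomad env values are strings; confirm the template quotes
      # this value when rendering, otherwise write it as "6"
      LLNG_WORKERS: 6
    # Download assets (used to customize the portal)
    artifacts:
      defaults:
        source: git::https://git.lapiole.org/nomad/lemonldap-ng.git//files/assets
        destination: local/assets/static/common
    # Log level of the engine
    log_level: notice

  # Settings for the portal itself
  portal:
    # URL used by users to reach the portal
    public_url: https://sso.example.org
    # Available languages on the portal
    languages:
      - en
      - fr
      - es
      - it
      - de
    # Traefik settings
    traefik:
      # If disabled, the portal won't be exposed by Traefik
      enabled: true
      # Disable default CSP as LemonLDAP::NG handles it itself
      csp: false
      auto_rule: false
      router: '[[ .instance ]]-portal[[ .consul.suffix ]]'
    # Cron jobs (cron expressions; an empty string disables the job)
    cron:
      # Rotate OIDC keys (default is disabled)
      rotate_oidc_keys: ''
      # Cleanup global session store by removing obsolete ones.
      # Note that this task will only be scheduled on the first allocation (NOMAD_ALLOC_INDEX 0)
      # as there's no need to do the cleanup on every instance.
      clean_global_cache: '@every 10m'
      # Cleanup local session and config cache.
      # This task will also only be scheduled on the first allocation.
      clean_local_cache: '@every 1h'

  # Settings for the configuration manager
  manager:
    # protection can be "none" (no authentication) or "manager" (the manager is
    # protected by LemonLDAP::NG itself, and you must add appropriate access rules
    # to access the manager). On initial configuration, you will likely need to set
    # this to none, and switch back to manager only after the configuration is working.
    # While it is "none", anyone who can reach the manager URL can edit the
    # configuration, so keep traefik.enabled below false (or otherwise restrict
    # access) during that window.
    protection: manager
    # The URL to reach the manager
    public_url: https://manager.example.org
    # Available languages for the manager
    languages:
      - en
    # Traefik settings
    traefik:
      # If disabled, the manager will not be exposed by Traefik
      enabled: true
      # Disable default CSP as LemonLDAP::NG handles CSP itself
      csp: false
      router: manager

  # The API is exposed by the portal, but usually must be secured differently.
  # The following settings only apply to the REST/SOAP API.
  api:
    # Traefik settings
    traefik:
      # If disabled, Traefik won't expose the API (the default, so the API is
      # only reachable from inside the mesh unless explicitly enabled)
      enabled: false
      csp: false
      middlewares:
        compression: false
      auto_rule: false
      router: api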