---
hiera_include:
  - profiles::reposync::webserver

profiles::ssh::sign::principals:
  - packagerepo.service.consul
  - packagerepo.query.consul
  - "packagerepo.service.%{facts.country}-%{facts.region}.consul"

# additional altnames
profiles::pki::vault::alt_names:
  - packagerepo.main.unkin.net
  - packagerepo.service.consul
  - packagerepo.query.consul
  - "packagerepo.service.%{facts.country}-%{facts.region}.consul"

# configure consul service
consul::services:
  packagerepo:
    service_name: 'packagerepo'
    tags:
      - 'packagerepo'
    address: "%{facts.networking.ip}"
    port: 443
    checks:
      - id: 'packagerepo_http_check'
        name: 'packagerepo HTTP Check'
        http: "https://%{facts.networking.fqdn}"
        method: 'GET'
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'
profiles::consul::client::node_rules:
  - resource: service
    segment: packagerepo
    disposition: write

profiles::reposync::webserver::nginx_listen_mode: both
profiles::reposync::webserver::nginx_cert_type: vault
profiles::reposync::webserver::www_root: /shared/apps/packagerepo/snap
profiles::reposync::webserver::cache_root: /data/repos/cache