---
# Hiera data for the Drone CI server role (roles::infra::droneci::server).
# Every credential below is pulled in through %{hiera('droneci_server::...')}
# interpolation, so no secret value is stored in this file. Those keys are
# defined elsewhere; confirm the backing data is encrypted at rest
# (e.g. hiera-eyaml), which cannot be verified from here.

# additional altnames
# Presumably extra subject alternative names for the Vault-issued TLS
# certificate; the last entry is built from the country/region facts.
profiles::pki::vault::alt_names:
  - droneci.main.unkin.net
  - droneci.service.consul
  - droneci.query.consul
  - "droneci.service.%{facts.country}-%{facts.region}.consul"

# Presumably the principals placed on this host's signed SSH certificate.
profiles::ssh::sign::principals:
  - droneci.main.unkin.net
  - droneci.service.consul
  - droneci.query.consul

hiera_include:
  - docker
  - profiles::sql::postgresdb
  - droneci

# NOTE(review): 'latest' is not a pinned version, so the Docker engine on this
# host presumably follows whatever the package repository serves at each
# Puppet run. Pin an explicit version so upgrades are deliberate and auditable.
docker::version: latest
docker::curl_ensure: false

profiles::sql::postgresdb::dbname: droneci
profiles::sql::postgresdb::dbuser: droneci
# Same lookup key as the password embedded in DRONE_DATABASE_DATASOURCE below.
profiles::sql::postgresdb::dbpass: "%{hiera('droneci_server::postgres_password')}"
profiles::sql::postgresdb::members_lookup: true
profiles::sql::postgresdb::members_role: roles::infra::droneci::server

# NOTE(review): unquoted digits-and-colon scalars. These two load as strings
# because each segment is 60 or more, but YAML 1.1 loaders read values such as
# 22:22 as base-60 integers; quoting port mappings avoids that trap.
droneci::ports:
  - 80:80
  - 443:443
# /var/lib/drone is the only writable bind mount. The TLS certificate, its
# private key and the CA bundle are all mounted readonly; the CA bundle is
# exposed at two target paths inside the container.
droneci::volumes:
  - type=bind,source=/var/lib/drone,target=/data
  - type=bind,source=/etc/pki/tls/vault/certificate.crt,target=/etc/pki/tls/vault/certificate.crt,readonly
  - type=bind,source=/etc/pki/tls/vault/private.key,target=/etc/pki/tls/vault/private.key,readonly
  - type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/pki/tls/certs/ca-bundle.crt,readonly
  - type=bind,source=/etc/pki/tls/certs/ca-bundle.crt,target=/etc/ssl/certs/ca-certificates.crt,readonly
# Environment passed to the Drone server container.
# NOTE(review): the interpolated secrets end up in the container environment,
# which is typically readable by anyone who can inspect the container or its
# process on this host; restrict Docker socket and host access accordingly.
# The unquoted true values are YAML booleans; this assumes the droneci module
# stringifies them for the environment (TODO confirm).
droneci::env_vars:
  DRONE_GITEA_SERVER: https://git.query.consul
  # OAuth client ID is an identifier, not a credential; the matching client
  # secret on the next line is looked up rather than stored here.
  DRONE_GITEA_CLIENT_ID: 3f6abbd9-1838-4d22-8023-f9bd8cf27c82
  DRONE_GITEA_CLIENT_SECRET: "%{hiera('droneci_server::gitea_client_secret')}"
  # Shared secret between the server and its runners.
  DRONE_RPC_SECRET: "%{hiera('droneci_server::rpc_secret')}"
  DRONE_SERVER_HOST: droneci.query.consul
  DRONE_SERVER_PROTO: https
  DRONE_TLS_CERT: /etc/pki/tls/vault/certificate.crt
  DRONE_TLS_KEY: /etc/pki/tls/vault/private.key
  DRONE_COOKIE_SECRET: "%{hiera('droneci_server::cookie_secret')}"
  # NOTE(review): 720h is 30 days. A stolen session cookie stays usable for
  # that long; confirm this lifetime is acceptable for a CI system that holds
  # repository and deployment secrets.
  DRONE_COOKIE_TIMEOUT: 720h
  DRONE_HTTP_SSL_REDIRECT: true
  DRONE_HTTP_SSL_TEMPORARY_REDIRECT: true
  DRONE_HTTP_SSL_HOST: droneci.query.consul
  DRONE_LOGS_TEXT: true
  DRONE_LOGS_PRETTY: true
  DRONE_LOGS_COLOR: true
  # Key Drone uses to encrypt stored secrets in its database.
  DRONE_DATABASE_SECRET: "%{hiera('droneci_server::database_secret')}"
  DRONE_DATABASE_DRIVER: postgres
  # NOTE(review): sslmode=disable sends the database password and all Drone
  # data (including stored secrets) to the remote Patroni primary without
  # transport encryption. If the cluster supports TLS, move to a verifying
  # sslmode and reuse the CA bundle already mounted into the container.
  # The password is spliced into a URL, so characters such as '@', ':' or '/'
  # in it would need percent-encoding to parse correctly.
  DRONE_DATABASE_DATASOURCE: "postgres://droneci:%{hiera('droneci_server::postgres_password')}@master.patroni-prod.service.au-syd1.consul:5432/droneci?sslmode=disable"
  # NOTE(review): redis:// is the plaintext scheme, so the credential crosses
  # the network unencrypted. The secret also sits in the userinfo position
  # with no ':' before it, which URL parsers commonly treat as a username
  # rather than a password; verify that the server really authenticates.
  DRONE_REDIS_CONNECTION: "redis://%{hiera('droneci_server::redis_password')}@redis-master-prod.service.au-syd1.consul:6379/2"

# Consul service registration with an HTTPS health check against this node's
# own FQDN on port 443.
consul::services:
  droneci:
    service_name: 'droneci'
    tags:
      - 'drone'
      - 'droneci'
    address: "%{facts.networking.ip}"
    port: 443
    checks:
      - id: 'droneci_https_check'
        name: 'droneci HTTPS Check'
        http: "https://%{facts.networking.fqdn}:443"
        method: 'GET'
        # NOTE(review): certificate validation is turned off for the check, so
        # an expired, mis-issued or wrong-host certificate still reports
        # healthy. The certificate comes from the internal PKI; consider
        # trusting that CA for the check and removing this flag.
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'
# Presumably rendered into this node's Consul ACL policy: write access is
# scoped to the single 'droneci' service rather than a wildcard.
profiles::consul::client::node_rules:
  - resource: service
    segment: droneci
    disposition: write