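---
# Hiera data for a node that fronts a backend web application with nginx
# (profiles::nginx::simpleproxy). It defines a ceph-reef yum repository, a
# ceph client keyring, a local "media" group, and four nginx locations:
# an internal LDAP auth sub-request, a health check, the authenticated
# site root, and an unauthenticated API path.
hiera_include:
  - profiles::nginx::simpleproxy

profiles::yum::global::repos:
  ceph-reef:
    name: ceph-reef
    descr: ceph reef repository
    target: /etc/yum.repos.d/ceph-reef.repo
    baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
    # Fixed: the value was written as `0,`, which YAML reads as the string
    # "0," rather than the number 0.
    # NOTE(review): with gpgcheck off, packages from this repository are
    # installed without signature verification, so their integrity rests on
    # TLS and on the edge cache itself. Prefer gpgcheck: 1 together with a
    # gpgkey entry once the repository's signing key is distributed.
    gpgcheck: 0
    mirrorlist: absent

profiles::ceph::client::keyrings:
  media:
    # The key material is looked up rather than stored in this file.
    # NOTE(review): confirm 'ceph::key::media' resolves from an encrypted
    # backend and not from plaintext data.
    key: "%{hiera('ceph::key::media')}"

profiles::base::groups::local:
  media:
    ensure: present
    gid: 20000
    allowdupe: false
    forcelocal: true

# Values consumed below through %{lookup('ldap_host')} and
# %{lookup('ldap_basedn')}.
ldap_host: 'ldap.service.consul'
ldap_basedn: 'dc=main,dc=unkin,dc=net'

profiles::nginx::simpleproxy::locations:
  # authentication proxy: exact-match, internal-only location that the
  # auth_request directive of arrstack_web_external points at.
  authproxy:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    # internal: not reachable directly by clients, only via sub-requests.
    internal: true
    location: '= /auth-proxy'
    # NOTE(review): the bind DN and bind password headers below travel to
    # this upstream over plain HTTP; that is only acceptable if proxy_host
    # is the local host or an otherwise trusted path - confirm.
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
    proxy_set_header:
      - 'Content-Length ""'
      # NOTE(review): ldap:// with X-Ldap-Starttls "false" means the bind
      # credentials and the users' passwords reach the directory
      # unencrypted. Consider ldaps:// or enabling StartTLS.
      - "X-Ldap-URL ldap://%{lookup('ldap_host')}"
      - 'X-Ldap-Starttls "false"'
      - "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
      - "X-Ldap-BindDN %{lookup('ldap_binddn')}"
      # ldap_binddn, ldap_bindpass and ldap_template are not defined in
      # this file. NOTE(review): confirm ldap_bindpass comes from an
      # encrypted backend and that the bind account is read-only.
      - "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
      - 'X-CookieName "nginxauth"'
      - 'Cookie nginxauth=$cookie_nginxauth'
      - "X-Ldap-Template %{lookup('ldap_template')}"
      - 'X-Ldap-Realm "Restricted"'
    # Successful (200) auth answers are cached for 10 minutes, keyed on the
    # Authorization header plus the auth cookie.
    # NOTE(review): a disabled account or changed password can therefore
    # keep working for up to 10 minutes; shorten the validity if faster
    # revocation matters.
    proxy_cache: 'cache'
    proxy_cache_valid: '200 10m'
    proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
    location_cfg_append:
      # The auth daemon only needs headers, so the request body is dropped
      # (matches the empty Content-Length header above).
      proxy_pass_request_body: 'off'

  # health checks by consul/haproxy: no auth_request here; access is
  # limited by source address instead.
  arrstack_web_healthcheck:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    location: '/consul/health'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
    proxy_set_header:
      - 'Host $host'
      - 'X-Forwarded-For $proxy_add_x_forwarded_for'
      - 'X-Forwarded-Host $host'
      - 'X-Forwarded-Proto $scheme'
      - 'Upgrade $http_upgrade'
      - 'Connection $http_connection'
    proxy_redirect: 'off'
    proxy_http_version: '1.1'
    # Allow loopback, the node's own address and two fixed addresses
    # (presumably the consul/haproxy checkers - confirm); everything else
    # is denied.
    location_allow:
      - 127.0.0.1
      - "%{facts.networking.ip}"
      - 198.18.13.25
      - 198.18.13.26
    location_deny:
      - all

  # authorised access from external: every request under '/' must first
  # pass the /auth-proxy sub-request.
  arrstack_web_external:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    location: '/'
    auth_request: '/auth-proxy'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
    proxy_set_header:
      - 'Host $host'
      - 'X-Forwarded-For $proxy_add_x_forwarded_for'
      - 'X-Forwarded-Host $host'
      - 'X-Forwarded-Proto $scheme'
      - 'Upgrade $http_upgrade'
      - 'Connection $http_connection'
    proxy_redirect: 'off'
    proxy_http_version: '1.1'

  # location for api, which should be accessible without authentication
  # NOTE(review): '~ /api' is an unanchored regex location. It matches any
  # request path that contains '/api', not only paths that begin with it,
  # and regex locations are preferred over the '/' prefix location, so none
  # of those requests go through auth_request. Access control for them
  # rests entirely on the backend. If only the API prefix is intended, an
  # anchored pattern such as '^/api/' is narrower - confirm against the
  # application's URL layout before changing it.
  arrstack_api:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    location: '~ /api'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
    location_cfg_append:
      client_max_body_size: '20m'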