---
# Hiera data for an Incus image host: ZFS-backed storage, Consul service
# registration, and the kernel/limits tuning Incus asks for.

hiera_include:
  - incus
  - zfs

profiles::packages::include:
  bridge-utils: {}
  dnsmasq: {}

# Names the Vault-issued certificate must cover. NOTE(review): the node's own
# FQDN is not in this list, which is why the Consul health check below cannot
# verify TLS — see tls_skip_verify.
profiles::pki::vault::alt_names:
  - incus-images.service.consul
  - incus-images.query.consul
  - "incus-images.service.%{facts.country}-%{facts.region}.consul"

# Principals for the signed SSH host certificate; same name set as above.
profiles::ssh::sign::principals:
  - incus-images.service.consul
  - incus-images.query.consul
  - "incus-images.service.%{facts.country}-%{facts.region}.consul"

# Consul service registration and its health check
consul::services:
  incus-images:
    service_name: incus-images
    tags:
      - incus
      - images
      - container
      - lxd
    address: "%{facts.networking.ip}"
    port: 8443
    checks:
      - id: incus_https_check
        name: incus HTTPS Check
        http: "https://%{facts.networking.fqdn}:8443"
        method: GET
        # Certificate verification is disabled: the check targets the node
        # FQDN, which the alt_names above do not include, so a verified
        # connection would presumably fail. The check therefore proves only
        # that something answers TLS on 8443, not that it presents this
        # host's certificate. Set to false once the certificate covers the
        # FQDN (or point the check at a covered name) — TODO confirm.
        tls_skip_verify: true
        interval: 10s
        timeout: 1s

# Presumably Consul ACL rules for this node's token: write access scoped to
# the incus-images service only — verify against the profile.
profiles::consul::client::node_rules:
  - resource: service
    segment: incus-images
    disposition: write

# Additional yum repository for the ZFS kernel module (signed packages;
# gpgkey is fetched from the same internal repo host)
profiles::yum::global::repos:
  zfs-kmod:
    name: zfs-kmod
    descr: zfs-kmod repository
    target: /etc/yum.repos.d/zfs-kmod.repo
    baseurl: "https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os"
    gpgkey: "https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022"
    mirrorlist: absent

# ZFS: the repo is defined above, so the zfs module must not manage it.
# No ARC floor; ARC ceiling is in bytes (429496729 B is ~410 MiB, not an
# even 400 MB).
zfs::manage_repo: false
zfs::zfs_arc_min: null
zfs::zfs_arc_max: 429496729  # bytes, ~410 MiB

zfs::zpools:
  fastpool:
    ensure: present
    disk: /dev/vdb
    ashift: 12

# 'on'/'off' are quoted on purpose: unquoted they parse as booleans.
zfs::datasets:
  fastpool:
    canmount: 'off'
    acltype: posix
    atime: 'off'
    relatime: 'off'
    compression: zstd
    xattr: sa
  fastpool/data:
    canmount: 'on'
    mountpoint: /data
  fastpool/data/incus:
    canmount: 'on'
    mountpoint: /data/incus

# Incus daemon; the API port matches the Consul service port above.
incus::init: true
incus::server_port: 8443
incus::storage_images_volume: fastpool/imagestore

# Let the sysadmin account administer Incus. Membership of incus-admin
# grants unrestricted access to the Incus API, which is effectively root on
# the host — treat this as a privileged group.
profiles::accounts::sysadmin::extra_groups:
  - incus-admin

# Kernel tuning (presumably the Incus production-setup recommendations —
# confirm against current docs). Values stay quoted strings so YAML does
# not retype them.
sysctl::base::values:
  fs.aio-max-nr:
    value: '524288'
  fs.inotify.max_queued_events:
    value: '1048576'
  fs.inotify.max_user_instances:
    value: '1048576'
  fs.inotify.max_user_watches:
    value: '1048576'
  # Only processes with CAP_SYSLOG may read the kernel log.
  kernel.dmesg_restrict:
    value: '1'
  kernel.keys.maxbytes:
    value: '2000000'
  kernel.keys.maxkeys:
    value: '2000'
  net.core.bpf_jit_limit:
    value: '1000000000'
  net.ipv4.neigh.default.gc_thresh3:
    value: '8192'
  net.ipv6.neigh.default.gc_thresh3:
    value: '8192'
  vm.max_map_count:
    value: '262144'
  # Forwarding is enabled on all interfaces (needed for container
  # networking); the host firewall, not this setting, decides what is
  # actually routed between them.
  net.ipv4.conf.all.forwarding:
    value: '1'
  net.ipv6.conf.all.forwarding:
    value: '1'

# limits.d recommendations. Keys are quoted because '*' would otherwise be
# read as a YAML alias.
limits::entries:
  '*/nofile':
    both: 1048576
  'root/nofile':
    both: 1048576
  '*/memlock':
    both: unlimited
  'root/memlock':
    both: unlimited