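---
# Hiera data for an incus image-server role: packages, certificate/SSH
# principal names, Consul service registration, and host tuning.
# Restored to block style: collapsed onto one line, everything after the
# first '#' is read as a comment and the remaining keys are lost.
hiera_include:
  - incus

profiles::packages::include:
  bridge-utils: {}
  dnsmasq: {}
  squashfs-tools: {}
  iptables-nft: {}

# Names for this service under Consul DNS. The node FQDN is not listed here;
# whether the profile adds it on its own is not visible in this file.
profiles::pki::vault::alt_names:
  - incus-images.service.consul
  - incus-images.query.consul
  - "incus-images.service.%{facts.country}-%{facts.region}.consul"

# Same three names as the alt_names list above; keep the two lists in sync.
profiles::ssh::sign::principals:
  - incus-images.service.consul
  - incus-images.query.consul
  - "incus-images.service.%{facts.country}-%{facts.region}.consul"

# configure consul service
consul::services:
  incus-images:
    service_name: 'incus-images'
    tags:
      - 'incus'
      - 'images'
      - 'container'
      - 'lxd'
    address: "%{facts.networking.ip}"
    port: 8443
    checks:
      - id: 'incus_https_check'
        name: 'incus HTTPS Check'
        http: "https://%{facts.networking.fqdn}:8443"
        method: 'GET'
        # NOTE(review): with tls_skip_verify the check does not validate the
        # server certificate, so "passing" only means something answers TLS
        # on 8443. If the certificate served on 8443 is trusted by the Consul
        # agent and covers the FQDN used above, set this to false - confirm.
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'

# Presumably the Consul ACL rule that lets this node register the service
# above; write is scoped to the single service name - verify in the profile.
profiles::consul::client::node_rules:
  - resource: service
    segment: incus-images
    disposition: write

# manage incus
incus::init: true
# Same port as the Consul service and health check above. The listen address
# and the client trust configuration are not set in this file.
incus::server_port: 8443

# add sysadmin to incus-admin group
# Members of incus-admin have full control of the Incus daemon, which is
# equivalent to root on the host; treat this account accordingly.
profiles::accounts::sysadmin::extra_groups:
  - incus-admin

# sysctl recommendations
# Enables IPv4 and IPv6 forwarding on all interfaces, so the host routes
# packets between networks; any filtering has to come from firewall rules,
# which are not defined in this file.
sysctl::base::values:
  net.ipv4.conf.all.forwarding:
    value: '1'
  net.ipv6.conf.all.forwarding:
    value: '1'

# limits.d recommendations
# '*' applies the raised open-file limit to every user, not only to incus;
# 'both' presumably sets the soft and the hard limit - confirm in the module.
limits::entries:
  '*/nofile':
    both: 1048576
  'root/nofile':
    both: 1048576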