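---
# Hiera data for the rundeck server role.
#
# Pulls in the rundeck and nginx reverse-proxy profiles, registers the service
# in consul, requests a vault-issued certificate for every name the proxy
# answers to, wires rundeck authentication to LDAP, configures key storage
# (database + vault) and declares the projects and their ACL policies.
hiera_include:
  - profiles::rundeck::server
  - profiles::nginx::simpleproxy

profiles::packages::exclude:
  - jq

profiles::ssh::sign::principals:
  - rundeck.main.unkin.net
  - rundeck.service.consul
  - rundeck.query.consul

# manage a simple nginx reverse proxy
# nginx fronts the rundeck backend, which the consul check below reaches over
# plain HTTP on 4440; TLS is presumably terminated by nginx (port 443 is what is
# advertised to consul) — confirm against the simpleproxy profile.
profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
  - rundeck.main.unkin.net
  - rundeck.service.consul
  - rundeck.query.consul
  - "rundeck.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 4440
profiles::nginx::simpleproxy::proxy_path: '/'
nginx::client_max_body_size: 20M

# additional altnames
# Must stay in sync with nginx_aliases above: any name clients use to reach the
# proxy that is missing from the certificate will fail TLS verification.
profiles::pki::vault::alt_names:
  - rundeck.main.unkin.net
  - rundeck.service.consul
  - rundeck.query.consul
  - "rundeck.service.%{facts.country}-%{facts.region}.consul"

# configure consul service
consul::services:
  rundeck:
    service_name: 'rundeck'
    tags:
      - 'automation'
      - 'rundeck'
    address: "%{facts.networking.ip}"
    port: 443
    checks:
      # The health check talks directly to the rundeck backend, bypassing nginx.
      # Renamed from 'glauth_http_check' / 'glauth HTTP Check' — the old label
      # belonged to a different service and mis-attributed failures in the
      # consul UI and alerting.
      # tls_skip_verify was dropped: it has no effect on an http:// URL and
      # would silently disable certificate verification if this check were
      # ever pointed at https://.
      - id: 'rundeck_http_check'
        name: 'rundeck HTTP Check'
        http: "http://%{facts.networking.fqdn}:4440"
        method: 'GET'
        interval: '10s'
        timeout: '1s'

profiles::consul::client::node_rules:
  - resource: service
    segment: rundeck
    disposition: write

profiles::rundeck::server::mysql_backend: true
profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
profiles::rundeck::server::grails_server_url: 'https://rundeck.service.consul'

profiles::rundeck::server::auth_config:
  # Local realm file: 'sufficient' means a successful file login short-circuits
  # LDAP; a failure falls through to the ldap module below.
  file:
    auth_flag: 'sufficient'
    jaas_config:
      file: '/etc/rundeck/realm.properties'
    realm_config:
      admin_user: 'admin'
      # Secret is resolved from hiera at catalog compile time, never stored here.
      admin_password: "%{hiera('rundeck_admin_pass')}"
  ldap:
    # Values are deliberately quoted strings: they are written verbatim into the
    # JAAS config, which expects text rather than YAML booleans.
    jaas_config:
      # NOTE(review): JAAS debug output is verbose about binds and lookups;
      # consider 'false' once LDAP integration is stable.
      debug: 'true'
      # NOTE(review): ldap:// on 389 with a simple bind sends the bind password
      # in clear unless the client negotiates STARTTLS — confirm the directory
      # enforces TLS, or switch to ldaps://.
      providerUrl: 'ldap://ldap.service.consul:389'
      bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
      bindPassword: "%{hiera('ldap_bindpass')}"
      authenticationMethod: 'simple'
      forceBindingLogin: 'true'
      userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
      userRdnAttribute: 'uid'
      userIdAttribute: 'uid'
      userPasswordAttribute: 'userPassword'
      userObjectClass: 'posixAccount'
      roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
      # NOTE(review): groupOfUniqueNames entries are normally named by cn;
      # confirm the groups under roleBaseDn actually carry a uid attribute,
      # otherwise no roles are resolved and every ACL below denies.
      roleNameAttribute: 'uid'
      roleMemberAttribute: 'uniqueMember'
      roleObjectClass: 'groupOfUniqueNames'
      nestedGroups: 'true'

profiles::rundeck::server::key_storage_config:
  - type: 'db'
    path: 'keys'
  - type: 'vault-storage'
    path: 'vault'
    config:
      prefix: 'rundeck'
      address: 'https://vault.query.consul:8200'
      storageBehaviour: 'vault'
      secretBackend: rundeck
      engineVersion: '2'
      # AppRole login: only the role id is configured here — confirm how the
      # plugin obtains the secret id (out of band, or the role does not bind
      # one) rather than assuming the role id alone authenticates.
      authBackend: approle
      approleAuthMount: approle
      approleId: "%{hiera('vault::roleid')}"

profiles::rundeck::server::cli_projects:
  Self-Service:
    update_method: 'set'
    config:
      project.description: 'self-service tasks'
      project.disable.executions: 'false'
  Infrastructure:
    config:
      project.description: 'infrastructure management'
      project.disable.schedule: 'false'

# ACL policies. Rundeck is deny-by-default: a group that matches no policy
# gets no access. Group names must match the LDAP group names byte-for-byte.
profiles::rundeck::server::acl_policies:
  global_admin_policy:
    acl_policies:
      - description: 'Global Admin, all access'
        context:
          application: "rundeck"
        for:
          project:
            - allow: '*'
          resource:
            - allow: '*'
          storage:
            - allow: '*'
        by:
          - group: ['rundeck_globaladmin']
      - description: 'Global Admin, all access'
        context:
          project: '.*'
        for:
          resource:
            - allow: '*'
          adhoc:
            - allow: '*'
          job:
            - allow: '*'
          node:
            - allow: '*'
        by:
          - group: ['rundeck_globaladmin']
  selfservice_admin_policy:
    acl_policies:
      - description: 'Admin, all access for Self-Service project'
        context:
          project: 'Self-Service'
        for:
          resource:
            - allow: '*'
          adhoc:
            - allow: '*'
          job:
            - allow: '*'
          node:
            - allow: '*'
        by:
          # NOTE(review): 'selfserice' looks like a typo for 'selfservice'.
          # Left unchanged because it must equal the directory group name;
          # verify against LDAP before correcting either side.
          - group: ['rundeck_selfserice_admin']
  selfservice_user_policy:
    acl_policies:
      - description: 'Users can execute tasks but not edit for Self-Service project'
        context:
          project: 'Self-Service'
        for:
          resource:
            - allow: ['read']
          adhoc:
            - allow: ['run']
          job:
            - allow: ['read', 'run']
          node:
            - allow: ['read', 'run']
        by:
          # NOTE(review): same 'selfserice' spelling as the admin policy — keep
          # both consistent with the LDAP group.
          - group: ['rundeck_selfserice_user']
  infrastructure_admin_policy:
    acl_policies:
      - description: 'Admin, all access for Infrastructure project'
        context:
          project: 'Infrastructure'
        for:
          resource:
            - allow: '*'
          adhoc:
            - allow: '*'
          job:
            - allow: '*'
          node:
            - allow: '*'
        by:
          - group: ['rundeck_infrastructure_admin']
  infrastructure_user_policy:
    acl_policies:
      - description: 'Users can execute tasks but not edit for Infrastructure project'
        context:
          project: 'Infrastructure'
        for:
          resource:
            - allow: ['read']
          adhoc:
            - allow: ['run']
          job:
            - allow: ['read', 'run']
          node:
            - allow: ['read', 'run']
        by:
          - group: ['rundeck_infrastructure_user']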