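---
# Defaults for the vault_agent role: where the agent lives, how it logs in
# to Vault, and which tokens / certificates it fetches for Nomad and Consul.

vault_agent_root_dir: /opt/vault_agent

# Address of the vault server
vault_agent_vault_address: https://vault.service.consul

# Type of authentication. Can be token or approle
vault_agent_auth: approle
# If auth is approle, you have to set vault_agent_approle_role_id and
# vault_agent_approle_secret_id.
# The secret_id (and the token below) are credentials: supply them from
# Ansible Vault or another secret store rather than a plaintext inventory
# committed to version control.
# vault_agent_approle_role_id: XXXXX
# vault_agent_approle_secret_id: XXXXXXX
# If auth is token, you have to set vault_agent_token
# vault_agent_token: XXXXX

# List of sinks where the token can be written
vault_agent_sinks: []
# A sink file holds a usable Vault token. /tmp is world-writable, so for
# anything beyond a quick test point the sink at a directory that only the
# consuming service can read.
# NOTE(review): a bare 600 is the decimal integer 600 in YAML, not octal
# 0600 - confirm how the role's sink template renders mode.
# vault_agent_sinks:
#   - path: /tmp/vault.token
#     wrap_ttl: 20s
#     mode: 600

# List of templates
vault_agent_templates: []
# NOTE(review): Ansible also treats {{ }} as Jinja, so the Go template in
# contents presumably needs !unsafe / {% raw %} or the alternate delimiters
# below - confirm against the role's tasks.
# perms is quoted so YAML keeps the digits as written (YAML 1.1 loaders read
# an unquoted 0600 as octal, i.e. the integer 384).
# vault_agent_templates:
#   # Use only one of source or contents
#   - source: /srv/foo.tpl
#     contents: "{{ with secret \"kv/bar\" }}{{.Data.data.baz}}{{ end }}"
#     destination: /src/foo
#     left_delimiter: "[["
#     right_delimiter: "]]"
#     perms: '0600'
#     exec:
#       timeout: 30s
#       command: systemctl restart foo.service

vault_agent_nomad_base:

  # Should vault-agent fetch a vault token for use by Nomad
  vault_token:
    enabled: false
    role: "nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}"

  # Should vault-agent fetch certificates from vault for use by Nomad agent
  nomad_pki:
    enabled: false
    path: pki/nomad
    role: "nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}"
    ttl: 72h
    # Vault can get a client certificate for administrative tasks
    # NOTE(review): nesting under nomad_pki is inferred (cli has no path of
    # its own) - confirm.
    cli:
      enabled: "{{ nomad_conf.server.enabled | ternary(True, False) }}"
      role: nomad-user
      ttl: 72h
      # When renewing this cert, vault-agent can update nomad secret
      # (so vault can connect to the Nomad API to manage tokens)
      # secret_path: nomad

  # Should vault-agent fetch a certificate to connect on Consul.
  # This is required when using Consul Connect,
  # even if a Consul agent is available on localhost with no TLS
  consul_pki:
    enabled: false
    path: pki/consul
    role: nomad-client  # Only Nomad clients will use Consul PKI
    ttl: 72h

  # Should vault-agent fetch a consul token.
  # It'll be used to register services in Consul service catalog
  consul_token:
    enabled: false
    # The path of the consul secret engine
    path: consul
    # The role used to get the token
    role: "nomad-{{ nomad_conf.server.enabled | ternary('server', 'client') }}"

# Effective Nomad settings: base, overridden by extra, then by host
# (recursive merge, later layers win).
vault_agent_nomad_extra: {}
vault_agent_nomad_host: {}
vault_agent_nomad: "{{ vault_agent_nomad_base | combine(vault_agent_nomad_extra, recursive=True) | combine(vault_agent_nomad_host, recursive=True) }}"

vault_agent_consul_base:

  # Should vault-agent fetch certificates for Consul agent
  consul_pki:
    enabled: false
    path: pki/consul
    role: "consul-{{ consul_conf.server | ternary('server', 'client') }}"
    ttl: 72h

# Effective Consul settings: base, overridden by extra, then by host
# (recursive merge, later layers win).
vault_agent_consul_extra: {}
vault_agent_consul_host: {}
vault_agent_consul: "{{ vault_agent_consul_base | combine(vault_agent_consul_extra, recursive=True) | combine(vault_agent_consul_host, recursive=True) }}"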