# {{ ansible_managed }}

[DEFAULT]
use_journal = True
# Disable stderr logging
use_stderr = False
# Show debugging output in logs (sets DEBUG log level output)
debug = {{ debug }}

# Host name, for use in HATEOAS-style references
#  Note: Typically this would be the load balanced endpoint that clients would use
#  communicate back with this service.
host_href = {{ barbican_service_publicurl }}

sql_connection = mysql+pymysql://{{ barbican_galera_user }}:{{ barbican_galera_password }}@{{ barbican_galera_address }}:{{ barbican_galera_port }}/{{ barbican_galera_database }}?charset=utf8{% if barbican_galera_use_ssl | bool %}&ssl_verify_cert=true{% if barbican_galera_ssl_ca_cert | length > 0 %}&ssl_ca={{ barbican_galera_ssl_ca_cert }}{% endif %}{% endif +%}
sql_pool_max_overflow = {{ barbican_db_max_overflow }}
sql_pool_size = {{ barbican_db_max_pool_size }}
sql_idle_timeout = {{ barbican_db_connection_recycle_time }}

# Rabbit and HA configuration:
ampq_durable_queues = True
rabbit_ha_queues = True
transport_url = {{ barbican_oslomsg_rpc_transport }}://{% for host in barbican_oslomsg_rpc_servers.split(',') %}{{ barbican_oslomsg_rpc_userid }}:{{ barbican_oslomsg_rpc_password }}@{{ host }}:{{ barbican_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ _barbican_oslomsg_rpc_vhost_conf }}{% if barbican_oslomsg_rpc_use_ssl | bool %}?ssl=1&ssl_version={{ barbican_oslomsg_rpc_ssl_version }}&ssl_ca_file={{ barbican_oslomsg_rpc_ssl_ca_file }}{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

[oslo_messaging_notifications]
driver = {{ (barbican_ceilometer_enabled | bool) | ternary('messagingv2', 'noop') }}
transport_url = {{ barbican_oslomsg_notify_transport }}://{% for host in barbican_oslomsg_notify_servers.split(',') %}{{ barbican_oslomsg_notify_userid }}:{{ barbican_oslomsg_notify_password }}@{{ host }}:{{ barbican_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ _barbican_oslomsg_notify_vhost_conf }}{% if barbican_oslomsg_notify_use_ssl | bool %}?ssl=1&ssl_version={{ barbican_oslomsg_notify_ssl_version }}&ssl_ca_file={{ barbican_oslomsg_notify_ssl_ca_file }}{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

{% if barbican_oslomsg_rpc_transport == 'rabbit' %}
[oslo_messaging_rabbit]
ssl = {{ barbican_oslomsg_notify_use_ssl | bool }}
rabbit_quorum_queue = {{ barbican_oslomsg_rabbit_quorum_queues }}
rabbit_quorum_delivery_limit = {{ barbican_oslomsg_rabbit_quorum_delivery_limit }}
rabbit_quorum_max_memory_bytes = {{ barbican_oslomsg_rabbit_quorum_max_memory_bytes }}
{% endif %}

{% if barbican_keystone_auth | bool %}
[keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_type = {{ barbican_keystone_auth_plugin }}
auth_url = {{ keystone_service_adminurl }}
www_authenticate_uri = {{ keystone_service_internaluri }}
project_domain_id = {{ barbican_service_project_domain_id }}
user_domain_id = {{ barbican_service_user_domain_id }}
project_name = {{ barbican_service_project_name }}
username = {{ barbican_service_user_name }}
password = {{ barbican_service_password }}
region_name = {{ keystone_service_region }}

service_token_roles_required = {{ barbican_service_token_roles_required | bool }}
service_token_roles = {{ barbican_service_token_roles | join(',') }}
service_type = {{ barbican_service_type }}

memcached_servers = {{ barbican_memcached_servers }}

token_cache_time = 300

# if your memcached server is shared, use these settings to avoid cache poisoning
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcached_encryption_key }}

{% endif %}

# ================= Secret Store Plugin ===================
[secretstore]
{% if barbican_backends_config | length > 1 %}
enable_multiple_secret_stores = True
stores_lookup_suffix = {{ barbican_backends_config.keys() | join(',') }}

{%   for section, config in barbican_backends_config.items() %}
[secretstore:{{ section }}]
{%     for key, value in config.items() %}
{{ key }} = {{ value }}
{%     endfor %}
{%   endfor %}
{% else %}
{% for config in barbican_backends_config.values() %}
enabled_secretstore_plugins = {{ config['secret_store_plugin'] }}

{%   if 'crypto_plugin' in config %}
# ================= Crypto plugin ===================
[crypto]
enabled_crypto_plugins = {{ config['crypto_plugin'] }}
{%   endif %}
{% endfor %}
{% endif %}

{% for section, config in barbican_plugins_config.items() %}
[{{ section }}]
{%   for key, value in config.items() %}
{{ key }} = '{{ value }}'
{%   endfor %}
{% endfor %}

[certificate]
enabled_certificate_plugins = simple_certificate
enabled_certificate_plugins = snakeoil_ca

[certificate_event]
enabled_certificate_event_plugins = simple_certificate

[snakeoil_ca_plugin]
ca_cert_path = /etc/barbican/snakeoil-ca.crt
ca_cert_key_path = /etc/barbican/snakeoil-ca.key
ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain
ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b
subca_cert_key_directory=/etc/barbican/snakeoil-cas