datacenter          = "{{ main_dc_name }}"
primary_datacenter  = "{{ main_dc_name }}"
domain              = "{{ consul_domain }}"
node_name           = "{{ inventory_hostname_short }}"
server              = true
bootstrap_expect    = 3
ui                  = true

encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"

verify_outgoing         = true
verify_server_hostname  = true
verify_incoming_https   = false
verify_incoming_rpc     = true
ca_file                 = "/etc/pki/certs/{{ vault_ca_cert_name }}"
cert_file               = "{{ consul_config_path }}/certs/consul-server.pem"
key_file                = "{{ consul_config_path }}/certs/consul-server.key"

auto_encrypt {
  allow_tls = true
}

bind_addr           = "{{ ansible_default_ipv4.address }}"
start_join          = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"]

data_dir            = "/opt/consul"
log_level           = "INFO"
raft_protocol       = 3

enable_local_script_checks = true

addresses {
  http  = "127.0.0.1"
  https = "0.0.0.0"
  dns   = "0.0.0.0"
}

ports {
  http  = 8500
  https = 8501
}

performance {
  raft_multiplier = 1
}

acl {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
  tokens {
    default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
  }
}