# Run this agent in server mode (it takes part in Raft consensus and stores cluster state).
server           = true
# Hold off bootstrapping the cluster until this many servers have joined.
bootstrap_expect = 3

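# TLS material for this server agent (legacy top-level TLS keys).
# The private key should be readable only by the account the Consul service runs as.
ca_file   = "/etc/consul.d/certs/consul-agent-ca.pem"
cert_file = "/etc/consul.d/certs/dc1-server-consul-1.pem"
key_file  = "/etc/consul.d/certs/dc1-server-consul-1-key.pem"

# Pointing at certificates does not by itself make the agent require TLS: the
# verify_* options default to false, so RPC could still be accepted or sent in
# plaintext. Turn them on so the certificates above are actually enforced.
# verify_incoming_rpc is used rather than verify_incoming so that only
# server RPC, not the HTTP API/UI, demands a client certificate.
# Rollout: every agent must already hold a certificate from the same CA before
# this is enabled on a running cluster, otherwise plaintext agents are rejected.
verify_incoming_rpc    = true
verify_outgoing        = true
verify_server_hostname = true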

# ACL system: enabled, with everything denied unless a token's policy allows it.
acl {
  enabled                  = true
  default_policy           = "deny"
  # Tokens set through the API are written to the agent's data directory and
  # reloaded on restart, so that directory holds secrets and needs tight permissions.
  enable_token_persistence = true

  # NOTE(review): all three tokens below render the SAME template value.
  #  - `default` is the token applied to requests that carry no token. If it equals
  #    the management token, unauthenticated requests are fully privileged and
  #    default_policy = "deny" no longer protects anything.
  #  - `agent` should be a narrowly scoped token for this node, not the management token.
  #  - The variable is named @manager_hosts, which reads like a host list rather than
  #    a secret. Confirm the template is bound to the intended value.
  #  - On Consul 1.11+ `master` is a deprecated alias of `initial_management`.
  # Rendering tokens into this file also makes the file itself a secret:
  # restrict its mode/owner and keep the rendered output out of version control.
  tokens {
    master  = "<%= @manager_hosts %>"
    agent   = "<%= @manager_hosts %>"
    default = "<%= @manager_hosts %>"
  }
}

# Built-in web UI, with topology metrics sourced from Prometheus.
ui_config {
  enabled = true

  metrics_provider = "prometheus"
  # The agent forwards the UI's metrics queries to this backend.
  # NOTE(review): the backend is addressed by a hard-coded IP over plain HTTP and no
  # credentials are configured here, so this hop is neither encrypted nor authenticated.
  # Keep it on a trusted network segment or put TLS in front of Prometheus.
  metrics_proxy {
    base_url = "http://192.168.10.101:9090"
  }
}

# Config entries applied when the cluster is bootstrapped.
config_entries {
  bootstrap = [
    {
      # Global defaults for every service mesh sidecar proxy.
      kind = "proxy-defaults"
      name = "global"
      config {
        # Each Envoy sidecar opens a Prometheus metrics listener on port 9102.
        # NOTE(review): 0.0.0.0 binds it on every interface of every host that runs a
        # sidecar. Restrict port 9102 to the Prometheus scraper with a host firewall
        # or network policy, since the value here does not limit who can connect.
        envoy_prometheus_bind_addr = "0.0.0.0:9102"
      }
    }
  ]
}

# Server side of auto_config: client agents present a JWT and, if it validates,
# receive their configuration (which includes secrets) from the servers.
auto_config {
  authorization {
    enabled = true
    static {
      # NOTE(review): discovery document and signing keys are fetched over plain HTTP.
      # The keys decide which JWTs are trusted, so this fetch needs integrity protection:
      # serve the issuer over HTTPS and pin its CA (oidc_discovery_ca_cert). The issuer
      # string must keep matching the `iss` claim, so change both sides together.
      oidc_discovery_url = "http://vault.homelab:8200/v1/identity/oidc"
      bound_issuer = "http://vault.homelab:8200/v1/identity/oidc"
      # Only the audience is checked. No claim_assertions are set in this block, so a
      # valid JWT is not tied to the node name that requests configuration.
      bound_audiences = [ "dc1" ]
    }
  }
}