---
# Ansible variables for a Harbor registry published through Traefik, with
# OIDC login against a Keycloak realm. Presumably consumed by a Harbor
# role as host/group vars - confirm against the role's defaults.

harbor_version: v2.4.1
harbor_hostname: '{{ stage_server_domain }}'
harbor_external_url: 'https://{{ stage_server_domain }}'
# Admin credentials are indirected through *_vault variables; presumably
# these live in an Ansible Vault encrypted file - verify they are not
# defined in plaintext anywhere in the inventory.
harbor_admin_username: '{{ harbor_admin_username_vault }}'
harbor_admin_password: '{{ harbor_admin_password_vault }}'
# Prefix used for every Traefik router/service/middleware name below.
traefik_id: '{{ inventory_hostname }}-harbor'
# Overrides applied to Harbor's generated docker-compose file.
harbor_dockercompose_customized:
  services:
    core:
      # Static host entries so the core container resolves Keycloak and
      # the mail relay to fixed IPs instead of relying on DNS.
      extra_hosts:
        - '{{ shared_service_keycloak_hostname }}:{{ shared_service_keycloak_ip }}'
        - '{{ shared_service_mail_hostname }}:{{ shared_service_mail_ip }}'
    proxy:
      networks:
        - harbor
        - front-tier
      ports: []  # not exposing ports - already used by traefik
      labels:
        - "traefik.enable=true"
        # NOTE(review): this middleware is declared, but no label in this
        # list attaches it to a router (there is no
        # "...routers.<id>.middlewares=" entry), so as written it looks
        # unused - confirm whether that is intended.
        - "traefik.http.middlewares.{{ traefik_id }}.headers.customrequestheaders.X-Forwarded-Proto=https"
        # Main router: TLS on the websecure entrypoint, forwarded to the
        # proxy container on port 8080.
        - "traefik.http.routers.{{ traefik_id }}.service={{ traefik_id }}"
        - "traefik.http.routers.{{ traefik_id }}.rule=Host(`{{ harbor_hostname }}`)"
        - "traefik.http.routers.{{ traefik_id }}.entrypoints=websecure"
        - "traefik.http.routers.{{ traefik_id }}.tls=true"
        - "traefik.http.routers.{{ traefik_id }}.tls.certresolver=letsencrypt"
        - "traefik.http.services.{{ traefik_id }}.loadbalancer.server.port=8080"
        # Second router on the monitoring-harbor entrypoint, forwarded to
        # port 9090 (presumably Harbor's metrics endpoint - confirm).
        # NOTE(review): these labels attach no authentication or
        # source-restricting middleware, so whoever can reach that
        # entrypoint can read what port 9090 serves. Verify the
        # entrypoint is limited to the monitoring network.
        # The same unattached-middleware remark applies to the
        # "-monitor" headers middleware.
        - "traefik.http.middlewares.{{ traefik_id }}-monitor.headers.customrequestheaders.X-Forwarded-Proto=https"
        - "traefik.http.routers.{{ traefik_id }}-monitor.service={{ traefik_id }}-monitor"
        - "traefik.http.routers.{{ traefik_id }}-monitor.rule=Host(`{{ harbor_hostname }}`)"
        - "traefik.http.routers.{{ traefik_id }}-monitor.entrypoints=monitoring-harbor"
        - "traefik.http.routers.{{ traefik_id }}-monitor.tls=true"
        - "traefik.http.routers.{{ traefik_id }}-monitor.tls.certresolver=letsencrypt"
        - "traefik.http.services.{{ traefik_id }}-monitor.loadbalancer.server.port=9090"
  networks:
    # Pre-existing network shared with Traefik; compose will not create it.
    front-tier:
      external: true
# Harbor system configuration (mail and authentication).
harbor_base_configuration:
  email_host: '{{ shared_service_mail_hostname }}'
  email_port: 25
  email_from: '{{ ansible_fqdn }}@{{ shared_service_mail_hostname }}'
  # Empty credentials: mail is submitted to the relay unauthenticated.
  email_password: ''
  email_username: ''
  # NOTE(review): presumably disables TLS certificate verification for
  # the SMTP connection. Together with port 25 and no credentials, mail
  # to the relay is neither authenticated nor protected against
  # interception - acceptable only on a trusted internal segment.
  email_insecure: true
  auth_mode: oidc_auth
  oidc_name: docker
  oidc_endpoint: 'https://{{ shared_service_keycloak_hostname }}/auth/realms/docker'
  oidc_client_id: docker-registry
  # Token claim Harbor reads group membership from. With only the
  # "openid" scope requested, the identity provider has to add this
  # claim itself - presumably via a group mapper on the client; confirm.
  oidc_groups_claim: groups
  oidc_scope: openid
  # Keeps certificate verification on for the OIDC endpoint.
  oidc_verify_cert: true
  # Harbor accounts are created on first OIDC login without an
  # onboarding step, so every identity that can authenticate in the
  # realm above gets a registry account. Realm membership is therefore
  # the access boundary.
  oidc_auto_onboard: true
  # Members of this group (as delivered in the groups claim) become
  # Harbor administrators, so membership in it is admin-equivalent and
  # should be audited on the identity-provider side.
  oidc_admin_group: '/admin'