{% if software_type == slap_software_type -%}
{#
XXX: This template only supports exactly one IPv4 and one IPv6 per
partition. No more (undefined result), no less (IndexError).
-#}
# TODO: insert varnish between apache & haproxy.
# And think of a way to specify which URLs go through varnish and which go
# directly to haproxy (maybe just pass a literal configuration file chunk).
{#
Pick the first element of each address set as the partition's IPv4 and IPv6.
Indexing with [0] fails on an empty set; with more than one address the
choice depends on the set's iteration order. haproxy listens on the IPv4
and apache on the IPv6 chosen here, so this decides the exposed interfaces.
-#}
{% set ipv4 = (ipv4_set | list)[0] -%}
{% set ipv6 = (ipv6_set | list)[0] -%}
# Top-level buildout settings for this instance profile.
[buildout]
# Pulls in the logrotate profile; the logrotate section referenced by
# logrotate-apache below is presumably defined there (verify).
extends = {{ parameter_dict['instance-logrotate-cfg'] }}
parts +=
  publish
  logrotate-apache
eggs-directory = {{ eggs_directory }}
develop-eggs-directory = {{ develop_eggs_directory }}
# Offline mode: buildout must not fetch anything from the network while
# instantiating; every egg has to be present in eggs-directory already.
offline = true

# Publishes the connection URL of the apache frontend.
[publish]
recipe = slapos.cookbook:publish
# The host is wrapped in square brackets because apache:ip is the IPv6
# address; the scheme is taken from the apache section (https).
url = ${apache:scheme}://[${apache:ip}]:${apache:port}

# Load balancer sitting between apache and the zope backends.
[haproxy]
recipe = slapos.cookbook:haproxy
name = haproxy
conf-path = ${directory:etc}/haproxy.cfg
# Listens on the partition IPv4. apache talks to this address over plain
# HTTP (see apache:backend), so this hop is not encrypted.
# NOTE(review): confirm this IPv4 is not reachable from outside the host,
# otherwise the TLS and access control done by apache can be bypassed.
ip = {{ ipv4 }}
port = 8001
# The values below come from the instance request parameters and are
# written into this profile verbatim.
# NOTE(review): presumably validated upstream; a value containing a
# newline or a buildout reference would alter the generated profile.
maxconn = {{ slapparameter_dict['haproxy-maxconn'] }}
# XXX: should be optional (check recipe code)
server-check-path = {{ slapparameter_dict['haproxy-server-check-path'] }}
wrapper-path = ${directory:services}/haproxy
binary-path = {{ parameter_dict['haproxy'] }}/sbin/haproxy
backend-list = {{ slapparameter_dict['zope-address-list'] }}

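# HTTPS frontend; terminates TLS on the partition IPv6 and forwards to haproxy.
[apache]
recipe = slapos.cookbook:apache.zope.backend
# Plain HTTP towards haproxy: TLS ends at apache.
backend = http://${haproxy:ip}:${haproxy:port}
ip = {{ ipv6 }}
port = 8000
wrapper = ${directory:bin}/apache
scheme = https
# Server key and certificate live under etc/apache.
# NOTE(review): confirm apache.key is created readable by its owner only.
key-file = ${directory:apache-conf}/apache.key
cert-file = ${directory:apache-conf}/apache.crt
configuration-file = ${directory:apache-conf}/apache.conf
# Taken verbatim from the instance request parameters.
# NOTE(review): this value controls who may reach the backend; presumably
# validated upstream, since a newline or a buildout reference in it would
# alter the generated profile.
access-control-string = {{ slapparameter_dict['apache-access-control-string'] }}
pid-file = ${directory:run}/apache.pid
lock-file = ${directory:run}/apache.lock
# Single-dollar reference so buildout expands the log directory like every
# other path in this section; a doubled dollar is buildout's escape and
# would leave the reference unexpanded in the generated configuration.
ssl-session-cache = ${directory:log}/apache-ssl-session-cache
error-log = ${directory:log}/apache-error.log
access-log = ${directory:log}/apache-access.log
apache-binary = {{ parameter_dict['apache'] }}/bin/httpd
# Client-certificate authentication switch and backend path, both taken
# verbatim from the instance request parameters.
ssl-authentication = {{ slapparameter_dict['apache-ssl-authentication'] }}
backend-path = {{ slapparameter_dict['apache-backend-path'] }}
# Note: without the certificate-authority section, the main certificate
# has to be hardcoded.
# The CA certificate and the CRL location used to verify client
# certificates both come from the certificate-authority section.
ssl-authentication-certificate = ${certificate-authority:ca-dir}/cacert.pem
ssl-authentication-crl = ${certificate-authority:ca-crl}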

# Per-instance certificate authority; apache uses its CA certificate and
# CRL location for client-certificate checks.
[certificate-authority]
recipe = slapos.cookbook:certificate_authority
openssl-binary = {{ parameter_dict['openssl'] }}/bin/openssl
ca-dir = ${directory:ca-dir}
requests-directory = ${directory:requests}
# Wrapper is placed in the services directory (etc/run).
wrapper = ${directory:services}/ca
# NOTE(review): presumably holds the CA private key material; confirm the
# directory is created with owner-only permissions.
ca-private = ${directory:private}
ca-certs = ${directory:certs}
ca-newcerts = ${directory:newcerts}
ca-crl = ${directory:crl}
# Subject fields are taken verbatim from the 'ca' request parameter.
# NOTE(review): presumably validated upstream; confirm the values are
# single-line and contain no buildout references.
{% set ca = slapparameter_dict['ca'] -%}
country-code = {{ ca['country-code'] }}
email = {{ ca['email'] }}
state = {{ ca['state'] }}
city = {{ ca['city'] }}
company = {{ ca['company'] }}

# Log rotation entry for the apache error and access logs.
[logrotate-apache]
recipe = slapos.cookbook:logrotate.d
logrotate-entries = ${logrotate:logrotate-entries}
backup = ${logrotate:logrotate-backup}
name = apache
log = ${apache:error-log} ${apache:access-log}
# After rotation, send SIGUSR1 to the process named in the apache pid file
# (httpd treats SIGUSR1 as a graceful restart, which reopens its logs).
post = {{ bin_directory }}/killpidfromfile ${apache:pid-file} SIGUSR1

# Directory layout created inside the partition (buildout:directory).
[directory]
recipe = slapos.cookbook:mkdirectory
# Holds apache.conf together with the server key and certificate.
apache-conf = ${:etc}/apache
bin = ${buildout:directory}/bin
etc = ${buildout:directory}/etc
# Wrappers for haproxy and the CA are written here.
services = ${:etc}/run
var = ${buildout:directory}/var
run = ${:var}/run
log = ${:var}/log
# Certificate authority tree, rooted at srv/ssl.
# NOTE(review): private presumably stores CA key material; confirm the
# permissions this recipe applies to the directories it creates.
ca-dir = ${buildout:directory}/srv/ssl
requests = ${:ca-dir}/requests
private = ${:ca-dir}/private
certs = ${:ca-dir}/certs
newcerts = ${:ca-dir}/newcerts
crl = ${:ca-dir}/crl
{% endif %}