---
- node:
    id: awx_{{ item }}
    firewallrules:
      - action: "reject"
        tonode: awx_{{ item }}
        toservice: "control"

- log-level: info

- tcp-listener:
    port: 2222

{% if sign_work|bool %}
- work-signing:
    privatekey: /etc/receptor/work_private_key.pem
    tokenexpiration: 1m
{% endif %}

{% if sign_work|bool %}
- work-verification:
    publickey: /etc/receptor/work_public_key.pem
{% endif %}

{% for i in range(item | int + 1, control_plane_node_count | int + 1) %}
- tcp-peer:
    address: awx_{{ i }}:2222
    redial: true
{% endfor %}

#- tls-server:
#    name: mutual-tls
#    cert: /etc/receptor/certs/awx.crt
#    key: /etc/receptor/certs/awx.key
#    requireclientcert: true
#    clientcas: /etc/receptor/certs/ca.crt

- control-service:
    service: control
    filename: {{ receptor_socket_file }}

- work-command:
    worktype: local
    command: ansible-runner
    params: worker
    allowruntimeparams: true
    verifysignature: {{ sign_work }}

- work-kubernetes:
    worktype: kubernetes-runtime-auth
    authmethod: runtime
    allowruntimeauth: true
    allowruntimepod: true
    allowruntimeparams: true
    verifysignature: {{ sign_work }}

- work-kubernetes:
    worktype: kubernetes-incluster-auth
    authmethod: incluster
    allowruntimeauth: true
    allowruntimepod: true
    allowruntimeparams: true
    verifysignature: {{ sign_work }}