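---
# Service Manifest
#
# Defines applications, their git repos, data services, and deployment targets.
# Each entry under `services` is keyed by service name and lists the host it
# runs on, the repos to check out, the data services to provision
# (postgres / valkey / s3), and the Vault roles it may request.
#
# Usage:
#   ansible-playbook playbooks/data-service.yml -e "service=myapp"

# Prefix for repository URLs (SSH form).
# Presumably combined with each repo `name` by the playbook; verify there.
git_base_url: "git@git.infra.example:org"

services:
  myapp:
    description: "Example web application"
    host: app-server
    deploy_path: /opt/myapp
    repos:
      - name: myapp
        dest: myapp
        # NOTE(review): `main` is a mutable ref, so the deployed code changes
        # whenever the branch moves. A tag or commit SHA would make deploys
        # reproducible; confirm the playbook accepts one here.
        version: main
    postgres:
      enabled: true
      # restore_from: "databases/dumps/myapp.dump"  # Optional: restore from backup
    valkey:
      enabled: true
      key_prefix: "myapp"  # Access to myapp:* keys only
    s3:
      enabled: true
      bucket: "myapp-media"
    vault_roles:
      - app      # 1h TTL, DML only (SELECT, INSERT, UPDATE, DELETE)
      - migrate  # 15m TTL, DDL+DML (for migrations)

  another-service:
    description: "Another example service"
    host: another-server
    deploy_path: /opt/another
    repos:
      - name: another
        dest: another
        version: main
    postgres:
      enabled: true
    valkey:
      enabled: true
      key_prefix: "another"
    # No `s3` block here. NOTE(review): presumably this means no bucket is
    # provisioned; confirm how data-service.yml treats a missing block.
    vault_roles:
      - app
      - migrate

# Valkey key prefix allocation:
#   All services use database /0 with key prefixes for namespace isolation.
#   Each service gets an ACL user that can only access {service}:* keys.
#   Credentials are provisioned by data-service.yml and stored in Vault.
#
#   NOTE(review): another-service sets key_prefix "another", so the ACL
#   pattern presumably follows `key_prefix`, not the service name; confirm
#   against data-service.yml. Isolation depends on prefixes being unique, and
#   on no prefix being a leading substring of another once the ":" separator
#   is included.
#   NOTE(review): a key pattern only limits commands that take key names.
#   Confirm the ACL user is also denied the admin/dangerous command
#   categories and has its pub/sub channels restricted, since those are not
#   covered by the key pattern.

# S3 bucket allocation:
#   Each service gets its own bucket (default: {service}-media) with a
#   dedicated API key.
#   Buckets are created on the Garage cluster with read/write permissions.
#   Credentials are provisioned by data-service.yml and stored in Vault at
#   secret/{service}/s3.
#
#   NOTE(review): presumably each API key is granted access to its own bucket
#   only, and the Vault policy lets a service read only its own
#   secret/{service}/ path; verify both in data-service.yml.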