# {{ ansible_managed }}

{% if nova_libvirtd_listen_tls == 1 %}
# Use of TLS requires that x509 certificates be issued. The default is
# to keep them in /etc/pki/qemu. This directory must contain
#
#  ca-cert.pem - the CA master certificate
#  server-cert.pem - the server certificate signed with ca-cert.pem
#  server-key.pem  - the server private key
#
# and optionally may contain
#
#  dh-params.pem - the DH params configuration file
#
# If the directory does not exist, libvirtd will fail to start. If the
# directory doesn't contain the necessary files, QEMU domains will fail
# to start if they are configured to use TLS.
#
# In order to overwrite the default path alter the following. This path
# definition will be used as the default path for other *_tls_x509_cert_dir
# configuration settings if their default path does not exist or is not
# specifically set.
#
default_tls_x509_cert_dir = "{{ nova_qemu_ssl_dir }}"

# The default TLS configuration only uses certificates for the server
# allowing the client to verify the server's identity and establish
# an encrypted channel.
#
# It is possible to use x509 certificates for authentication too, by
# issuing an x509 certificate to every client who needs to connect.
#
# Enabling this option will reject any client who does not have a
# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
#
# The default_tls_x509_cert_dir directory must also contain
#
#  client-cert.pem - the client certificate signed with the ca-cert.pem
#  client-key.pem - the client private key
#
# If this option is supplied it provides the default for the "_verify" option
# of specific TLS users such as vnc, backups, migration, etc. The specific
# users of TLS may override this by setting the specific "_verify" option.
#
# When not supplied the specific TLS users provide their own defaults.
#
default_tls_x509_verify = 1
{% endif %}

# Enable use of TLS encryption on the VNC server. This requires
# a VNC client which supports the VeNCrypt protocol extension.
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
# itself. UltraVNC, RealVNC, TightVNC do not support this
#
# It is necessary to setup CA and issue a server certificate
# before enabling this.
#
vnc_tls = {{ nova_qemu_vnc_tls }}

{% for key, value in _nova_qemu_conf.items() %}
{{ key }} = {{ value }}
{% endfor %}