{
  "domain": "REQUIRED",
  "domain_internal": "= domain.sub(/\\..*$/,'.i')",
  "name": {
    "en": "REQUIRED"
  },
  "description": {
    "en": "REQUIRED"
  },
  "contacts": {
    "default": ["REQUIRED"],
    "english": "= contacts.default.map {|email| email.split('@').join(' at the domain ')}.join(', ')"
  },
  "languages": ["en"],
  "default_language": "en",
  "enrollment_policy": "open",
  "service": {
    "levels": [
      // bandwidth limit is in Bytes, storage limit is in MB.
      {"id": 1, "name": "free", "storage":50},
      {"id": 2, "name": "basic", "storage":1000, "rate": ["US$10", "€10"]},
      {"id": 3, "name": "pro", "storage":10000, "rate": ["US$20", "€20"]}
    ],
    "default_service_level": 1,
    "bandwidth_limit": 102400,
    "allow_free": "= provider.service.levels.select {|l| l['rate'].nil?}.any?",
    "allow_paid": "= provider.service.levels.select {|l| !l['rate'].nil?}.any?",
    "allow_anonymous": "= provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?",
    "allow_registration": "= provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?",
    "allow_limited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?",
    "allow_unlimited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'].nil?}.any?"
  },
  "ca": {
    "name": "= provider.ca.organization + ' Root CA'",
    "organization": "= provider.name[provider.default_language]",
    "organizational_unit": "= 'https://' + provider.domain",
    "bit_size": 4096,
    "digest": "SHA256",
    "life_span": "10y",
    "server_certificates": {
      "bit_size": 2048,
      "digest": "SHA256",
      "life_span": "1y"
    },
    "client_certificates": {
      "bit_size": 2048,
      "digest": "SHA256",
      "life_span": "2m",
      "limited_prefix": "LIMITED",
      "unlimited_prefix": "UNLIMITED"
    }
  },
  "hiera_sync_destination": "/etc/leap",
  "client_version": {
    "min": "0.5",
    "max": null
  }
}