ansible-roles/roles/consul/tasks/conf.yml

---

# Ensure certificates exists. This is needed so first consul service starts doesn't fail
# when consul-template hasn't populated the cert yet
- name: Generate self-signed certificate
  import_tasks: ../includes/create_selfsigned_cert.yml
  vars:
    cert_path: "{{ consul_conf.tls.defaults.cert_file }}"
    cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"
    cert_key_group: "{{ consul_user }}"
    cert_key_mode: 640
  tags: consul

- name: Check if CA exists
  stat: path={{ consul_conf.tls.defaults.ca_file }}
  register: consul_ca_file
  tags: consul

- name: Copy cert as CA
  copy: src={{ consul_conf.tls.defaults.cert_file }} dest={{ consul_conf.tls.defaults.ca_file }} remote_src=True
  when: not consul_ca_file.stat.exists
  tags: consul

- name: Deploy consul configuration
  block:
    - name: Deploy consul configuration
      template:
        src: consul.hcl.j2
        dest: "{{ consul_root_dir }}/etc/consul.hcl"
        owner: root
        group: "{{ consul_user }}"
        mode: 0640
        backup: True
      register: consul_main_conf
      notify: restart consul

    - name: Deploy consul reloadable configuration
      template:
        src: reload.hcl.j2
        dest: "{{ consul_root_dir }}/etc/reload.hcl"
        owner: root
        group: "{{ consul_user }}"
        mode: 0640
        backup: True
      register: consul_reload_conf
      notify: reload consul

    - name: Validate configuration
      command: consul validate {{ consul_root_dir }}/etc
      changed_when: False
      become_user: "{{ consul_user }}"
      register: consul_conf_validation

  rescue:
    - block:
        - name: Restore main configuration
          copy:
            src: "{{ consul_main_conf.backup_file }}"
            dest: "{{ consul_root_dir }}/etc/consul.hcl"
            remote_src: True
            owner: root
            group: "{{ consul_user }}"
            mode: 0640
          when: consul_main_conf.backup_file is defined
  
        - name: Restore reloadable configuration
          copy:
            src: "{{ consul_reload_conf.backup_file }}"
            dest: "{{ consul_root_dir }}/etc/reload.hcl"
            remote_src: True
            owner: root
            group: "{{ consul_user }}"
            mode: 0640
          when: consul_reload_conf.backup_file is defined

  tags: consul

- name: Fail if configuration validation failed
  fail:
    msg: "Failed to validate configuration: {{ consul_conf_validation.stdout }}"
  when: consul_conf_validation.rc != 0
  tags: consul

# Now we remove the backup config to prevent consul warning about invalid config files
- name: List backup conf
  shell: ls -1 {{ consul_root_dir }}/etc/*.hcl.*
  failed_when: False
  changed_when: False
  register: consul_backup_configs
  tags: consul

- name: Remove backup configs
  file: path={{ item }} state=absent
  loop: "{{ consul_backup_configs.stdout_lines }}"
  tags: consul

- name: Deploy consul-template config
  template: src=consul-template.hcl.j2 dest={{ consul_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
  notify: restart consul-template-consul
  when: consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled
  tags: consul

- name: Deploy consul-template agent cert template
  template: src=agent_cert.tpl.j2 dest={{ consul_root_dir }}/consul-template/{{ item.where }} owner=root group=root
  loop:
    - what: certificate
      where: agent.crt.tpl
    - what: private_key
      where: agent.key.tpl
    - what: issuing_ca
      where: ca.crt.tpl
  notify: restart consul-template-consul
  when: consul_vault_secrets.pki.enabled
  tags: consul

- name: Deploy consul-template cli cert template
  template: src=cli_cert.tpl.j2 dest={{ consul_root_dir }}/consul-template/{{ item.where }} owner=root group=root
  loop:
    - what: certificate
      where: cli.crt.tpl
    - what: private_key
      where: cli.key.tpl
  notify: restart consul-template-consul
  when: consul_vault_secrets.pki.enabled and consul_conf.server
  tags: consul

- name: Deploy the consul-template agent token template
  template: src=agent.token.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent.token.tpl owner=root group=root
  notify: restart consul-template-consul
  when: consul_vault_secrets.tokens.enabled
  tags: consul

- name: Set ACL on the TLS dir
  shell: |
    setfacl -R -b -x {{ consul_root_dir }}/tls
    {% if consul_admin_groups | length > 0 %}
    setfacl -R -m {% for group in consul_admin_groups %}g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
    setfacl -R -m {% for group in consul_admin_groups %}d:g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
    {% endif %}
  changed_when: False
  failed_when: False # Do not fail if eg, the FS doesn't support ACL
  tags: consul

- name: Deploy profile script
  template: src=profile.sh.j2 dest=/etc/profile.d/consul.sh
  tags: consul
Update to 2022-07-21 01:00 2022-07-21 01:00:17 +02:00			`---`

Update to 2022-09-04 14:00 2022-09-04 14:00:17 +02:00			`# Ensure certificates exists. This is needed so first consul service starts doesn't fail`
			`# when consul-template hasn't populated the cert yet`
			`- name: Generate self-signed certificate`
			`import_tasks: ../includes/create_selfsigned_cert.yml`
			`vars:`
			`cert_path: "{{ consul_conf.tls.defaults.cert_file }}"`
			`cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"`
			`cert_key_group: "{{ consul_user }}"`
			`cert_key_mode: 640`
			`tags: consul`

			`- name: Check if CA exists`
			`stat: path={{ consul_conf.tls.defaults.ca_file }}`
			`register: consul_ca_file`
			`tags: consul`

			`- name: Copy cert as CA`
			`copy: src={{ consul_conf.tls.defaults.cert_file }} dest={{ consul_conf.tls.defaults.ca_file }} remote_src=True`
			`when: not consul_ca_file.stat.exists`
			`tags: consul`

Update to 2022-07-21 01:00 2022-07-21 01:00:17 +02:00			`- name: Deploy consul configuration`
Update to 2022-08-09 13:00 2022-08-09 13:00:15 +02:00			`block:`
			`- name: Deploy consul configuration`
			`template:`
			`src: consul.hcl.j2`
			`dest: "{{ consul_root_dir }}/etc/consul.hcl"`
			`owner: root`
			`group: "{{ consul_user }}"`
			`mode: 0640`
			`backup: True`
			`register: consul_main_conf`
			`notify: restart consul`

			`- name: Deploy consul reloadable configuration`
			`template:`
			`src: reload.hcl.j2`
			`dest: "{{ consul_root_dir }}/etc/reload.hcl"`
			`owner: root`
			`group: "{{ consul_user }}"`
			`mode: 0640`
			`backup: True`
			`register: consul_reload_conf`
			`notify: reload consul`

			`- name: Validate configuration`
			`command: consul validate {{ consul_root_dir }}/etc`
			`changed_when: False`
			`become_user: "{{ consul_user }}"`
			`register: consul_conf_validation`

			`rescue:`
			`- block:`
			`- name: Restore main configuration`
			`copy:`
			`src: "{{ consul_main_conf.backup_file }}"`
			`dest: "{{ consul_root_dir }}/etc/consul.hcl"`
			`remote_src: True`
			`owner: root`
			`group: "{{ consul_user }}"`
			`mode: 0640`
			`when: consul_main_conf.backup_file is defined`

			`- name: Restore reloadable configuration`
			`copy:`
			`src: "{{ consul_reload_conf.backup_file }}"`
			`dest: "{{ consul_root_dir }}/etc/reload.hcl"`
			`remote_src: True`
			`owner: root`
			`group: "{{ consul_user }}"`
			`mode: 0640`
			`when: consul_reload_conf.backup_file is defined`

Update to 2022-07-21 01:00 2022-07-21 01:00:17 +02:00			`tags: consul`
Update to 2022-08-09 13:00 2022-08-09 13:00:15 +02:00
			`- name: Fail if configuration validation failed`
			`fail:`
			`msg: "Failed to validate configuration: {{ consul_conf_validation.stdout }}"`
			`when: consul_conf_validation.rc != 0`
			`tags: consul`

Update to 2022-08-11 11:00 2022-08-11 11:00:17 +02:00			`# Now we remove the backup config to prevent consul warning about invalid config files`
			`- name: List backup conf`
			`shell: ls -1 {{ consul_root_dir }}/etc/.hcl.`
			`failed_when: False`
			`changed_when: False`
			`register: consul_backup_configs`
			`tags: consul`

			`- name: Remove backup configs`
			`file: path={{ item }} state=absent`
			`loop: "{{ consul_backup_configs.stdout_lines }}"`
			`tags: consul`
Update to 2022-09-04 14:00 2022-09-04 14:00:17 +02:00
Update to 2022-09-06 18:00 2022-09-06 18:00:22 +02:00			`- name: Deploy consul-template config`
			`template: src=consul-template.hcl.j2 dest={{ consul_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root`
			`notify: restart consul-template-consul`
			`when: consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled`
Update to 2022-09-04 14:00 2022-09-04 14:00:17 +02:00			`tags: consul`

Update to 2022-09-06 18:00 2022-09-06 18:00:22 +02:00			`- name: Deploy consul-template agent cert template`
			`template: src=agent_cert.tpl.j2 dest={{ consul_root_dir }}/consul-template/{{ item.where }} owner=root group=root`
			`loop:`
			`- what: certificate`
			`where: agent.crt.tpl`
			`- what: private_key`
			`where: agent.key.tpl`
			`- what: issuing_ca`
			`where: ca.crt.tpl`
			`notify: restart consul-template-consul`
			`when: consul_vault_secrets.pki.enabled`
			`tags: consul`
Update to 2022-09-04 14:00 2022-09-04 14:00:17 +02:00
Update to 2022-09-06 18:00 2022-09-06 18:00:22 +02:00			`- name: Deploy consul-template cli cert template`
			`template: src=cli_cert.tpl.j2 dest={{ consul_root_dir }}/consul-template/{{ item.where }} owner=root group=root`
			`loop:`
			`- what: certificate`
			`where: cli.crt.tpl`
			`- what: private_key`
			`where: cli.key.tpl`
			`notify: restart consul-template-consul`
			`when: consul_vault_secrets.pki.enabled and consul_conf.server`
			`tags: consul`
Update to 2022-09-04 14:00 2022-09-04 14:00:17 +02:00
Update to 2022-09-06 18:00 2022-09-06 18:00:22 +02:00			`- name: Deploy the consul-template agent token template`
			`template: src=agent.token.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent.token.tpl owner=root group=root`
			`notify: restart consul-template-consul`
			`when: consul_vault_secrets.tokens.enabled`
Update to 2022-09-04 14:00 2022-09-04 14:00:17 +02:00			`tags: consul`

			`- name: Set ACL on the TLS dir`
			`shell: \|`
			`setfacl -R -b -x {{ consul_root_dir }}/tls`
			`{% if consul_admin_groups \| length > 0 %}`
			`setfacl -R -m {% for group in consul_admin_groups %}g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls`
			`setfacl -R -m {% for group in consul_admin_groups %}d:g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls`
			`{% endif %}`
			`changed_when: False`
			`failed_when: False # Do not fail if eg, the FS doesn't support ACL`
			`tags: consul`

			`- name: Deploy profile script`
			`template: src=profile.sh.j2 dest=/etc/profile.d/consul.sh`
			`tags: consul`