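---
# Defaults for the vault_unseal role: installs lrstanley/vault-unseal and
# renders its configuration file. Every value here can be overridden per
# group (vault_unseal_extra_conf) or per host (vault_unseal_host_conf).

# Release of vault-unseal to install. Quoted so that a future value such as
# 0.8 is never parsed as a float.
vault_unseal_version: "0.7.2"

# Download location of the release binary. Keep this on HTTPS; the version is
# templated in from vault_unseal_version above.
vault_unseal_bin_url: "https://github.com/lrstanley/vault-unseal/releases/download/v{{ vault_unseal_version }}/vault-unseal_linux_amd64"

# SHA-256 of the binary at vault_unseal_bin_url. Update this pin together with
# vault_unseal_version; a stale pin should make the download fail, never be
# removed to "make it work".
vault_unseal_bin_sha256: "f6e2ee07a4e10e73b9518a6d45e22ff68797c8a78dbedc7df5789dc279b60284"

# Installation directory and the dedicated, unprivileged account the service
# runs as.
vault_unseal_root_dir: /opt/vault_unseal
vault_unseal_user: vault-unseal

# Base configuration rendered for vault-unseal. See vault_unseal_conf at the
# bottom of this file for how the overrides are merged on top of it.
vault_unseal_base_conf:
  # named environment that vault-unseal is running in, gets passed in when sending
  # email alerts.
  environment: dev

  # delay between seal-checks of each vault node.
  check_interval: 15s

  # maximum delay between checks of each vault node. when an error occurs, we will
  # add a backoff delay, up to this maximum.
  max_check_interval: 30m

  # list of vault nodes to check, must include http/https, and a port (unless 80/443).
  vault_nodes: []

  # unseal tokens necessary to unseal any of the given vaults in the above node
  # list.
  #
  # WARNING: do not put enough tokens in this list that can be used to unseal a
  # vault instance. I.e. if vault requires 3 of 5 tokens, DO NOT PUT 3 TOKENS HERE.
  # the goal is to put less than the required amount, but have more instances of
  # vault-unseal setup with the other missing tokens from the list. this ensures
  # that if the server was compromised, they don't have all of the needed tokens.
  #
  # i.e. 1 instance of vault-unseal on each of the three nodes, each with two
  # tokens. given A, B, and C tokens required, each instance should have the
  # following tokens:
  # * 1: AB
  # * 2: BC
  # * 3: AC
  #
  # Supply the real tokens through vault_unseal_host_conf from an Ansible
  # Vault-encrypted vars file; never commit them in clear text. Note that
  # combine() replaces lists instead of merging them, so the host override
  # must carry the complete token list for that host.
  unseal_tokens: []

  # skip tls checks for the given vault instance. useful if your instance doesn't
  # have a certificate which has all of the server hostnames on it.
  # Prefer fixing the certificate's SANs over enabling this: with it set to
  # true the node's certificate is not verified at all.
  tls_skip_verify: false

  # email notifications. setting this to false will disable all notifications.
  email:
    enabled: false
    hostname: 127.0.0.1
    port: 25
    # SMTP credentials, if the relay requires them. Like the unseal tokens,
    # keep real values in Ansible Vault rather than in this defaults file.
    # username: your-username
    # password: your-password
    # address to send from.
    from_addr: "vault-unseal-{{ ansible_hostname }}@{{ ansible_domain }}"
    # addresses to send to. the first will be the TO, the second and on will be CC'd
    # onto the message.
    send_addrs:
      - "{{ system_admin_email }}"
    # Skip TLS certificate validation.
    # tls_skip_verify: false
    # Require TLS for SMTP connections.
    # The default is opportunistic.
    # mandatory_tls: false

  # notifications in vault-unseal queue up to prevent email spam (e.g. 20 alerts
  # in one email). this is the max allotted time an event can be queued before
  # the queue is sent as a notification.
  notify_max_elapsed: 10m

  # queue delay is the amount of time vault-unseal waits after the last received
  # notification, before it sends all of them in bulk.
  notify_queue_delay: 60s

# Group-level and host-level overrides, applied in that order on top of
# vault_unseal_base_conf.
vault_unseal_extra_conf: {}
vault_unseal_host_conf: {}

# Effective configuration: base <- extra <- host. Mappings are merged
# recursively; scalars and lists from a later source replace earlier ones.
vault_unseal_conf: "{{ vault_unseal_base_conf | combine(vault_unseal_extra_conf, recursive=True) | combine(vault_unseal_host_conf, recursive=True) }}"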