From 53d90f07e0d61823d8d33c026902c89acf2f417a Mon Sep 17 00:00:00 2001 
From: Daniel Berteaud Date: Mon, 3 Jul 2023 00:00:20 +0200 Subject: [PATCH] Update to 2023-07-03 00:00 --- roles/squid/defaults/main.yml | 1 - roles/squid/files/acl/service_fws.domains | 3 - roles/squid/files/acl/software_fws.domains | 2 - .../squid/files/acl/software_various.domains | 13 +- roles/squid/tasks/main.yml | 8 + roles/vault/defaults/main.yml | 159 ----------------- roles/vault/tasks/archive_pre.yml | 21 --- roles/vault/tasks/facts.yml | 20 +-- roles/vault/tasks/install.yml | 72 +++----- roles/vault/tasks/main.yml | 28 --- roles/vault/vars/RedHat.yml | 8 + roles/vault_server/defaults/main.yml | 166 ++++++++++++++++++ .../{vault => vault_server}/handlers/main.yml | 0 roles/{vault => vault_server}/meta/main.yml | 1 + .../tasks/archive_post.yml | 0 roles/vault_server/tasks/archive_pre.yml | 10 ++ .../{vault => vault_server}/tasks/cleanup.yml | 0 roles/{vault => vault_server}/tasks/conf.yml | 0 .../tasks/directories.yml | 0 roles/vault_server/tasks/facts.yml | 11 ++ roles/vault_server/tasks/install.yml | 34 ++++ .../tasks/iptables.yml | 0 roles/vault_server/tasks/main.yml | 35 ++++ .../tasks/services.yml | 0 roles/{vault => vault_server}/tasks/user.yml | 0 .../consul-template-vault.service.j2 | 0 .../templates/consul-template.hcl.j2 | 0 .../templates/dehydrated_hook.j2 | 0 .../templates/logrotate.conf.j2 | 0 .../templates/nomad_client_bundle.pem.tpl.j2 | 0 .../templates/update_nomad_cert.j2 | 0 .../templates/vault.hcl.j2 | 0 .../templates/vault.service.j2 | 3 +- 33 files changed, 312 insertions(+), 283 deletions(-) delete mode 100644 roles/squid/files/acl/service_fws.domains delete mode 100644 roles/squid/files/acl/software_fws.domains delete mode 100644 roles/vault/tasks/archive_pre.yml create mode 100644 roles/vault/vars/RedHat.yml create mode 100644 roles/vault_server/defaults/main.yml rename roles/{vault => vault_server}/handlers/main.yml (100%) rename roles/{vault => vault_server}/meta/main.yml (79%) rename roles/{vault => 
vault_server}/tasks/archive_post.yml (100%) create mode 100644 roles/vault_server/tasks/archive_pre.yml rename roles/{vault => vault_server}/tasks/cleanup.yml (100%) rename roles/{vault => vault_server}/tasks/conf.yml (100%) rename roles/{vault => vault_server}/tasks/directories.yml (100%) create mode 100644 roles/vault_server/tasks/facts.yml create mode 100644 roles/vault_server/tasks/install.yml rename roles/{vault => vault_server}/tasks/iptables.yml (100%) create mode 100644 roles/vault_server/tasks/main.yml rename roles/{vault => vault_server}/tasks/services.yml (100%) rename roles/{vault => vault_server}/tasks/user.yml (100%) rename roles/{vault => vault_server}/templates/consul-template-vault.service.j2 (100%) rename roles/{vault => vault_server}/templates/consul-template.hcl.j2 (100%) rename roles/{vault => vault_server}/templates/dehydrated_hook.j2 (100%) rename roles/{vault => vault_server}/templates/logrotate.conf.j2 (100%) rename roles/{vault => vault_server}/templates/nomad_client_bundle.pem.tpl.j2 (100%) rename roles/{vault => vault_server}/templates/update_nomad_cert.j2 (100%) rename roles/{vault => vault_server}/templates/vault.hcl.j2 (100%) rename roles/{vault => vault_server}/templates/vault.service.j2 (87%) diff --git a/roles/squid/defaults/main.yml b/roles/squid/defaults/main.yml index 647590e..fecd60b 100644 --- a/roles/squid/defaults/main.yml +++ b/roles/squid/defaults/main.yml @@ -91,7 +91,6 @@ squid_base_acl: type: dstdomain items: - '"/etc/squid/acl/software_windows.domains"' - - '"/etc/squid/acl/service_fws.domains"' - '"/etc/squid/acl/service_dbd.domains"' - '"/etc/squid/acl/service_various.domains"' - '"/etc/squid/acl/software_epel.domains"' diff --git a/roles/squid/files/acl/service_fws.domains b/roles/squid/files/acl/service_fws.domains deleted file mode 100644 index 4635dbe..0000000 --- a/roles/squid/files/acl/service_fws.domains +++ /dev/null @@ -1,3 +0,0 @@ -.firewall-services.com -.fws.fr -iptek.biz 
diff --git a/roles/squid/files/acl/software_fws.domains b/roles/squid/files/acl/software_fws.domains deleted file mode 100644 index 9b042d7..0000000 --- a/roles/squid/files/acl/software_fws.domains +++ /dev/null @@ -1,2 +0,0 @@ -repo.firewall-services.com -rpms.fws.fr diff --git a/roles/squid/files/acl/software_various.domains b/roles/squid/files/acl/software_various.domains index e6167f3..1d7993e 100644 --- a/roles/squid/files/acl/software_various.domains +++ b/roles/squid/files/acl/software_various.domains @@ -41,12 +41,6 @@ www.piwheels.org # Ruby api.rubygems.org -# Seadrive -download.seadrive.org -rpm.seadrive.org -linux-clients.seafile.com -s3.eu-central-1.amazonaws.com - # GLPI forge.glpi-project.org @@ -255,6 +249,7 @@ www.zimbra.com openzal.org update.zextras.com download.zextras.com +go.zextras.com # ZFS On Linux download.zfsonlinux.org @@ -371,9 +366,6 @@ www.cloudflare.com static.metabase.com downloads.metabase.com -# Zimbra / Zextras -go.zextras.com - # Zulip www.zulip.org packages.groonga.org @@ -393,3 +385,6 @@ releases.hashicorp.com # Traefik plugins .plugin.pilot.traefik.io + +# COPR repositories +download.copr.fedorainfracloud.org diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml index eab98f6..d4df720 100644 --- a/roles/squid/tasks/main.yml +++ b/roles/squid/tasks/main.yml @@ -94,6 +94,14 @@ notify: reload squid tags: proxy +- name: Remove obsolete acl files + file: path=/etc/squid/acl/{{ item }} state=absent + loop: + - software_fws.domains + - service_fws.domains + notify: reload squid + tags: proxy + - name: Deploy local white and blacklists template: src={{ item }}.j2 dest=/etc/squid/acl/{{ item }} with_items: diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml index 0995b0a..6def85a 100644 --- a/roles/vault/defaults/main.yml +++ b/roles/vault/defaults/main.yml @@ -1,5 +1,3 @@ ---- - # Version of Vault to install vault_version: 1.14.0 # URL of the archive 
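Review bot: The new `Remove obsolete acl files` task in roles/squid/tasks/main.yml uses `loop:` while the `Deploy local white and blacklists` task right below it in the same hunk uses `with_items:`; pick one form for the file. Because the task notifies `reload squid`, it is worth a one-line comment that the files removed here must no longer be referenced by the rendered squid configuration (the roles/squid/defaults/main.yml hunk drops `service_fws.domains` from `squid_base_acl`, but I cannot see where `software_fws.domains` was referenced), e.g. `# These files must not be referenced in squid.conf anymore, otherwise the reload fails`.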
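Review bot: The first hunk of roles/vault/defaults/main.yml drops the leading `---` document-start marker and the blank line after it, while every other YAML file touched by this commit (roles/vault/vars/RedHat.yml, roles/vault_server/defaults/main.yml, the new task files) keeps `---` as its first line. Keeping the marker is consistent across the repository and is what ansible-lint's document-start check expects. If the removal was not intended, restore `---` as line 1.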
@@ -7,160 +5,3 @@ vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vaul # Expected sha256 of the archive vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50 -# Root dir where Nomad will be installed -vault_root_dir: /opt/vault - -# user under which vault will run. -vault_user: vault - -# Setting vault_letsencrypt_cert will automate cert configuration -# using Let's Encrypt. The server need to have the letsencrypt role assigned -# Note that you probably want to use dns-01 challenges in this case so you won't have to -# expose your vault server on the public internet -# vault_letsencrypt_cert: "{{ inventory_hostname }}" - -# A token having backup (raft snapshot) permission. If set, ansible will -# take a snapshot of the data before upgrading vault -# vault_bkp_token: XXXXX - -# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall -vault_base_services: - api: - port: 8200 - src_ip: [] - cluster: - port: 8201 - src_ip: [] # You should set this to the IP / CIDR of your other servers - -# Exemple -# vault_extra_services: -# cluster: -# src_ip: -# - 10.127.0.10 -# - 10.145.99.60 -vault_extra_services: {} -vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}" - -# Configuration of the service (which will be converted to JSON) -# The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily -vault_base_conf: - # Name of the Vault cluster - cluster_name: Vault Cluster - - # Log settings - log_level: INFO - log_format: standard - - # Plugin settings - plugin_directory: "{{ vault_root_dir }}/plugins" - # This means vault will expect plugins to be owned by root - plugin_file_uid: 0 - - # Is the UI enabled ? 
- ui: True - - # TCP listeners - listeners: - # Address/port on which vault will bind for API requests - - address: 0.0.0.0:{{ vault_services.api.port }} - # Address/port on which vault will bind for inter-node communications - cluster_address: 0.0.0.0:{{ vault_services.cluster.port }} - - # Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated - # by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here - # Only change if you want to manually control the certificate to use - tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt" - tls_key_file: "{{ vault_root_dir }}/tls/vault.key" - - # List of IP address for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR - x_forwarded_for_authorized_addrs: [] - # If x_forwarded_for_authorized_addrs is set and a request does not have X-Forwarded-For address, should it be rejected - # Default is False which means you can reach vault both directly or through your reverse proxy - x_forwarded_for_reject_not_present: False - - telemetry: - # Allow unauthenticated access to /v1/sys/metrics - unauthenticated_metrics_access: True - - # URL of the API to advertise - api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }} - # URL of the inter-node communication endpoint to advertise - cluster_addr: https://{{ inventory_hostname }}:{{ vault_services.cluster.port }} - - # When using integrated raft storage, mlock should be disabled - disable_mlock: True - - storage: - # Integrated raf storage - raft: - path: "{{ vault_root_dir }}/data" - node_id: "{{ inventory_hostname }}" - performance_multiplier: 1 - # retry_join: - # - leader_api_addr: https://vault-1.example.org:8200 - # leader_ca_cert: /opt/vault/tls/ca-vault-1.crt - # - leader_api_addr: https://vault-2.example.org:8200 - # - leader_api_addr: https://vault-3.example.org:8200 - retry_join: [] - - # Service registration on consul - 
#service_registration: - # address: http://localhost:8500 - # service: vault - # token: XXXXX - # service_tags: - # - "traefik.enable=true" - # - "traefik.http.routers.http.entrypoints=https" - # - "traefik.http.routers.http.rule=Host(`vault.example.org`)" - # tls_ca_file: /opt/vault/tls/consul_ca.crt - # tls_cert_file: /opt/vault/tls/consul_cert.crt - # tls_key_file: /opt/vault/tls/consul_key.crt - - telemetry: - prometheus_retention_time: 1h - disable_hostname: True - enable_hostname_label: True - -# You can add additional paramters in vault_extra_conf (or vault_host_conf) -# they will be merged into the vault_base_conf before rendering -# Example -# vault_extra_conf: -# cluster_name: Vault Production -# storage: -# raft: -# retry_join: -# leader_api_addr: https://vault1.example.org:8201 -vault_extra_conf: {} -vault_host_conf: {} -# Merge all the conf -vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}" - -# This can be used to spawn a consul-template service which will obtain and renew client cert -# to reach Nomad API, so the Nomad secret can be used securely -vault_base_secrets: - # The vault API to query. Default is our own API - vault_address: "{{ vault_conf.api_addr }}" - # The vault token to use - vault_token: XXXXXXX - nomad: - enabled: False - # The Nomad API address - address: https://nomad.service.consul:4646 - # The Nomad management token vault will use to issue tokens for users - token: XXXXXXX - pki: - # The path where the PKI used by Nomad is mounted. 
The PKI must be mounted and configured - path: /pki/nomad - # The role used to issue the certificate - role: nomad-user - # The TTL of the certificate issued for vault - ttl: 72h - # The common name of the certificate - cn: vault - secret: - # The path where the Nomad secret engine is mounted - # Note: the secret must be already mounted - path: nomad -vault_extra_secrets: {} -vault_host_secrets: {} -vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}" diff --git a/roles/vault/tasks/archive_pre.yml b/roles/vault/tasks/archive_pre.yml deleted file mode 100644 index 56e26cd..0000000 --- a/roles/vault/tasks/archive_pre.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- name: Create the archive dir - file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=directory - tags: vault - -#- name: Take a snapshot of the data -# command: vault operator raft snapshot save {{ vault_root_dir }}/archives/{{ vault_current_version }}/vault.snap -# when: -# - vault_bkp_token is defined -# - vault_sys_services.ansible_facts.services['nomad.service'] is defined -# - vault_sys_services.ansible_facts.services['nomad.service'].state == 'started' -# - vault_status.initialized is defined and vault_status.initialized -# - vault_status.sealed is defined and not vault_status.sealed -# - vault_status.leader_address == vault_conf.api_addr -# tags: vault - -- name: Backup previous version - copy: src={{ vault_root_dir }}/bin/vault dest={{ vault_root_dir }}/archives/{{ vault_current_version }}/ remote_src=True - tags: vault - diff --git a/roles/vault/tasks/facts.yml b/roles/vault/tasks/facts.yml index 8b27ea5..9096ab2 100644 --- a/roles/vault/tasks/facts.yml +++ b/roles/vault/tasks/facts.yml 
@@ -1,8 +1,16 @@ --- +# Load distribution specific variables +- include_vars: "{{ item }}" + with_first_found: + - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_distribution }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}.yml" + tags: vault + - set_fact: vault_install_mode: 'none' - vault_status: {} tags: vault - name: Detect if vault is installed @@ -20,21 +28,11 @@ shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/' changed_when: False register: vault_current_version - #- command: /usr/local/bin/vault status -format=json -tls-skip-verify - # changed_when: False - # register: vault_status - # failed_when: False # do not fail if vault is not running - set_fact: vault_current_version: "{{ vault_current_version.stdout }}" - # vault_status: "{{ (vault_status.rc == 0) | ternary(vault_status.stdout | from_json, {}) }}" tags: vault - when: vault_bin.stat.exists and vault_current_version != vault_version set_fact: vault_install_mode='upgrade' tags: vault -- name: Check the state of the services - service_facts: - register: vault_sys_services - tags: vault - diff --git a/roles/vault/tasks/install.yml b/roles/vault/tasks/install.yml index f5d9e85..e5c38ff 100644 --- a/roles/vault/tasks/install.yml +++ b/roles/vault/tasks/install.yml 
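Review bot: The `include_vars` with `with_first_found` added at the top of roles/vault/tasks/facts.yml has no fallback entry and no `skip: true`, and the only vars file this commit creates is roles/vault/vars/RedHat.yml, so on a host whose `ansible_os_family` is not RedHat the lookup raises a "no file found" error and `vault_packages`, which roles/vault/tasks/install.yml now feeds to `package:`, is never defined. Either add a `vars/default.yml` listing the packages as the last entry of the `with_first_found` list, or give `vault_packages` a default in roles/vault/defaults/main.yml. A short comment stating the intended lookup order would also help: `# Most specific first: distro-major, family-major, distro, family`.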
@@ -2,11 +2,23 @@ - name: Install needed tools package: - name: - - tar - - zstd - - unzip - - jq + name: "{{ vault_packages }}" + tags: vault + +# Migrate from the old vault role +- name: Check if vualt is a link + stat: path=/usr/local/bin/vault + register: vault_link + tags: vault + +- when: vault_link.stat.islnk is defined and vault_link.stat.islnk + block: + + - name: Remove vault link + file: path=/usr/local/bin/vault state=absent + + - set_fact: vault_install_mode='upgrade' + tags: vault - when: vault_install_mode != 'none' 
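Review bot: The task name `Check if vualt is a link` in the migration block of roles/vault/tasks/install.yml has a typo; `- name: Check if vault is a link`. The comment `# Migrate from the old vault role` would read better if it said what is migrated, since the old layout is only visible in the next hunk (the binary lived in `{{ vault_root_dir }}/bin/vault` with a symlink in /usr/local/bin): `# Migrate from the old layout: /usr/local/bin/vault was a symlink to {{ vault_root_dir }}/bin/vault; drop the link so the real binary can be installed there`.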
@@ -14,63 +26,27 @@ - name: Download vault get_url: url: "{{ vault_archive_url }}" - dest: "{{ vault_root_dir }}/tmp" + dest: /tmp checksum: sha256:{{ vault_archive_sha256 }} - name: Extract the archive unarchive: - src: "{{ vault_root_dir }}/tmp/vault_{{ vault_version }}_linux_amd64.zip" - dest: "{{ vault_root_dir }}/tmp" - remote_src: True - - - name: Install vault binary - copy: - src: "{{ vault_root_dir }}/tmp/vault" - dest: "{{ vault_root_dir }}/bin/vault" + src: /tmp/vault_{{ vault_version }}_linux_amd64.zip + dest: /usr/local/bin + include: vault remote_src: True mode: 755 - notify: restart vault - - name: Link in /usr/local/bin - file: src={{ vault_root_dir }}/bin/vault dest=/usr/local/bin/vault state=link force=True + - name: Remove ZIP archive + file: path=/tmp/vault_{{ vault_version }}_linux_amd64.zip state=absent tags: vault - name: Install bash completion support copy: content: | - complete -C {{ vault_root_dir }}/bin/vault vault + complete -C /usr/local/bin/vault vault dest: /etc/bash_completion.d/vault mode: 0644 tags: vault -- name: Deploy systemd service unit - template: src=vault.service.j2 dest=/etc/systemd/system/vault.service - register: vault_unit - notify: restart vault - tags: vault - -- name: Install consul-template unit - template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service - notify: restart consul-template-vault - register: vault_secrets_nomad_unit - tags: vault - -- name: Reload systemd - systemd: daemon_reload=True - when: vault_unit.changed or vault_secrets_nomad_unit.changed - tags: vault - -- name: Install dehydrated hook - template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755 - tags: vault - -- name: Install profile script - copy: - content: | - #!/bin/sh - export VAULT_ADDR={{ vault_conf.api_addr }} - dest: /etc/profile.d/vault.sh - mode: 0755 - tags: vault - 
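Review bot: The rewritten install block in roles/vault/tasks/install.yml drops the `notify: restart vault` that accompanied the old binary copy, so after `unarchive` overwrites /usr/local/bin/vault a running server keeps executing the old binary and nothing in this role restarts it; the `# Vault version {{ vault_current_version }}` line added to roles/vault_server/templates/vault.service.j2 looks like the intended replacement trigger, but it only fires when the vault_server role runs in the same play. A comment above the `Extract the archive` task should say so: `# No notify here: the vault_server role restarts the service when its unit (which embeds the version) changes`. Pre-existing but visible in the context lines, `mode: 755` is an unquoted integer; Ansible reads it as decimal, so it should be `mode: '0755'`.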
diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml index a517c66..3e2dceb 100644 --- a/roles/vault/tasks/main.yml +++ b/roles/vault/tasks/main.yml @@ -1,35 +1,7 @@ --- -- include_tasks: user.yml - tags: always - -- include_tasks: directories.yml - tags: always - - include_tasks: facts.yml tags: always -- include_tasks: archive_pre.yml - when: vault_install_mode | default('none') == 'upgrade' - tags: always - - include_tasks: install.yml tags: always - -- include_tasks: conf.yml - tags: always - -- include_tasks: iptables.yml - when: iptables_manage | default(True) - tags: always - -- include_tasks: services.yml - tags: always - -- include_tasks: archive_post.yml - when: vault_install_mode | default('none') == 'upgrade' - tags: always - -- include_tasks: cleanup.yml - tags: always - diff --git a/roles/vault/vars/RedHat.yml b/roles/vault/vars/RedHat.yml new file mode 100644 index 0000000..033fbfb --- /dev/null +++ b/roles/vault/vars/RedHat.yml @@ -0,0 +1,8 @@ +--- + +vault_packages: + - tar + - zstd + - unzip + - jq + diff --git a/roles/vault_server/defaults/main.yml b/roles/vault_server/defaults/main.yml new file mode 100644 index 0000000..0995b0a --- /dev/null +++ b/roles/vault_server/defaults/main.yml 
@@ -0,0 +1,166 @@ +--- + +# Version of Vault to install +vault_version: 1.14.0 +# URL of the archive +vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip +# Expected sha256 of the archive +vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50 + +# Root dir where Nomad will be installed +vault_root_dir: /opt/vault + +# user under which vault will run. +vault_user: vault + +# Setting vault_letsencrypt_cert will automate cert configuration +# using Let's Encrypt. The server need to have the letsencrypt role assigned +# Note that you probably want to use dns-01 challenges in this case so you won't have to +# expose your vault server on the public internet +# vault_letsencrypt_cert: "{{ inventory_hostname }}" + +# A token having backup (raft snapshot) permission. If set, ansible will +# take a snapshot of the data before upgrading vault +# vault_bkp_token: XXXXX + +# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall +vault_base_services: + api: + port: 8200 + src_ip: [] + cluster: + port: 8201 + src_ip: [] # You should set this to the IP / CIDR of your other servers + +# Exemple +# vault_extra_services: +# cluster: +# src_ip: +# - 10.127.0.10 +# - 10.145.99.60 +vault_extra_services: {} +vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}" + +# Configuration of the service (which will be converted to JSON) +# The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily +vault_base_conf: + # Name of the Vault cluster + cluster_name: Vault Cluster + + # Log settings + log_level: INFO + log_format: standard + + # Plugin settings + plugin_directory: "{{ vault_root_dir }}/plugins" + # This means vault will expect plugins to be owned by root + plugin_file_uid: 0 + + # Is the UI enabled ? 
+ ui: True + + # TCP listeners + listeners: + # Address/port on which vault will bind for API requests + - address: 0.0.0.0:{{ vault_services.api.port }} + # Address/port on which vault will bind for inter-node communications + cluster_address: 0.0.0.0:{{ vault_services.cluster.port }} + + # Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated + # by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here + # Only change if you want to manually control the certificate to use + tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt" + tls_key_file: "{{ vault_root_dir }}/tls/vault.key" + + # List of IP address for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR + x_forwarded_for_authorized_addrs: [] + # If x_forwarded_for_authorized_addrs is set and a request does not have X-Forwarded-For address, should it be rejected + # Default is False which means you can reach vault both directly or through your reverse proxy + x_forwarded_for_reject_not_present: False + + telemetry: + # Allow unauthenticated access to /v1/sys/metrics + unauthenticated_metrics_access: True + + # URL of the API to advertise + api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }} + # URL of the inter-node communication endpoint to advertise + cluster_addr: https://{{ inventory_hostname }}:{{ vault_services.cluster.port }} + + # When using integrated raft storage, mlock should be disabled + disable_mlock: True + + storage: + # Integrated raf storage + raft: + path: "{{ vault_root_dir }}/data" + node_id: "{{ inventory_hostname }}" + performance_multiplier: 1 + # retry_join: + # - leader_api_addr: https://vault-1.example.org:8200 + # leader_ca_cert: /opt/vault/tls/ca-vault-1.crt + # - leader_api_addr: https://vault-2.example.org:8200 + # - leader_api_addr: https://vault-3.example.org:8200 + retry_join: [] + + # Service registration on consul + 
#service_registration: + # address: http://localhost:8500 + # service: vault + # token: XXXXX + # service_tags: + # - "traefik.enable=true" + # - "traefik.http.routers.http.entrypoints=https" + # - "traefik.http.routers.http.rule=Host(`vault.example.org`)" + # tls_ca_file: /opt/vault/tls/consul_ca.crt + # tls_cert_file: /opt/vault/tls/consul_cert.crt + # tls_key_file: /opt/vault/tls/consul_key.crt + + telemetry: + prometheus_retention_time: 1h + disable_hostname: True + enable_hostname_label: True + +# You can add additional paramters in vault_extra_conf (or vault_host_conf) +# they will be merged into the vault_base_conf before rendering +# Example +# vault_extra_conf: +# cluster_name: Vault Production +# storage: +# raft: +# retry_join: +# leader_api_addr: https://vault1.example.org:8201 +vault_extra_conf: {} +vault_host_conf: {} +# Merge all the conf +vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}" + +# This can be used to spawn a consul-template service which will obtain and renew client cert +# to reach Nomad API, so the Nomad secret can be used securely +vault_base_secrets: + # The vault API to query. Default is our own API + vault_address: "{{ vault_conf.api_addr }}" + # The vault token to use + vault_token: XXXXXXX + nomad: + enabled: False + # The Nomad API address + address: https://nomad.service.consul:4646 + # The Nomad management token vault will use to issue tokens for users + token: XXXXXXX + pki: + # The path where the PKI used by Nomad is mounted. 
The PKI must be mounted and configured + path: /pki/nomad + # The role used to issue the certificate + role: nomad-user + # The TTL of the certificate issued for vault + ttl: 72h + # The common name of the certificate + cn: vault + secret: + # The path where the Nomad secret engine is mounted + # Note: the secret must be already mounted + path: nomad +vault_extra_secrets: {} +vault_host_secrets: {} +vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}" diff --git a/roles/vault/handlers/main.yml b/roles/vault_server/handlers/main.yml similarity index 100% rename from roles/vault/handlers/main.yml rename to roles/vault_server/handlers/main.yml diff --git a/roles/vault/meta/main.yml b/roles/vault_server/meta/main.yml similarity index 79% rename from roles/vault/meta/main.yml rename to roles/vault_server/meta/main.yml index c9fe3ab..3417d2e 100644 --- a/roles/vault/meta/main.yml +++ b/roles/vault_server/meta/main.yml @@ -2,4 +2,5 @@ dependencies: - role: mkdir + - role: vault - role: consul_template diff --git a/roles/vault/tasks/archive_post.yml b/roles/vault_server/tasks/archive_post.yml similarity index 100% rename from roles/vault/tasks/archive_post.yml rename to roles/vault_server/tasks/archive_post.yml diff --git a/roles/vault_server/tasks/archive_pre.yml b/roles/vault_server/tasks/archive_pre.yml new file mode 100644 index 0000000..236f6e5 --- /dev/null +++ b/roles/vault_server/tasks/archive_pre.yml @@ -0,0 +1,10 @@ +--- + +- name: Create the archive dir + file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=directory + tags: vault + +- name: Backup previous version + copy: src={{ vault_root_dir }}/bin/vault dest={{ vault_root_dir }}/archives/{{ vault_current_version }}/ remote_src=True + tags: vault + 
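Review bot: The comment on `vault_bkp_token` in the new roles/vault_server/defaults/main.yml still says Ansible will take a raft snapshot before upgrading, but the snapshot task was removed together with roles/vault/tasks/archive_pre.yml and the new roles/vault_server/tasks/archive_pre.yml only backs up the binary, so the comment is stale; reword it to `# Reserved: the pre-upgrade raft snapshot is not implemented yet` or drop the variable. The comment `# Root dir where Nomad will be installed` above `vault_root_dir` should read `Vault`. The defaults also ship `vault_token: XXXXXXX` and `token: XXXXXXX` as syntactically valid values rather than leaving them undefined, so a forgotten override is sent to the API instead of failing early; either state in a comment that they must be overridden or require them with the `mandatory` filter where they are consumed.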
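Review bot: `Backup previous version` in the new roles/vault_server/tasks/archive_pre.yml copies `{{ vault_root_dir }}/bin/vault`, but after this commit the vault role installs the binary directly into /usr/local/bin (roles/vault/tasks/install.yml) and nothing writes `{{ vault_root_dir }}/bin/vault` anymore, so on a fresh host the copy fails and on a migrated host it archives the stale pre-migration binary. The archive directory is also named after `vault_current_version`, which roles/vault_server/tasks/facts.yml reads from /usr/local/bin/vault; if the `vault` dependency declared in meta/main.yml has already run, that is the new version, so the backup would be filed under the wrong name. The backup probably belongs in the vault role before `unarchive` runs, using the version detected there; the minimal change here is `copy: src=/usr/local/bin/vault dest={{ vault_root_dir }}/archives/{{ vault_current_version }}/ remote_src=True` once the ordering is fixed.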
diff --git a/roles/vault/tasks/cleanup.yml b/roles/vault_server/tasks/cleanup.yml similarity index 100% rename from roles/vault/tasks/cleanup.yml rename to roles/vault_server/tasks/cleanup.yml diff --git a/roles/vault/tasks/conf.yml b/roles/vault_server/tasks/conf.yml similarity index 100% rename from roles/vault/tasks/conf.yml rename to roles/vault_server/tasks/conf.yml diff --git a/roles/vault/tasks/directories.yml b/roles/vault_server/tasks/directories.yml similarity index 100% rename from roles/vault/tasks/directories.yml rename to roles/vault_server/tasks/directories.yml diff --git a/roles/vault_server/tasks/facts.yml b/roles/vault_server/tasks/facts.yml new file mode 100644 index 0000000..419b3de --- /dev/null +++ b/roles/vault_server/tasks/facts.yml @@ -0,0 +1,11 @@ +--- + +- block: + - name: Detect installed version + shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/' + changed_when: False + register: vault_current_version + - set_fact: + vault_current_version: "{{ vault_current_version.stdout }}" + tags: vault + diff --git a/roles/vault_server/tasks/install.yml b/roles/vault_server/tasks/install.yml new file mode 100644 index 0000000..edb108e --- /dev/null +++ b/roles/vault_server/tasks/install.yml 
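Review bot: The new roles/vault_server/tasks/facts.yml sets only `vault_current_version`, yet roles/vault_server/tasks/main.yml gates archive_pre.yml and archive_post.yml on `vault_install_mode`, which this role never defines; it appears to rely on the host fact left behind by the `vault` dependency role's facts.yml. That coupling should be written down at the top of the block: `# vault_install_mode is set by the vault role (dependency, see meta/main.yml) and reused by main.yml to decide whether archive_pre/post run`. The version probe also no longer has the `vault_bin.stat.exists` guard the old facts.yml had, which is fine only while the dependency guarantees the binary is present.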
@@ -0,0 +1,34 @@ +--- + +- name: Deploy systemd service unit + template: src=vault.service.j2 dest=/etc/systemd/system/vault.service + register: vault_unit + notify: restart vault + tags: vault + +- name: Install consul-template unit + template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service + notify: restart consul-template-vault + register: vault_secrets_nomad_unit + tags: vault + +- name: Reload systemd + systemd: daemon_reload=True + when: vault_unit.changed or vault_secrets_nomad_unit.changed + tags: vault + +- name: Install dehydrated hook + template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755 + tags: vault + +- name: Install profile script + copy: + content: | + #!/bin/sh + export VAULT_ADDR={{ vault_conf.api_addr }} + dest: /etc/profile.d/vault.sh + mode: 0755 + tags: vault + +- name: Write version + copy: content={{ vault_version }} destination={{ vault_root_dir }}/meta/ansible_version diff --git a/roles/vault/tasks/iptables.yml b/roles/vault_server/tasks/iptables.yml similarity index 100% rename from roles/vault/tasks/iptables.yml rename to roles/vault_server/tasks/iptables.yml diff --git a/roles/vault_server/tasks/main.yml b/roles/vault_server/tasks/main.yml new file mode 100644 index 0000000..a517c66 --- /dev/null +++ b/roles/vault_server/tasks/main.yml 
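Review bot: The `Write version` task at the end of roles/vault_server/tasks/install.yml passes `destination=` to the `copy` module, which has no such parameter (it is `dest`), so the task fails with an unsupported-parameter error; it is also the only task in the file without `tags: vault`, so a tag-filtered run skips it. Change the line to `copy: content={{ vault_version }} dest={{ vault_root_dir }}/meta/ansible_version` and add `tags: vault`. `{{ vault_root_dir }}/meta` must exist beforehand; directories.yml is not in this hunk, so confirm it creates that directory.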
@@ -0,0 +1,35 @@ +--- + +- include_tasks: user.yml + tags: always + +- include_tasks: directories.yml + tags: always + +- include_tasks: facts.yml + tags: always + +- include_tasks: archive_pre.yml + when: vault_install_mode | default('none') == 'upgrade' + tags: always + +- include_tasks: install.yml + tags: always + +- include_tasks: conf.yml + tags: always + +- include_tasks: iptables.yml + when: iptables_manage | default(True) + tags: always + +- include_tasks: services.yml + tags: always + +- include_tasks: archive_post.yml + when: vault_install_mode | default('none') == 'upgrade' + tags: always + +- include_tasks: cleanup.yml + tags: always + diff --git a/roles/vault/tasks/services.yml b/roles/vault_server/tasks/services.yml similarity index 100% rename from roles/vault/tasks/services.yml rename to roles/vault_server/tasks/services.yml diff --git a/roles/vault/tasks/user.yml b/roles/vault_server/tasks/user.yml similarity index 100% rename from roles/vault/tasks/user.yml rename to roles/vault_server/tasks/user.yml diff --git a/roles/vault/templates/consul-template-vault.service.j2 b/roles/vault_server/templates/consul-template-vault.service.j2 similarity index 100% rename from roles/vault/templates/consul-template-vault.service.j2 rename to roles/vault_server/templates/consul-template-vault.service.j2 diff --git a/roles/vault/templates/consul-template.hcl.j2 b/roles/vault_server/templates/consul-template.hcl.j2 similarity index 100% rename from roles/vault/templates/consul-template.hcl.j2 rename to roles/vault_server/templates/consul-template.hcl.j2 diff --git a/roles/vault/templates/dehydrated_hook.j2 b/roles/vault_server/templates/dehydrated_hook.j2 similarity index 100% rename from roles/vault/templates/dehydrated_hook.j2 rename to roles/vault_server/templates/dehydrated_hook.j2 
diff --git a/roles/vault/templates/logrotate.conf.j2 b/roles/vault_server/templates/logrotate.conf.j2 similarity index 100% rename from roles/vault/templates/logrotate.conf.j2 rename to roles/vault_server/templates/logrotate.conf.j2 diff --git a/roles/vault/templates/nomad_client_bundle.pem.tpl.j2 b/roles/vault_server/templates/nomad_client_bundle.pem.tpl.j2 similarity index 100% rename from roles/vault/templates/nomad_client_bundle.pem.tpl.j2 rename to roles/vault_server/templates/nomad_client_bundle.pem.tpl.j2 diff --git a/roles/vault/templates/update_nomad_cert.j2 b/roles/vault_server/templates/update_nomad_cert.j2 similarity index 100% rename from roles/vault/templates/update_nomad_cert.j2 rename to roles/vault_server/templates/update_nomad_cert.j2 diff --git a/roles/vault/templates/vault.hcl.j2 b/roles/vault_server/templates/vault.hcl.j2 similarity index 100% rename from roles/vault/templates/vault.hcl.j2 rename to roles/vault_server/templates/vault.hcl.j2 diff --git a/roles/vault/templates/vault.service.j2 b/roles/vault_server/templates/vault.service.j2 similarity index 87% rename from roles/vault/templates/vault.service.j2 rename to roles/vault_server/templates/vault.service.j2 index baf0975..7089e65 100644 --- a/roles/vault/templates/vault.service.j2 +++ b/roles/vault_server/templates/vault.service.j2 @@ -7,6 +7,7 @@ ConditionFileNotEmpty={{ vault_root_dir }}/etc/vault.hcl StartLimitIntervalSec=60 StartLimitBurst=3 +# Vault version {{ vault_current_version }} [Service] Type=notify User={{ vault_user }} @@ -19,7 +20,7 @@ SecureBits=keep-caps AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE NoNewPrivileges=yes -ExecStart={{ vault_root_dir }}/bin/vault server -config={{ vault_root_dir }}/etc/ +ExecStart=/usr/local/bin/vault server -config={{ vault_root_dir }}/etc/ ExecReload=/bin/kill --signal HUP $MAINPID KillMode=process KillSignal=SIGINT
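Review bot: The added `# Vault version {{ vault_current_version }}` line in vault.service.j2 sits between `StartLimitBurst` and `[Service]` with no explanation of why a comment carries a variable; its only effect is to make the rendered unit change when the detected version changes, which through `register: vault_unit` and `notify: restart vault` in roles/vault_server/tasks/install.yml restarts the service after a binary upgrade. Say so in the line itself: `# Vault version {{ vault_current_version }} (embedded so the unit changes, and the service restarts, on every binary upgrade)`. The template task and facts.yml both carry the `vault` tag, so the variable should always be defined when this renders; that is inferred from the tags visible here.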