Update to 2023-07-03 00:00

Daniel Berteaud
2023-07-03 00:00:20 +02:00
parent 71179d1d72
commit 53d90f07e0
33 changed files with 312 additions and 283 deletions


@@ -1,5 +1,3 @@
---
# Version of Vault to install
vault_version: 1.14.0
# URL of the archive
@@ -7,160 +5,3 @@ vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vaul
# Expected sha256 of the archive
vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50
# Root dir where Nomad will be installed
vault_root_dir: /opt/vault
# user under which vault will run.
vault_user: vault
# Setting vault_letsencrypt_cert will automate cert configuration
# using Let's Encrypt. The server need to have the letsencrypt role assigned
# Note that you probably want to use dns-01 challenges in this case so you won't have to
# expose your vault server on the public internet
# vault_letsencrypt_cert: "{{ inventory_hostname }}"
# A token having backup (raft snapshot) permission. If set, ansible will
# take a snapshot of the data before upgrading vault
# vault_bkp_token: XXXXX
# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
vault_base_services:
api:
port: 8200
src_ip: []
cluster:
port: 8201
src_ip: [] # You should set this to the IP / CIDR of your other servers
# Exemple
# vault_extra_services:
# cluster:
# src_ip:
# - 10.127.0.10
# - 10.145.99.60
vault_extra_services: {}
vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}"
# Configuration of the service (which will be converted to JSON)
# The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily
vault_base_conf:
# Name of the Vault cluster
cluster_name: Vault Cluster
# Log settings
log_level: INFO
log_format: standard
# Plugin settings
plugin_directory: "{{ vault_root_dir }}/plugins"
# This means vault will expect plugins to be owned by root
plugin_file_uid: 0
# Is the UI enabled ?
ui: True
# TCP listeners
listeners:
# Address/port on which vault will bind for API requests
- address: 0.0.0.0:{{ vault_services.api.port }}
# Address/port on which vault will bind for inter-node communications
cluster_address: 0.0.0.0:{{ vault_services.cluster.port }}
# Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated
# by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here
# Only change if you want to manually control the certificate to use
tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt"
tls_key_file: "{{ vault_root_dir }}/tls/vault.key"
# List of IP address for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR
x_forwarded_for_authorized_addrs: []
# If x_forwarded_for_authorized_addrs is set and a request does not have X-Forwarded-For address, should it be rejected
# Default is False which means you can reach vault both directly or through your reverse proxy
x_forwarded_for_reject_not_present: False
telemetry:
# Allow unauthenticated access to /v1/sys/metrics
unauthenticated_metrics_access: True
# URL of the API to advertise
api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }}
# URL of the inter-node communication endpoint to advertise
cluster_addr: https://{{ inventory_hostname }}:{{ vault_services.cluster.port }}
# When using integrated raft storage, mlock should be disabled
disable_mlock: True
storage:
# Integrated raf storage
raft:
path: "{{ vault_root_dir }}/data"
node_id: "{{ inventory_hostname }}"
performance_multiplier: 1
# retry_join:
# - leader_api_addr: https://vault-1.example.org:8200
# leader_ca_cert: /opt/vault/tls/ca-vault-1.crt
# - leader_api_addr: https://vault-2.example.org:8200
# - leader_api_addr: https://vault-3.example.org:8200
retry_join: []
# Service registration on consul
#service_registration:
# address: http://localhost:8500
# service: vault
# token: XXXXX
# service_tags:
# - "traefik.enable=true"
# - "traefik.http.routers.http.entrypoints=https"
# - "traefik.http.routers.http.rule=Host(`vault.example.org`)"
# tls_ca_file: /opt/vault/tls/consul_ca.crt
# tls_cert_file: /opt/vault/tls/consul_cert.crt
# tls_key_file: /opt/vault/tls/consul_key.crt
telemetry:
prometheus_retention_time: 1h
disable_hostname: True
enable_hostname_label: True
# You can add additional paramters in vault_extra_conf (or vault_host_conf)
# they will be merged into the vault_base_conf before rendering
# Example
# vault_extra_conf:
# cluster_name: Vault Production
# storage:
# raft:
# retry_join:
# leader_api_addr: https://vault1.example.org:8201
vault_extra_conf: {}
vault_host_conf: {}
# Merge all the conf
vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}"
# This can be used to spawn a consul-template service which will obtain and renew client cert
# to reach Nomad API, so the Nomad secret can be used securely
vault_base_secrets:
# The vault API to query. Default is our own API
vault_address: "{{ vault_conf.api_addr }}"
# The vault token to use
vault_token: XXXXXXX
nomad:
enabled: False
# The Nomad API address
address: https://nomad.service.consul:4646
# The Nomad management token vault will use to issue tokens for users
token: XXXXXXX
pki:
# The path where the PKI used by Nomad is mounted. The PKI must be mounted and configured
path: /pki/nomad
# The role used to issue the certificate
role: nomad-user
# The TTL of the certificate issued for vault
ttl: 72h
# The common name of the certificate
cn: vault
secret:
# The path where the Nomad secret engine is mounted
# Note: the secret must be already mounted
path: nomad
vault_extra_secrets: {}
vault_host_secrets: {}
vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"


@@ -1,12 +0,0 @@
---
- name: restart vault
service: name=vault state=restarted
when: vault_service_started is not defined or not vault_service_started.changed
- name: reload vault
service: name=vault state=reloaded
- name: restart consul-template-vault
service: name=consul-template-vault state=restarted
when: vault_secrets.nomad.enabled


@@ -1,5 +0,0 @@
---
dependencies:
- role: mkdir
- role: consul_template


@@ -1,14 +0,0 @@
---
- name: Compress previous version
command: tar cf {{ vault_root_dir }}/archives/{{ vault_current_version }}.tar.zst --use-compress-program=zstd ./
args:
chdir: "{{ vault_root_dir }}/archives/{{ vault_current_version }}"
environment:
ZSTD_CLEVEL: 10
tags: vault
- name: Remove archive dir
file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=absent
tags: vault


@@ -1,21 +0,0 @@
---
- name: Create the archive dir
file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=directory
tags: vault
#- name: Take a snapshot of the data
# command: vault operator raft snapshot save {{ vault_root_dir }}/archives/{{ vault_current_version }}/vault.snap
# when:
# - vault_bkp_token is defined
# - vault_sys_services.ansible_facts.services['nomad.service'] is defined
# - vault_sys_services.ansible_facts.services['nomad.service'].state == 'started'
# - vault_status.initialized is defined and vault_status.initialized
# - vault_status.sealed is defined and not vault_status.sealed
# - vault_status.leader_address == vault_conf.api_addr
# tags: vault
- name: Backup previous version
copy: src={{ vault_root_dir }}/bin/vault dest={{ vault_root_dir }}/archives/{{ vault_current_version }}/ remote_src=True
tags: vault


@@ -1,8 +0,0 @@
---
- name: Remove tmp and obsolete files
file: path={{ item }} state=absent
loop:
- "{{ vault_root_dir }}/tmp/vault_{{ vault_version }}_linux_amd64.zip"
- "{{ vault_root_dir }}/tmp/vault"
tags: vault


@@ -1,45 +0,0 @@
---
- name: Generate self-signed certificate
import_tasks: ../includes/create_selfsigned_cert.yml
vars:
cert_path: "{{ vault_root_dir }}/tls/vault.crt"
cert_key_path: "{{ vault_root_dir }}/tls/vault.key"
cert_key_group: "{{ vault_user }}"
cert_key_mode: 640
tags: vault
- name: Deploy vault configuration
template:
src: vault.hcl.j2
dest: "{{ vault_root_dir }}/etc/vault.hcl"
owner: "{{ vault_user }}"
group: "{{ vault_user }}"
mode: 0400
notify: restart vault
tags: vault
- name: Ensure correct permission on vault private key
file: path={{ vault_root_dir }}/tls/vault.key mode=640 owner=root group={{ vault_user }}
tags: vault
- name: Setup logrotate
template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
tags: vault
- when: vault_secrets.nomad.enabled
block:
- name: Deploy the consul-template conf
template: src=consul-template.hcl.j2 dest={{ vault_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
notify: restart consul-template-vault
- name: Deploy Nomad certificate bundle template
template: src=nomad_client_bundle.pem.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl
notify: restart consul-template-vault
- name: Deploy the update cert hook
template: src=update_nomad_cert.j2 dest={{ vault_root_dir }}/bin/update_nomad_cert mode=755
notify: restart consul-template-vault
tags: vault


@@ -1,48 +0,0 @@
---
- name: Create needed directories
file: path={{ vault_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} recurse={{ item.recurse | default(omit) }}
loop:
- dir: /
owner: root
group: root
mode: 755
- dir: archives
owner: root
group: root
mode: 700
- dir: backup
owner: root
group: root
mode: 700
- dir: log
owner: "{{ vault_user }}"
group: "{{ vault_user }}"
mode: u=rwX,g=-,o=-
recurse: True
- dir: meta
owner: root
group: root
mode: 700
- dir: bin
- dir: plugins
- dir: tmp
owner: "{{ vault_user }}"
group: "{{ vault_user }}"
mode: u=rwX,g=-,o=-
recurse: True
- dir: data
owner: "{{ vault_user }}"
group: "{{ vault_user }}"
mode: u=rwX,g=-,o=-
recurse: True
- dir: etc
owner: "{{ vault_user }}"
group: "{{ vault_user }}"
mode: 700
- dir: tls
owner: root
group: "{{ vault_user }}"
mode: 750
- dir: consul-template
tags: vault


@@ -1,8 +1,16 @@
---
# Load distribution specific variables
- include_vars: "{{ item }}"
with_first_found:
- "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
- "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
- "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
tags: vault
- set_fact:
vault_install_mode: 'none'
vault_status: {}
tags: vault
- name: Detect if vault is installed
@@ -20,21 +28,11 @@
shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
changed_when: False
register: vault_current_version
#- command: /usr/local/bin/vault status -format=json -tls-skip-verify
# changed_when: False
# register: vault_status
# failed_when: False # do not fail if vault is not running
- set_fact:
vault_current_version: "{{ vault_current_version.stdout }}"
# vault_status: "{{ (vault_status.rc == 0) | ternary(vault_status.stdout | from_json, {}) }}"
tags: vault
- when: vault_bin.stat.exists and vault_current_version != vault_version
set_fact: vault_install_mode='upgrade'
tags: vault
- name: Check the state of the services
service_facts:
register: vault_sys_services
tags: vault
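Review bot: The added `include_vars` task with `with_first_found` fails the play when none of its four candidate files exists, and every candidate is a distribution-derived name; unless a vars file is shipped for each platform the role targets, hosts on any other OS family stop here before the install tasks run. Append a fallback such as `- "{{ role_path }}/vars/default.yml"` to the list (and ship that file with a `vault_packages` default), or use the `files:` form with `skip: true` and give `vault_packages` a default elsewhere. The task also has no `name:`; `- name: Load distribution specific variables` would replace the comment above it. The `Detect if vault is installed` task at the end of the first hunk continues outside the hunk.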


@@ -2,11 +2,23 @@
- name: Install needed tools
package:
name:
- tar
- zstd
- unzip
- jq
name: "{{ vault_packages }}"
tags: vault
# Migrate from the old vault role
- name: Check if vualt is a link
stat: path=/usr/local/bin/vault
register: vault_link
tags: vault
- when: vault_link.stat.islnk is defined and vault_link.stat.islnk
block:
- name: Remove vault link
file: path=/usr/local/bin/vault state=absent
- set_fact: vault_install_mode='upgrade'
tags: vault
- when: vault_install_mode != 'none'
@@ -14,63 +26,27 @@
- name: Download vault
get_url:
url: "{{ vault_archive_url }}"
dest: "{{ vault_root_dir }}/tmp"
dest: /tmp
checksum: sha256:{{ vault_archive_sha256 }}
- name: Extract the archive
unarchive:
src: "{{ vault_root_dir }}/tmp/vault_{{ vault_version }}_linux_amd64.zip"
dest: "{{ vault_root_dir }}/tmp"
remote_src: True
- name: Install vault binary
copy:
src: "{{ vault_root_dir }}/tmp/vault"
dest: "{{ vault_root_dir }}/bin/vault"
src: /tmp/vault_{{ vault_version }}_linux_amd64.zip
dest: /usr/local/bin
include: vault
remote_src: True
mode: 755
notify: restart vault
- name: Link in /usr/local/bin
file: src={{ vault_root_dir }}/bin/vault dest=/usr/local/bin/vault state=link force=True
- name: Remove ZIP archive
file: path=/tmp/vault_{{ vault_version }}_linux_amd64.zip state=absent
tags: vault
- name: Install bash completion support
copy:
content: |
complete -C {{ vault_root_dir }}/bin/vault vault
complete -C /usr/local/bin/vault vault
dest: /etc/bash_completion.d/vault
mode: 0644
tags: vault
- name: Deploy systemd service unit
template: src=vault.service.j2 dest=/etc/systemd/system/vault.service
register: vault_unit
notify: restart vault
tags: vault
- name: Install consul-template unit
template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service
notify: restart consul-template-vault
register: vault_secrets_nomad_unit
tags: vault
- name: Reload systemd
systemd: daemon_reload=True
when: vault_unit.changed or vault_secrets_nomad_unit.changed
tags: vault
- name: Install dehydrated hook
template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755
tags: vault
- name: Install profile script
copy:
content: |
#!/bin/sh
export VAULT_ADDR={{ vault_conf.api_addr }}
dest: /etc/profile.d/vault.sh
mode: 0755
tags: vault
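Review bot: `mode: 755` on the unarchive task is an unquoted YAML integer, which Ansible's mode handling uses as decimal 755 (octal 1363, sticky bit set and group/other left with wx) rather than rwxr-xr-x; the bash-completion task below already uses the safe form `mode: 0644`, so change the line to `mode: "0755"`. The archive is now staged under `/tmp`, a world-writable directory, at a predictable name between the checksum check in `get_url` and the `unarchive` step; the previous `{{ vault_root_dir }}/tmp` or a directory from the `tempfile` module keeps that window inside a root-owned path. The task name `Check if vualt is a link` in the first hunk has a typo (`vault`). The `Download vault` task belongs to the `- when: vault_install_mode != 'none'` block whose `block:` key lies between the two hunks.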


@@ -1,9 +0,0 @@
---
- name: Handle vault ports in the firewall
iptables_raw:
name: vault_port_{{ item }}
state: "{{ (vault_services[item].src_ip | length > 0) | ternary('present', 'absent') }}"
rules: "-A INPUT -m state --state NEW -p tcp --dport {{ vault_services[item].port }} -s {{ vault_services[item].src_ip | flatten | join(',') }} -j ACCEPT"
loop: "{{ vault_services.keys() | list }}"
tags: firewall,vault


@@ -1,35 +1,7 @@
---
- include_tasks: user.yml
tags: always
- include_tasks: directories.yml
tags: always
- include_tasks: facts.yml
tags: always
- include_tasks: archive_pre.yml
when: vault_install_mode | default('none') == 'upgrade'
tags: always
- include_tasks: install.yml
tags: always
- include_tasks: conf.yml
tags: always
- include_tasks: iptables.yml
when: iptables_manage | default(True)
tags: always
- include_tasks: services.yml
tags: always
- include_tasks: archive_post.yml
when: vault_install_mode | default('none') == 'upgrade'
tags: always
- include_tasks: cleanup.yml
tags: always


@@ -1,13 +0,0 @@
---
- name: Start and enable vault service
service: name=vault state=started enabled=True
register: vault_service_started
tags: vault
- name: Handle consul-template-vault service
service:
name: consul-template-vault
state: "{{ vault_secrets.nomad.enabled | ternary('started', 'stopped') }}"
enabled: "{{ vault_secrets.nomad.enabled | ternary(True, False) }}"
tags: vault


@@ -1,9 +0,0 @@
---
- name: Create vault user
user:
name: "{{ vault_user }}"
home: "{{ vault_root_dir }}"
system: True
shell: /sbin/nologin
tags: vault


@@ -1,20 +0,0 @@
[Unit]
Description="HashiCorp consul-template"
Documentation=https://github.com/hashicorp/consul-template
Requires=network-online.target
After=network-online.target
After=vault.service
ConditionFileNotEmpty={{ vault_root_dir }}/consul-template/consul-template.hcl
[Service]
Type=simple
ExecStart=/usr/local/bin/consul-template -config={{ vault_root_dir }}/consul-template/consul-template.hcl
SuccessExitStatus=12
ExecReload=/bin/kill --signal HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
RestartSec=2
[Install]
WantedBy=multi-user.target


@@ -1,18 +0,0 @@
vault {
address = "{{ vault_secrets.vault_address }}"
token = "{{ vault_secrets.vault_token }}"
unwrap_token = false
}
{% if vault_secrets.nomad.enabled %}
template {
source = "{{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl"
left_delimiter = "[["
right_delimiter = "]]"
destination = "{{ vault_root_dir }}/tls/nomad_client_bundle.pem"
perms = 0600
exec {
command = "{{ vault_root_dir }}/bin/update_nomad_cert {{ vault_secrets.nomad.token }} {{ vault_secrets.vault_token }}"
}
}
{% endif %}


@@ -1,22 +0,0 @@
#!/bin/sh
set -eo pipefail
{% if vault_letsencrypt_cert is defined %}
if [ $1 == "{{ vault_letsencrypt_cert }}" ]; then
cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/fullchain.pem {{ vault_root_dir }}/tls/vault.crt
cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/privkey.pem {{ vault_root_dir }}/tls/vault.key
chown root:vault {{ vault_root_dir }}/tls/vault.key
chown root:root {{ vault_root_dir }}/tls/vault.crt
chmod 640 {{ vault_root_dir }}/tls/vault.key
chmod 644 {{ vault_root_dir }}/tls/vault.crt
systemctl reload vault
fi
{% else %}
# No Let's Encrypt cert configured, nothing to do
exit 0
{% endif %}


@@ -1,8 +0,0 @@
{{ vault_root_dir }}/log/*.log {{ vault_root_dir }}/log/*.json {
daily
rotate 365
compress
missingok
copytruncate
su {{ vault_user }} {{ vault_user }}
}


@@ -1,8 +0,0 @@
[[ with pkiCert "{{ vault_secrets.nomad.pki.path }}/issue/{{ vault_secrets.nomad.pki.role }}" "ttl={{ vault_secrets.nomad.pki.ttl }}" "common_name={{ vault_secrets.nomad.pki.cn }}" ]]
[[ .CA ]]
[[ .Cert ]]
[[ .Key ]]
[[ .CA | writeToFile "{{ vault_root_dir }}/tls/nomad_ca.crt" "root" "root" "0644" ]]
[[ .Cert | writeToFile "{{ vault_root_dir }}/tls/nomad_client.crt" "root" "root" "0644" ]]
[[ .Key | writeToFile "{{ vault_root_dir }}/tls/nomad_client.key" "root" "root" "0600" ]]
[[ end ]]


@@ -1,25 +0,0 @@
#!/bin/sh
set -eo pipefail
NOMAD_TOKEN=$1
VAULT_TOKEN=$2
VAULT_ADDR={{ vault_conf.api_addr }}
if [ "$(vault status -format=json | jq .is_self)" != "true" ]; then
echo "We're not the active vault, exiting"
elif [ "$(vault status -format=json | jq .sealed)" != "false" ]; then
echo "Vault is sealed, exiting"
elif [ "$(vault status -format=json | jq .initialized)" != "true" ]; then
echo "Vault is not initialized yet, exiting"
else
echo Updating Vault certificate to access Nomad API
VAULT_TOKEN=$VAULT_TOKEN \
vault write {{ vault_secrets.nomad.secret.path }}/config/access \
address="{{ vault_secrets.nomad.address }}" \
token="$NOMAD_TOKEN" \
ca_cert="$(cat {{ vault_root_dir }}/tls/nomad_ca.crt)" \
client_cert="$(cat {{ vault_root_dir }}/tls/nomad_client.crt)" \
client_key="$(cat {{ vault_root_dir }}/tls/nomad_client.key)"
fi


@@ -1,73 +0,0 @@
cluster_name = "{{ vault_conf.cluster_name }}"
log_level = "{{ vault_conf.log_level }}"
log_format = "{{ vault_conf.log_format }}"
plugin_directory = "{{ vault_conf.plugin_directory }}"
plugin_file_uid = {{ vault_conf.plugin_file_uid }}
disable_mlock = {{ vault_conf.disable_mlock | ternary('true', 'false') }}
{% for listener in vault_conf.listeners %}
listener "tcp" {
address = "{{ listener.address }}"
cluster_address = "{{ listener.cluster_address }}"
tls_cert_file = "{{ listener.tls_cert_file }}"
tls_key_file = "{{ listener.tls_key_file }}"
{% if listener.x_forwarded_for_authorized_addrs | length > 0 %}
x_forwarded_for_authorized_addrs = "{{ listener.x_forwarded_for_authorized_addrs | join(',') }}"
x_forwarded_for_reject_not_present = {{ listener.x_forwarded_for_reject_not_present | ternary('true', 'false') }}
{% endif %}
{% if listener.telemetry.unauthenticated_metrics_access %}
telemetry {
unauthenticated_metrics_access = true
}
{% endif %}
}
{% endfor %}
api_addr = "{{ vault_conf.api_addr }}"
cluster_addr = "{{ vault_conf.cluster_addr }}"
storage "raft" {
path = "{{ vault_conf.storage.raft.path }}"
node_id = "{{ vault_conf.storage.raft.node_id }}"
performance_multiplier = {{ vault_conf.storage.raft.performance_multiplier }}
{% if vault_conf.storage.raft.retry_join | length > 0 %}
{% for server in vault_conf.storage.raft.retry_join %}
{% if server.leader_api_addr is defined and server.leader_api_addr != vault_conf.api_addr %}
retry_join {
{% for key in server.keys() | list %}
{{ key }} = "{{ server[key] }}"
{% endfor %}
}
{% else %}
# Skipping {{ server.leader_api_addr }} as it's ourself
{% endif %}
{% endfor %}
{% endif %}
}
{% if vault_conf.service_registration is defined %}
service_registration "consul" {
{% for key in ['address', 'service', 'token', 'tls_ca_file', 'tls_cert_file', 'tls_key_file'] %}
{% if vault_conf.service_registration[key] is defined %}
{{ key }} = "{{ vault_conf.service_registration[key] }}"
{% endif %}
{% endfor %}
{% if vault_conf.service_registration.service_tags is defined %}
service_tags = "{{ vault_conf.service_registration.service_tags | join(',') }}"
{% endif %}
}
{% endif %}
ui = {{ vault_conf.ui | ternary('true', 'false') }}
telemetry {
{% for key in ['prometheus_retention_time'] %}
{{ key }} = "{{ vault_conf.telemetry[key] }}"
{% endfor %}
{% for key in ['disable_hostname', 'enable_hostname_label'] %}
{{ key }} = {{ vault_conf.telemetry[key] | ternary('true', 'false') }}
{% endfor %}
}


@@ -1,35 +0,0 @@
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty={{ vault_root_dir }}/etc/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
Type=notify
User={{ vault_user }}
Group={{ vault_user }}
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ExecStart={{ vault_root_dir }}/bin/vault server -config={{ vault_root_dir }}/etc/
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
StartLimitInterval=0
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target


@@ -0,0 +1,8 @@
---
vault_packages:
- tar
- zstd
- unzip
- jq