mirror of
https://git.lapiole.org/dani/ansible-roles.git
synced 2025-10-31 19:01:28 +01:00
Update to 2023-07-03 00:00
This commit is contained in:
Daniel Berteaud
@@ -1,5 +1,3 @@
|
||||
---
|
||||
|
||||
# Version of Vault to install
|
||||
vault_version: 1.14.0
|
||||
# URL of the archive
|
||||
@@ -7,160 +5,3 @@ vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vaul
|
||||
# Expected sha256 of the archive
|
||||
vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50
|
||||
|
||||
# Root dir where Nomad will be installed
|
||||
vault_root_dir: /opt/vault
|
||||
|
||||
# user under which vault will run.
|
||||
vault_user: vault
|
||||
|
||||
# Setting vault_letsencrypt_cert will automate cert configuration
|
||||
# using Let's Encrypt. The server need to have the letsencrypt role assigned
|
||||
# Note that you probably want to use dns-01 challenges in this case so you won't have to
|
||||
# expose your vault server on the public internet
|
||||
# vault_letsencrypt_cert: "{{ inventory_hostname }}"
|
||||
|
||||
# A token having backup (raft snapshot) permission. If set, ansible will
|
||||
# take a snapshot of the data before upgrading vault
|
||||
# vault_bkp_token: XXXXX
|
||||
|
||||
# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
|
||||
vault_base_services:
|
||||
api:
|
||||
port: 8200
|
||||
src_ip: []
|
||||
cluster:
|
||||
port: 8201
|
||||
src_ip: [] # You should set this to the IP / CIDR of your other servers
|
||||
|
||||
# Exemple
|
||||
# vault_extra_services:
|
||||
# cluster:
|
||||
# src_ip:
|
||||
# - 10.127.0.10
|
||||
# - 10.145.99.60
|
||||
vault_extra_services: {}
|
||||
vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}"
|
||||
|
||||
# Configuration of the service (which will be converted to JSON)
|
||||
# The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily
|
||||
vault_base_conf:
|
||||
# Name of the Vault cluster
|
||||
cluster_name: Vault Cluster
|
||||
|
||||
# Log settings
|
||||
log_level: INFO
|
||||
log_format: standard
|
||||
|
||||
# Plugin settings
|
||||
plugin_directory: "{{ vault_root_dir }}/plugins"
|
||||
# This means vault will expect plugins to be owned by root
|
||||
plugin_file_uid: 0
|
||||
|
||||
# Is the UI enabled ?
|
||||
ui: True
|
||||
|
||||
# TCP listeners
|
||||
listeners:
|
||||
# Address/port on which vault will bind for API requests
|
||||
- address: 0.0.0.0:{{ vault_services.api.port }}
|
||||
# Address/port on which vault will bind for inter-node communications
|
||||
cluster_address: 0.0.0.0:{{ vault_services.cluster.port }}
|
||||
|
||||
# Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated
|
||||
# by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here
|
||||
# Only change if you want to manually control the certificate to use
|
||||
tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt"
|
||||
tls_key_file: "{{ vault_root_dir }}/tls/vault.key"
|
||||
|
||||
# List of IP address for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR
|
||||
x_forwarded_for_authorized_addrs: []
|
||||
# If x_forwarded_for_authorized_addrs is set and a request does not have X-Forwarded-For address, should it be rejected
|
||||
# Default is False which means you can reach vault both directly or through your reverse proxy
|
||||
x_forwarded_for_reject_not_present: False
|
||||
|
||||
telemetry:
|
||||
# Allow unauthenticated access to /v1/sys/metrics
|
||||
unauthenticated_metrics_access: True
|
||||
|
||||
# URL of the API to advertise
|
||||
api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }}
|
||||
# URL of the inter-node communication endpoint to advertise
|
||||
cluster_addr: https://{{ inventory_hostname }}:{{ vault_services.cluster.port }}
|
||||
|
||||
# When using integrated raft storage, mlock should be disabled
|
||||
disable_mlock: True
|
||||
|
||||
storage:
|
||||
# Integrated raf storage
|
||||
raft:
|
||||
path: "{{ vault_root_dir }}/data"
|
||||
node_id: "{{ inventory_hostname }}"
|
||||
performance_multiplier: 1
|
||||
# retry_join:
|
||||
# - leader_api_addr: https://vault-1.example.org:8200
|
||||
# leader_ca_cert: /opt/vault/tls/ca-vault-1.crt
|
||||
# - leader_api_addr: https://vault-2.example.org:8200
|
||||
# - leader_api_addr: https://vault-3.example.org:8200
|
||||
retry_join: []
|
||||
|
||||
# Service registration on consul
|
||||
#service_registration:
|
||||
# address: http://localhost:8500
|
||||
# service: vault
|
||||
# token: XXXXX
|
||||
# service_tags:
|
||||
# - "traefik.enable=true"
|
||||
# - "traefik.http.routers.http.entrypoints=https"
|
||||
# - "traefik.http.routers.http.rule=Host(`vault.example.org`)"
|
||||
# tls_ca_file: /opt/vault/tls/consul_ca.crt
|
||||
# tls_cert_file: /opt/vault/tls/consul_cert.crt
|
||||
# tls_key_file: /opt/vault/tls/consul_key.crt
|
||||
|
||||
telemetry:
|
||||
prometheus_retention_time: 1h
|
||||
disable_hostname: True
|
||||
enable_hostname_label: True
|
||||
|
||||
# You can add additional paramters in vault_extra_conf (or vault_host_conf)
|
||||
# they will be merged into the vault_base_conf before rendering
|
||||
# Example
|
||||
# vault_extra_conf:
|
||||
# cluster_name: Vault Production
|
||||
# storage:
|
||||
# raft:
|
||||
# retry_join:
|
||||
# leader_api_addr: https://vault1.example.org:8201
|
||||
vault_extra_conf: {}
|
||||
vault_host_conf: {}
|
||||
# Merge all the conf
|
||||
vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}"
|
||||
|
||||
# This can be used to spawn a consul-template service which will obtain and renew client cert
|
||||
# to reach Nomad API, so the Nomad secret can be used securely
|
||||
vault_base_secrets:
|
||||
# The vault API to query. Default is our own API
|
||||
vault_address: "{{ vault_conf.api_addr }}"
|
||||
# The vault token to use
|
||||
vault_token: XXXXXXX
|
||||
nomad:
|
||||
enabled: False
|
||||
# The Nomad API address
|
||||
address: https://nomad.service.consul:4646
|
||||
# The Nomad management token vault will use to issue tokens for users
|
||||
token: XXXXXXX
|
||||
pki:
|
||||
# The path where the PKI used by Nomad is mounted. The PKI must be mounted and configured
|
||||
path: /pki/nomad
|
||||
# The role used to issue the certificate
|
||||
role: nomad-user
|
||||
# The TTL of the certificate issued for vault
|
||||
ttl: 72h
|
||||
# The common name of the certificate
|
||||
cn: vault
|
||||
secret:
|
||||
# The path where the Nomad secret engine is mounted
|
||||
# Note: the secret must be already mounted
|
||||
path: nomad
|
||||
vault_extra_secrets: {}
|
||||
vault_host_secrets: {}
|
||||
vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"
|
||||
|
||||
Reference in New Issue
Block a user