jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-07-27 08:15:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update to 2023-07-03 00:00

Browse Source
This commit is contained in:
Daniel Berteaud
2023-07-03 00:00:20 +02:00
parent 71179d1d72
commit 53d90f07e0
33 changed files with 312 additions and 283 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
roles/vault/tasks/archive_post.yml
View File

@@ -1,14 +0,0 @@
---
- name: Compress previous version
command: tar cf {{ vault_root_dir }}/archives/{{ vault_current_version }}.tar.zst --use-compress-program=zstd ./
args:
chdir: "{{ vault_root_dir }}/archives/{{ vault_current_version }}"
environment:
ZSTD_CLEVEL: 10
tags: vault
- name: Remove archive dir
file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=absent
tags: vault

21
roles/vault/tasks/archive_pre.yml
View File

@@ -1,21 +0,0 @@
---
- name: Create the archive dir
file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=directory
tags: vault
#- name: Take a snapshot of the data
# command: vault operator raft snapshot save {{ vault_root_dir }}/archives/{{ vault_current_version }}/vault.snap
# when:
# - vault_bkp_token is defined
# - vault_sys_services.ansible_facts.services['nomad.service'] is defined
# - vault_sys_services.ansible_facts.services['nomad.service'].state == 'started'
# - vault_status.initialized is defined and vault_status.initialized
# - vault_status.sealed is defined and not vault_status.sealed
# - vault_status.leader_address == vault_conf.api_addr
# tags: vault
- name: Backup previous version
copy: src={{ vault_root_dir }}/bin/vault dest={{ vault_root_dir }}/archives/{{ vault_current_version }}/ remote_src=True
tags: vault

8
roles/vault/tasks/cleanup.yml
View File

@@ -1,8 +0,0 @@
---
- name: Remove tmp and obsolete files
file: path={{ item }} state=absent
loop:
- "{{ vault_root_dir }}/tmp/vault_{{ vault_version }}_linux_amd64.zip"
- "{{ vault_root_dir }}/tmp/vault"
tags: vault

45
roles/vault/tasks/conf.yml
View File

@@ -1,45 +0,0 @@
---
- name: Generate self-signed certificate
import_tasks: ../includes/create_selfsigned_cert.yml
vars:
cert_path: "{{ vault_root_dir }}/tls/vault.crt"
cert_key_path: "{{ vault_root_dir }}/tls/vault.key"
cert_key_group: "{{ vault_user }}"
cert_key_mode: 640
tags: vault
- name: Deploy vault configuration
template:
src: vault.hcl.j2
dest: "{{ vault_root_dir }}/etc/vault.hcl"
owner: "{{ vault_user }}"
group: "{{ vault_user }}"
mode: 0400
notify: restart vault
tags: vault
- name: Ensure correct permission on vault private key
file: path={{ vault_root_dir }}/tls/vault.key mode=640 owner=root group={{ vault_user }}
tags: vault
- name: Setup logrotate
template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
tags: vault
- when: vault_secrets.nomad.enabled
block:
- name: Deploy the consul-template conf
template: src=consul-template.hcl.j2 dest={{ vault_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
notify: restart consul-template-vault
- name: Deploy Nomad certificate bundle template
template: src=nomad_client_bundle.pem.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl
notify: restart consul-template-vault
- name: Deploy the update cert hook
template: src=update_nomad_cert.j2 dest={{ vault_root_dir }}/bin/update_nomad_cert mode=755
notify: restart consul-template-vault
tags: vault

48
roles/vault/tasks/directories.yml
View File

@@ -1,48 +0,0 @@
---
- name: Create needed directories
file: path={{ vault_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} recurse={{ item.recurse | default(omit) }}
loop:
- dir: /
owner: root
group: root
mode: 755
- dir: archives
owner: root
group: root
mode: 700
- dir: backup
owner: root
group: root
mode: 700
- dir: log
owner: "{{ vault_user }}"
group: "{{ vault_user }}"
mode: u=rwX,g=-,o=-
recurse: True
- dir: meta
owner: root
group: root
mode: 700
- dir: bin
- dir: plugins
- dir: tmp
owner: "{{ vault_user }}"
group: "{{ vault_user }}"
mode: u=rwX,g=-,o=-
recurse: True
- dir: data
owner: "{{ vault_user }}"
group: "{{ vault_user }}"
mode: u=rwX,g=-,o=-
recurse: True
- dir: etc
owner: "{{ vault_user }}"
group: "{{ vault_user }}"
mode: 700
- dir: tls
owner: root
group: "{{ vault_user }}"
mode: 750
- dir: consul-template
tags: vault

20
roles/vault/tasks/facts.yml
View File

@@ -1,8 +1,16 @@
---
# Load distribution specific variables
- include_vars: "{{ item }}"
with_first_found:
- "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
- "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
- "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
tags: vault
- set_fact:
vault_install_mode: 'none'
vault_status: {}
tags: vault
- name: Detect if vault is installed
@@ -20,21 +28,11 @@
shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
changed_when: False
register: vault_current_version
#- command: /usr/local/bin/vault status -format=json -tls-skip-verify
# changed_when: False
# register: vault_status
# failed_when: False # do not fail if vault is not running
- set_fact:
vault_current_version: "{{ vault_current_version.stdout }}"
# vault_status: "{{ (vault_status.rc == 0) | ternary(vault_status.stdout | from_json, {}) }}"
tags: vault
- when: vault_bin.stat.exists and vault_current_version != vault_version
set_fact: vault_install_mode='upgrade'
tags: vault
- name: Check the state of the services
service_facts:
register: vault_sys_services
tags: vault

72
roles/vault/tasks/install.yml
View File

@@ -2,11 +2,23 @@
- name: Install needed tools
package:
name:
- tar
- zstd
- unzip
- jq
name: "{{ vault_packages }}"
tags: vault
# Migrate from the old vault role
- name: Check if vualt is a link
stat: path=/usr/local/bin/vault
register: vault_link
tags: vault
- when: vault_link.stat.islnk is defined and vault_link.stat.islnk
block:
- name: Remove vault link
file: path=/usr/local/bin/vault state=absent
- set_fact: vault_install_mode='upgrade'
tags: vault
- when: vault_install_mode != 'none'
@@ -14,63 +26,27 @@
- name: Download vault
get_url:
url: "{{ vault_archive_url }}"
dest: "{{ vault_root_dir }}/tmp"
dest: /tmp
checksum: sha256:{{ vault_archive_sha256 }}
- name: Extract the archive
unarchive:
src: "{{ vault_root_dir }}/tmp/vault_{{ vault_version }}_linux_amd64.zip"
dest: "{{ vault_root_dir }}/tmp"
remote_src: True
- name: Install vault binary
copy:
src: "{{ vault_root_dir }}/tmp/vault"
dest: "{{ vault_root_dir }}/bin/vault"
src: /tmp/vault_{{ vault_version }}_linux_amd64.zip
dest: /usr/local/bin
include: vault
remote_src: True
mode: 755
notify: restart vault
- name: Link in /usr/local/bin
file: src={{ vault_root_dir }}/bin/vault dest=/usr/local/bin/vault state=link force=True
- name: Remove ZIP archive
file: path=/tmp/vault_{{ vault_version }}_linux_amd64.zip state=absent
tags: vault
- name: Install bash completion support
copy:
content: |
complete -C {{ vault_root_dir }}/bin/vault vault
complete -C /usr/local/bin/vault vault
dest: /etc/bash_completion.d/vault
mode: 0644
tags: vault
- name: Deploy systemd service unit
template: src=vault.service.j2 dest=/etc/systemd/system/vault.service
register: vault_unit
notify: restart vault
tags: vault
- name: Install consul-template unit
template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service
notify: restart consul-template-vault
register: vault_secrets_nomad_unit
tags: vault
- name: Reload systemd
systemd: daemon_reload=True
when: vault_unit.changed or vault_secrets_nomad_unit.changed
tags: vault
- name: Install dehydrated hook
template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755
tags: vault
- name: Install profile script
copy:
content: |
#!/bin/sh
export VAULT_ADDR={{ vault_conf.api_addr }}
dest: /etc/profile.d/vault.sh
mode: 0755
tags: vault

9
roles/vault/tasks/iptables.yml
View File

@@ -1,9 +0,0 @@
---
- name: Handle vault ports in the firewall
iptables_raw:
name: vault_port_{{ item }}
state: "{{ (vault_services[item].src_ip | length > 0) | ternary('present', 'absent') }}"
rules: "-A INPUT -m state --state NEW -p tcp --dport {{ vault_services[item].port }} -s {{ vault_services[item].src_ip | flatten | join(',') }} -j ACCEPT"
loop: "{{ vault_services.keys() | list }}"
tags: firewall,vault

28
roles/vault/tasks/main.yml
View File

@@ -1,35 +1,7 @@
---
- include_tasks: user.yml
tags: always
- include_tasks: directories.yml
tags: always
- include_tasks: facts.yml
tags: always
- include_tasks: archive_pre.yml
when: vault_install_mode | default('none') == 'upgrade'
tags: always
- include_tasks: install.yml
tags: always
- include_tasks: conf.yml
tags: always
- include_tasks: iptables.yml
when: iptables_manage | default(True)
tags: always
- include_tasks: services.yml
tags: always
- include_tasks: archive_post.yml
when: vault_install_mode | default('none') == 'upgrade'
tags: always
- include_tasks: cleanup.yml
tags: always

13
roles/vault/tasks/services.yml
View File

@@ -1,13 +0,0 @@
---
- name: Start and enable vault service
service: name=vault state=started enabled=True
register: vault_service_started
tags: vault
- name: Handle consul-template-vault service
service:
name: consul-template-vault
state: "{{ vault_secrets.nomad.enabled | ternary('started', 'stopped') }}"
enabled: "{{ vault_secrets.nomad.enabled | ternary(True, False) }}"
tags: vault

9
roles/vault/tasks/user.yml
View File

@@ -1,9 +0,0 @@
---
- name: Create vault user
user:
name: "{{ vault_user }}"
home: "{{ vault_root_dir }}"
system: True
shell: /sbin/nologin
tags: vault