Update to 2023-07-03 00:00

2025-10-31 10:51:27 +01:00 · 2023-07-03 00:00:20 +02:00
parent 71179d1d72
commit 53d90f07e0
33 changed files with 312 additions and 283 deletions
--- a/roles/vault/templates/consul-template-vault.service.j2
+++ b/roles/vault/templates/consul-template-vault.service.j2
@@ -1,20 +0,0 @@
-[Unit]
-Description="HashiCorp consul-template"
-Documentation=https://github.com/hashicorp/consul-template
-Requires=network-online.target
-After=network-online.target
-After=vault.service
-ConditionFileNotEmpty={{ vault_root_dir }}/consul-template/consul-template.hcl
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/consul-template -config={{ vault_root_dir }}/consul-template/consul-template.hcl
-SuccessExitStatus=12
-ExecReload=/bin/kill --signal HUP $MAINPID
-KillSignal=SIGINT
-Restart=on-failure
-RestartSec=2
-
-[Install]
-WantedBy=multi-user.target
-
--- a/roles/vault/templates/consul-template.hcl.j2
+++ b/roles/vault/templates/consul-template.hcl.j2
@@ -1,18 +0,0 @@
-vault {
-  address      = "{{ vault_secrets.vault_address }}"
-  token        = "{{ vault_secrets.vault_token }}"
-  unwrap_token = false
-}
-
-{% if vault_secrets.nomad.enabled %}
-template {
-  source          = "{{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl"
-  left_delimiter  = "[["
-  right_delimiter = "]]"
-  destination     = "{{ vault_root_dir }}/tls/nomad_client_bundle.pem"
-  perms           = 0600
-  exec {
-    command = "{{ vault_root_dir }}/bin/update_nomad_cert {{ vault_secrets.nomad.token }} {{ vault_secrets.vault_token }}"
-  }
-}
-{% endif %}
--- a/roles/vault/templates/dehydrated_hook.j2
+++ b/roles/vault/templates/dehydrated_hook.j2
@@ -1,22 +0,0 @@
-#!/bin/sh
-
-set -eo pipefail
-
-{% if vault_letsencrypt_cert is defined %}
-
-if [ $1 == "{{ vault_letsencrypt_cert }}" ]; then
-  cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/fullchain.pem {{ vault_root_dir }}/tls/vault.crt
-  cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/privkey.pem {{ vault_root_dir }}/tls/vault.key
-  chown root:vault {{ vault_root_dir }}/tls/vault.key
-  chown root:root {{ vault_root_dir }}/tls/vault.crt
-  chmod 640 {{ vault_root_dir }}/tls/vault.key
-  chmod 644 {{ vault_root_dir }}/tls/vault.crt
-  systemctl reload vault
-fi
-
-{% else %}
-
-# No Let's Encrypt cert configured, nothing to do
-exit 0
-
-{% endif %}
--- a/roles/vault/templates/logrotate.conf.j2
+++ b/roles/vault/templates/logrotate.conf.j2
@@ -1,8 +0,0 @@
-{{ vault_root_dir }}/log/*.log {{ vault_root_dir }}/log/*.json {
-  daily
-  rotate 365
-  compress
-  missingok
-  copytruncate
-  su {{ vault_user }} {{ vault_user }}
-}
--- a/roles/vault/templates/nomad_client_bundle.pem.tpl.j2
+++ b/roles/vault/templates/nomad_client_bundle.pem.tpl.j2
@@ -1,8 +0,0 @@
-[[ with pkiCert "{{ vault_secrets.nomad.pki.path }}/issue/{{ vault_secrets.nomad.pki.role }}" "ttl={{ vault_secrets.nomad.pki.ttl }}" "common_name={{ vault_secrets.nomad.pki.cn }}" ]]
-[[ .CA ]]
-[[ .Cert ]]
-[[ .Key ]]
-[[ .CA | writeToFile "{{ vault_root_dir }}/tls/nomad_ca.crt" "root" "root" "0644" ]]
-[[ .Cert | writeToFile "{{ vault_root_dir }}/tls/nomad_client.crt" "root" "root" "0644" ]]
-[[ .Key | writeToFile "{{ vault_root_dir }}/tls/nomad_client.key" "root" "root" "0600" ]]
-[[ end ]]
--- a/roles/vault/templates/update_nomad_cert.j2
+++ b/roles/vault/templates/update_nomad_cert.j2
@@ -1,25 +0,0 @@
-#!/bin/sh
-  
-set -eo pipefail
-
-NOMAD_TOKEN=$1
-VAULT_TOKEN=$2
-
-VAULT_ADDR={{ vault_conf.api_addr }}
-
-if [ "$(vault status -format=json | jq .is_self)" != "true" ]; then
-  echo "We're not the active vault, exiting"
-elif [ "$(vault status -format=json | jq .sealed)" != "false" ]; then
-  echo "Vault is sealed, exiting"
-elif [ "$(vault status -format=json | jq .initialized)" != "true" ]; then
-  echo "Vault is not initialized yet, exiting"
-else
-  echo Updating Vault certificate to access Nomad API
-  VAULT_TOKEN=$VAULT_TOKEN \
-    vault write {{ vault_secrets.nomad.secret.path }}/config/access \
-      address="{{ vault_secrets.nomad.address }}" \
-      token="$NOMAD_TOKEN" \
-      ca_cert="$(cat {{ vault_root_dir }}/tls/nomad_ca.crt)" \
-      client_cert="$(cat {{ vault_root_dir }}/tls/nomad_client.crt)" \
-      client_key="$(cat {{ vault_root_dir }}/tls/nomad_client.key)"
-fi
--- a/roles/vault/templates/vault.hcl.j2
+++ b/roles/vault/templates/vault.hcl.j2
@@ -1,73 +0,0 @@
-cluster_name = "{{ vault_conf.cluster_name }}"
-
-log_level = "{{ vault_conf.log_level }}"
-log_format = "{{ vault_conf.log_format }}"
-
-plugin_directory = "{{ vault_conf.plugin_directory }}"
-plugin_file_uid = {{ vault_conf.plugin_file_uid }}
-
-disable_mlock = {{ vault_conf.disable_mlock | ternary('true', 'false') }}
-
-{% for listener in vault_conf.listeners %}
-listener "tcp" {
-  address = "{{ listener.address }}"
-  cluster_address = "{{ listener.cluster_address }}"
-  tls_cert_file = "{{ listener.tls_cert_file }}"
-  tls_key_file = "{{ listener.tls_key_file }}"
-{% if listener.x_forwarded_for_authorized_addrs | length > 0 %}
-  x_forwarded_for_authorized_addrs = "{{ listener.x_forwarded_for_authorized_addrs | join(',') }}"
-  x_forwarded_for_reject_not_present = {{ listener.x_forwarded_for_reject_not_present | ternary('true', 'false') }}
-{% endif %}
-{% if listener.telemetry.unauthenticated_metrics_access %}
-  telemetry {
-    unauthenticated_metrics_access = true
-  }
-{% endif %}
-}
-{% endfor %}
-
-api_addr = "{{ vault_conf.api_addr }}"
-cluster_addr = "{{ vault_conf.cluster_addr }}"
-
-storage "raft" {
-  path = "{{ vault_conf.storage.raft.path }}"
-  node_id = "{{ vault_conf.storage.raft.node_id }}"
-  performance_multiplier = {{ vault_conf.storage.raft.performance_multiplier }}
-{% if vault_conf.storage.raft.retry_join | length > 0 %}
-{% for server in vault_conf.storage.raft.retry_join %}
-{% if server.leader_api_addr is defined and server.leader_api_addr != vault_conf.api_addr %}
-  retry_join {
-{% for key in server.keys() | list %}
-    {{ key }} = "{{ server[key] }}"
-{% endfor %}
-  }
-{% else %}
-  # Skipping {{ server.leader_api_addr }} as it's ourself
-{% endif %}
-{% endfor %}
-{% endif %}
-}
-
-{% if vault_conf.service_registration is defined %}
-service_registration "consul" {
-{% for key in ['address', 'service', 'token', 'tls_ca_file', 'tls_cert_file', 'tls_key_file'] %}
-{% if vault_conf.service_registration[key] is defined %}
-  {{ key }} = "{{ vault_conf.service_registration[key] }}"
-{% endif %}
-{% endfor %}
-{% if vault_conf.service_registration.service_tags is defined %}
-  service_tags = "{{ vault_conf.service_registration.service_tags | join(',') }}"
-{% endif %}
-}
-{% endif %}
-
-ui = {{ vault_conf.ui | ternary('true', 'false') }}
-
-telemetry {
-{% for key in ['prometheus_retention_time'] %}
-  {{ key }} = "{{ vault_conf.telemetry[key] }}"
-{% endfor %}
-{% for key in ['disable_hostname', 'enable_hostname_label'] %}
-  {{ key }} = {{ vault_conf.telemetry[key] | ternary('true', 'false') }}
-{% endfor %}
-}
--- a/roles/vault/templates/vault.service.j2
+++ b/roles/vault/templates/vault.service.j2
@@ -1,35 +0,0 @@
-[Unit]
-Description="HashiCorp Vault - A tool for managing secrets"
-Documentation=https://www.vaultproject.io/docs/
-Requires=network-online.target
-After=network-online.target
-ConditionFileNotEmpty={{ vault_root_dir }}/etc/vault.hcl
-StartLimitIntervalSec=60
-StartLimitBurst=3
-
-[Service]
-Type=notify
-User={{ vault_user }}
-Group={{ vault_user }}
-ProtectSystem=full
-ProtectHome=read-only
-PrivateTmp=yes
-PrivateDevices=yes
-SecureBits=keep-caps
-AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
-NoNewPrivileges=yes
-ExecStart={{ vault_root_dir }}/bin/vault server -config={{ vault_root_dir }}/etc/
-ExecReload=/bin/kill --signal HUP $MAINPID
-KillMode=process
-KillSignal=SIGINT
-Restart=on-failure
-RestartSec=5
-StartLimitInterval=0
-TimeoutStopSec=30
-LimitNOFILE=65536
-LimitMEMLOCK=infinity
-
-[Install]
-WantedBy=multi-user.target
-