Update to 2022-09-08 18:00

2025-11-04 04:41:27 +01:00 · 2022-09-08 18:00:11 +02:00
parent 472469ee4e
commit 5b5815da8d
16 changed files with 32 additions and 21 deletions
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -95,8 +95,8 @@ vault_base_conf:
      # retry_join:
      #   - leader_api_addr: https://vault-1.example.org:8200
      #     leader_ca_cert: /opt/vault/tls/ca-vault-1.crt
-      #   - https://vault-2.example.org:8200
-      #   - https://vault-3.example.org:8200
+      #   - leader_api_addr: https://vault-2.example.org:8200
+      #   - leader_api_addr: https://vault-3.example.org:8200
      retry_join: []

  # Service registration on consul
--- a/roles/vault/handlers/main.yml
+++ b/roles/vault/handlers/main.yml
@@ -9,3 +9,4 @@

 - name: restart consul-template-vault
  service: name=consul-template-vault state=restarted
+  when: vault_secrets.nomad.enabled
--- a/roles/vault/tasks/install.yml
+++ b/roles/vault/tasks/install.yml
@@ -40,7 +40,7 @@
    content: |
      complete -C {{ vault_root_dir }}/bin/vault vault
    dest: /etc/bash_completion.d/vault
-    mode: 755
+    mode: 0644
  tags: vault

 - name: Deploy systemd service unit
@@ -52,13 +52,12 @@
 - name: Install consul-template unit
  template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service
  notify: restart consul-template-vault
-  when: vault_secrets.nomad.enabled
  register: vault_secrets_nomad_unit
  tags: vault

 - name: Reload systemd
  systemd: daemon_reload=True
-  when: vault_unit.changed or (vault_secrets_nomad_unit is defined and vault_secrets_nomad_unit.changed)
+  when: vault_unit.changed or vault_secrets_nomad_unit.changed
  tags: vault

 - name: Install dehydrated hook
--- a/roles/vault/tasks/iptables.yml
+++ b/roles/vault/tasks/iptables.yml
@@ -4,7 +4,6 @@
  iptables_raw:
    name: vault_port_{{ item }}
    state: "{{ (vault_services[item].src_ip | length > 0) | ternary('present', 'absent') }}"
-    rules: |
-      -A INPUT -m state --state NEW -p tcp --dport {{ vault_services[item].port }} -j ACCEPT
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ vault_services[item].port }} -s {{ vault_services[item].src_ip | flatten | join(',') }} -j ACCEPT"
  loop: "{{ vault_services.keys() | list }}"
  tags: firewall,vault
--- a/roles/vault/templates/vault.service.j2
+++ b/roles/vault/templates/vault.service.j2
@@ -25,6 +25,7 @@ KillMode=process
 KillSignal=SIGINT
 Restart=on-failure
 RestartSec=5
+StartLimitInterval=0
 TimeoutStopSec=30
 LimitNOFILE=65536
 LimitMEMLOCK=infinity