diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml index ec3b57c..867677d 100644 --- a/roles/consul/defaults/main.yml +++ b/roles/consul/defaults/main.yml @@ -76,6 +76,15 @@ consul_base_conf: connect: # Enable consul service mesh on servers enabled: "{{ (inventory_hostname in consul_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}" + # ca_provider: vault + ca_config: + # address: https://active.vault.service.consul:8200 + root_pki_path: pki/root + intermediate_pki_path: pki/connect + #auth_method: + # approle: + # role_id: XXXX + # secret_id: YYYY acl: enabled: False @@ -106,22 +115,6 @@ consul_extra_conf: {} consul_host_conf: {} consul_conf: "{{ consul_base_conf | combine(consul_extra_conf, recursive=True) | combine(consul_host_conf, recursive=True) }}" -# TLS certs and token retrival from vault -consul_base_vault_secrets: - # vault_address: https://active.vault.service.consul:8200 - # vault_token: XXXXXX - pki: - enabled: False - path: /pki/consul - role: consul-{{ consul_conf.server | ternary('server', 'client') }} - tokens: - enabled: False - path: /consul - role: consul-agent -consul_extra_vault_secrets: {} -consul_host_vault_secrets: {} -consul_vault_secrets: "{{ consul_base_vault_secrets | combine(consul_extra_vault_secrets, recursive=True) | combine(consul_host_vault_secrets, recursive=True) }}" - # For example # consul_extra_conf: # datacenter: my-dc 
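Review bot: The new `ca_config` block is unconditionally part of `consul_base_conf.connect`, yet consul.hcl.j2 only emits it when `connect.ca_provider` is defined, so `root_pki_path`/`intermediate_pki_path` are inert until someone uncomments `ca_provider: vault`; say so in the comment, e.g. `# ca_config is only rendered when ca_provider is set (see consul.hcl.j2)`. The commented example also deserves a warning that `role_id`/`secret_id` placed here are written in clear into consul.hcl, so they belong in an ansible-vault encrypted `consul_host_conf`/`consul_extra_conf`, not in plain group_vars. Minor: the commented keys are misaligned (`#auth_method:` vs `# approle:`), which makes the intended nesting hard to read.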
@@ -130,6 +123,23 @@ consul_vault_secrets: "{{ consul_base_vault_secrets | combine(consul_extra_vault # ui_config: # enabled: False +consul_base_vault_agent: + # vault_address: https://active.vault.service.consul:8200 + # + ## Only one of approle or token should be used + # auth: + # approle: + # role_id: XXXX + # secret_id: YYYY + # token: XXXXXXX + pki: + enabled: False + path: pki/consul + role: consul-{{ consul_conf.server | ternary('server', 'client') }} +consul_extra_vault_agent: {} +consul_host_vault_agent: {} +consul_vault_agent: "{{ consul_base_vault_agent | combine(consul_extra_vault_agent, recursive=True) | combine(consul_host_vault_agent, recursive=True) }}" + # List of services exposed by consul, the ports they use, and the list of IP # for which the service is accessible at the firewall level (if iptables_manage == True) consul_base_services: diff --git a/roles/consul/handlers/main.yml b/roles/consul/handlers/main.yml index b40d996..c9a5024 100644 --- a/roles/consul/handlers/main.yml +++ b/roles/consul/handlers/main.yml @@ -8,6 +8,5 @@ service: name=consul state=reloaded when: consul_service_started is not defined or not consul_service_started.changed -- name: restart consul-template-consul - service: name=consul-template-consul state=restarted - +- name: restart consul-vault-agent + service: name=consul-vault-agent state=restarted diff --git a/roles/consul/meta/main.yml b/roles/consul/meta/main.yml index 37d4959..623e770 100644 --- a/roles/consul/meta/main.yml +++ b/roles/consul/meta/main.yml @@ -2,4 +2,3 @@ dependencies: - role: consul_bin - - role: consul_template diff --git a/roles/consul/tasks/cleanup.yml b/roles/consul/tasks/cleanup.yml index 57f5c3e..1b69085 100644 --- a/roles/consul/tasks/cleanup.yml +++ b/roles/consul/tasks/cleanup.yml 
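Review bot: `consul_base_vault_agent` documents a `token:` alternative to AppRole, but no task in this commit writes the `{{ consul_root_dir }}/vault/token` file that vault/agent.hcl.j2 points `token_file_path` at — conf.yml only materialises `role_id` and `secret_id`. Either add the matching copy task (with `no_log: true`) or remove the option from the comment so operators cannot configure an auth method that never logs in. I would also add `# Store these via ansible-vault; they are written to disk on the host` above the `auth:` example.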
@@ -4,5 +4,6 @@ file: path={{ item }} state=absent loop: - "{{ consul_root_dir }}/archives" - - "{{ consul_root_dir }}/bin" + - /etc/systemd/system/consul-template-consul.service + - "{{ consul_root_dir }}/consul-template" tags: consul diff --git a/roles/consul/tasks/conf.yml b/roles/consul/tasks/conf.yml index 1970605..ee0eb06 100644 --- a/roles/consul/tasks/conf.yml +++ b/roles/consul/tasks/conf.yml @@ -1,24 +1,27 @@ --- # Ensure certificates exists. This is needed so first consul service starts doesn't fail -# when consul-template hasn't populated the cert yet +# when vault-agent hasn't populated the cert yet - name: Generate self-signed certificate import_tasks: ../includes/create_selfsigned_cert.yml vars: cert_path: "{{ consul_conf.tls.defaults.cert_file }}" cert_key_path: "{{ consul_conf.tls.defaults.key_file }}" + cert_key_user: "{{ consul_user }}" cert_key_group: "{{ consul_user }}" - cert_key_mode: 640 + cert_key_mode: 660 + when: consul_conf.tls.enabled tags: consul - name: Check if CA exists stat: path={{ consul_conf.tls.defaults.ca_file }} register: consul_ca_file + when: consul_conf.tls.enabled tags: consul - name: Copy cert as CA copy: src={{ consul_conf.tls.defaults.cert_file }} dest={{ consul_conf.tls.defaults.ca_file }} remote_src=True - when: not consul_ca_file.stat.exists + when: consul_conf.tls.enabled and not consul_ca_file.stat.exists tags: consul - name: Deploy consul configuration 
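Review bot: Deleting `/etc/systemd/system/consul-template-consul.service` leaves the old unit loaded until a daemon-reload, and the only `Reload systemd` task in this commit (install.yml) is gated on `consul_unit.changed or consul_vault_agent_unit.changed`. Register this task and run `systemd: daemon_reload=True` when it changed, or notify a reload handler, so the stale unit disappears from systemd. Whether this task runs before or after the stop task in services.yml is not visible here; if it runs first, the service module may no longer find the unit to stop.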
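Review bot: `cert_key_mode: 660` loosens the bootstrap private key from 0640 to group-writable, while vault/agent_bundle.pem.tpl.j2 later rewrites the same key at 0640, so the two will disagree on every run; nothing in this hunk needs group write, since the key is now owned by `consul_user` anyway. Keep `cert_key_mode: "0640"` — quoted, because an unquoted YAML `660` is the decimal integer 660 if the include passes it through as-is (create_selfsigned_cert.yml is not visible here, so confirm). The same applies to the `chmod 775`/`chmod 660` lines added to the ACL task further down in this file.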
@@ -94,33 +97,38 @@ loop: "{{ consul_backup_configs.stdout_lines }}" tags: consul -- name: Deploy consul-template config - template: src=consul-template.hcl.j2 dest={{ consul_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root - notify: restart consul-template-consul - when: consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled +- name: Deploy vault agent configuration + template: src=vault/agent.hcl.j2 dest={{ consul_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ consul_user }} + notify: restart consul-vault-agent + when: consul_vault_agent.pki.enabled tags: consul -- name: Deploy agent bundle template - template: src=agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl owner=root group=root - notify: restart consul-template-consul - when: consul_vault_secrets.pki.enabled +- name: Deploy agent cert bundle template + template: src=vault/agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root + notify: restart consul-vault-agent + when: consul_vault_agent.pki.enabled tags: consul -- name: Deploy consul-template cli bundle template - template: src=cli_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/cli_bundle.pem.tpl owner=root group=root - notify: restart consul-template-consul - when: consul_vault_secrets.pki.enabled and consul_conf.server - tags: consul - -- name: Deploy the consul-template agent token template - template: src=agent.token.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent.token.tpl owner=root group=root - notify: restart consul-template-consul - when: consul_vault_secrets.tokens.enabled +- when: + - consul_vault_agent.auth is defined + - consul_vault_agent.auth.approle is defined + - consul_vault_agent.auth.approle.role_id is defined + - consul_vault_agent.auth.approle.secret_id is defined + name: Setup AppRole auth + block: + - copy: content={{ consul_vault_agent.auth.approle.role_id }} 
dest={{ consul_root_dir }}/vault/role_id owner=root group={{ consul_user }} mode=640 + - copy: content={{ consul_vault_agent.auth.approle.secret_id }} dest={{ consul_root_dir }}/vault/secret_id owner=root group={{ consul_user }} mode=640 tags: consul - name: Set ACL on the TLS dir shell: | setfacl -R -b -k {{ consul_root_dir }}/tls + chown -R {{ consul_user }}:{{ consul_user }} {{ consul_root_dir }}/tls + chmod 775 {{ consul_root_dir }}/tls + chmod 660 {{ consul_root_dir }}/tls/* + setfacl -m u:{{ consul_user }}:rwx {{ consul_root_dir }}/tls + setfacl -m d:u:{{ consul_user }}:rw {{ consul_root_dir }}/tls + setfacl -m u:{{ consul_user }}:rw {{ consul_root_dir }}/tls/* {% if consul_admin_groups | length > 0 %} setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls setfacl -m {% for group in consul_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls diff --git a/roles/consul/tasks/directories.yml b/roles/consul/tasks/directories.yml index 188a133..3d03aa2 100644 --- a/roles/consul/tasks/directories.yml +++ b/roles/consul/tasks/directories.yml @@ -28,9 +28,10 @@ group: "{{ consul_user }}" mode: 750 - dir: tls + - dir: vault + mode: 750 owner: root - group: root - mode: 755 - - dir: consul-template - mode: 755 + group: "{{ consul_user }}" + - dir: vault/templates + - dir: bin tags: consul diff --git a/roles/consul/tasks/facts.yml b/roles/consul/tasks/facts.yml index f28920a..4b5c615 100644 --- a/roles/consul/tasks/facts.yml +++ b/roles/consul/tasks/facts.yml @@ -8,3 +8,7 @@ - set_fact: consul_current_version={{ consul_current_version.stdout }} tags: consul +- name: Check if the consul-template service still exists + stat: path=/etc/systemd/system/consul-template + register: consul_ct_service + tags: consul diff --git a/roles/consul/tasks/install.yml b/roles/consul/tasks/install.yml index 402f080..152a36b 100644 --- a/roles/consul/tasks/install.yml 
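Review bot: The `copy` tasks in the AppRole block write `secret_id` via `content=`; the copy module suppresses `content` in its result, but a run with `--diff` or high verbosity still prints the file diff, so add `no_log: true` to the block. Prefer block YAML module args over `key=value` strings here, otherwise a role_id/secret_id containing a space or `=` breaks argument parsing. Note also that agent.hcl keeps `remove_secret_id_file_after_reading = false`, so the secret_id persists at `{{ consul_root_dir }}/vault/secret_id` (root:consul 0640) and any process running as `consul` can replay the AppRole login — acceptable if intended, but worth a comment. In the ACL task, `chmod 660 {{ consul_root_dir }}/tls/*` makes the CA and cert group-writable on every run and fights the 0644 the vault-agent template writes; `chown` alone is enough now that `consul_user` owns the files.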
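Review bot: The stat path `/etc/systemd/system/consul-template` does not match the unit this role installed, `/etc/systemd/system/consul-template-consul.service` (the path cleanup.yml removes), so `consul_ct_service.stat.exists` is always false and the `Stop consul-template-consul service` task in services.yml never runs: the old consul-template keeps running with its Vault token until reboot. Fix: `stat: path=/etc/systemd/system/consul-template-consul.service`.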
+++ b/roles/consul/tasks/install.yml @@ -6,15 +6,9 @@ notify: restart consul tags: consul -- name: Install consul-template unit - template: src=consul-template-consul.service.j2 dest=/etc/systemd/system/consul-template-consul.service - register: consul_template_tpl_unit - notify: restart consul-template-consul - tags: consul - -- name: Reload systemd - systemd: daemon_reload=True - when: consul_unit.changed or consul_template_tpl_unit.changed +- name: Deploy consul service wrapper + template: src=consul.sh.j2 dest={{ consul_root_dir }}/bin/consul mode=755 + notify: restart consul tags: consul - name: Install backup hooks @@ -27,9 +21,8 @@ - name: Create tmpfiles fragment copy: content: | - d /run/nomad 770 root {{ consul_user }} + d /run/consul 770 root {{ consul_user }} dest: /etc/tmpfiles.d/consul.conf - notify: systemd-tmpfiles register: consul_tmpfiles tags: consul @@ -37,3 +30,15 @@ command: systemd-tmpfiles --create when: consul_tmpfiles.changed tags: consul + +- name: Install vault agent unit file + template: src=vault/agent.service.j2 dest=/etc/systemd/system/consul-vault-agent.service + register: consul_vault_agent_unit + notify: restart consul-vault-agent + tags: consul + +- name: Reload systemd + systemd: daemon_reload=True + when: consul_unit.changed or consul_vault_agent_unit.changed + tags: consul + diff --git a/roles/consul/tasks/services.yml b/roles/consul/tasks/services.yml index 76930b9..e95c9be 100644 --- a/roles/consul/tasks/services.yml +++ b/roles/consul/tasks/services.yml 
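Review bot: The wrapper deployed to `{{ consul_root_dir }}/bin/consul` becomes consul.service's `ExecStart` and is the code that injects `VAULT_TOKEN`, but the task sets only `mode=755` and no owner/group, so ownership follows the connection user; make it explicit, `template: src=consul.sh.j2 dest={{ consul_root_dir }}/bin/consul mode=755 owner=root group=root`, so the `consul` account it runs as cannot edit it. The `/run/nomad` → `/run/consul` correction in the tmpfiles fragment is right and the `systemd-tmpfiles --create` command task still fires on change.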
@@ -5,10 +5,18 @@ register: consul_service_started tags: consul -- name: Handle consul-template-consul service +- name: Stop consul-template-consul service service: name: consul-template-consul - state: "{{ (consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled) | ternary('started', 'stopped') }}" - enabled: "{{ (consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled) | ternary(True, False) }}" + state: stopped + enabled: False + when: consul_ct_service.stat.exists + tags: consul + +- name: Handle consul-vault-agent service + service: + name: consul-vault-agent + state: "{{ (consul_vault_agent.pki.enabled) | ternary('started', 'stopped') }}" + enabled: "{{ (consul_vault_agent.pki.enabled) | ternary(True, False) }}" tags: consul diff --git a/roles/consul/templates/agent.token.tpl.j2 b/roles/consul/templates/agent.token.tpl.j2 deleted file mode 100644 index a1554db..0000000 --- a/roles/consul/templates/agent.token.tpl.j2 +++ /dev/null @@ -1,3 +0,0 @@ -[[ with secret "{{ consul_vault_secrets.tokens.path }}/creds/{{ consul_vault_secrets.tokens.role }}" ]] -[[ .Data.token ]] -[[ end ]] diff --git a/roles/consul/templates/agent_bundle.pem.tpl.j2 b/roles/consul/templates/agent_bundle.pem.tpl.j2 deleted file mode 100644 index 569df3f..0000000 --- a/roles/consul/templates/agent_bundle.pem.tpl.j2 +++ /dev/null 
@@ -1,18 +0,0 @@ -{% if consul_conf.server %} -[[ with pkiCert "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=localhost,consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}{% if consul_conf.alt_domain is defined %}consul.service.{{ consul_conf.alt_domain }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.alt_domain }}{% endif %}" ]] -[[ .CA ]] -[[ .Cert ]] -[[ .Key ]] -[[ .CA | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "root" "0644" ]] -[[ .Cert | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "root" "root" "0644" ]] -[[ .Key | writeToFile "{{ consul_conf.tls.defaults.key_file }}" "root" "{{ consul_user }}" "0640" ]] -[[ end ]] -[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]] -[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "root" "root" "0644" "append,newline" ]] -[[ end ]] -{% else %} -[[ with secret "{{ consul_vault_secrets.pki.path }}/cert/ca" ]] -[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "root" "root" "0644" ]] -[[ end ]] -{% endif %} - diff --git a/roles/consul/templates/agent_token.tpl.j2 b/roles/consul/templates/agent_token.tpl.j2 new file mode 100644 index 0000000..32b11e6 --- /dev/null +++ b/roles/consul/templates/agent_token.tpl.j2 @@ -0,0 +1,3 @@ +[[ with secret "{{ consul_vault_agent.tokens.path }}/creds/{{ consul_vault_agent.tokens.role }}" ]] +[[ .Data.token ]] +[[ end ]] diff --git a/roles/consul/templates/cli_bundle.pem.tpl.j2 b/roles/consul/templates/cli_bundle.pem.tpl.j2 deleted file mode 100644 index 355fa39..0000000 --- a/roles/consul/templates/cli_bundle.pem.tpl.j2 +++ /dev/null 
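Review bot: `roles/consul/templates/agent_token.tpl.j2` (added here, and again verbatim under `templates/vault/`) references `consul_vault_agent.tokens.path` and `.role`, but the new `consul_base_vault_agent` defaults define no `tokens` key, and no task or agent.hcl `template` stanza deploys this file — it is dead and would fail to render. Either drop both copies or restore a `tokens:` block in the defaults together with the agent.hcl stanza and a deploy task that replaces the removed consul-template token workflow.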
@@ -1,7 +0,0 @@ -[[ with pkiCert "{{ consul_vault_secrets.pki.path }}/issue/{{ consul_vault_secrets.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]] -[[ .CA ]] -[[ .Cert ]] -[[ .Key ]] -[[ .Cert | writeToFile "{{ consul_root_dir }}/tls/cli.crt" "root" "root" "0644" ]] -[[ .Key | writeToFile "{{ consul_root_dir }}/tls/cli.key" "root" "root" "0640" ]] -[[ end ]] diff --git a/roles/consul/templates/consul-template-consul.service.j2 b/roles/consul/templates/consul-template-consul.service.j2 deleted file mode 100644 index 5eaab2e..0000000 --- a/roles/consul/templates/consul-template-consul.service.j2 +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description="HashiCorp consul-template" -Documentation=https://github.com/hashicorp/consul-template -Requires=network-online.target -After=network-online.target -ConditionFileNotEmpty={{ consul_root_dir }}/consul-template/consul-template.hcl - -[Service] -Type=simple -ExecStart=/usr/local/bin/consul-template -config={{ consul_root_dir }}/consul-template/consul-template.hcl -SuccessExitStatus=12 -ExecReload=/bin/kill --signal HUP $MAINPID -KillSignal=SIGINT -Restart=on-failure -RestartSec=2 - -[Install] -WantedBy=multi-user.target diff --git a/roles/consul/templates/consul-template.hcl.j2 b/roles/consul/templates/consul-template.hcl.j2 deleted file mode 100644 index 7fcf36b..0000000 --- a/roles/consul/templates/consul-template.hcl.j2 +++ /dev/null 
@@ -1,42 +0,0 @@ -vault { - address = "{{ consul_vault_secrets.vault_address }}" - token = "{{ consul_vault_secrets.vault_token }}" - unwrap_token = false -} - -template { - source = "{{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ consul_root_dir }}/tls/agent_bundle.pem" - perms = 0640 - exec { - command = "sh -c 'systemctl reload consul || true'" - } -} - -{% if consul_conf.server %} -template { - source = "{{ consul_root_dir }}/consul-template/cli_bundle.pem.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ consul_root_dir }}/tls/cli_bundle.pem" - perms = 0640 - exec { - command = "sh -c 'systemctl reload consul || true'" - } -} -{% endif %} - -{% if consul_vault_secrets.tokens.enabled %} -template { - source = "{{ consul_root_dir }}/consul-template/agent.token.tpl" - left_delimiter = "[[" - right_delimiter = "]]" - destination = "{{ consul_root_dir }}/tmp/agent.token" - perms = 0600 - exec { - command = "sh -c 'consul acl set-agent-token default $(grep -P \'^[^\s]\' {{ consul_root_dir }}/tmp/agent.token)'" - } -} -{% endif %} diff --git a/roles/consul/templates/consul.hcl.j2 b/roles/consul/templates/consul.hcl.j2 index dedc257..bcb8c9a 100644 --- a/roles/consul/templates/consul.hcl.j2 +++ b/roles/consul/templates/consul.hcl.j2 
@@ -69,6 +69,28 @@ telemetry { {% if consul_conf.connect.enabled %} connect { enabled = true +{% if consul_conf.connect.ca_provider is defined %} + ca_provider = "{{ consul_conf.connect.ca_provider }}" + ca_config { +{% for key in ['address', 'token', 'root_pki_path', 'intermediate_pki_path'] %} +{% if consul_conf.connect.ca_config[key] is defined %} + {{ key }} = "{{ consul_conf.connect.ca_config[key] }}" +{% endif %} +{% endfor %} +{% if consul_conf.connect.ca_config.auth_method is defined %} + auth_method { +{% if consul_conf.connect.ca_config.auth_method.approle is defined %} + type = "approle" + params { +{% for key in ['role_id', 'secret_id'] %} + {{ key }} = "{{ consul_conf.connect.ca_config.auth_method.approle[key] }}" +{% endfor %} + } +{% endif %} + } +{% endif %} + } +{% endif %} } {% endif %} diff --git a/roles/consul/templates/consul.service.j2 b/roles/consul/templates/consul.service.j2 index d9447ce..49ffb0d 100644 --- a/roles/consul/templates/consul.service.j2 +++ b/roles/consul/templates/consul.service.j2 @@ -3,6 +3,10 @@ Description="HashiCorp Consul - A service mesh solution" Documentation=https://www.consul.io/ Requires=network-online.target After=network-online.target +After=consul-vault-agent.service +{% if consul_vault_agent.vault_address is defined and consul_vault_agent.pki.enabled %} +Requires=consul-vault-agent.service +{% endif %} ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl # Consul version {{ consul_current_version }} @@ -11,7 +15,7 @@ Type=notify EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env User={{ consul_user }} Group={{ consul_user }} -ExecStart=/usr/local/bin/consul agent -config-dir={{ consul_root_dir }}/etc/ +ExecStart={{ consul_root_dir }}/bin/consul ExecReload=/bin/kill --signal HUP $MAINPID SuccessExitStatus=1 Restart=on-failure diff --git a/roles/consul/templates/consul.sh.j2 b/roles/consul/templates/consul.sh.j2 new file mode 100644 index 0000000..3495d05 --- /dev/null 
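Review bot: `auth_method.approle.secret_id` (and `ca_config.token`) are now rendered in clear into consul.hcl by the `Deploy consul configuration` task, whose mode/owner are outside this hunk; confirm that file is root:consul 0640 and that the task carries `no_log: true`, otherwise the rendered config (secret included) appears in `--diff` output. The loop unconditionally emits both `role_id` and `secret_id`, so an undefined one fails the template — fine as a fail-loud guard, but a one-line comment would save the next reader from assuming either is optional.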
+++ b/roles/consul/templates/consul.sh.j2 @@ -0,0 +1,19 @@ +#!/bin/sh + +{% if consul_vault_agent.vault_address is defined and consul_vault_agent.pki.enabled %} +if [ -f /run/consul/vault_token ]; then + exec env VAULT_TOKEN=$(vault unwrap -field=token $(jq -r '.token' /run/consul/vault_token)) \ + /usr/local/bin/consul \ + agent \ + -config-dir={{ consul_root_dir }}/etc/ \ + -pid-file /run/consul/consul_agent.pid +else + echo "Consul service failed due to missing Vault token" + exit 1 +fi +{% else %} +exec /usr/local/bin/consul \ + agent \ + -config-dir={{ consul_root_dir }}/etc/ \ + -pid-file /run/consul/consul_agent.pid +{% endif %} diff --git a/roles/consul/templates/profile.sh.j2 b/roles/consul/templates/profile.sh.j2 index ee61577..971e2e1 100644 --- a/roles/consul/templates/profile.sh.j2 +++ b/roles/consul/templates/profile.sh.j2 @@ -1,12 +1,5 @@ -{% if consul_conf.tls.enabled and consul_conf.server %} -export CONSUL_HTTP_ADDR=https://localhost:{{ consul_services.https.port }} -export CONSUL_HTTP_SSL=true -export CONSUL_CACERT={{ consul_conf.tls.defaults.ca_file }} -{% if consul_vault_secrets.pki.enabled %} -export CONSUL_CLIENT_CERT={{ consul_root_dir }}/tls/cli.crt -export CONSUL_CLIENT_KEY={{ consul_root_dir }}/tls/cli.key -export CONSUL_TLS_SERVER_NAME=server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }} -{% endif %} +{% if consul_conf.server %} +export CONSUL_HTTP_ADDR=http://localhost:{{ consul_services.http.port }} {% else %} -# TLS not enabled or not running in server mode +# not running in server mode {% endif %} diff --git a/roles/consul/templates/vault/agent.hcl.j2 b/roles/consul/templates/vault/agent.hcl.j2 new file mode 100644 index 0000000..ede3f1d --- /dev/null +++ b/roles/consul/templates/vault/agent.hcl.j2 
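Review bot: `exec env VAULT_TOKEN=$(vault unwrap -field=token $(jq -r '.token' ...))` ignores the exit status of both substitutions, so when the wrapping token in `/run/consul/vault_token` has already been unwrapped or its 30s `wrap_ttl` has elapsed, Consul still starts — with an empty `VAULT_TOKEN`. That case is reachable: consul.service has `Restart=on-failure`, and the agent's `PartOf=consul.service` only propagates explicit systemctl jobs, so a crash-restart of Consul alone reuses the spent sink file. The wrapper should fail closed and should hand the wrapping token to `vault unwrap` via the environment rather than as an argument visible in `ps`; it also relies on `VAULT_ADDR` being set (presumably via consul.env, not visible here).
```shell
if [ ! -f /run/consul/vault_token ]; then
    echo "Consul service failed due to missing Vault token" >&2
    exit 1
fi
wrapping_token=$(jq -r '.token' /run/consul/vault_token) || exit 1
if [ -z "$wrapping_token" ] || [ "$wrapping_token" = null ]; then
    echo "Consul service failed: no wrapping token in /run/consul/vault_token" >&2
    exit 1
fi
# Unwrap using the wrapping token as VAULT_TOKEN so it never appears on a command line.
VAULT_TOKEN=$(VAULT_TOKEN="$wrapping_token" vault unwrap -field=token) || {
    echo "Consul service failed: could not unwrap Vault token (already used or expired?)" >&2
    exit 1
}
export VAULT_TOKEN
exec /usr/local/bin/consul agent -config-dir={{ consul_root_dir }}/etc/ -pid-file /run/consul/consul_agent.pid
# … unchanged: non-vault branch …
```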
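Review bot: The server profile now exports `CONSUL_HTTP_ADDR=http://localhost:...` regardless of `consul_conf.tls.enabled`, dropping the `CONSUL_CACERT`/client-cert settings; whether the plain HTTP listener is still bound when TLS is enabled is not visible here, and if it is not, CLI use on servers breaks silently. Keep the `consul_conf.tls.enabled` branch pointing at `https://localhost:{{ consul_services.https.port }}` with `CONSUL_CACERT`, which the agent_bundle template still writes as a world-readable file.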
@@ -0,0 +1,44 @@
+vault {
+ address = "{{ consul_vault_agent.vault_address }}"
+}
+
+auto_auth {
+{% if consul_vault_agent.auth.approle is defined %}
+ method {
+ type = "approle"
+ config {
+ role_id_file_path = "{{ consul_root_dir }}/vault/role_id"
+ secret_id_file_path = "{{ consul_root_dir }}/vault/secret_id"
+ remove_secret_id_file_after_reading = false
+ }
+ }
+{% elif consul_vault_agent.auth.token is defined %}
+ method {
+ type = "token_file"
+ config {
+ token_file_path = "{{ consul_root_dir }}/vault/token"
+ }
+ }
+{% endif %}
+
+ sink {
+ type = "file"
+ wrap_ttl = "30s"
+ config = {
+ path = "/run/consul/vault_token"
+ mode = 640
+ }
+ }
+}
+
+template {
+ source = "{{ consul_root_dir }}/vault/templates/agent_bundle.pem.tpl"
+ destination = "{{ consul_root_dir }}/tls/agent_bundle.pem"
+ left_delimiter = "[["
+ right_delimiter = "]]"
+ perms = 0640
+ exec {
+ command = ["sh", "-c", "kill -USR1 $(cat /run/consul/consul_agent.pid)"]
+ }
+}
+
diff --git a/roles/consul/templates/vault/agent.service.j2 b/roles/consul/templates/vault/agent.service.j2
new file mode 100644
index 0000000..bda46a1
--- /dev/null
+++ b/roles/consul/templates/vault/agent.service.j2
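Review bot: `mode = 640` in the file sink is an HCL integer literal, i.e. decimal 640 (octal 01200), not the 0640 intended; Vault's own examples write `mode = 0640`, and if the sink applies the value as a raw mode the owner ends up without read permission on `/run/consul/vault_token`, which the consul.sh wrapper then cannot read. Change to `mode = 0640` (the `perms = 0640` in the template stanza is already correct). Two more things to confirm: Consul documents SIGHUP / `consul reload` for reloading certificates, so unless `USR1` is handled by the Consul version in use the renewed bundle is never picked up and `kill -HUP` is the safer choice; and the `token_file` branch points at `{{ consul_root_dir }}/vault/token`, which no task in this commit creates.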
@@ -0,0 +1,34 @@
+[Unit]
+Description="HashiCorp Vault Agent for Consul"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty={{ consul_root_dir }}/vault/agent.hcl
+StartLimitIntervalSec=60
+StartLimitBurst=3
+PartOf=consul.service
+
+[Service]
+Type=notify
+User={{ consul_user }}
+Group={{ consul_user }}
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/local/bin/vault agent -config={{ consul_root_dir }}/vault/agent.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/consul/templates/vault/agent_bundle.pem.tpl.j2 b/roles/consul/templates/vault/agent_bundle.pem.tpl.j2
new file mode 100644
index 0000000..6d81192
--- /dev/null
+++ b/roles/consul/templates/vault/agent_bundle.pem.tpl.j2
@@ -0,0 +1,17 @@ +{% if consul_conf.server %} +[[ with pkiCert "{{ consul_vault_agent.pki.path }}/issue/{{ consul_vault_agent.pki.role }}" "common_name=server-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" "alt_names=consul.service.{{ consul_conf.domain | default('consul') }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}{% if consul_conf.alt_domain is defined %},consul.service.{{ consul_conf.alt_domain }},server.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.alt_domain }}{% endif %}" "ttl=72h" ]] +[[ .CA ]] +[[ .Cert ]] +[[ .Key ]] +[[ .CA | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]] +[[ .Cert | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]] +[[ .Key | writeToFile "{{ consul_conf.tls.defaults.key_file }}" "{{ consul_user }}" "{{ consul_user }}" "0640" ]] +[[ end ]] +[[ with secret "{{ consul_vault_agent.pki.path }}/cert/ca" ]] +[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.cert_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" "append,newline" ]] +[[ end ]] +{% else %} +[[ with secret "{{ consul_vault_agent.pki.path }}/cert/ca" ]] +[[ .Data.certificate | writeToFile "{{ consul_conf.tls.defaults.ca_file }}" "{{ consul_user }}" "{{ consul_user }}" "0644" ]] +[[ end ]] +{% endif %} diff --git a/roles/consul/templates/vault/agent_token.tpl.j2 b/roles/consul/templates/vault/agent_token.tpl.j2 new file mode 100644 index 0000000..32b11e6 --- /dev/null +++ b/roles/consul/templates/vault/agent_token.tpl.j2 @@ -0,0 +1,3 @@ +[[ with secret "{{ consul_vault_agent.tokens.path }}/creds/{{ consul_vault_agent.tokens.role }}" ]] +[[ .Data.token ]] +[[ end ]] 
diff --git a/roles/consul/templates/vault/cli_bundle.pem.tpl.j2 b/roles/consul/templates/vault/cli_bundle.pem.tpl.j2 new file mode 100644 index 0000000..dd988b8 --- /dev/null +++ b/roles/consul/templates/vault/cli_bundle.pem.tpl.j2 @@ -0,0 +1,7 @@ +[[ with pkiCert "{{ consul_vault_agent.pki.path }}/issue/{{ consul_vault_agent.pki.role }}" "common_name=cli-{{ ansible_fqdn | regex_replace('\\.', '-') }}.{{ consul_conf.datacenter | default('dc1') }}.{{ consul_conf.domain | default('consul') }}" ]] +[[ .CA ]] +[[ .Cert ]] +[[ .Key ]] +[[ .Cert | writeToFile "{{ consul_root_dir }}/tls/cli.crt" "{{ consul_user }}" "{{ consul_user }}" "0644" ]] +[[ .Key | writeToFile "{{ consul_root_dir }}/tls/cli.key" "{{ consul_user }}" "{{ consul_user }}" "0640" ]] +[[ end ]] diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index dca69b1..beb77dc 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml @@ -1,11 +1,11 @@ --- # Version to install -gitea_version: 1.19.3 +gitea_version: 1.19.4 # URL to the binary gitea_bin_url: https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64 # sha256 of the binary -gitea_bin_sha256: 1865e72b1302e2bae0a357b30fd747b770b622198e155c2bdf776cfbffca38b7 +gitea_bin_sha256: bf68e8e39c70dc54a7876527d463b517f8af51a2d2924511cd047f479cd8aefd # Handle updates. If set to false, ansible will only install # Gitea and then won't touch an existing installation gitea_manage_upgrade: True
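Review bot: `templates/vault/cli_bundle.pem.tpl.j2` is added but never used: conf.yml no longer deploys a cli bundle template, vault/agent.hcl.j2 has no `template` stanza for it, and profile.sh.j2 dropped `CONSUL_CLIENT_CERT`/`CONSUL_CLIENT_KEY`. Either wire it up (an agent.hcl stanza plus a deploy task gated on `consul_conf.server`) or delete it, since a dormant template that issues client certificates from the same PKI role is easy to re-enable by accident later. The gitea hunk below is a routine version/sha bump.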