Update to 2023-07-05 19:00

roles/consul/tasks/cleanup.yml

@@ -4,5 +4,6 @@
   file: path={{ item }} state=absent
   loop:
     - "{{ consul_root_dir }}/archives"
-    - "{{ consul_root_dir }}/bin"
+    - /etc/systemd/system/consul-template-consul.service
+    - "{{ consul_root_dir }}/consul-template"
   tags: consul

roles/consul/tasks/conf.yml

@@ -1,24 +1,27 @@
 ---
 
 # Ensure certificates exists. This is needed so first consul service starts doesn't fail
-# when consul-template hasn't populated the cert yet
+# when vault-agent hasn't populated the cert yet
 - name: Generate self-signed certificate
   import_tasks: ../includes/create_selfsigned_cert.yml
   vars:
     cert_path: "{{ consul_conf.tls.defaults.cert_file }}"
     cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"
+    cert_key_user: "{{ consul_user }}"
     cert_key_group: "{{ consul_user }}"
-    cert_key_mode: 640
+    cert_key_mode: 660
+  when: consul_conf.tls.enabled
   tags: consul
 
 - name: Check if CA exists
   stat: path={{ consul_conf.tls.defaults.ca_file }}
   register: consul_ca_file
+  when: consul_conf.tls.enabled
   tags: consul
 
 - name: Copy cert as CA
   copy: src={{ consul_conf.tls.defaults.cert_file }} dest={{ consul_conf.tls.defaults.ca_file }} remote_src=True
-  when: not consul_ca_file.stat.exists
+  when: consul_conf.tls.enabled and not consul_ca_file.stat.exists
   tags: consul
 
 - name: Deploy consul configuration
@@ -94,33 +97,38 @@
   loop: "{{ consul_backup_configs.stdout_lines }}"
   tags: consul
 
-- name: Deploy consul-template config
-  template: src=consul-template.hcl.j2 dest={{ consul_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
-  notify: restart consul-template-consul
-  when: consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled
+- name: Deploy vault agent configuration
+  template: src=vault/agent.hcl.j2 dest={{ consul_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ consul_user }}
+  notify: restart consul-vault-agent
+  when: consul_vault_agent.pki.enabled
   tags: consul
 
-- name: Deploy agent bundle template
-  template: src=agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl owner=root group=root
-  notify: restart consul-template-consul
-  when: consul_vault_secrets.pki.enabled
+- name: Deploy agent cert bundle template
+  template: src=vault/agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
+  notify: restart consul-vault-agent
+  when: consul_vault_agent.pki.enabled
   tags: consul
 
-- name: Deploy consul-template cli bundle template
-  template: src=cli_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/cli_bundle.pem.tpl owner=root group=root
-  notify: restart consul-template-consul
-  when: consul_vault_secrets.pki.enabled and consul_conf.server
-  tags: consul
-
-- name: Deploy the consul-template agent token template
-  template: src=agent.token.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent.token.tpl owner=root group=root
-  notify: restart consul-template-consul
-  when: consul_vault_secrets.tokens.enabled
+- when:
+    - consul_vault_agent.auth is defined
+    - consul_vault_agent.auth.approle is defined
+    - consul_vault_agent.auth.approle.role_id is defined
+    - consul_vault_agent.auth.approle.secret_id is defined
+  name: Setup AppRole auth
+  block:
+    - copy: content={{ consul_vault_agent.auth.approle.role_id }} dest={{ consul_root_dir }}/vault/role_id owner=root group={{ consul_user }} mode=640
+    - copy: content={{ consul_vault_agent.auth.approle.secret_id }} dest={{ consul_root_dir }}/vault/secret_id owner=root group={{ consul_user }} mode=640
   tags: consul
 
 - name: Set ACL on the TLS dir
   shell: |
     setfacl -R -b -k {{ consul_root_dir }}/tls
+    chown -R {{ consul_user }}:{{ consul_user }} {{ consul_root_dir }}/tls
+    chmod 775 {{ consul_root_dir }}/tls
+    chmod 660 {{ consul_root_dir }}/tls/*
+    setfacl -m u:{{ consul_user }}:rwx {{ consul_root_dir }}/tls
+    setfacl -m d:u:{{ consul_user }}:rw {{ consul_root_dir }}/tls
+    setfacl -m u:{{ consul_user }}:rw {{ consul_root_dir }}/tls/*
     {% if consul_admin_groups | length > 0 %}
     setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
     setfacl -m {% for group in consul_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls

roles/consul/tasks/directories.yml

@@ -28,9 +28,10 @@
       group: "{{ consul_user }}"
       mode: 750
     - dir: tls
+    - dir: vault
+      mode: 750
       owner: root
-      group: root
-      mode: 755
-    - dir: consul-template
-      mode: 755
+      group: "{{ consul_user }}"
+    - dir: vault/templates
+    - dir: bin
   tags: consul

roles/consul/tasks/facts.yml

@@ -8,3 +8,7 @@
     - set_fact: consul_current_version={{ consul_current_version.stdout }}
   tags: consul
 
+- name: Check if the consul-template service still exists
+  stat: path=/etc/systemd/system/consul-template
+  register: consul_ct_service
+  tags: consul

roles/consul/tasks/install.yml

@@ -6,15 +6,9 @@
   notify: restart consul
   tags: consul
 
-- name: Install consul-template unit
-  template: src=consul-template-consul.service.j2 dest=/etc/systemd/system/consul-template-consul.service
-  register: consul_template_tpl_unit
-  notify: restart consul-template-consul
-  tags: consul
-
-- name: Reload systemd
-  systemd: daemon_reload=True
-  when: consul_unit.changed or consul_template_tpl_unit.changed
+- name: Deploy consul service wrapper
+  template: src=consul.sh.j2 dest={{ consul_root_dir }}/bin/consul mode=755
+  notify: restart consul
   tags: consul
 
 - name: Install backup hooks
@@ -27,9 +21,8 @@
 - name: Create tmpfiles fragment
   copy:
     content: |
-      d /run/nomad 770 root {{ consul_user }}
+      d /run/consul 770 root {{ consul_user }}
     dest: /etc/tmpfiles.d/consul.conf
-  notify: systemd-tmpfiles
   register: consul_tmpfiles
   tags: consul
 
@@ -37,3 +30,15 @@
   command: systemd-tmpfiles --create
   when: consul_tmpfiles.changed
   tags: consul
+
+- name: Install vault agent unit file
+  template: src=vault/agent.service.j2 dest=/etc/systemd/system/consul-vault-agent.service
+  register: consul_vault_agent_unit
+  notify: restart consul-vault-agent
+  tags: consul
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: consul_unit.changed or consul_vault_agent_unit.changed
+  tags: consul
+

roles/consul/tasks/services.yml

@@ -5,10 +5,18 @@
   register: consul_service_started
   tags: consul
 
-- name: Handle consul-template-consul service
+- name: Stop consul-template-consul service
   service:
     name: consul-template-consul
-    state: "{{ (consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled) | ternary('started', 'stopped') }}"
-    enabled: "{{ (consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled) | ternary(True, False) }}"
+    state: stopped
+    enabled: False
+  when: consul_ct_service.stat.exists
+  tags: consul
+
+- name: Handle consul-vault-agent service
+  service:
+    name: consul-vault-agent
+    state: "{{ (consul_vault_agent.pki.enabled) | ternary('started', 'stopped') }}"
+    enabled: "{{ (consul_vault_agent.pki.enabled) | ternary(True, False) }}"
   tags: consul