Update to 2023-07-03 15:00

roles/consul/defaults/main.yml

@@ -1,12 +1,5 @@
 ---
 
-# Version of consul to deploy
-consul_version: 1.16.0
-# URL from where the consul archive will be downloaded
-consul_archive_url: https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip
-# Expected sha256 of the archive
-consul_archive_sha256: c112d1b2ffcfa7d98cde5508bec3bce383ed3650290cc8be3cfe682b79bb13f1
-
 # user account under which consul will run (will be created if needed)
 consul_user: consul
 

roles/consul/meta/main.yml

@@ -1,4 +1,5 @@
 ---
 
 dependencies:
+  - role: consul_bin
   - role: consul_template

roles/consul/tasks/archive_post.yml

@@ -1,14 +0,0 @@
----
-
-- name: Compress previous version
-  command: tar cf {{ consul_root_dir }}/archives/{{ consul_current_version }}.tar.zst --use-compress-program=zstd ./
-  args:
-    chdir: "{{ consul_root_dir }}/archives/{{ consul_current_version }}"
-  environment:
-    ZSTD_CLEVEL: 10
-  tags: consul
-
-- name: Remove archive dir
-  file: path={{ consul_root_dir }}/archives/{{ consul_current_version }} state=absent
-  tags: consul
-

roles/consul/tasks/archive_pre.yml

@@ -1,27 +0,0 @@
----
-
-- name: Create the archive dir
-  file: path={{ consul_root_dir }}/archives/{{ consul_current_version }} state=directory
-  tags: consul
-
-- name: Snapshot consul data
-  command: "{{ consul_root_dir }}/bin/consul snapshot save {{ consul_root_dir }}/archives/{{ consul_current_version }}/consul.snap"
-  args:
-    creates: "{{ consul_root_dir }}/archives/{{ consul_current_version }}/consul.snap"
-  when:
-    - consul_conf.server
-    - not consul_conf.acl.enabled or consul_mgm_token is defined
-  environment:
-    CONSUL_TOKEN: "{{ consul_mgm_token | default('') }}"
-  tags: consul
-
-- name: Backup previous version
-  synchronize:
-    src: "{{ consul_root_dir }}/{{ item }}"
-    dest: "{{ consul_root_dir }}/archives/{{ consul_current_version }}/"
-    compress: False
-  delegate_to: "{{ inventory_hostname }}"
-  loop:
-    - bin
-  tags: consul
-

roles/consul/tasks/cleanup.yml

@@ -3,6 +3,6 @@
 - name: Remove tmp and obsolete files
   file: path={{ item }} state=absent
   loop:
-    - "{{ consul_root_dir }}/tmp/consul_{{ consul_version }}_linux_amd64.zip"
-    - "{{ consul_root_dir }}/tmp/consul"
+    - "{{ consul_root_dir }}/archives"
+    - "{{ consul_root_dir }}/bin"
   tags: consul

roles/consul/tasks/directories.yml

@@ -7,10 +7,6 @@
       owner: root
       group: root
       mode: 755
-    - dir: archives
-      owner: root
-      group: root
-      mode: 700
     - dir: backup
       owner: root
       group: root
@@ -19,7 +15,6 @@
       owner: root
       group: root
       mode: 700
-    - dir: bin
     - dir: tmp
       owner: "{{ consul_user }}"
       group: "{{ consul_user }}"

roles/consul/tasks/facts.yml

@@ -1,19 +1,6 @@
 ---
 
-- set_fact: consul_install_mode='none'
-  tags: consul
-
-- name: Detect if consul is installed
-  stat: path=/usr/local/bin/consul
-  register: consul_bin
-  tags: consul
-
-- when: not consul_bin.stat.exists
-  set_fact: consul_install_mode='install'
-  tags: consul
-
-- when: consul_bin.stat.exists
-  block:
+- block:
     - name: Detect installed version
       shell: /usr/local/bin/consul version | head -1 | perl -pe 's/Consul v(\d+(\.\d+)*)/$1/'
       changed_when: False
@@ -21,7 +8,3 @@
     - set_fact: consul_current_version={{ consul_current_version.stdout }}
   tags: consul
 
-- when: consul_bin.stat.exists and consul_current_version != consul_version
-  set_fact: consul_install_mode='upgrade'
-  tags: consul
-

roles/consul/tasks/install.yml

@@ -1,49 +1,5 @@
 ---
 
-- name: Install needed tools
-  package:
-    name:
-      - tar
-      - zstd
-      - unzip
-      - acl
-  tags: consul
-
-- when: consul_install_mode != 'none'
-  block:
-    - name: Download consul
-      get_url:
-        url: "{{ consul_archive_url }}"
-        dest: "{{ consul_root_dir }}/tmp"
-        checksum: sha256:{{ consul_archive_sha256 }}
-
-    - name: Extract the archive
-      unarchive:
-        src: "{{ consul_root_dir }}/tmp/consul_{{ consul_version }}_linux_amd64.zip"
-        dest: "{{ consul_root_dir }}/tmp"
-        remote_src: True
-
-    - name: Install consul binary
-      copy:
-        src: "{{ consul_root_dir }}/tmp/consul"
-        dest: "{{ consul_root_dir }}/bin/consul"
-        remote_src: True
-        mode: 755
-      notify: restart consul
-
-    - name: Link in /usr/local/bin
-      file: src={{ consul_root_dir }}/bin/consul dest=/usr/local/bin/consul state=link force=True
-
-  tags: consul
-
-- name: Install bash completion support
-  copy:
-    content: |
-      complete -C {{ consul_root_dir }}/bin/consul consul
-    dest: /etc/bash_completion.d/consul
-    mode: 0644
-  tags: consul
-
 - name: Deploy systemd service unit
   template: src=consul.service.j2 dest=/etc/systemd/system/consul.service
   register: consul_unit
@@ -67,3 +23,17 @@
     - pre
     - post
   tags: consul
+
+- name: Create tmpfiles fragment
+  copy:
+    content: |
+      d /run/nomad 770 root {{ consul_user }}
+    dest: /etc/tmpfiles.d/consul.conf
+  notify: systemd-tmpfiles
+  register: consul_tmpfiles
+  tags: consul
+
+- name: Create tmpfiles
+  command: systemd-tmpfiles --create
+  when: consul_tmpfiles.changed
+  tags: consul

roles/consul/tasks/main.yml

@@ -9,10 +9,6 @@
 - include_tasks: facts.yml
   tags: always
 
-- include_tasks: archive_pre.yml
-  when: consul_install_mode | default('none') == 'upgrade'
-  tags: always
-
 - include_tasks: install.yml
   tags: always
 
@@ -26,10 +22,6 @@
 - include_tasks: services.yml
   tags: always
 
-- include_tasks: archive_post.yml
-  when: consul_install_mode | default('none') == 'upgrade'
-  tags: always
-
 - include_tasks: cleanup.yml
   tags: always
 

roles/consul/templates/consul.service.j2

@@ -5,12 +5,13 @@ Requires=network-online.target
 After=network-online.target
 ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl
 
+# Consul version {{ consul_current_version }}
 [Service]
 Type=notify
 EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env
 User={{ consul_user }}
 Group={{ consul_user }}
-ExecStart={{ consul_root_dir }}/bin/consul agent -config-dir={{ consul_root_dir }}/etc/
+ExecStart=/usr/local/bin/consul agent -config-dir={{ consul_root_dir }}/etc/
 ExecReload=/bin/kill --signal HUP $MAINPID
 SuccessExitStatus=1
 Restart=on-failure

roles/consul_bin/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+
+# Version of consul to deploy
+consul_version: 1.16.0
+# URL from where the consul archive will be downloaded
+consul_archive_url: https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip
+# Expected sha256 of the archive
+consul_archive_sha256: c112d1b2ffcfa7d98cde5508bec3bce383ed3650290cc8be3cfe682b79bb13f1

roles/consul_bin/tasks/facts.yml

@@ -0,0 +1,36 @@
+---
+
+# Load distribution specific variables
+- include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+  tags: consul
+
+- set_fact: consul_install_mode='none'
+  tags: consul
+
+- name: Detect if consul is installed
+  stat: path=/usr/local/bin/consul
+  register: consul_bin
+  tags: consul
+
+- when: not consul_bin.stat.exists
+  set_fact: consul_install_mode='install'
+  tags: consul
+
+- when: consul_bin.stat.exists
+  block:
+    - name: Detect installed version
+      shell: /usr/local/bin/consul version | head -1 | perl -pe 's/Consul v(\d+(\.\d+)*)/$1/'
+      changed_when: False
+      register: consul_current_version
+    - set_fact: consul_current_version={{ consul_current_version.stdout }}
+  tags: consul
+
+- when: consul_bin.stat.exists and consul_current_version != consul_version
+  set_fact: consul_install_mode='upgrade'
+  tags: consul
+

roles/consul_bin/tasks/install.yml

@@ -0,0 +1,46 @@
+---
+
+- name: Install needed tools
+  package:
+    name: "{{ consul_packages }}"
+  tags: consul
+
+# Migrate from the old vault role
+- name: Check if consul is a link
+  stat: path=/usr/local/bin/vault
+  register: consul_link
+  tags: vault
+
+- when: consul_link.stat.islnk is defined and consul_link.stat.islnk
+  block:
+    - name: Remove consul link
+      file: path=/usr/local/bin/consul state=absent
+    - set_fact: consul_install_mode='upgrade'
+  tags: vault
+
+- when: consul_install_mode != 'none'
+  block:
+    - name: Download consul
+      get_url:
+        url: "{{ consul_archive_url }}"
+        dest: /tmp
+        checksum: sha256:{{ consul_archive_sha256 }}
+
+    - name: Extract the archive
+      unarchive:
+        src: "/tmp/consul_{{ consul_version }}_linux_amd64.zip"
+        dest: /usr/local/bin
+        include: consul
+        mode: 755
+        remote_src: True
+
+  tags: consul
+
+- name: Install bash completion support
+  copy:
+    content: |
+      complete -C {{ consul_root_dir }}/bin/consul consul
+    dest: /etc/bash_completion.d/consul
+    mode: 0644
+  tags: consul
+

roles/consul_bin/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+
+- include_tasks: facts.yml
+  tags: always
+
+- include_tasks: install.yml
+  tags: always

roles/consul_bin/vars/RedHat.yml

@@ -0,0 +1,7 @@
+---
+
+consul_packages:
+  - tar
+  - zstd
+  - unzip
+  - acl

roles/vault/defaults/main.yml

@@ -1,7 +1,159 @@
-# Version of Vault to install
-vault_version: 1.14.0
-# URL of the archive
-vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip
-# Expected sha256 of the archive
-vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50
+---
 
+# Root dir where Nomad will be installed
+vault_root_dir: /opt/vault
+
+# user under which vault will run.
+vault_user: vault
+
+# Setting vault_letsencrypt_cert will automate cert configuration
+# using Let's Encrypt. The server need to have the letsencrypt role assigned
+# Note that you probably want to use dns-01 challenges in this case so you won't have to
+# expose your vault server on the public internet
+# vault_letsencrypt_cert: "{{ inventory_hostname }}"
+
+# A token having backup (raft snapshot) permission. If set, ansible will
+# take a snapshot of the data before upgrading vault
+# vault_bkp_token: XXXXX
+
+# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
+vault_base_services:
+  api:
+    port: 8200
+    src_ip: []
+  cluster:
+    port: 8201
+    src_ip: [] # You should set this to the IP / CIDR of your other servers
+
+# Exemple
+# vault_extra_services:
+#   cluster:
+#     src_ip:
+#       - 10.127.0.10
+#       - 10.145.99.60
+vault_extra_services: {}
+vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}"
+
+# Configuration of the service (which will be converted to JSON)
+# The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily
+vault_base_conf:
+  # Name of the Vault cluster
+  cluster_name: Vault Cluster
+
+  # Log settings
+  log_level: INFO
+  log_format: standard
+
+  # Plugin settings
+  plugin_directory: "{{ vault_root_dir }}/plugins"
+  # This means vault will expect plugins to be owned by root
+  plugin_file_uid: 0
+
+  # Is the UI enabled ?
+  ui: True
+
+  # TCP listeners
+  listeners:
+    # Address/port on which vault will bind for API requests
+    - address: 0.0.0.0:{{ vault_services.api.port }}
+      # Address/port on which vault will bind for inter-node communications
+      cluster_address: 0.0.0.0:{{ vault_services.cluster.port }}
+
+      # Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated
+      # by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here
+      # Only change if you want to manually control the certificate to use
+      tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt"
+      tls_key_file: "{{ vault_root_dir }}/tls/vault.key"
+
+      # List of IP address for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR
+      x_forwarded_for_authorized_addrs: []
+      # If x_forwarded_for_authorized_addrs is set and a request does not have X-Forwarded-For address, should it be rejected
+      # Default is False which means you can reach vault both directly or through your reverse proxy
+      x_forwarded_for_reject_not_present: False
+
+      telemetry:
+        # Allow unauthenticated access to /v1/sys/metrics
+        unauthenticated_metrics_access: True
+
+  # URL of the API to advertise
+  api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }}
+  # URL of the inter-node communication endpoint to advertise
+  cluster_addr: https://{{ inventory_hostname }}:{{ vault_services.cluster.port }}
+
+  # When using integrated raft storage, mlock should be disabled
+  disable_mlock: True
+
+  storage:
+    # Integrated raf storage
+    raft:
+      path: "{{ vault_root_dir }}/data"
+      node_id: "{{ inventory_hostname }}"
+      performance_multiplier: 1
+      # retry_join:
+      #   - leader_api_addr: https://vault-1.example.org:8200
+      #     leader_ca_cert: /opt/vault/tls/ca-vault-1.crt
+      #   - leader_api_addr: https://vault-2.example.org:8200
+      #   - leader_api_addr: https://vault-3.example.org:8200
+      retry_join: []
+
+  # Service registration on consul
+  #service_registration:
+  #  address: http://localhost:8500
+  #  service: vault
+  #  token: XXXXX
+  #  service_tags:
+  #    - "traefik.enable=true"
+  #    - "traefik.http.routers.http.entrypoints=https"
+  #    - "traefik.http.routers.http.rule=Host(`vault.example.org`)"
+  #  tls_ca_file: /opt/vault/tls/consul_ca.crt
+  #  tls_cert_file: /opt/vault/tls/consul_cert.crt
+  #  tls_key_file: /opt/vault/tls/consul_key.crt
+
+  telemetry:
+    prometheus_retention_time: 1h
+    disable_hostname: True
+    enable_hostname_label: True
+
+# You can add additional paramters in vault_extra_conf (or vault_host_conf)
+# they will be merged into the vault_base_conf before rendering
+# Example
+# vault_extra_conf:
+#   cluster_name: Vault Production
+#   storage:
+#     raft:
+#       retry_join:
+#         leader_api_addr: https://vault1.example.org:8201
+vault_extra_conf: {}
+vault_host_conf: {}
+# Merge all the conf
+vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}"
+
+# This can be used to spawn a consul-template service which will obtain and renew client cert
+# to reach Nomad API, so the Nomad secret can be used securely
+vault_base_secrets:
+  # The vault API to query. Default is our own API
+  vault_address: "{{ vault_conf.api_addr }}"
+  # The vault token to use
+  vault_token: XXXXXXX
+  nomad:
+    enabled: False
+    # The Nomad API address
+    address: https://nomad.service.consul:4646
+    # The Nomad management token vault will use to issue tokens for users
+    token: XXXXXXX
+    pki:
+      # The path where the PKI used by Nomad is mounted. The PKI must be mounted and configured
+      path: /pki/nomad
+      # The role used to issue the certificate
+      role: nomad-user
+      # The TTL of the certificate issued for vault
+      ttl: 72h
+      # The common name of the certificate
+      cn: vault
+    secret:
+      # The path where the Nomad secret engine is mounted
+      # Note: the secret must be already mounted
+      path: nomad
+vault_extra_secrets: {}
+vault_host_secrets: {}
+vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"

roles/vault/meta/main.yml

@@ -2,5 +2,5 @@
 
 dependencies:
   - role: mkdir
-  - role: vault
+  - role: vault_bin
   - role: consul_template

roles/vault/tasks/directories.yml

@@ -20,7 +20,6 @@
       owner: root
       group: root
       mode: 700
-    - dir: bin
     - dir: plugins
     - dir: tmp
       owner: "{{ vault_user }}"

roles/vault/tasks/facts.yml

@@ -1,29 +1,6 @@
 ---
 
-# Load distribution specific variables
-- include_vars: "{{ item }}"
-  with_first_found:
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
-  tags: vault
-
-- set_fact:
-    vault_install_mode: 'none'
-  tags: vault
-
-- name: Detect if vault is installed
-  stat: path=/usr/local/bin/vault
-  register: vault_bin
-  tags: vault
-
-- when: not vault_bin.stat.exists
-  set_fact: vault_install_mode='install'
-  tags: vault
-
-- when: vault_bin.stat.exists
-  block:
+- block:
     - name: Detect installed version
       shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
       changed_when: False
@@ -32,7 +9,3 @@
         vault_current_version: "{{ vault_current_version.stdout }}"
   tags: vault
 
-- when: vault_bin.stat.exists and vault_current_version != vault_version
-  set_fact: vault_install_mode='upgrade'
-  tags: vault
-

roles/vault/tasks/install.yml

@@ -1,52 +1,31 @@
 ---
 
-- name: Install needed tools
-  package:
-    name: "{{ vault_packages }}"
+- name: Deploy systemd service unit
+  template: src=vault.service.j2 dest=/etc/systemd/system/vault.service
+  register: vault_unit
+  notify: restart vault
   tags: vault
 
-# Migrate from the old vault role
-- name: Check if vualt is a link
-  stat: path=/usr/local/bin/vault
-  register: vault_link
+- name: Install consul-template unit
+  template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service
+  notify: restart consul-template-vault
+  register: vault_secrets_nomad_unit
   tags: vault
 
-- when: vault_link.stat.islnk is defined and vault_link.stat.islnk
-  block:
-
-    - name: Remove vault link
-      file: path=/usr/local/bin/vault state=absent
-
-    - set_fact: vault_install_mode='upgrade'
-
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: vault_unit.changed or vault_secrets_nomad_unit.changed
   tags: vault
 
-- when: vault_install_mode != 'none'
-  block:
-    - name: Download vault
-      get_url:
-        url: "{{ vault_archive_url }}"
-        dest: /tmp
-        checksum: sha256:{{ vault_archive_sha256 }}
-
-    - name: Extract the archive
-      unarchive:
-        src: /tmp/vault_{{ vault_version }}_linux_amd64.zip
-        dest: /usr/local/bin
-        include: vault
-        remote_src: True
-        mode: 755
-
-    - name: Remove ZIP archive
-      file: path=/tmp/vault_{{ vault_version }}_linux_amd64.zip state=absent
-
+- name: Install dehydrated hook
+  template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755
   tags: vault
 
-- name: Install bash completion support
+- name: Install profile script
   copy:
     content: |
-      complete -C /usr/local/bin/vault vault
-    dest: /etc/bash_completion.d/vault
-    mode: 0644
+      #!/bin/sh
+      export VAULT_ADDR={{ vault_conf.api_addr }}
+    dest: /etc/profile.d/vault.sh
+    mode: 0755
   tags: vault
-

roles/vault/tasks/main.yml

@@ -1,7 +1,27 @@
 ---
 
+- include_tasks: user.yml
+  tags: always
+
+- include_tasks: directories.yml
+  tags: always
+
 - include_tasks: facts.yml
   tags: always
 
 - include_tasks: install.yml
   tags: always
+
+- include_tasks: conf.yml
+  tags: always
+
+- include_tasks: iptables.yml
+  when: iptables_manage | default(True)
+  tags: always
+
+- include_tasks: services.yml
+  tags: always
+
+- include_tasks: cleanup.yml
+  tags: always
+

roles/vault_bin/defaults/main.yml

@@ -0,0 +1,7 @@
+# Version of Vault to install
+vault_version: 1.14.0
+# URL of the archive
+vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip
+# Expected sha256 of the archive
+vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50
+

roles/vault_bin/tasks/facts.yml

@@ -0,0 +1,38 @@
+---
+
+# Load distribution specific variables
+- include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+  tags: vault
+
+- set_fact:
+    vault_install_mode: 'none'
+  tags: vault
+
+- name: Detect if vault is installed
+  stat: path=/usr/local/bin/vault
+  register: vault_bin
+  tags: vault
+
+- when: not vault_bin.stat.exists
+  set_fact: vault_install_mode='install'
+  tags: vault
+
+- when: vault_bin.stat.exists
+  block:
+    - name: Detect installed version
+      shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
+      changed_when: False
+      register: vault_current_version
+    - set_fact:
+        vault_current_version: "{{ vault_current_version.stdout }}"
+  tags: vault
+
+- when: vault_bin.stat.exists and vault_current_version != vault_version
+  set_fact: vault_install_mode='upgrade'
+  tags: vault
+

roles/vault_bin/tasks/install.yml

@@ -0,0 +1,52 @@
+---
+
+- name: Install needed tools
+  package:
+    name: "{{ vault_packages }}"
+  tags: vault
+
+# Migrate from the old vault role
+- name: Check if vault is a link
+  stat: path=/usr/local/bin/vault
+  register: vault_link
+  tags: vault
+
+- when: vault_link.stat.islnk is defined and vault_link.stat.islnk
+  block:
+
+    - name: Remove vault link
+      file: path=/usr/local/bin/vault state=absent
+
+    - set_fact: vault_install_mode='upgrade'
+
+  tags: vault
+
+- when: vault_install_mode != 'none'
+  block:
+    - name: Download vault
+      get_url:
+        url: "{{ vault_archive_url }}"
+        dest: /tmp
+        checksum: sha256:{{ vault_archive_sha256 }}
+
+    - name: Extract the archive
+      unarchive:
+        src: /tmp/vault_{{ vault_version }}_linux_amd64.zip
+        dest: /usr/local/bin
+        include: vault
+        remote_src: True
+        mode: 755
+
+    - name: Remove ZIP archive
+      file: path=/tmp/vault_{{ vault_version }}_linux_amd64.zip state=absent
+
+  tags: vault
+
+- name: Install bash completion support
+  copy:
+    content: |
+      complete -C /usr/local/bin/vault vault
+    dest: /etc/bash_completion.d/vault
+    mode: 0644
+  tags: vault
+

roles/vault_bin/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+
+- include_tasks: facts.yml
+  tags: always
+
+- include_tasks: install.yml
+  tags: always

roles/vault_server/defaults/main.yml

@@ -1,159 +0,0 @@
----
-
-# Root dir where Nomad will be installed
-vault_root_dir: /opt/vault
-
-# user under which vault will run.
-vault_user: vault
-
-# Setting vault_letsencrypt_cert will automate cert configuration
-# using Let's Encrypt. The server need to have the letsencrypt role assigned
-# Note that you probably want to use dns-01 challenges in this case so you won't have to
-# expose your vault server on the public internet
-# vault_letsencrypt_cert: "{{ inventory_hostname }}"
-
-# A token having backup (raft snapshot) permission. If set, ansible will
-# take a snapshot of the data before upgrading vault
-# vault_bkp_token: XXXXX
-
-# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
-vault_base_services:
-  api:
-    port: 8200
-    src_ip: []
-  cluster:
-    port: 8201
-    src_ip: [] # You should set this to the IP / CIDR of your other servers
-
-# Exemple
-# vault_extra_services:
-#   cluster:
-#     src_ip:
-#       - 10.127.0.10
-#       - 10.145.99.60
-vault_extra_services: {}
-vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}"
-
-# Configuration of the service (which will be converted to JSON)
-# The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily
-vault_base_conf:
-  # Name of the Vault cluster
-  cluster_name: Vault Cluster
-
-  # Log settings
-  log_level: INFO
-  log_format: standard
-
-  # Plugin settings
-  plugin_directory: "{{ vault_root_dir }}/plugins"
-  # This means vault will expect plugins to be owned by root
-  plugin_file_uid: 0
-
-  # Is the UI enabled ?
-  ui: True
-
-  # TCP listeners
-  listeners:
-    # Address/port on which vault will bind for API requests
-    - address: 0.0.0.0:{{ vault_services.api.port }}
-      # Address/port on which vault will bind for inter-node communications
-      cluster_address: 0.0.0.0:{{ vault_services.cluster.port }}
-
-      # Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated
-      # by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here
-      # Only change if you want to manually control the certificate to use
-      tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt"
-      tls_key_file: "{{ vault_root_dir }}/tls/vault.key"
-
-      # List of IP address for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR
-      x_forwarded_for_authorized_addrs: []
-      # If x_forwarded_for_authorized_addrs is set and a request does not have X-Forwarded-For address, should it be rejected
-      # Default is False which means you can reach vault both directly or through your reverse proxy
-      x_forwarded_for_reject_not_present: False
-
-      telemetry:
-        # Allow unauthenticated access to /v1/sys/metrics
-        unauthenticated_metrics_access: True
-
-  # URL of the API to advertise
-  api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }}
-  # URL of the inter-node communication endpoint to advertise
-  cluster_addr: https://{{ inventory_hostname }}:{{ vault_services.cluster.port }}
-
-  # When using integrated raft storage, mlock should be disabled
-  disable_mlock: True
-
-  storage:
-    # Integrated raf storage
-    raft:
-      path: "{{ vault_root_dir }}/data"
-      node_id: "{{ inventory_hostname }}"
-      performance_multiplier: 1
-      # retry_join:
-      #   - leader_api_addr: https://vault-1.example.org:8200
-      #     leader_ca_cert: /opt/vault/tls/ca-vault-1.crt
-      #   - leader_api_addr: https://vault-2.example.org:8200
-      #   - leader_api_addr: https://vault-3.example.org:8200
-      retry_join: []
-
-  # Service registration on consul
-  #service_registration:
-  #  address: http://localhost:8500
-  #  service: vault
-  #  token: XXXXX
-  #  service_tags:
-  #    - "traefik.enable=true"
-  #    - "traefik.http.routers.http.entrypoints=https"
-  #    - "traefik.http.routers.http.rule=Host(`vault.example.org`)"
-  #  tls_ca_file: /opt/vault/tls/consul_ca.crt
-  #  tls_cert_file: /opt/vault/tls/consul_cert.crt
-  #  tls_key_file: /opt/vault/tls/consul_key.crt
-
-  telemetry:
-    prometheus_retention_time: 1h
-    disable_hostname: True
-    enable_hostname_label: True
-
-# You can add additional paramters in vault_extra_conf (or vault_host_conf)
-# they will be merged into the vault_base_conf before rendering
-# Example
-# vault_extra_conf:
-#   cluster_name: Vault Production
-#   storage:
-#     raft:
-#       retry_join:
-#         leader_api_addr: https://vault1.example.org:8201
-vault_extra_conf: {}
-vault_host_conf: {}
-# Merge all the conf
-vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}"
-
-# This can be used to spawn a consul-template service which will obtain and renew client cert
-# to reach Nomad API, so the Nomad secret can be used securely
-vault_base_secrets:
-  # The vault API to query. Default is our own API
-  vault_address: "{{ vault_conf.api_addr }}"
-  # The vault token to use
-  vault_token: XXXXXXX
-  nomad:
-    enabled: False
-    # The Nomad API address
-    address: https://nomad.service.consul:4646
-    # The Nomad management token vault will use to issue tokens for users
-    token: XXXXXXX
-    pki:
-      # The path where the PKI used by Nomad is mounted. The PKI must be mounted and configured
-      path: /pki/nomad
-      # The role used to issue the certificate
-      role: nomad-user
-      # The TTL of the certificate issued for vault
-      ttl: 72h
-      # The common name of the certificate
-      cn: vault
-    secret:
-      # The path where the Nomad secret engine is mounted
-      # Note: the secret must be already mounted
-      path: nomad
-vault_extra_secrets: {}
-vault_host_secrets: {}
-vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"

roles/vault_server/tasks/facts.yml

@@ -1,11 +0,0 @@
----
-
-- block:
-    - name: Detect installed version
-      shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
-      changed_when: False
-      register: vault_current_version
-    - set_fact:
-        vault_current_version: "{{ vault_current_version.stdout }}"
-  tags: vault
-

roles/vault_server/tasks/install.yml

@@ -1,31 +0,0 @@
----
-
-- name: Deploy systemd service unit
-  template: src=vault.service.j2 dest=/etc/systemd/system/vault.service
-  register: vault_unit
-  notify: restart vault
-  tags: vault
-
-- name: Install consul-template unit
-  template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service
-  notify: restart consul-template-vault
-  register: vault_secrets_nomad_unit
-  tags: vault
-
-- name: Reload systemd
-  systemd: daemon_reload=True
-  when: vault_unit.changed or vault_secrets_nomad_unit.changed
-  tags: vault
-
-- name: Install dehydrated hook
-  template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755
-  tags: vault
-
-- name: Install profile script
-  copy:
-    content: |
-      #!/bin/sh
-      export VAULT_ADDR={{ vault_conf.api_addr }}
-    dest: /etc/profile.d/vault.sh
-    mode: 0755
-  tags: vault

roles/vault_server/tasks/main.yml

@@ -1,27 +0,0 @@
----
-
-- include_tasks: user.yml
-  tags: always
-
-- include_tasks: directories.yml
-  tags: always
-
-- include_tasks: facts.yml
-  tags: always
-
-- include_tasks: install.yml
-  tags: always
-
-- include_tasks: conf.yml
-  tags: always
-
-- include_tasks: iptables.yml
-  when: iptables_manage | default(True)
-  tags: always
-
-- include_tasks: services.yml
-  tags: always
-
-- include_tasks: cleanup.yml
-  tags: always
-