From 91f93843618d7ed30f2f5115b0dc0256c95ceaaa Mon Sep 17 00:00:00 2001 
From: Daniel Berteaud Date: Mon, 3 Jul 2023 15:00:09 +0200 Subject: [PATCH] Update to 2023-07-03 15:00 --- roles/consul/defaults/main.yml | 7 - roles/consul/meta/main.yml | 1 + roles/consul/tasks/archive_post.yml | 14 -- roles/consul/tasks/archive_pre.yml | 27 --- roles/consul/tasks/cleanup.yml | 4 +- roles/consul/tasks/directories.yml | 5 - roles/consul/tasks/facts.yml | 19 +- roles/consul/tasks/install.yml | 58 ++----- roles/consul/tasks/main.yml | 8 - roles/consul/templates/consul.service.j2 | 3 +- roles/consul_bin/defaults/main.yml | 8 + roles/consul_bin/tasks/facts.yml | 36 ++++ roles/consul_bin/tasks/install.yml | 46 +++++ roles/consul_bin/tasks/main.yml | 7 + roles/consul_bin/vars/RedHat.yml | 7 + roles/vault/defaults/main.yml | 164 +++++++++++++++++- .../{vault_server => vault}/handlers/main.yml | 0 roles/{vault_server => vault}/meta/main.yml | 2 +- .../{vault_server => vault}/tasks/cleanup.yml | 0 roles/{vault_server => vault}/tasks/conf.yml | 0 .../tasks/directories.yml | 1 - roles/vault/tasks/facts.yml | 29 +--- roles/vault/tasks/install.yml | 57 ++---- .../tasks/iptables.yml | 0 roles/vault/tasks/main.yml | 20 +++ .../tasks/services.yml | 0 roles/{vault_server => vault}/tasks/user.yml | 0 .../consul-template-vault.service.j2 | 0 .../templates/consul-template.hcl.j2 | 0 .../templates/dehydrated_hook.j2 | 0 .../templates/logrotate.conf.j2 | 0 .../templates/nomad_client_bundle.pem.tpl.j2 | 0 .../templates/update_nomad_cert.j2 | 0 .../templates/vault.hcl.j2 | 0 .../templates/vault.service.j2 | 0 roles/vault_bin/defaults/main.yml | 7 + roles/vault_bin/tasks/facts.yml | 38 ++++ roles/vault_bin/tasks/install.yml | 52 ++++++ roles/vault_bin/tasks/main.yml | 7 + roles/{vault => vault_bin}/vars/RedHat.yml | 0 roles/vault_server/defaults/main.yml | 159 ----------------- roles/vault_server/tasks/facts.yml | 11 -- roles/vault_server/tasks/install.yml | 31 ---- roles/vault_server/tasks/main.yml | 27 --- 44 files changed, 426 insertions(+), 429 deletions(-) delete 
mode 100644 roles/consul/tasks/archive_post.yml delete mode 100644 roles/consul/tasks/archive_pre.yml create mode 100644 roles/consul_bin/defaults/main.yml create mode 100644 roles/consul_bin/tasks/facts.yml create mode 100644 roles/consul_bin/tasks/install.yml create mode 100644 roles/consul_bin/tasks/main.yml create mode 100644 roles/consul_bin/vars/RedHat.yml rename roles/{vault_server => vault}/handlers/main.yml (100%) rename roles/{vault_server => vault}/meta/main.yml (75%) rename roles/{vault_server => vault}/tasks/cleanup.yml (100%) rename roles/{vault_server => vault}/tasks/conf.yml (100%) rename roles/{vault_server => vault}/tasks/directories.yml (98%) rename roles/{vault_server => vault}/tasks/iptables.yml (100%) rename roles/{vault_server => vault}/tasks/services.yml (100%) rename roles/{vault_server => vault}/tasks/user.yml (100%) rename roles/{vault_server => vault}/templates/consul-template-vault.service.j2 (100%) rename roles/{vault_server => vault}/templates/consul-template.hcl.j2 (100%) rename roles/{vault_server => vault}/templates/dehydrated_hook.j2 (100%) rename roles/{vault_server => vault}/templates/logrotate.conf.j2 (100%) rename roles/{vault_server => vault}/templates/nomad_client_bundle.pem.tpl.j2 (100%) rename roles/{vault_server => vault}/templates/update_nomad_cert.j2 (100%) rename roles/{vault_server => vault}/templates/vault.hcl.j2 (100%) rename roles/{vault_server => vault}/templates/vault.service.j2 (100%) create mode 100644 roles/vault_bin/defaults/main.yml create mode 100644 roles/vault_bin/tasks/facts.yml create mode 100644 roles/vault_bin/tasks/install.yml create mode 100644 roles/vault_bin/tasks/main.yml rename roles/{vault => vault_bin}/vars/RedHat.yml (100%) delete mode 100644 roles/vault_server/defaults/main.yml delete mode 100644 roles/vault_server/tasks/facts.yml delete mode 100644 roles/vault_server/tasks/install.yml delete mode 100644 roles/vault_server/tasks/main.yml 
diff --git a/roles/consul/defaults/main.yml b/roles/consul/defaults/main.yml index c3dd781..ec3b57c 100644 --- a/roles/consul/defaults/main.yml +++ b/roles/consul/defaults/main.yml @@ -1,12 +1,5 @@ --- -# Version of consul to deploy -consul_version: 1.16.0 -# URL from where the consul archive will be downloaded -consul_archive_url: https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip -# Expected sha256 of the archive -consul_archive_sha256: c112d1b2ffcfa7d98cde5508bec3bce383ed3650290cc8be3cfe682b79bb13f1 - # user account under which consul will run (will be created if needed) consul_user: consul diff --git a/roles/consul/meta/main.yml b/roles/consul/meta/main.yml index 754933e..37d4959 100644 --- a/roles/consul/meta/main.yml +++ b/roles/consul/meta/main.yml @@ -1,4 +1,5 @@ --- dependencies: + - role: consul_bin - role: consul_template diff --git a/roles/consul/tasks/archive_post.yml b/roles/consul/tasks/archive_post.yml deleted file mode 100644 index 42b85e9..0000000 --- a/roles/consul/tasks/archive_post.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -- name: Compress previous version - command: tar cf {{ consul_root_dir }}/archives/{{ consul_current_version }}.tar.zst --use-compress-program=zstd ./ - args: - chdir: "{{ consul_root_dir }}/archives/{{ consul_current_version }}" - environment: - ZSTD_CLEVEL: 10 - tags: consul - -- name: Remove archive dir - file: path={{ consul_root_dir }}/archives/{{ consul_current_version }} state=absent - tags: consul - diff --git a/roles/consul/tasks/archive_pre.yml b/roles/consul/tasks/archive_pre.yml deleted file mode 100644 index efe4e18..0000000 --- a/roles/consul/tasks/archive_pre.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- - -- name: Create the archive dir - file: path={{ consul_root_dir }}/archives/{{ consul_current_version }} state=directory - tags: consul - -- name: Snapshot consul data - command: "{{ consul_root_dir }}/bin/consul snapshot save {{ consul_root_dir }}/archives/{{ consul_current_version }}/consul.snap" - args: - creates: "{{ consul_root_dir }}/archives/{{ consul_current_version }}/consul.snap" - when: - - consul_conf.server - - not consul_conf.acl.enabled or consul_mgm_token is defined - environment: - CONSUL_TOKEN: "{{ consul_mgm_token | default('') }}" - tags: consul - -- name: Backup previous version - synchronize: - src: "{{ consul_root_dir }}/{{ item }}" - dest: "{{ consul_root_dir }}/archives/{{ consul_current_version }}/" - compress: False - delegate_to: "{{ inventory_hostname }}" - loop: - - bin - tags: consul - diff --git a/roles/consul/tasks/cleanup.yml b/roles/consul/tasks/cleanup.yml index 6bcfd42..57f5c3e 100644 --- a/roles/consul/tasks/cleanup.yml +++ b/roles/consul/tasks/cleanup.yml @@ -3,6 +3,6 @@ - name: Remove tmp and obsolete files file: path={{ item }} state=absent loop: - - "{{ consul_root_dir }}/tmp/consul_{{ consul_version }}_linux_amd64.zip" - - "{{ consul_root_dir }}/tmp/consul" + - "{{ consul_root_dir }}/archives" + - "{{ consul_root_dir }}/bin" tags: consul diff --git a/roles/consul/tasks/directories.yml b/roles/consul/tasks/directories.yml index f715f7c..188a133 100644 --- a/roles/consul/tasks/directories.yml +++ b/roles/consul/tasks/directories.yml @@ -7,10 +7,6 @@ owner: root group: root mode: 755 - - dir: archives - owner: root - group: root - mode: 700 - dir: backup owner: root group: root @@ -19,7 +15,6 @@ owner: root group: root mode: 700 - - dir: bin - dir: tmp owner: "{{ consul_user }}" group: "{{ consul_user }}" diff --git a/roles/consul/tasks/facts.yml b/roles/consul/tasks/facts.yml index aac97bf..f28920a 100644 --- a/roles/consul/tasks/facts.yml +++ b/roles/consul/tasks/facts.yml 
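Review bot: The new `loop` entries in cleanup.yml delete `{{ consul_root_dir }}/archives` on every run, and that directory is where the removed archive_pre.yml stored the pre-upgrade `consul.snap` snapshots and the `.tar.zst` copies of previous binaries, so any existing backups are destroyed unconditionally rather than once as a migration step. The `bin` entry also removes the target of the old `/usr/local/bin/consul` symlink; this is only safe because consul_bin runs first as a meta dependency and replaces the link with a regular file, which deserves a comment above the task: `# Remove dirs from the old archive/upgrade flow; /usr/local/bin/consul is now a real binary installed by consul_bin`. Consider leaving `archives` out of the loop, or gating it so operators can relocate existing snapshots before they are deleted.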
@@ -1,19 +1,6 @@ --- -- set_fact: consul_install_mode='none' - tags: consul - -- name: Detect if consul is installed - stat: path=/usr/local/bin/consul - register: consul_bin - tags: consul - -- when: not consul_bin.stat.exists - set_fact: consul_install_mode='install' - tags: consul - -- when: consul_bin.stat.exists - block: +- block: - name: Detect installed version shell: /usr/local/bin/consul version | head -1 | perl -pe 's/Consul v(\d+(\.\d+)*)/$1/' changed_when: False @@ -21,7 +8,3 @@ - set_fact: consul_current_version={{ consul_current_version.stdout }} tags: consul -- when: consul_bin.stat.exists and consul_current_version != consul_version - set_fact: consul_install_mode='upgrade' - tags: consul - diff --git a/roles/consul/tasks/install.yml b/roles/consul/tasks/install.yml index 509c545..402f080 100644 --- a/roles/consul/tasks/install.yml +++ b/roles/consul/tasks/install.yml 
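Review bot: The unconditional `- block:` left in facts.yml repeats the version detection that consul_bin/tasks/facts.yml (a meta dependency that has already run) performs with the same shell pipeline, and nothing says why; reading the role order, this appears to be a deliberate re-read so `consul_current_version` reflects the binary consul_bin may have just upgraded, but that intent is invisible and the two regexes can drift apart if only one is edited. Add a comment above the block such as `# Re-detect after consul_bin has installed/upgraded the binary so the unit template sees the new version`. The block now also assumes `/usr/local/bin/consul` exists, which holds only because consul_bin ran before this role. roles/vault/tasks/facts.yml further down has the same undocumented duplication with vault_bin/tasks/facts.yml.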
@@ -1,49 +1,5 @@ --- -- name: Install needed tools - package: - name: - - tar - - zstd - - unzip - - acl - tags: consul - -- when: consul_install_mode != 'none' - block: - - name: Download consul - get_url: - url: "{{ consul_archive_url }}" - dest: "{{ consul_root_dir }}/tmp" - checksum: sha256:{{ consul_archive_sha256 }} - - - name: Extract the archive - unarchive: - src: "{{ consul_root_dir }}/tmp/consul_{{ consul_version }}_linux_amd64.zip" - dest: "{{ consul_root_dir }}/tmp" - remote_src: True - - - name: Install consul binary - copy: - src: "{{ consul_root_dir }}/tmp/consul" - dest: "{{ consul_root_dir }}/bin/consul" - remote_src: True - mode: 755 - notify: restart consul - - - name: Link in /usr/local/bin - file: src={{ consul_root_dir }}/bin/consul dest=/usr/local/bin/consul state=link force=True - - tags: consul - -- name: Install bash completion support - copy: - content: | - complete -C {{ consul_root_dir }}/bin/consul consul - dest: /etc/bash_completion.d/consul - mode: 0644 - tags: consul - - name: Deploy systemd service unit template: src=consul.service.j2 dest=/etc/systemd/system/consul.service register: consul_unit @@ -67,3 +23,17 @@ - pre - post tags: consul + +- name: Create tmpfiles fragment + copy: + content: | + d /run/nomad 770 root {{ consul_user }} + dest: /etc/tmpfiles.d/consul.conf + notify: systemd-tmpfiles + register: consul_tmpfiles + tags: consul + +- name: Create tmpfiles + command: systemd-tmpfiles --create + when: consul_tmpfiles.changed + tags: consul diff --git a/roles/consul/tasks/main.yml b/roles/consul/tasks/main.yml index 8963d5c..ca166ab 100644 --- a/roles/consul/tasks/main.yml +++ b/roles/consul/tasks/main.yml @@ -9,10 +9,6 @@ - include_tasks: facts.yml tags: always -- include_tasks: archive_pre.yml - when: consul_install_mode | default('none') == 'upgrade' - tags: always - - include_tasks: install.yml tags: always 
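Review bot: The tmpfiles fragment added at the end of install.yml hard-codes `d /run/nomad 770 root {{ consul_user }}` into `/etc/tmpfiles.d/consul.conf` with no explanation of why the consul role grants its service account group-write on a Nomad runtime directory; add a comment naming the purpose, e.g. `# /run/nomad is shared with Nomad; group-writable by consul for <PURPOSE>` with the placeholder filled in. If a nomad role also ships a tmpfiles entry for `/run/nomad`, two definitions of the same path would conflict in systemd-tmpfiles; that cannot be confirmed from this diff. The task both notifies the `systemd-tmpfiles` handler and runs `systemd-tmpfiles --create` immediately, so the same command executes twice on change; one mechanism is enough, and the condition reads better as `when: consul_tmpfiles is changed`.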
@@ -26,10 +22,6 @@ - include_tasks: services.yml tags: always -- include_tasks: archive_post.yml - when: consul_install_mode | default('none') == 'upgrade' - tags: always - - include_tasks: cleanup.yml tags: always diff --git a/roles/consul/templates/consul.service.j2 b/roles/consul/templates/consul.service.j2 index 79ac42f..d9447ce 100644 --- a/roles/consul/templates/consul.service.j2 +++ b/roles/consul/templates/consul.service.j2 @@ -5,12 +5,13 @@ Requires=network-online.target After=network-online.target ConditionFileNotEmpty={{ consul_root_dir }}/etc/consul.hcl +# Consul version {{ consul_current_version }} [Service] Type=notify EnvironmentFile=-{{ consul_root_dir }}/etc/consul.env User={{ consul_user }} Group={{ consul_user }} -ExecStart={{ consul_root_dir }}/bin/consul agent -config-dir={{ consul_root_dir }}/etc/ +ExecStart=/usr/local/bin/consul agent -config-dir={{ consul_root_dir }}/etc/ ExecReload=/bin/kill --signal HUP $MAINPID SuccessExitStatus=1 Restart=on-failure diff --git a/roles/consul_bin/defaults/main.yml b/roles/consul_bin/defaults/main.yml new file mode 100644 index 0000000..4de7b2a --- /dev/null +++ b/roles/consul_bin/defaults/main.yml @@ -0,0 +1,8 @@ +--- + +# Version of consul to deploy +consul_version: 1.16.0 +# URL from where the consul archive will be downloaded +consul_archive_url: https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip +# Expected sha256 of the archive +consul_archive_sha256: c112d1b2ffcfa7d98cde5508bec3bce383ed3650290cc8be3cfe682b79bb13f1 diff --git a/roles/consul_bin/tasks/facts.yml b/roles/consul_bin/tasks/facts.yml new file mode 100644 index 0000000..6f41f80 --- /dev/null +++ b/roles/consul_bin/tasks/facts.yml 
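Review bot: The `# Consul version {{ consul_current_version }}` line added to consul.service.j2 is now what makes the unit change on an upgrade — the old `copy` task that carried `notify: restart consul` is deleted in this commit and consul_bin's `unarchive` notifies nothing — so it is presumably the restart trigger via `register: consul_unit` rather than a cosmetic comment. State that in the template so nobody removes it as noise: `# Consul version {{ consul_current_version }} -- changes on upgrade so the unit is re-deployed and the service restarted`. The template consequently requires `consul_current_version` to be defined, which holds only because the detection block in roles/consul/tasks/facts.yml is now unconditional. `ExecStart=/usr/local/bin/consul` matches consul_bin's `unarchive` destination, so the symlink into `{{ consul_root_dir }}/bin` is no longer needed.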
@@ -0,0 +1,36 @@ +--- + +# Load distribution specific variables +- include_vars: "{{ item }}" + with_first_found: + - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_distribution }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}.yml" + tags: consul + +- set_fact: consul_install_mode='none' + tags: consul + +- name: Detect if consul is installed + stat: path=/usr/local/bin/consul + register: consul_bin + tags: consul + +- when: not consul_bin.stat.exists + set_fact: consul_install_mode='install' + tags: consul + +- when: consul_bin.stat.exists + block: + - name: Detect installed version + shell: /usr/local/bin/consul version | head -1 | perl -pe 's/Consul v(\d+(\.\d+)*)/$1/' + changed_when: False + register: consul_current_version + - set_fact: consul_current_version={{ consul_current_version.stdout }} + tags: consul + +- when: consul_bin.stat.exists and consul_current_version != consul_version + set_fact: consul_install_mode='upgrade' + tags: consul + diff --git a/roles/consul_bin/tasks/install.yml b/roles/consul_bin/tasks/install.yml new file mode 100644 index 0000000..6fb35e5 --- /dev/null +++ b/roles/consul_bin/tasks/install.yml 
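Review bot: The `include_vars` with `with_first_found` in consul_bin/tasks/facts.yml has no fallback candidate, and the only vars file this commit adds is `roles/consul_bin/vars/RedHat.yml`, so on any other OS family the lookup fails before `consul_packages` is defined and the role aborts with a lookup error rather than a clear message. Either append a generic last candidate such as `- "{{ role_path }}/vars/default.yml"` and create that file, or document the supported platforms above the task: `# Only RedHat-family vars are shipped; other distributions need a matching vars/<family>.yml`. The same applies to roles/vault_bin/tasks/facts.yml further down. Note also that `perl`, used by the version-detection pipeline, is not in `consul_packages`, so detection relies on it being present by default.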
@@ -0,0 +1,46 @@ +--- + +- name: Install needed tools + package: + name: "{{ consul_packages }}" + tags: consul + +# Migrate from the old vault role +- name: Check if consul is a link + stat: path=/usr/local/bin/vault + register: consul_link + tags: vault + +- when: consul_link.stat.islnk is defined and consul_link.stat.islnk + block: + - name: Remove consul link + file: path=/usr/local/bin/consul state=absent + - set_fact: consul_install_mode='upgrade' + tags: vault + +- when: consul_install_mode != 'none' + block: + - name: Download consul + get_url: + url: "{{ consul_archive_url }}" + dest: /tmp + checksum: sha256:{{ consul_archive_sha256 }} + + - name: Extract the archive + unarchive: + src: "/tmp/consul_{{ consul_version }}_linux_amd64.zip" + dest: /usr/local/bin + include: consul + mode: 755 + remote_src: True + + tags: consul + +- name: Install bash completion support + copy: + content: | + complete -C {{ consul_root_dir }}/bin/consul consul + dest: /etc/bash_completion.d/consul + mode: 0644 + tags: consul + diff --git a/roles/consul_bin/tasks/main.yml b/roles/consul_bin/tasks/main.yml new file mode 100644 index 0000000..3e2dceb --- /dev/null +++ b/roles/consul_bin/tasks/main.yml @@ -0,0 +1,7 @@ +--- + +- include_tasks: facts.yml + tags: always + +- include_tasks: install.yml + tags: always diff --git a/roles/consul_bin/vars/RedHat.yml b/roles/consul_bin/vars/RedHat.yml new file mode 100644 index 0000000..be782f5 --- /dev/null +++ b/roles/consul_bin/vars/RedHat.yml @@ -0,0 +1,7 @@ +--- + +consul_packages: + - tar + - zstd + - unzip + - acl diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml index 6def85a..f65f117 100644 --- a/roles/vault/defaults/main.yml +++ b/roles/vault/defaults/main.yml 
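Review bot: The migration check in consul_bin/tasks/install.yml stats the wrong path — `stat: path=/usr/local/bin/vault` registered as `consul_link` — so whether the old consul symlink is removed and `consul_install_mode` forced to `upgrade` depends on vault's state, not consul's; it should read `stat: path=/usr/local/bin/consul`, and `tags: vault` on this task and on the following block should be `tags: consul`. On a host migrating from the old layout where the check misfires, the symlink into `{{ consul_root_dir }}/bin` survives, `consul_install_mode` stays `none`, and cleanup.yml then deletes `{{ consul_root_dir }}/bin`, leaving `/usr/local/bin/consul` dangling and the service unable to start. The bash completion task still references `{{ consul_root_dir }}/bin/consul`, a directory this commit removes; use `complete -C /usr/local/bin/consul consul` as vault_bin does. `mode: 755` on the `unarchive` task is an unquoted integer, which Ansible interprets as decimal; write `mode: "0755"` (the same applies in roles/vault_bin/tasks/install.yml).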
@@ -1,7 +1,159 @@ -# Version of Vault to install -vault_version: 1.14.0 -# URL of the archive -vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip -# Expected sha256 of the archive -vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50 +--- +# Root dir where Nomad will be installed +vault_root_dir: /opt/vault + +# user under which vault will run. +vault_user: vault + +# Setting vault_letsencrypt_cert will automate cert configuration +# using Let's Encrypt. The server need to have the letsencrypt role assigned +# Note that you probably want to use dns-01 challenges in this case so you won't have to +# expose your vault server on the public internet +# vault_letsencrypt_cert: "{{ inventory_hostname }}" + +# A token having backup (raft snapshot) permission. If set, ansible will +# take a snapshot of the data before upgrading vault +# vault_bkp_token: XXXXX + +# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall +vault_base_services: + api: + port: 8200 + src_ip: [] + cluster: + port: 8201 + src_ip: [] # You should set this to the IP / CIDR of your other servers + +# Exemple +# vault_extra_services: +# cluster: +# src_ip: +# - 10.127.0.10 +# - 10.145.99.60 +vault_extra_services: {} +vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}" + +# Configuration of the service (which will be converted to JSON) +# The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily +vault_base_conf: + # Name of the Vault cluster + cluster_name: Vault Cluster + + # Log settings + log_level: INFO + log_format: standard + + # Plugin settings + plugin_directory: "{{ vault_root_dir }}/plugins" + # This means vault will expect plugins to be owned by root + plugin_file_uid: 0 + + # Is the UI enabled ? 
+ ui: True + + # TCP listeners + listeners: + # Address/port on which vault will bind for API requests + - address: 0.0.0.0:{{ vault_services.api.port }} + # Address/port on which vault will bind for inter-node communications + cluster_address: 0.0.0.0:{{ vault_services.cluster.port }} + + # Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated + # by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here + # Only change if you want to manually control the certificate to use + tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt" + tls_key_file: "{{ vault_root_dir }}/tls/vault.key" + + # List of IP address for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR + x_forwarded_for_authorized_addrs: [] + # If x_forwarded_for_authorized_addrs is set and a request does not have X-Forwarded-For address, should it be rejected + # Default is False which means you can reach vault both directly or through your reverse proxy + x_forwarded_for_reject_not_present: False + + telemetry: + # Allow unauthenticated access to /v1/sys/metrics + unauthenticated_metrics_access: True + + # URL of the API to advertise + api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }} + # URL of the inter-node communication endpoint to advertise + cluster_addr: https://{{ inventory_hostname }}:{{ vault_services.cluster.port }} + + # When using integrated raft storage, mlock should be disabled + disable_mlock: True + + storage: + # Integrated raf storage + raft: + path: "{{ vault_root_dir }}/data" + node_id: "{{ inventory_hostname }}" + performance_multiplier: 1 + # retry_join: + # - leader_api_addr: https://vault-1.example.org:8200 + # leader_ca_cert: /opt/vault/tls/ca-vault-1.crt + # - leader_api_addr: https://vault-2.example.org:8200 + # - leader_api_addr: https://vault-3.example.org:8200 + retry_join: [] + + # Service registration on consul + 
#service_registration: + # address: http://localhost:8500 + # service: vault + # token: XXXXX + # service_tags: + # - "traefik.enable=true" + # - "traefik.http.routers.http.entrypoints=https" + # - "traefik.http.routers.http.rule=Host(`vault.example.org`)" + # tls_ca_file: /opt/vault/tls/consul_ca.crt + # tls_cert_file: /opt/vault/tls/consul_cert.crt + # tls_key_file: /opt/vault/tls/consul_key.crt + + telemetry: + prometheus_retention_time: 1h + disable_hostname: True + enable_hostname_label: True + +# You can add additional paramters in vault_extra_conf (or vault_host_conf) +# they will be merged into the vault_base_conf before rendering +# Example +# vault_extra_conf: +# cluster_name: Vault Production +# storage: +# raft: +# retry_join: +# leader_api_addr: https://vault1.example.org:8201 +vault_extra_conf: {} +vault_host_conf: {} +# Merge all the conf +vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}" + +# This can be used to spawn a consul-template service which will obtain and renew client cert +# to reach Nomad API, so the Nomad secret can be used securely +vault_base_secrets: + # The vault API to query. Default is our own API + vault_address: "{{ vault_conf.api_addr }}" + # The vault token to use + vault_token: XXXXXXX + nomad: + enabled: False + # The Nomad API address + address: https://nomad.service.consul:4646 + # The Nomad management token vault will use to issue tokens for users + token: XXXXXXX + pki: + # The path where the PKI used by Nomad is mounted. 
The PKI must be mounted and configured + path: /pki/nomad + # The role used to issue the certificate + role: nomad-user + # The TTL of the certificate issued for vault + ttl: 72h + # The common name of the certificate + cn: vault + secret: + # The path where the Nomad secret engine is mounted + # Note: the secret must be already mounted + path: nomad +vault_extra_secrets: {} +vault_host_secrets: {} +vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}" diff --git a/roles/vault_server/handlers/main.yml b/roles/vault/handlers/main.yml similarity index 100% rename from roles/vault_server/handlers/main.yml rename to roles/vault/handlers/main.yml diff --git a/roles/vault_server/meta/main.yml b/roles/vault/meta/main.yml similarity index 75% rename from roles/vault_server/meta/main.yml rename to roles/vault/meta/main.yml index 3417d2e..0d1e888 100644 --- a/roles/vault_server/meta/main.yml +++ b/roles/vault/meta/main.yml @@ -2,5 +2,5 @@ dependencies: - role: mkdir - - role: vault + - role: vault_bin - role: consul_template diff --git a/roles/vault_server/tasks/cleanup.yml b/roles/vault/tasks/cleanup.yml similarity index 100% rename from roles/vault_server/tasks/cleanup.yml rename to roles/vault/tasks/cleanup.yml diff --git a/roles/vault_server/tasks/conf.yml b/roles/vault/tasks/conf.yml similarity index 100% rename from roles/vault_server/tasks/conf.yml rename to roles/vault/tasks/conf.yml diff --git a/roles/vault_server/tasks/directories.yml b/roles/vault/tasks/directories.yml similarity index 98% rename from roles/vault_server/tasks/directories.yml rename to roles/vault/tasks/directories.yml index 197e4e4..854ab3a 100644 --- a/roles/vault_server/tasks/directories.yml +++ b/roles/vault/tasks/directories.yml @@ -20,7 +20,6 @@ owner: root group: root mode: 700 - - dir: bin - dir: plugins - dir: tmp owner: "{{ vault_user }}" 
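Review bot: The header comment in vault/defaults/main.yml reads `# Root dir where Nomad will be installed` above `vault_root_dir: /opt/vault`; it should say Vault. One default is security-relevant on its own and deserves an explicit note: `unauthenticated_metrics_access: True` under the listener's `telemetry` makes `/v1/sys/metrics` readable by anyone who can reach the API port, so add `# When True, /v1/sys/metrics needs no token; keep the API port firewalled or set to False` above it. The `vault_token: XXXXXXX` and `token: XXXXXXX` placeholders in `vault_base_secrets` are presumably rendered into the consul-template configuration when not overridden; document that they must be supplied via `vault_host_secrets` (ideally from a secret store rather than committed inventory) so a placeholder never reaches a running service. Minor style: `True`/`False` capitalised booleans work under Ansible's loader, but `true`/`false` is the portable spelling.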
diff --git a/roles/vault/tasks/facts.yml b/roles/vault/tasks/facts.yml index 9096ab2..419b3de 100644 --- a/roles/vault/tasks/facts.yml +++ b/roles/vault/tasks/facts.yml @@ -1,29 +1,6 @@ --- -# Load distribution specific variables -- include_vars: "{{ item }}" - with_first_found: - - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" - - "{{ role_path }}/vars/{{ ansible_distribution }}.yml" - - "{{ role_path }}/vars/{{ ansible_os_family }}.yml" - tags: vault - -- set_fact: - vault_install_mode: 'none' - tags: vault - -- name: Detect if vault is installed - stat: path=/usr/local/bin/vault - register: vault_bin - tags: vault - -- when: not vault_bin.stat.exists - set_fact: vault_install_mode='install' - tags: vault - -- when: vault_bin.stat.exists - block: +- block: - name: Detect installed version shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/' changed_when: False @@ -32,7 +9,3 @@ vault_current_version: "{{ vault_current_version.stdout }}" tags: vault -- when: vault_bin.stat.exists and vault_current_version != vault_version - set_fact: vault_install_mode='upgrade' - tags: vault - diff --git a/roles/vault/tasks/install.yml b/roles/vault/tasks/install.yml index e5c38ff..07a2158 100644 --- a/roles/vault/tasks/install.yml +++ b/roles/vault/tasks/install.yml 
@@ -1,52 +1,31 @@ --- -- name: Install needed tools - package: - name: "{{ vault_packages }}" +- name: Deploy systemd service unit + template: src=vault.service.j2 dest=/etc/systemd/system/vault.service + register: vault_unit + notify: restart vault tags: vault -# Migrate from the old vault role -- name: Check if vualt is a link - stat: path=/usr/local/bin/vault - register: vault_link +- name: Install consul-template unit + template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service + notify: restart consul-template-vault + register: vault_secrets_nomad_unit tags: vault -- when: vault_link.stat.islnk is defined and vault_link.stat.islnk - block: - - - name: Remove vault link - file: path=/usr/local/bin/vault state=absent - - - set_fact: vault_install_mode='upgrade' - +- name: Reload systemd + systemd: daemon_reload=True + when: vault_unit.changed or vault_secrets_nomad_unit.changed tags: vault -- when: vault_install_mode != 'none' - block: - - name: Download vault - get_url: - url: "{{ vault_archive_url }}" - dest: /tmp - checksum: sha256:{{ vault_archive_sha256 }} - - - name: Extract the archive - unarchive: - src: /tmp/vault_{{ vault_version }}_linux_amd64.zip - dest: /usr/local/bin - include: vault - remote_src: True - mode: 755 - - - name: Remove ZIP archive - file: path=/tmp/vault_{{ vault_version }}_linux_amd64.zip state=absent - +- name: Install dehydrated hook + template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755 tags: vault -- name: Install bash completion support +- name: Install profile script copy: content: | - complete -C /usr/local/bin/vault vault - dest: /etc/bash_completion.d/vault - mode: 0644 + #!/bin/sh + export VAULT_ADDR={{ vault_conf.api_addr }} + dest: /etc/profile.d/vault.sh + mode: 0755 tags: vault - 
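Review bot: The `Install dehydrated hook` task in vault/tasks/install.yml templates into `/etc/dehydrated/hooks_deploy_cert.d/vault` unconditionally, while the defaults describe Let's Encrypt as opt-in via `vault_letsencrypt_cert`; on hosts without the letsencrypt role that directory likely does not exist and the task fails, so guard it with `when: vault_letsencrypt_cert is defined`. In the profile script, quote the exported value, `export VAULT_ADDR="{{ vault_conf.api_addr }}"`, so an api_addr containing shell-special characters cannot break `/etc/profile.d/vault.sh` for every login shell. The remainder of the hunk is the former vault_server install flow moved here, with the download/extract tasks now living in vault_bin.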
diff --git a/roles/vault_server/tasks/iptables.yml b/roles/vault/tasks/iptables.yml similarity index 100% rename from roles/vault_server/tasks/iptables.yml rename to roles/vault/tasks/iptables.yml diff --git a/roles/vault/tasks/main.yml b/roles/vault/tasks/main.yml index 3e2dceb..ca166ab 100644 --- a/roles/vault/tasks/main.yml +++ b/roles/vault/tasks/main.yml @@ -1,7 +1,27 @@ --- +- include_tasks: user.yml + tags: always + +- include_tasks: directories.yml + tags: always + - include_tasks: facts.yml tags: always - include_tasks: install.yml tags: always + +- include_tasks: conf.yml + tags: always + +- include_tasks: iptables.yml + when: iptables_manage | default(True) + tags: always + +- include_tasks: services.yml + tags: always + +- include_tasks: cleanup.yml + tags: always + diff --git a/roles/vault_server/tasks/services.yml b/roles/vault/tasks/services.yml similarity index 100% rename from roles/vault_server/tasks/services.yml rename to roles/vault/tasks/services.yml diff --git a/roles/vault_server/tasks/user.yml b/roles/vault/tasks/user.yml similarity index 100% rename from roles/vault_server/tasks/user.yml rename to roles/vault/tasks/user.yml diff --git a/roles/vault_server/templates/consul-template-vault.service.j2 b/roles/vault/templates/consul-template-vault.service.j2 similarity index 100% rename from roles/vault_server/templates/consul-template-vault.service.j2 rename to roles/vault/templates/consul-template-vault.service.j2 diff --git a/roles/vault_server/templates/consul-template.hcl.j2 b/roles/vault/templates/consul-template.hcl.j2 similarity index 100% rename from roles/vault_server/templates/consul-template.hcl.j2 rename to roles/vault/templates/consul-template.hcl.j2 diff --git a/roles/vault_server/templates/dehydrated_hook.j2 b/roles/vault/templates/dehydrated_hook.j2 similarity index 100% rename from roles/vault_server/templates/dehydrated_hook.j2 rename to roles/vault/templates/dehydrated_hook.j2 
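Review bot: vault/tasks/main.yml now runs the whole server flow (user, directories, facts, install, conf, iptables, services, cleanup), but neither it nor vault_bin contains the pre-upgrade raft snapshot that `vault_bkp_token` promises in defaults (`If set, ansible will take a snapshot of the data before upgrading vault`); because the binary is replaced by the vault_bin dependency before any task in this file runs, there is no longer a point at which such a snapshot could be taken, unless a task file not shown does it. Either add a snapshot task in vault_bin ahead of the `unarchive`, gated on `vault_bkp_token is defined` and `vault_install_mode == 'upgrade'`, or correct the defaults comment so operators do not rely on a backup that does not happen. The consul side has the same regression: the deleted archive_pre.yml previously ran `consul snapshot save` before an upgrade and nothing replaces it.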
diff --git a/roles/vault_server/templates/logrotate.conf.j2 b/roles/vault/templates/logrotate.conf.j2 similarity index 100% rename from roles/vault_server/templates/logrotate.conf.j2 rename to roles/vault/templates/logrotate.conf.j2 diff --git a/roles/vault_server/templates/nomad_client_bundle.pem.tpl.j2 b/roles/vault/templates/nomad_client_bundle.pem.tpl.j2 similarity index 100% rename from roles/vault_server/templates/nomad_client_bundle.pem.tpl.j2 rename to roles/vault/templates/nomad_client_bundle.pem.tpl.j2 diff --git a/roles/vault_server/templates/update_nomad_cert.j2 b/roles/vault/templates/update_nomad_cert.j2 similarity index 100% rename from roles/vault_server/templates/update_nomad_cert.j2 rename to roles/vault/templates/update_nomad_cert.j2 diff --git a/roles/vault_server/templates/vault.hcl.j2 b/roles/vault/templates/vault.hcl.j2 similarity index 100% rename from roles/vault_server/templates/vault.hcl.j2 rename to roles/vault/templates/vault.hcl.j2 diff --git a/roles/vault_server/templates/vault.service.j2 b/roles/vault/templates/vault.service.j2 similarity index 100% rename from roles/vault_server/templates/vault.service.j2 rename to roles/vault/templates/vault.service.j2 diff --git a/roles/vault_bin/defaults/main.yml b/roles/vault_bin/defaults/main.yml new file mode 100644 index 0000000..6def85a --- /dev/null +++ b/roles/vault_bin/defaults/main.yml @@ -0,0 +1,7 @@ +# Version of Vault to install +vault_version: 1.14.0 +# URL of the archive +vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip +# Expected sha256 of the archive +vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50 + diff --git a/roles/vault_bin/tasks/facts.yml b/roles/vault_bin/tasks/facts.yml new file mode 100644 index 0000000..9096ab2 --- /dev/null +++ b/roles/vault_bin/tasks/facts.yml 
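Review bot: vault_bin/defaults/main.yml is a new file that omits the `---` document start and ends with a trailing blank line, unlike its sibling `roles/consul_bin/defaults/main.yml`; add `---` as the first line for consistency. Pinning `vault_archive_sha256` next to the URL is the right control, and a comment tying the two together would prevent a version bump without a checksum refresh: `# Must be updated together with vault_version, from the upstream checksum file for that release`.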
@@ -0,0 +1,38 @@ +--- + +# Load distribution specific variables +- include_vars: "{{ item }}" + with_first_found: + - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_distribution }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}.yml" + tags: vault + +- set_fact: + vault_install_mode: 'none' + tags: vault + +- name: Detect if vault is installed + stat: path=/usr/local/bin/vault + register: vault_bin + tags: vault + +- when: not vault_bin.stat.exists + set_fact: vault_install_mode='install' + tags: vault + +- when: vault_bin.stat.exists + block: + - name: Detect installed version + shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/' + changed_when: False + register: vault_current_version + - set_fact: + vault_current_version: "{{ vault_current_version.stdout }}" + tags: vault + +- when: vault_bin.stat.exists and vault_current_version != vault_version + set_fact: vault_install_mode='upgrade' + tags: vault + diff --git a/roles/vault_bin/tasks/install.yml b/roles/vault_bin/tasks/install.yml new file mode 100644 index 0000000..ae06fa0 --- /dev/null +++ b/roles/vault_bin/tasks/install.yml 
@@ -0,0 +1,52 @@ +--- + +- name: Install needed tools + package: + name: "{{ vault_packages }}" + tags: vault + +# Migrate from the old vault role +- name: Check if vault is a link + stat: path=/usr/local/bin/vault + register: vault_link + tags: vault + +- when: vault_link.stat.islnk is defined and vault_link.stat.islnk + block: + + - name: Remove vault link + file: path=/usr/local/bin/vault state=absent + + - set_fact: vault_install_mode='upgrade' + + tags: vault + +- when: vault_install_mode != 'none' + block: + - name: Download vault + get_url: + url: "{{ vault_archive_url }}" + dest: /tmp + checksum: sha256:{{ vault_archive_sha256 }} + + - name: Extract the archive + unarchive: + src: /tmp/vault_{{ vault_version }}_linux_amd64.zip + dest: /usr/local/bin + include: vault + remote_src: True + mode: 755 + + - name: Remove ZIP archive + file: path=/tmp/vault_{{ vault_version }}_linux_amd64.zip state=absent + + tags: vault + +- name: Install bash completion support + copy: + content: | + complete -C /usr/local/bin/vault vault + dest: /etc/bash_completion.d/vault + mode: 0644 + tags: vault + diff --git a/roles/vault_bin/tasks/main.yml b/roles/vault_bin/tasks/main.yml new file mode 100644 index 0000000..3e2dceb --- /dev/null +++ b/roles/vault_bin/tasks/main.yml @@ -0,0 +1,7 @@ +--- + +- include_tasks: facts.yml + tags: always + +- include_tasks: install.yml + tags: always diff --git a/roles/vault/vars/RedHat.yml b/roles/vault_bin/vars/RedHat.yml similarity index 100% rename from roles/vault/vars/RedHat.yml rename to roles/vault_bin/vars/RedHat.yml diff --git a/roles/vault_server/defaults/main.yml b/roles/vault_server/defaults/main.yml deleted file mode 100644 index f65f117..0000000 --- a/roles/vault_server/defaults/main.yml +++ /dev/null 
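Review bot: The migration block in vault_bin/tasks/install.yml removes the old `/usr/local/bin/vault` symlink but nothing removes its presumed former target under `{{ vault_root_dir }}/bin`: the `bin` entry is dropped from vault/tasks/directories.yml and vault/tasks/cleanup.yml is renamed unchanged, so a superseded binary stays on disk, whereas the consul side now deletes `{{ consul_root_dir }}/bin` in cleanup.yml. Add `- "{{ vault_root_dir }}/bin"` to vault's cleanup loop or document why it is kept. The download lands at a fixed, predictable path in the shared `/tmp` (`/tmp/vault_{{ vault_version }}_linux_amd64.zip`); the `checksum` protects the download itself, but extracting from a world-writable directory is weaker than using a private directory created with the `tempfile` module and removed afterwards. The `Remove ZIP archive` task only runs when extraction succeeds, so a failed run leaves the archive behind; a `block`/`always` pair would clean it up in both cases.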
@@ -1,159 +0,0 @@ ---- - -# Root dir where Nomad will be installed -vault_root_dir: /opt/vault - -# user under which vault will run. -vault_user: vault - -# Setting vault_letsencrypt_cert will automate cert configuration -# using Let's Encrypt. The server need to have the letsencrypt role assigned -# Note that you probably want to use dns-01 challenges in this case so you won't have to -# expose your vault server on the public internet -# vault_letsencrypt_cert: "{{ inventory_hostname }}" - -# A token having backup (raft snapshot) permission. If set, ansible will -# take a snapshot of the data before upgrading vault -# vault_bkp_token: XXXXX - -# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall -vault_base_services: - api: - port: 8200 - src_ip: [] - cluster: - port: 8201 - src_ip: [] # You should set this to the IP / CIDR of your other servers - -# Exemple -# vault_extra_services: -# cluster: -# src_ip: -# - 10.127.0.10 -# - 10.145.99.60 -vault_extra_services: {} -vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}" - -# Configuration of the service (which will be converted to JSON) -# The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily -vault_base_conf: - # Name of the Vault cluster - cluster_name: Vault Cluster - - # Log settings - log_level: INFO - log_format: standard - - # Plugin settings - plugin_directory: "{{ vault_root_dir }}/plugins" - # This means vault will expect plugins to be owned by root - plugin_file_uid: 0 - - # Is the UI enabled ? - ui: True - - # TCP listeners - listeners: - # Address/port on which vault will bind for API requests - - address: 0.0.0.0:{{ vault_services.api.port }} - # Address/port on which vault will bind for inter-node communications - cluster_address: 0.0.0.0:{{ vault_services.cluster.port }} - - # Path of the certificate and key to use. 
The default is to use a self-signed certificate which will be generated - # by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here - # Only change if you want to manually control the certificate to use - tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt" - tls_key_file: "{{ vault_root_dir }}/tls/vault.key" - - # List of IP address for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR - x_forwarded_for_authorized_addrs: [] - # If x_forwarded_for_authorized_addrs is set and a request does not have X-Forwarded-For address, should it be rejected - # Default is False which means you can reach vault both directly or through your reverse proxy - x_forwarded_for_reject_not_present: False - - telemetry: - # Allow unauthenticated access to /v1/sys/metrics - unauthenticated_metrics_access: True - - # URL of the API to advertise - api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }} - # URL of the inter-node communication endpoint to advertise - cluster_addr: https://{{ inventory_hostname }}:{{ vault_services.cluster.port }} - - # When using integrated raft storage, mlock should be disabled - disable_mlock: True - - storage: - # Integrated raf storage - raft: - path: "{{ vault_root_dir }}/data" - node_id: "{{ inventory_hostname }}" - performance_multiplier: 1 - # retry_join: - # - leader_api_addr: https://vault-1.example.org:8200 - # leader_ca_cert: /opt/vault/tls/ca-vault-1.crt - # - leader_api_addr: https://vault-2.example.org:8200 - # - leader_api_addr: https://vault-3.example.org:8200 - retry_join: [] - - # Service registration on consul - #service_registration: - # address: http://localhost:8500 - # service: vault - # token: XXXXX - # service_tags: - # - "traefik.enable=true" - # - "traefik.http.routers.http.entrypoints=https" - # - "traefik.http.routers.http.rule=Host(`vault.example.org`)" - # tls_ca_file: /opt/vault/tls/consul_ca.crt - # tls_cert_file: 
/opt/vault/tls/consul_cert.crt - # tls_key_file: /opt/vault/tls/consul_key.crt - - telemetry: - prometheus_retention_time: 1h - disable_hostname: True - enable_hostname_label: True - -# You can add additional paramters in vault_extra_conf (or vault_host_conf) -# they will be merged into the vault_base_conf before rendering -# Example -# vault_extra_conf: -# cluster_name: Vault Production -# storage: -# raft: -# retry_join: -# leader_api_addr: https://vault1.example.org:8201 -vault_extra_conf: {} -vault_host_conf: {} -# Merge all the conf -vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}" - -# This can be used to spawn a consul-template service which will obtain and renew client cert -# to reach Nomad API, so the Nomad secret can be used securely -vault_base_secrets: - # The vault API to query. Default is our own API - vault_address: "{{ vault_conf.api_addr }}" - # The vault token to use - vault_token: XXXXXXX - nomad: - enabled: False - # The Nomad API address - address: https://nomad.service.consul:4646 - # The Nomad management token vault will use to issue tokens for users - token: XXXXXXX - pki: - # The path where the PKI used by Nomad is mounted. The PKI must be mounted and configured - path: /pki/nomad - # The role used to issue the certificate - role: nomad-user - # The TTL of the certificate issued for vault - ttl: 72h - # The common name of the certificate - cn: vault - secret: - # The path where the Nomad secret engine is mounted - # Note: the secret must be already mounted - path: nomad -vault_extra_secrets: {} -vault_host_secrets: {} -vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}" diff --git a/roles/vault_server/tasks/facts.yml b/roles/vault_server/tasks/facts.yml deleted file mode 100644 index 419b3de..0000000 --- a/roles/vault_server/tasks/facts.yml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- - -- block: - - name: Detect installed version - shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/' - changed_when: False - register: vault_current_version - - set_fact: - vault_current_version: "{{ vault_current_version.stdout }}" - tags: vault - diff --git a/roles/vault_server/tasks/install.yml b/roles/vault_server/tasks/install.yml deleted file mode 100644 index 07a2158..0000000 --- a/roles/vault_server/tasks/install.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- - -- name: Deploy systemd service unit - template: src=vault.service.j2 dest=/etc/systemd/system/vault.service - register: vault_unit - notify: restart vault - tags: vault - -- name: Install consul-template unit - template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service - notify: restart consul-template-vault - register: vault_secrets_nomad_unit - tags: vault - -- name: Reload systemd - systemd: daemon_reload=True - when: vault_unit.changed or vault_secrets_nomad_unit.changed - tags: vault - -- name: Install dehydrated hook - template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755 - tags: vault - -- name: Install profile script - copy: - content: | - #!/bin/sh - export VAULT_ADDR={{ vault_conf.api_addr }} - dest: /etc/profile.d/vault.sh - mode: 0755 - tags: vault diff --git a/roles/vault_server/tasks/main.yml b/roles/vault_server/tasks/main.yml deleted file mode 100644 index ca166ab..0000000 --- a/roles/vault_server/tasks/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- include_tasks: user.yml - tags: always - -- include_tasks: directories.yml - tags: always - -- include_tasks: facts.yml - tags: always - -- include_tasks: install.yml - tags: always - -- include_tasks: conf.yml - tags: always - -- include_tasks: iptables.yml - when: iptables_manage | default(True) - tags: always - -- include_tasks: services.yml - tags: always - -- include_tasks: cleanup.yml - tags: always -