Update to 2023-07-03 15:00

roles/vault/tasks/cleanup.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Remove tmp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ vault_root_dir }}/archives"
+  tags: vault

roles/vault/tasks/conf.yml

@@ -0,0 +1,45 @@
+---
+
+- name: Generate self-signed certificate
+  import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    cert_path: "{{ vault_root_dir }}/tls/vault.crt"
+    cert_key_path: "{{ vault_root_dir }}/tls/vault.key"
+    cert_key_group: "{{ vault_user }}"
+    cert_key_mode: 640
+  tags: vault
+
+- name: Deploy vault configuration
+  template:
+    src: vault.hcl.j2
+    dest: "{{ vault_root_dir }}/etc/vault.hcl"
+    owner: "{{ vault_user }}"
+    group: "{{ vault_user }}"
+    mode: 0400
+  notify: restart vault
+  tags: vault
+
+- name: Ensure correct permission on vault private key
+  file: path={{ vault_root_dir }}/tls/vault.key mode=640 owner=root group={{ vault_user }}
+  tags: vault
+
+- name: Setup logrotate
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/vault
+  tags: vault
+
+- when: vault_secrets.nomad.enabled
+  block:
+
+    - name: Deploy the consul-template conf
+      template: src=consul-template.hcl.j2 dest={{ vault_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
+      notify: restart consul-template-vault
+
+    - name: Deploy Nomad certificate bundle template
+      template: src=nomad_client_bundle.pem.tpl.j2 dest={{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl
+      notify: restart consul-template-vault
+
+    - name: Deploy the update cert hook
+      template: src=update_nomad_cert.j2 dest={{ vault_root_dir }}/bin/update_nomad_cert mode=755
+      notify: restart consul-template-vault
+
+  tags: vault

roles/vault/tasks/directories.yml

@@ -0,0 +1,43 @@
+---
+
+- name: Create needed directories
+  file: path={{ vault_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} recurse={{ item.recurse | default(omit) }}
+  loop:
+    - dir: /
+      owner: root
+      group: root
+      mode: 755
+    - dir: backup
+      owner: root
+      group: root
+      mode: 700
+    - dir: log
+      owner: "{{ vault_user }}"
+      group: "{{ vault_user }}"
+      mode: u=rwX,g=-,o=-
+      recurse: True
+    - dir: meta
+      owner: root
+      group: root
+      mode: 700
+    - dir: plugins
+    - dir: tmp
+      owner: "{{ vault_user }}"
+      group: "{{ vault_user }}"
+      mode: u=rwX,g=-,o=-
+      recurse: True
+    - dir: data
+      owner: "{{ vault_user }}"
+      group: "{{ vault_user }}"
+      mode: u=rwX,g=-,o=-
+      recurse: True
+    - dir: etc
+      owner: "{{ vault_user }}"
+      group: "{{ vault_user }}"
+      mode: 700
+    - dir: tls
+      owner: root
+      group: "{{ vault_user }}"
+      mode: 750
+    - dir: consul-template
+  tags: vault

roles/vault/tasks/facts.yml

@@ -1,29 +1,6 @@
 ---
 
-# Load distribution specific variables
-- include_vars: "{{ item }}"
-  with_first_found:
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
-  tags: vault
-
-- set_fact:
-    vault_install_mode: 'none'
-  tags: vault
-
-- name: Detect if vault is installed
-  stat: path=/usr/local/bin/vault
-  register: vault_bin
-  tags: vault
-
-- when: not vault_bin.stat.exists
-  set_fact: vault_install_mode='install'
-  tags: vault
-
-- when: vault_bin.stat.exists
-  block:
+- block:
     - name: Detect installed version
       shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
       changed_when: False
@@ -32,7 +9,3 @@
         vault_current_version: "{{ vault_current_version.stdout }}"
   tags: vault
 
-- when: vault_bin.stat.exists and vault_current_version != vault_version
-  set_fact: vault_install_mode='upgrade'
-  tags: vault
-

roles/vault/tasks/install.yml

@@ -1,52 +1,31 @@
 ---
 
-- name: Install needed tools
-  package:
-    name: "{{ vault_packages }}"
+- name: Deploy systemd service unit
+  template: src=vault.service.j2 dest=/etc/systemd/system/vault.service
+  register: vault_unit
+  notify: restart vault
   tags: vault
 
-# Migrate from the old vault role
-- name: Check if vualt is a link
-  stat: path=/usr/local/bin/vault
-  register: vault_link
+- name: Install consul-template unit
+  template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service
+  notify: restart consul-template-vault
+  register: vault_secrets_nomad_unit
   tags: vault
 
-- when: vault_link.stat.islnk is defined and vault_link.stat.islnk
-  block:
-
-    - name: Remove vault link
-      file: path=/usr/local/bin/vault state=absent
-
-    - set_fact: vault_install_mode='upgrade'
-
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: vault_unit.changed or vault_secrets_nomad_unit.changed
   tags: vault
 
-- when: vault_install_mode != 'none'
-  block:
-    - name: Download vault
-      get_url:
-        url: "{{ vault_archive_url }}"
-        dest: /tmp
-        checksum: sha256:{{ vault_archive_sha256 }}
-
-    - name: Extract the archive
-      unarchive:
-        src: /tmp/vault_{{ vault_version }}_linux_amd64.zip
-        dest: /usr/local/bin
-        include: vault
-        remote_src: True
-        mode: 755
-
-    - name: Remove ZIP archive
-      file: path=/tmp/vault_{{ vault_version }}_linux_amd64.zip state=absent
-
+- name: Install dehydrated hook
+  template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755
   tags: vault
 
-- name: Install bash completion support
+- name: Install profile script
   copy:
     content: |
-      complete -C /usr/local/bin/vault vault
-    dest: /etc/bash_completion.d/vault
-    mode: 0644
+      #!/bin/sh
+      export VAULT_ADDR={{ vault_conf.api_addr }}
+    dest: /etc/profile.d/vault.sh
+    mode: 0755
   tags: vault
-

roles/vault/tasks/iptables.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Handle vault ports in the firewall
+  iptables_raw:
+    name: vault_port_{{ item }}
+    state: "{{ (vault_services[item].src_ip | length > 0) | ternary('present', 'absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ vault_services[item].port }} -s {{ vault_services[item].src_ip | flatten | join(',') }} -j ACCEPT"
+  loop: "{{ vault_services.keys() | list }}"
+  tags: firewall,vault

roles/vault/tasks/main.yml

@@ -1,7 +1,27 @@
 ---
 
+- include_tasks: user.yml
+  tags: always
+
+- include_tasks: directories.yml
+  tags: always
+
 - include_tasks: facts.yml
   tags: always
 
 - include_tasks: install.yml
   tags: always
+
+- include_tasks: conf.yml
+  tags: always
+
+- include_tasks: iptables.yml
+  when: iptables_manage | default(True)
+  tags: always
+
+- include_tasks: services.yml
+  tags: always
+
+- include_tasks: cleanup.yml
+  tags: always
+

roles/vault/tasks/services.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Start and enable vault service
+  service: name=vault state=started enabled=True
+  register: vault_service_started
+  tags: vault
+
+- name: Handle consul-template-vault service
+  service:
+    name: consul-template-vault
+    state: "{{ vault_secrets.nomad.enabled | ternary('started', 'stopped') }}"
+    enabled: "{{ vault_secrets.nomad.enabled | ternary(True, False) }}"
+  tags: vault

roles/vault/tasks/user.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Create vault user
+  user:
+    name: "{{ vault_user }}"
+    home: "{{ vault_root_dir }}"
+    system: True
+    shell: /sbin/nologin
+  tags: vault