Update to 2023-07-03 15:00

2025-07-27 08:15:54 +02:00 · 2023-07-03 15:00:09 +02:00
parent 590e8b5d83
commit 91f9384361
44 changed files with 426 additions and 429 deletions
--- a/roles/vault/templates/consul-template-vault.service.j2
+++ b/roles/vault/templates/consul-template-vault.service.j2
@@ -0,0 +1,20 @@
+[Unit]
+Description="HashiCorp consul-template"
+Documentation=https://github.com/hashicorp/consul-template
+Requires=network-online.target
+After=network-online.target
+After=vault.service
+ConditionFileNotEmpty={{ vault_root_dir }}/consul-template/consul-template.hcl
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/consul-template -config={{ vault_root_dir }}/consul-template/consul-template.hcl
+SuccessExitStatus=12
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=2
+
+[Install]
+WantedBy=multi-user.target
+
--- a/roles/vault/templates/consul-template.hcl.j2
+++ b/roles/vault/templates/consul-template.hcl.j2
@@ -0,0 +1,18 @@
+vault {
+  address      = "{{ vault_secrets.vault_address }}"
+  token        = "{{ vault_secrets.vault_token }}"
+  unwrap_token = false
+}
+
+{% if vault_secrets.nomad.enabled %}
+template {
+  source          = "{{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  destination     = "{{ vault_root_dir }}/tls/nomad_client_bundle.pem"
+  perms           = 0600
+  exec {
+    command = "{{ vault_root_dir }}/bin/update_nomad_cert {{ vault_secrets.nomad.token }} {{ vault_secrets.vault_token }}"
+  }
+}
+{% endif %}
--- a/roles/vault/templates/dehydrated_hook.j2
+++ b/roles/vault/templates/dehydrated_hook.j2
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -eo pipefail
+
+{% if vault_letsencrypt_cert is defined %}
+
+if [ $1 == "{{ vault_letsencrypt_cert }}" ]; then
+  cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/fullchain.pem {{ vault_root_dir }}/tls/vault.crt
+  cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/privkey.pem {{ vault_root_dir }}/tls/vault.key
+  chown root:vault {{ vault_root_dir }}/tls/vault.key
+  chown root:root {{ vault_root_dir }}/tls/vault.crt
+  chmod 640 {{ vault_root_dir }}/tls/vault.key
+  chmod 644 {{ vault_root_dir }}/tls/vault.crt
+  systemctl reload vault
+fi
+
+{% else %}
+
+# No Let's Encrypt cert configured, nothing to do
+exit 0
+
+{% endif %}
--- a/roles/vault/templates/logrotate.conf.j2
+++ b/roles/vault/templates/logrotate.conf.j2
@@ -0,0 +1,8 @@
+{{ vault_root_dir }}/log/*.log {{ vault_root_dir }}/log/*.json {
+  daily
+  rotate 365
+  compress
+  missingok
+  copytruncate
+  su {{ vault_user }} {{ vault_user }}
+}
--- a/roles/vault/templates/nomad_client_bundle.pem.tpl.j2
+++ b/roles/vault/templates/nomad_client_bundle.pem.tpl.j2
@@ -0,0 +1,8 @@
+[[ with pkiCert "{{ vault_secrets.nomad.pki.path }}/issue/{{ vault_secrets.nomad.pki.role }}" "ttl={{ vault_secrets.nomad.pki.ttl }}" "common_name={{ vault_secrets.nomad.pki.cn }}" ]]
+[[ .CA ]]
+[[ .Cert ]]
+[[ .Key ]]
+[[ .CA | writeToFile "{{ vault_root_dir }}/tls/nomad_ca.crt" "root" "root" "0644" ]]
+[[ .Cert | writeToFile "{{ vault_root_dir }}/tls/nomad_client.crt" "root" "root" "0644" ]]
+[[ .Key | writeToFile "{{ vault_root_dir }}/tls/nomad_client.key" "root" "root" "0600" ]]
+[[ end ]]
--- a/roles/vault/templates/update_nomad_cert.j2
+++ b/roles/vault/templates/update_nomad_cert.j2
@@ -0,0 +1,25 @@
+#!/bin/sh
+  
+set -eo pipefail
+
+NOMAD_TOKEN=$1
+VAULT_TOKEN=$2
+
+VAULT_ADDR={{ vault_conf.api_addr }}
+
+if [ "$(vault status -format=json | jq .is_self)" != "true" ]; then
+  echo "We're not the active vault, exiting"
+elif [ "$(vault status -format=json | jq .sealed)" != "false" ]; then
+  echo "Vault is sealed, exiting"
+elif [ "$(vault status -format=json | jq .initialized)" != "true" ]; then
+  echo "Vault is not initialized yet, exiting"
+else
+  echo Updating Vault certificate to access Nomad API
+  VAULT_TOKEN=$VAULT_TOKEN \
+    vault write {{ vault_secrets.nomad.secret.path }}/config/access \
+      address="{{ vault_secrets.nomad.address }}" \
+      token="$NOMAD_TOKEN" \
+      ca_cert="$(cat {{ vault_root_dir }}/tls/nomad_ca.crt)" \
+      client_cert="$(cat {{ vault_root_dir }}/tls/nomad_client.crt)" \
+      client_key="$(cat {{ vault_root_dir }}/tls/nomad_client.key)"
+fi
--- a/roles/vault/templates/vault.hcl.j2
+++ b/roles/vault/templates/vault.hcl.j2
@@ -0,0 +1,73 @@
+cluster_name = "{{ vault_conf.cluster_name }}"
+
+log_level = "{{ vault_conf.log_level }}"
+log_format = "{{ vault_conf.log_format }}"
+
+plugin_directory = "{{ vault_conf.plugin_directory }}"
+plugin_file_uid = {{ vault_conf.plugin_file_uid }}
+
+disable_mlock = {{ vault_conf.disable_mlock | ternary('true', 'false') }}
+
+{% for listener in vault_conf.listeners %}
+listener "tcp" {
+  address = "{{ listener.address }}"
+  cluster_address = "{{ listener.cluster_address }}"
+  tls_cert_file = "{{ listener.tls_cert_file }}"
+  tls_key_file = "{{ listener.tls_key_file }}"
+{% if listener.x_forwarded_for_authorized_addrs | length > 0 %}
+  x_forwarded_for_authorized_addrs = "{{ listener.x_forwarded_for_authorized_addrs | join(',') }}"
+  x_forwarded_for_reject_not_present = {{ listener.x_forwarded_for_reject_not_present | ternary('true', 'false') }}
+{% endif %}
+{% if listener.telemetry.unauthenticated_metrics_access %}
+  telemetry {
+    unauthenticated_metrics_access = true
+  }
+{% endif %}
+}
+{% endfor %}
+
+api_addr = "{{ vault_conf.api_addr }}"
+cluster_addr = "{{ vault_conf.cluster_addr }}"
+
+storage "raft" {
+  path = "{{ vault_conf.storage.raft.path }}"
+  node_id = "{{ vault_conf.storage.raft.node_id }}"
+  performance_multiplier = {{ vault_conf.storage.raft.performance_multiplier }}
+{% if vault_conf.storage.raft.retry_join | length > 0 %}
+{% for server in vault_conf.storage.raft.retry_join %}
+{% if server.leader_api_addr is defined and server.leader_api_addr != vault_conf.api_addr %}
+  retry_join {
+{% for key in server.keys() | list %}
+    {{ key }} = "{{ server[key] }}"
+{% endfor %}
+  }
+{% else %}
+  # Skipping {{ server.leader_api_addr }} as it's ourself
+{% endif %}
+{% endfor %}
+{% endif %}
+}
+
+{% if vault_conf.service_registration is defined %}
+service_registration "consul" {
+{% for key in ['address', 'service', 'token', 'tls_ca_file', 'tls_cert_file', 'tls_key_file'] %}
+{% if vault_conf.service_registration[key] is defined %}
+  {{ key }} = "{{ vault_conf.service_registration[key] }}"
+{% endif %}
+{% endfor %}
+{% if vault_conf.service_registration.service_tags is defined %}
+  service_tags = "{{ vault_conf.service_registration.service_tags | join(',') }}"
+{% endif %}
+}
+{% endif %}
+
+ui = {{ vault_conf.ui | ternary('true', 'false') }}
+
+telemetry {
+{% for key in ['prometheus_retention_time'] %}
+  {{ key }} = "{{ vault_conf.telemetry[key] }}"
+{% endfor %}
+{% for key in ['disable_hostname', 'enable_hostname_label'] %}
+  {{ key }} = {{ vault_conf.telemetry[key] | ternary('true', 'false') }}
+{% endfor %}
+}
--- a/roles/vault/templates/vault.service.j2
+++ b/roles/vault/templates/vault.service.j2
@@ -0,0 +1,36 @@
+[Unit]
+Description="HashiCorp Vault - A tool for managing secrets"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty={{ vault_root_dir }}/etc/vault.hcl
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+# Vault version {{ vault_current_version }}
+[Service]
+Type=notify
+User={{ vault_user }}
+Group={{ vault_user }}
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
+NoNewPrivileges=yes
+ExecStart=/usr/local/bin/vault server -config={{ vault_root_dir }}/etc/
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+StartLimitInterval=0
+TimeoutStopSec=30
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
+