Update to 2022-08-31 13:00

roles/vault/templates/dehydrated_hook.j2

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -eo pipefail
+
+{% if vault_letsencrypt_cert is defined %}
+
+if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then
+  cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/fullchain.pem {{ vault_root_dir }}/tls/vault.crt
+  cp /var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}/privkey.pem {{ vault_root_dir }}/tls/vault.key
+  chown root:vault {{ vault_root_dir }}/tls/vault.key
+  chown root:root {{ vault_root_dir }}/tls/vault.crt
+  chmod 640 {{ vault_root_dir }}/tls/vault.key
+  chmod 644 {{ vault_root_dir }}/tls/vault.crt
+  systemctl reload vault
+fi
+
+{% else %}
+
+# No Let's Encrypt cert configured, nothing to do
+exit 0
+
+{% endif %}

roles/vault/templates/vault.hcl.j2

@@ -0,0 +1,57 @@
+cluster_name = "{{ vault_conf.cluster_name }}"
+
+log_level = "{{ vault_conf.log_level }}"
+log_format = "{{ vault_conf.log_format }}"
+
+plugin_directory = "{{ vault_conf.plugin_directory }}"
+plugin_file_uid = {{ vault_conf.plugin_file_uid }}
+
+disable_mlock = {{ vault_conf.disable_mlock | ternary('true', 'false') }}
+
+{% for listener in vault_conf.listeners %}
+listener "tcp" {
+  address = "{{ listener.address }}"
+  cluster_address = "{{ listener.cluster_address }}"
+  tls_cert_file = "{{ listener.tls_cert_file }}"
+  tls_key_file = "{{ listener.tls_key_file }}"
+{% if listener.x_forwarded_for_authorized_addrs | length > 0 %}
+  x_forwarded_for_authorized_addrs = "{{ listener.x_forwarded_for_authorized_addrs | join(',') }}"
+  x_forwarded_for_reject_not_present = {{ listener.x_forwarded_for_reject_not_present | ternary('true', 'false') }}
+{% endif %}
+}
+{% endfor %}
+
+api_addr = "{{ vault_conf.api_addr }}"
+cluster_addr = "{{ vault_conf.cluster_addr }}"
+
+storage "raft" {
+  path = "{{ vault_conf.storage.raft.path }}"
+  node_id = "{{ vault_conf.storage.raft.node_id }}"
+  performance_multiplier = {{ vault_conf.storage.raft.performance_multiplier }}
+{% if vault_conf.storage.raft.retry_join | length > 0 %}
+{% for server in vault_conf.storage.raft.retry_join %}
+  retry_join {
+{% for key in server.keys() | list %}
+    {{ key }} = "{{ server[key] }}"
+{% endfor %}
+  }
+{% endfor %}
+{% endif %}
+}
+
+{% if vault_conf.service_registration is defined %}
+service_registration "consul" {
+{% for key in ['address', 'service', 'token', 'tls_ca_file', 'tls_cert_file', 'tls_key_file'] %}
+{% if vault_conf.service_registration[key] is defined %}
+  {{ key }} = "{{ vault_conf.service_registration[key] }}"
+{% endif %}
+{% endfor %}
+{% if vault_conf.service_registration.service_tags is defined %}
+  service_tags = [
+{% for tag in vault_conf.service_registration.service_tags %}
+    "{{ tag }}",
+{% endfor %}
+  ]
+{% endif %}
+}
+{% endif %}

roles/vault/templates/vault.service.j2

@@ -0,0 +1,34 @@
+[Unit]
+Description="HashiCorp Vault - A tool for managing secrets"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty={{ vault_root_dir }}/etc/vault.hcl
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+[Service]
+Type=notify
+User={{ vault_user }}
+Group={{ vault_user }}
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
+NoNewPrivileges=yes
+ExecStart={{ vault_root_dir }}/bin/vault server -config={{ vault_root_dir }}/etc/
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
+