Update to 2023-07-08 16:00

2025-07-27 08:15:54 +02:00 · 2023-07-08 16:00:11 +02:00
parent f16dd6e98d
commit d87c1bdc89
60 changed files with 708 additions and 439 deletions
--- a/roles/consul/tasks/cleanup.yml
+++ b/roles/consul/tasks/cleanup.yml
@@ -6,4 +6,6 @@
    - "{{ consul_root_dir }}/archives"
    - /etc/systemd/system/consul-template-consul.service
    - "{{ consul_root_dir }}/consul-template"
+    - "{{ consul_root_dir }}/vault"
+    - "{{ consul_root_dir }}/bin"
  tags: consul
--- a/roles/consul/tasks/conf.yml
+++ b/roles/consul/tasks/conf.yml
@@ -7,9 +7,7 @@
  vars:
    cert_path: "{{ consul_conf.tls.defaults.cert_file }}"
    cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"
-    cert_key_user: "{{ consul_user }}"
-    cert_key_group: "{{ consul_user }}"
-    cert_key_mode: 660
+    cert_key_mode: omit
  when: consul_conf.tls.enabled
  tags: consul

@@ -97,38 +95,15 @@
  loop: "{{ consul_backup_configs.stdout_lines }}"
  tags: consul

- name: Deploy vault agent configuration
-  template: src=vault/agent.hcl.j2 dest={{ consul_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ consul_user }}
-  notify: restart consul-vault-agent
-  when: consul_vault_agent.pki.enabled
-  tags: consul
-
- name: Deploy agent cert bundle template
-  template: src=vault/agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
-  notify: restart consul-vault-agent
-  when: consul_vault_agent.pki.enabled
-  tags: consul
-
- when:
-    - consul_vault_agent.auth is defined
-    - consul_vault_agent.auth.approle is defined
-    - consul_vault_agent.auth.approle.role_id is defined
-    - consul_vault_agent.auth.approle.secret_id is defined
-  name: Setup AppRole auth
-  block:
-    - copy: content={{ consul_vault_agent.auth.approle.role_id }} dest={{ consul_root_dir }}/vault/role_id owner=root group={{ consul_user }} mode=640
-    - copy: content={{ consul_vault_agent.auth.approle.secret_id }} dest={{ consul_root_dir }}/vault/secret_id owner=root group={{ consul_user }} mode=640
-  tags: consul
-
 - name: Set ACL on the TLS dir
  shell: |
    setfacl -R -b -k {{ consul_root_dir }}/tls
-    chown -R {{ consul_user }}:{{ consul_user }} {{ consul_root_dir }}/tls
-    chmod 775 {{ consul_root_dir }}/tls
-    chmod 660 {{ consul_root_dir }}/tls/*
-    setfacl -m u:{{ consul_user }}:rwx {{ consul_root_dir }}/tls
-    setfacl -m d:u:{{ consul_user }}:rw {{ consul_root_dir }}/tls
-    setfacl -m u:{{ consul_user }}:rw {{ consul_root_dir }}/tls/*
+    chown -R :{{ consul_user }} {{ consul_root_dir }}/tls
+    chmod 770 {{ consul_root_dir }}/tls
+    chmod 640 {{ consul_root_dir }}/tls/*
+    setfacl -m u:{{ consul_user }}:rx {{ consul_root_dir }}/tls
+    setfacl -m d:u:{{ consul_user }}:r {{ consul_root_dir }}/tls
+    setfacl -m u:{{ consul_user }}:r {{ consul_root_dir }}/tls/*
    {% if consul_admin_groups | length > 0 %}
    setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
    setfacl -m {% for group in consul_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
--- a/roles/consul/tasks/directories.yml
+++ b/roles/consul/tasks/directories.yml
@@ -28,10 +28,4 @@
      group: "{{ consul_user }}"
      mode: 750
    - dir: tls
-    - dir: vault
-      mode: 750
-      owner: root
-      group: "{{ consul_user }}"
-    - dir: vault/templates
-    - dir: bin
  tags: consul
--- a/roles/consul/tasks/facts.yml
+++ b/roles/consul/tasks/facts.yml
@@ -9,6 +9,6 @@
  tags: consul

 - name: Check if the consul-template service still exists
-  stat: path=/etc/systemd/system/consul-template
+  stat: path=/etc/systemd/system/consul-template-consul
  register: consul_ct_service
  tags: consul
--- a/roles/consul/tasks/install.yml
+++ b/roles/consul/tasks/install.yml
@@ -6,11 +6,6 @@
  notify: restart consul
  tags: consul

- name: Deploy consul service wrapper
-  template: src=consul.sh.j2 dest={{ consul_root_dir }}/bin/consul mode=755
-  notify: restart consul
-  tags: consul
-
 - name: Install backup hooks
  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/consul mode=755
  loop:
@@ -31,14 +26,8 @@
  when: consul_tmpfiles.changed
  tags: consul

- name: Install vault agent unit file
-  template: src=vault/agent.service.j2 dest=/etc/systemd/system/consul-vault-agent.service
-  register: consul_vault_agent_unit
-  notify: restart consul-vault-agent
-  tags: consul
-
 - name: Reload systemd
  systemd: daemon_reload=True
-  when: consul_unit.changed or consul_vault_agent_unit.changed
+  when: consul_unit.changed
  tags: consul

--- a/roles/consul/tasks/services.yml
+++ b/roles/consul/tasks/services.yml
@@ -13,10 +13,3 @@
  when: consul_ct_service.stat.exists
  tags: consul

- name: Handle consul-vault-agent service
-  service:
-    name: consul-vault-agent
-    state: "{{ (consul_vault_agent.pki.enabled) | ternary('started', 'stopped') }}"
-    enabled: "{{ (consul_vault_agent.pki.enabled) | ternary(True, False) }}"
-  tags: consul
-