Update to 2023-07-08 16:00

roles/vault_agent/tasks/conf.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Deploy main configuration
+  template: src=vault-agent.hcl.j2 dest={{ vault_agent_root_dir }}/etc/vault-agent.hcl mode=0600
+  notify: restart vault-agent
+  tags: vault,consul,nomad
+
+- name: Deploy Nomad and Consul configuration
+  template: src={{ item }}/{{ item }}.hcl.j2 dest={{ vault_agent_root_dir }}/etc/{{ item }}.hcl
+  loop:
+    - nomad
+    - consul
+  notify: restart vault-agent
+  tags: vault,consul,nomad
+
+- name: Setup AppRole auth
+  block:
+    - copy: content={{ vault_agent_approle_role_id }} dest={{ vault_agent_root_dir }}/auth/role_id owner=root group=root mode=600
+    - copy: content={{ vault_agent_approle_secret_id }} dest={{ vault_agent_root_dir }}/auth/secret_id owner=root group=root mode=600
+    - file: path={{ vault_agent_root_dir }}/auth/token state=absent
+  when:
+    - vault_agent_auth == 'approle'
+  tags: nomad
+
+- name: Setup Token auth
+  block:
+    - copy: content={{ vault_agent_token }} dest={{ vault_agent_root_dir }}/auth/token owner=root group=root mode=640
+    - file: path={{ vault_agent_root_dir }}/auth/role_id state=absent
+    - file: path={{ vault_agent_root_dir }}/auth/secret_id state=absent
+  when:
+    - vault_agent_auth == 'token'
+  tags: nomad
+

roles/vault_agent/tasks/directories.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Create needed directories
+  file: path={{ vault_agent_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /
+      owner: root
+      group: root
+      mode: 755
+    - dir: etc
+      mode: 700
+    - dir: auth
+      mode: 700
+    - dir: bin
+    - dir: templates/nomad
+    - dir: templates/consul
+  tags: vault,consul,nomad
+

roles/vault_agent/tasks/install.yml

@@ -0,0 +1,47 @@
+---
+
+- name: Install systemd unit
+  template: src=vault-agent.service.j2 dest=/etc/systemd/system/vault-agent.service
+  register: vault_agent_unit
+  notify: restart vault-agent
+  tags: vault,consul,nomad
+
+- name: Install Nomad templates
+  template: src=nomad/{{ item }}.j2 dest={{ vault_agent_root_dir }}/templates/nomad/{{ item }}
+  loop:
+    - vault.env.tpl
+    - agent_bundle.pem.tpl
+    - cli_bundle.pem.tpl
+    - consul_bundle.pem.tpl
+    - consul.env.tpl
+  notify: restart vault-agent
+  tags: vault,consul,nomad
+
+- name: Install Consul templates
+  template: src=consul/{{ item }}.j2 dest={{ vault_agent_root_dir }}/templates/consul/{{ item }}
+  loop:
+    - agent_bundle.pem.tpl
+  notify: restart vault-agent
+  tags: vault,consul,nomad
+
+- name: Create tmpfile fragment
+  copy:
+    content: |
+      d /run/vault_agent 770 root root
+    dest: /etc/tmpfiles.d/vault-agent.conf
+  register: vault_tmpfiles
+  tags: vault,consul,nomad
+
+- name: Create tmpfiles
+  command: systemd-tmpfiles --create
+  when: vault_tmpfiles.changed
+  tags: vault,consul,nomad
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: vault_agent_unit.changed
+  tags: vault,consul,nomad
+
+- name: Install Nomad API access updater
+  template: src=nomad/update_nomad_cert.sh.j2 dest={{ vault_agent_root_dir }}/bin/update_nomad_cert.sh mode=755
+  tags: vault,consul,nomad

roles/vault_agent/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- include_tasks: directories.yml
+  tags: always
+
+- include_tasks: install.yml
+  tags: always
+
+- include_tasks: conf.yml
+  tags: always
+
+- include_tasks: services.yml
+  tags: always

roles/vault_agent/tasks/services.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable vault-agent
+  service: name=vault-agent state=started enabled=True
+  tags: vault,nomad,consul