add vault role

roles/vault/defaults/main.yaml

@@ -0,0 +1,41 @@
+---
+vault_package_name: vault
+vault_package_state: present
+vault_service_name: vault
+vault_service_state: started
+vault_service_enabled: true
+vault_etc_path: /etc/vault.d
+vault_config_path: "{{ vault_etc_path }}/vault.hcl"
+vault_config_template: vault.hcl.j2
+vault_user: vault
+vault_group: vault
+vault_config_owner: "{{ vault_user }}"
+vault_config_group: "{{ vault_group }}"
+vault_config_mode: 0644
+vault_data_dir: /opt/vault
+vault_bind_addr: 0.0.0.0
+vault_server: false
+vault_bootstrap_expect: 1
+vault_ui_config_enabled: true
+vault_client_addr: 0.0.0.0
+
+vault_agent_enabled: false
+
+ #vault_disable_mlock: true
+#vault_api_addr: http://[::]:8200
+#vault_cluster_addr: https://[::]:8200
+#vault_ui: true
+
+vault_listener:
+ - tls_disable: true
+
+#vault_storage:
+#  consul:
+#    address: "127.0.0.1:8500"
+#    path: "vault"
+
+vault_storage:
+  consul:
+
+vault_seal_transit:
+  address:

roles/vault/handlers/main.yaml

@@ -0,0 +1,12 @@
+---
+- name: reload vault
+  service:
+    name: "{{ vault_service_name }}"
+    state: reloaded
+  when: vault_service_enabled
+
+- name: restart vault
+  service:
+    name: "{{ vault_service_name }}"
+    state: restarted
+  when: vault_service_enabled

roles/vault/tasks/RedHat.yaml

@@ -0,0 +1,18 @@
+---
+- name: install Hashicorp yum repo
+  yum_repository:
+    name: hashicorp
+    description: Hashicorp Stable - $basearch
+    baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable
+    enabled: 1
+    gpgcheck: 1
+    gpgkey: https://rpm.releases.hashicorp.com/gpg
+
+- name: install Hashicorp (test) yum repo
+  yum_repository:
+    name: hashicorp-test
+    description: Hashicorp Test - $basearch
+    baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/test
+    enabled: 0
+    gpgcheck: 1
+    gpgkey: https://rpm.releases.hashicorp.com/gpg

roles/vault/tasks/main.yaml

@@ -0,0 +1,46 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- name: install
+  package:
+    name: "{{ vault_package_name | default('vault') }}"
+    state: "{{ vault_package_state | default('present') }}"
+
+- name: configure
+  template:
+    src: "{{ vault_config_template }}"
+    dest: "{{ vault_config_path }}"
+    owner: "{{ vault_config_owner }}"
+    group: "{{ vault_config_group }}"
+    mode: "{{ vault_config_mode }}"
+  notify: restart vault
+  when: not vault_agent_enabled
+
+- name: service
+  service:
+    name: "{{ vault_service_name | default('vault') }}"
+    state: "{{ vault_service_state | default('started') }}"
+    enabled: "{{ vault_service_enabled | default(true) }}"
+  when: not vault_agent_enabled

roles/vault/templates/vault.hcl.j2

@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+{% if vault_agent_enabled %}
+{% else %}
+disable_mlock = {{ (vault_disable_mlock | default(true)) | bool | lower }}
+api_addr = "{{ vault_api_addr | default('http://' + ansible_default_ipv4.address + ':8200') }}"
+cluster_addr = "{{ vault_cluster_addr | default('https://' + ansible_default_ipv4.address + ':8201') }}"
+ui = {{ (vault_ui | default(true)) | bool | lower }}
+
+{% if vault_storage.consul is defined %}
+storage "consul" {
+  address = "{{ vault_storage.consul.address | default('127.0.0.1:8500') }}"
+  path = "{{ vault_storage.consul.path | default('vault/') }}"
+}
+{% endif %}
+
+{% for l in vault_listener %}
+listener "{{ l.proto | default('tcp') }}" {
+  address = "{{ l.address | default('[::]:8200') }}"
+  tls_disable = {{ (l.tls_disable | default(false)) | bool | lower }}
+}
+{% endfor %}
+
+#seal "transit" {
+#  address = "http://127.0.0.1:8200"
+#  disable_renewal = "false"
+#  key_name = "autounseal"
+#  mount_path = "transit/"
+#  tls_skip_verify = "true"
+#}
+{% endif %}