add vault role

This commit is contained in:
Ryan Cavicchioni 2022-08-30 07:51:35 -05:00
parent 4c64613a90
commit 2b6b7aca79
Signed by: ryanc
GPG Key ID: 877EEDAF9245103D
6 changed files with 148 additions and 0 deletions


@ -0,0 +1,41 @@
---
vault_package_name: vault
vault_package_state: present
vault_service_name: vault
vault_service_state: started
vault_service_enabled: true
vault_etc_path: /etc/vault.d
vault_config_path: "{{ vault_etc_path }}/vault.hcl"
vault_config_template: vault.hcl.j2
vault_user: vault
vault_group: vault
vault_config_owner: "{{ vault_user }}"
vault_config_group: "{{ vault_group }}"
vault_config_mode: 0644
vault_data_dir: /opt/vault
vault_bind_addr: 0.0.0.0
vault_server: false
vault_bootstrap_expect: 1
vault_ui_config_enabled: true
vault_client_addr: 0.0.0.0
vault_agent_enabled: false
#vault_disable_mlock: true
#vault_api_addr: http://[::]:8200
#vault_cluster_addr: https://[::]:8200
#vault_ui: true
vault_listener:
- tls_disable: true
#vault_storage:
# consul:
# address: "127.0.0.1:8500"
# path: "vault"
vault_storage:
consul:
vault_seal_transit:
address:
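Review bot: The shipped defaults produce a plaintext API reachable from every interface: `vault_listener` sets `tls_disable: true`, the template falls back to `[::]:8200` when no `address` is given, and `vault_bind_addr`/`vault_client_addr` are `0.0.0.0`, so tokens and secrets would cross the network unencrypted on a freshly applied role. A safer default is `tls_disable: false` with `tls_cert_file`/`tls_key_file` supplied by the caller, or at least `address: "127.0.0.1:8200"` until TLS material exists, plus a comment stating that `tls_disable: true` is for lab use only. `vault_config_mode: 0644` should be quoted as `"0644"` so YAML does not read it as an octal integer (Ansible documents the quoted form). Note also that `vault_storage:` / `consul:` and `vault_seal_transit:` / `address:` are bare nulls; `consul:` with no value still satisfies the template's `is defined` test, so the Consul storage stanza renders with its `127.0.0.1:8500` fallback even when no storage backend was configured on purpose.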


@ -0,0 +1,12 @@
---
- name: reload vault
service:
name: "{{ vault_service_name }}"
state: reloaded
when: vault_service_enabled
- name: restart vault
service:
name: "{{ vault_service_name }}"
state: restarted
when: vault_service_enabled
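Review bot: Both handlers are gated on `vault_service_enabled`, which describes boot-time enablement rather than whether the service is running; a host with `vault_service_enabled: false` but `vault_service_state: started` would keep serving the old configuration after `configure` notifies `restart vault`. Gating on `vault_service_state == 'started'` (or dropping the `when` and letting the `service` module no-op on a stopped unit) matches the intent better. The `reload vault` handler is not notified by any task visible in this commit; if it is meant for listener/certificate changes, a comment saying so would help, e.g. `# SIGHUP: reloads listener TLS certs and log level without resealing`.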


@ -0,0 +1,18 @@
---
- name: install Hashicorp yum repo
yum_repository:
name: hashicorp
description: Hashicorp Stable - $basearch
baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable
enabled: 1
gpgcheck: 1
gpgkey: https://rpm.releases.hashicorp.com/gpg
- name: install Hashicorp (test) yum repo
yum_repository:
name: hashicorp-test
description: Hashicorp Test - $basearch
baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/test
enabled: 0
gpgcheck: 1
gpgkey: https://rpm.releases.hashicorp.com/gpg
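Review bot: `enabled: 1` and `gpgcheck: 1` are integers where `yum_repository` takes booleans; write `enabled: true` / `gpgcheck: true` (and `enabled: false` for the test repo) so yamllint's `truthy` rule and readers agree on the type. Package GPG verification is on and the key is fetched over HTTPS, which is the important part; consider `repo_gpgcheck: true` as well if HashiCorp signs its repodata, which I have not confirmed here. A one-line comment on why the disabled `hashicorp-test` repo is installed at all (manual `--enablerepo` for pre-release testing?) would save the next reader a question.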


@ -0,0 +1,46 @@
---
- name: gather os specific variables
include_vars: "{{ lookup('first_found', possible_files) }}"
vars:
possible_files:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- vars
- name: include os specific tasks
include_tasks: "{{ lookup('first_found', possible_files) }}"
vars:
possible_files:
files:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
- "{{ ansible_distribution }}.yaml"
- "{{ ansible_os_family }}.yaml"
- "default.yaml"
paths:
- tasks
- name: install
package:
name: "{{ vault_package_name | default('vault') }}"
state: "{{ vault_package_state | default('present') }}"
- name: configure
template:
src: "{{ vault_config_template }}"
dest: "{{ vault_config_path }}"
owner: "{{ vault_config_owner }}"
group: "{{ vault_config_group }}"
mode: "{{ vault_config_mode }}"
notify: restart vault
when: not vault_agent_enabled
- name: service
service:
name: "{{ vault_service_name | default('vault') }}"
state: "{{ vault_service_state | default('started') }}"
enabled: "{{ vault_service_enabled | default(true) }}"
when: not vault_agent_enabled
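Review bot: `configure` notifies `restart vault` for every template change, and a full restart of a Vault server using a Shamir seal leaves it sealed until an operator unseals it, so rotating a TLS certificate or toggling `ui` through this role causes an outage that the existing `reload vault` handler (SIGHUP) would avoid; only storage and listener-address changes genuinely need a restart. Consider `notify: reload vault` here with a comment that storage changes require a manual restart, or make the handler selectable via a variable. Separately, both `first_found` lookups raise an error on a distribution with no matching `vars/` or `tasks/` file if no `default.yaml` exists; adding `skip: true` to `possible_files` and guarding the include makes that failure mode explicit. The `| default('vault')` / `| default('present')` / `| default(true)` filters duplicate values already set in the role defaults and can be dropped.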


@ -0,0 +1,31 @@
# {{ ansible_managed }}
{% if vault_agent_enabled %}
{% else %}
disable_mlock = {{ (vault_disable_mlock | default(true)) | bool | lower }}
api_addr = "{{ vault_api_addr | default('http://' + ansible_default_ipv4.address + ':8200') }}"
cluster_addr = "{{ vault_cluster_addr | default('https://' + ansible_default_ipv4.address + ':8201') }}"
ui = {{ (vault_ui | default(true)) | bool | lower }}
{% if vault_storage.consul is defined %}
storage "consul" {
address = "{{ vault_storage.consul.address | default('127.0.0.1:8500') }}"
path = "{{ vault_storage.consul.path | default('vault/') }}"
}
{% endif %}
{% for l in vault_listener %}
listener "{{ l.proto | default('tcp') }}" {
address = "{{ l.address | default('[::]:8200') }}"
tls_disable = {{ (l.tls_disable | default(false)) | bool | lower }}
}
{% endfor %}
#seal "transit" {
# address = "http://127.0.0.1:8200"
# disable_renewal = "false"
# key_name = "autounseal"
# mount_path = "transit/"
# tls_skip_verify = "true"
#}
{% endif %}
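Review bot: The listener loop can never produce a working TLS listener: it emits only `address` and `tls_disable`, so a host that sets `tls_disable: false` (the template's own default on the `tls_disable =` line) gets a listener with no `tls_cert_file`/`tls_key_file` and Vault will refuse to start, which pushes users toward keeping TLS off. Emit the certificate paths whenever TLS is on, as below. `disable_mlock` also defaults to `true` here, so Vault's memory may be swapped to disk; Vault's guidance is to keep mlock enabled except with integrated storage, making `default(false)` with a comment the safer default. The `api_addr` fallback uses `http://` while `cluster_addr` uses `https://`; with TLS enabled `api_addr` should be `https://` too, ideally derived from the listener's `tls_disable` rather than hard-coded.

```jinja
  tls_disable = {{ (l.tls_disable | default(false)) | bool | lower }}
{% if not (l.tls_disable | default(false)) | bool %}
  tls_cert_file = "{{ l.tls_cert_file }}"
  tls_key_file = "{{ l.tls_key_file }}"
{% endif %}
}
```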
