diff --git a/ansible/roles/vault_server/files/vault.service b/ansible/roles/vault_server/files/vault.service
new file mode 100644
index 0000000..bde4f86
--- /dev/null
+++ b/ansible/roles/vault_server/files/vault.service
@@ -0,0 +1,34 @@
+[Unit]
+Description="HashiCorp Vault - A tool for managing secrets"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault.d/vault.hcl
+
+[Service]
+User=vault
+Group=vault
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+Capabilities=CAP_IPC_LOCK+ep
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=60
+StartLimitIntervalSec=60
+StartLimitBurst=3
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible/roles/vault_server/handlers/main.yml b/ansible/roles/vault_server/handlers/main.yml
new file mode 100644
index 0000000..0fd2b41
--- /dev/null
+++ b/ansible/roles/vault_server/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: daemon_reload
+  systemd:
+    daemon_reload: True
+
+- name: restart_vault_debian
+  systemd:
+    name: vault
+    state: restarted
diff --git a/ansible/roles/vault_server/tasks/main.yml b/ansible/roles/vault_server/tasks/main.yml
new file mode 100644
index 0000000..7fd1b7c
--- /dev/null
+++ b/ansible/roles/vault_server/tasks/main.yml
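Review bot: `Capabilities=CAP_IPC_LOCK+ep` in the [Service] section is, as far as I recall, a directive systemd dropped around v231 and now ignores with a warning, and `StartLimitInterval=60` sits next to its replacement `StartLimitIntervalSec=60`, so the unit carries two dead lines. `AmbientCapabilities=CAP_IPC_LOCK` together with `CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK` already grants what the mlock call needs, so I would delete `Capabilities=CAP_IPC_LOCK+ep` and `StartLimitInterval=60`, and move `StartLimitIntervalSec=60` and `StartLimitBurst=3` into [Unit], which is where current systemd expects them. While here, the sandbox can be tightened a notch: `ProtectHome=yes` instead of `read-only`, since the server has no reason to read home directories, and `ProtectSystem=strict` if the consul storage backend really leaves nothing to write under /etc or /usr (add `ReadWritePaths=` otherwise).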
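Review bot: `daemon_reload: True` uses the capitalised YAML 1.1 boolean; write it as `daemon_reload: true` (yamllint's truthy rule, and the spelling Ansible's own docs use). The same capitalised `True`/`False` appears throughout tasks/main.yml (`system`, `changed_when`, `check_mode`, `remote_src`, `enabled`), so it is worth normalising in one pass. Also, the name `restart_vault_debian` suggests a distro-specific handler, but the module call is plain systemd and nothing in the role is Debian-only, so `restart_vault` would read more honestly.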
@@ -0,0 +1,64 @@
+---
+- name: ensure vault group
+  group:
+    name: vault
+    state: present
+    system: True
+
+- name: ensure vault user
+  user:
+    name: vault
+    state: present
+    group: vault
+    system: True
+
+- name: ensure vault config dir
+  file:
+    path: /etc/vault.d/
+    state: directory
+    owner: vault
+    group: vault
+    mode: 0755
+
+- name: check vault version
+  shell:
+    cmd: "vault --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_vault_version
+  check_mode: False
+
+- name: get vault
+  unarchive:
+    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: installed_vault_version.stdout != vault_version
+
+- name: copy vault unit file
+  copy:
+    src: files/vault.service
+    dest: /etc/systemd/system/vault.service
+    mode: 0755
+    owner: root
+    group: root
+  notify: daemon_reload
+
+- name: template vault config
+  template:
+    src: templates/vault.hcl.j2
+    dest: /etc/vault.d/vault.hcl
+    owner: vault
+    group: vault
+    mode: 0640
+  notify: restart_vault_debian
+
+- name: ensure vault is started and enabled
+  systemd:
+    name: vault
+    state: started
+    enabled: True
diff --git a/ansible/roles/vault_server/templates/vault.hcl.j2 b/ansible/roles/vault_server/templates/vault.hcl.j2
new file mode 100644
index 0000000..3d89bca
--- /dev/null
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@@ -0,0 +1,12 @@
+ui = true
+listener "tcp" {
+  address = "0.0.0.0:8200"
+  tls_disable = true
+# tls_cert_file = "/path/to/fullchain.pem"
+# tls_key_file = "/path/to/privkey.pem"
+}
+storage "consul" {
+  address = "localhost:8500"
+  path = "vault/"
+  token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data')['consul-acl'] }}"
+}
diff --git a/consul/acls/node-policy.hcl b/consul/acls/node-policy.hcl
new file mode 100644
index 0000000..79047f6
--- /dev/null
+++ b/consul/acls/node-policy.hcl
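Review bot: The `get vault` task pulls the release zip straight from releases.hashicorp.com via `unarchive` with `remote_src`, which offers no way to verify the archive, so an upstream or in-transit substitution would be installed as root into /usr/local/bin unnoticed. `unarchive` has no checksum option, so I would split it into a `get_url` with `checksum: "sha256:..."` pinned from HashiCorp's published SHA256SUMS for that version, followed by the unarchive of the local file; the new task also needs `notify: restart_vault_debian`, because today a binary upgrade leaves the old process running (and `copy vault unit file` only triggers `daemon_reload`, so a changed unit is not picked up either). Two smaller points: a unit file does not need the executable bit, so `mode: 0755` on the copy task should be `mode: "0644"`, and all the octal modes are better quoted (`mode: "0755"`) so a YAML 1.2 parser cannot read them as decimal.

```yaml
- name: download vault release
  get_url:
    url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
    dest: "/usr/local/src/vault_{{ vault_version }}_linux_amd64.zip"
    # vault_sha256: new role variable holding the digest from the release's SHA256SUMS
    checksum: "sha256:{{ vault_sha256 }}"
    owner: root
    group: root
    mode: "0644"
  when: installed_vault_version.stdout != vault_version

- name: get vault
  unarchive:
    src: "/usr/local/src/vault_{{ vault_version }}_linux_amd64.zip"
    dest: /usr/local/bin/
    mode: "0755"
    owner: root
    group: root
    remote_src: True
  when: installed_vault_version.stdout != vault_version
  notify: restart_vault_debian
```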
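Review bot: `tls_disable = true` combined with `address = "0.0.0.0:8200"` exposes the API in cleartext on every interface, so every token and secret a client exchanges with this server crosses the network unencrypted; the commented `tls_cert_file`/`tls_key_file` lines show this was meant as a stopgap, but nothing in the template or role enforces the follow-up. I would either wire the two cert paths in and drop `tls_disable`, or at least bind to the host's private address (`address = "{{ ansible_default_ipv4.address }}:8200"`, or loopback) until certificates are available, and say so in a comment above the listener block. Separately, the rendered file embeds the Consul ACL token returned by the `hashi_vault` lookup; the 0640 vault:vault ownership set in tasks/main.yml is right, but the rendering task should probably also set `no_log: true` so the token does not land in `--diff` output or callback logs.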
@@ -0,0 +1,13 @@
+agent_prefix "" {
+  policy = "write"
+}
+node_prefix "" {
+  policy = "write"
+}
+service_prefix "" {
+  policy = "read"
+}
+session_prefix "" {
+  policy = "read"
+}
+
diff --git a/consul/acls/vault-policy.hcl b/consul/acls/vault-policy.hcl
new file mode 100644
index 0000000..07454bc
--- /dev/null
+++ b/consul/acls/vault-policy.hcl
@@ -0,0 +1,16 @@
+key_prefix "vault/" {
+  policy = "write"
+}
+node_prefix "" {
+  policy = "write"
+}
+service "vault" {
+  policy = "write"
+}
+agent_prefix "" {
+  policy = "write"
+}
+session_prefix "" {
+  policy = "write"
+}
+
diff --git a/vault/policies/ansible.hcl b/vault/policies/ansible.hcl
new file mode 100644
index 0000000..f505543
--- /dev/null
+++ b/vault/policies/ansible.hcl
@@ -0,0 +1,3 @@
+path "kv/*" {
+  capabilities = ["list", "read"]
+}
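Review bot: `node_prefix "" { policy = "write" }` together with `agent_prefix "" { policy = "write" }` lets any agent holding a token from this policy register, modify or deregister every node in the catalog and drive the agent endpoints of every other node, so one compromised host can rewrite the whole cluster's node view. Consul's guidance for agent tokens is write on the agent's own node name and read on the rest: `node "<node-name>" { policy = "write" }` plus `node_prefix "" { policy = "read" }` (with `<node-name>` filled per host), and the same narrowing for `agent`; that means one policy per node, which is what a node policy is for. The file also ends with a stray blank line. vault-policy.hcl carries the same `node_prefix "" { policy = "write" }`, but for the Vault storage token HashiCorp's documented policy does use it, so I would leave that one unless the cluster's registration needs are known to be narrower.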
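Review bot: `path "kv/*"` with `list` and `read` grants the Ansible token read access to every secret in the KV mount, while the only consumer in this change (templates/vault.hcl.j2) reads the single secret `kv/data/vault`. Least privilege would scope the policy to that path: `path "kv/data/vault" { capabilities = ["read"] }`, adding `kv/metadata/vault` with `list`/`read` only if something needs to enumerate versions. Wider paths can be added per secret as other roles start using the lookup, which also keeps the policy a readable record of what automation is allowed to see.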