Add vault server, add some generic consul acls and vault policies
This commit is contained in:
parent
52e5d17486
commit
0d9e708735
7 changed files with 151 additions and 0 deletions
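--- /dev/null
+++ b/ansible/roles/vault_server/files/vault.service
@@ -0,0 +1,34 @@
+[Unit]
+Description="HashiCorp Vault - A tool for managing secrets"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault.d/vault.hcl
+
+[Service]
+User=vault
+Group=vault
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+Capabilities=CAP_IPC_LOCK+ep
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=60
+StartLimitIntervalSec=60
+StartLimitBurst=3
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target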
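Review bot: `Capabilities=CAP_IPC_LOCK+ep` is not a setting current systemd recognises (it was removed from the service-unit language some releases ago), so systemd logs an unknown-key warning and ignores it; the capability configuration that actually takes effect is `AmbientCapabilities=CAP_IPC_LOCK` plus `CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK`, which is what Vault needs for mlock. Drop the ignored line so the unit only contains directives that do something. `StartLimitInterval=60` and `StartLimitIntervalSec=60` are the old and new spellings of the same setting; keep one (newer systemd wants `StartLimitIntervalSec=` in `[Unit]`). Since this host stores state in Consul rather than on disk, `ProtectSystem=strict` is worth trying in place of `full` — confirm first that no local audit device or plugin directory needs write access.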
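--- /dev/null
+++ b/ansible/roles/vault_server/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: daemon_reload
+  systemd:
+    daemon_reload: True
+
+- name: restart_vault_debian
+  systemd:
+    name: vault
+    state: restarted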
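Review bot: `restart_vault_debian` is notified by the config template task, so every change to `vault.hcl` restarts the server, and a restarted Vault comes back sealed until it is unsealed again (nothing in the visible config sets up auto-unseal). That is an operational trap worth a comment on the handler, e.g. `# NOTE: a restart reseals Vault; unseal after config changes. TLS cert rotation only needs state: reloaded (SIGHUP via ExecReload).` Two style nits: write `daemon_reload: true` rather than `True` (yamllint `truthy`), and the `_debian` suffix is misleading since nothing here is Debian-specific.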
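--- /dev/null
+++ b/ansible/roles/vault_server/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+- name: ensure vault group
+  group:
+    name: vault
+    state: present
+    system: True
+
+- name: ensure vault user
+  user:
+    name: vault
+    state: present
+    group: vault
+    system: True
+
+- name: ensure vault config dir
+  file:
+    path: /etc/vault.d/
+    state: directory
+    owner: vault
+    group: vault
+    mode: 0755
+
+- name: check vault version
+  shell:
+    cmd: "vault --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_vault_version
+  check_mode: False
+
+- name: get vault
+  unarchive:
+    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: installed_vault_version.stdout != vault_version
+
+- name: copy vault unit file
+  copy:
+    src: files/vault.service
+    dest: /etc/systemd/system/vault.service
+    mode: 0755
+    owner: root
+    group: root
+  notify: daemon_reload
+
+- name: template vault config
+  template:
+    src: templates/vault.hcl.j2
+    dest: /etc/vault.d/vault.hcl
+    owner: vault
+    group: vault
+    mode: 0640
+  notify: restart_vault_debian
+
+- name: ensure vault is started and enabled
+  systemd:
+    name: vault
+    state: started
+    enabled: True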
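Review bot: The `get vault` task pulls the Vault binary straight from releases.hashicorp.com with `unarchive` and installs it as root into `/usr/local/bin` without verifying it — HTTPS protects the transport, but nothing checks that the archive is the one HashiCorp published, and this is the binary that will hold every secret on the host. Fetch the zip with `get_url` and its `checksum:` option pointed at the published `*_SHA256SUMS` file (Ansible ≥ 2.8 resolves the entry by filename), then unarchive the verified local file; for a stronger guarantee the SHA256SUMS file should itself be checked against HashiCorp's GPG signature, which the fence below does not do. Separately, the unit file is installed with `mode: 0755` — a systemd unit needs no execute bit, `mode: "0644"` is the norm — and quoting the octal modes (`"0755"`) avoids YAML 1.1 integer surprises.
```yaml
- name: download vault release archive
  get_url:
    url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
    dest: "/tmp/vault_{{ vault_version }}_linux_amd64.zip"
    checksum: "sha256:https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_SHA256SUMS"
    mode: "0644"
  when: installed_vault_version.stdout != vault_version

- name: get vault
  unarchive:
    src: "/tmp/vault_{{ vault_version }}_linux_amd64.zip"
    dest: /usr/local/bin/
    mode: "0755"
    owner: root
    group: root
    remote_src: True
  when: installed_vault_version.stdout != vault_version
# … unchanged: copy vault unit file, template vault config, ensure vault is started and enabled …
```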
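--- /dev/null
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@@ -0,0 +1,12 @@
+ui = true
+listener "tcp" {
+  address = "0.0.0.0:8200"
+  tls_disable = true
+  # tls_cert_file = "/path/to/fullchain.pem"
+  # tls_key_file = "/path/to/privkey.pem"
+}
+storage "consul" {
+  address = "localhost:8500"
+  path = "vault/"
+  token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data')['consul-acl'] }}"
+}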
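Review bot: `address = "0.0.0.0:8200"` combined with `tls_disable = true` serves the Vault API and UI in cleartext on every interface of the host, so unseal keys, root and client tokens and every secret read cross the network unencrypted; the commented-out `tls_cert_file`/`tls_key_file` lines suggest this is a placeholder rather than a deliberate choice. Until certificates are wired in, bind the listener to loopback (`address = "127.0.0.1:8200"`), or set `tls_cert_file`/`tls_key_file` now and drop `tls_disable`; either way, document the decision in the template with a comment such as `# TODO: plaintext listener — do not expose 8200 beyond this host until TLS is enabled`. The Consul token is rendered into this file, which the tasks install as `0640 vault:vault` — acceptable, but worth a note that the lookup runs on the controller against an already-running Vault, so this template cannot bootstrap the first server.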
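--- /dev/null
+++ b/consul/acls/node-policy.hcl
@@ -0,0 +1,13 @@
+agent_prefix "" {
+  policy = "write"
+}
+node_prefix "" {
+  policy = "write"
+}
+service_prefix "" {
+  policy = "read"
+}
+session_prefix "" {
+  policy = "read"
+}
+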
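Review bot: As a generic per-node token, `node_prefix "" { policy = "write" }` and `agent_prefix "" { policy = "write" }` let any single compromised agent rewrite or deregister every node in the catalog and drive the agent API (maintenance mode, force-leave, token updates) on every other agent, which defeats the point of per-node tokens. Consul's recommended shape is an exact-match rule for the node's own name plus read elsewhere, e.g. `node "NODE_NAME" { policy = "write" }` with `node_prefix "" { policy = "read" }`, and `agent "NODE_NAME" { policy = "write" }` — presumably this file is meant to be templated per host, in which case a header comment saying so would help. If it really is intended as one shared token for all agents, say that in a comment too, since the wildcard write is then a conscious trade-off rather than an oversight.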
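--- /dev/null
+++ b/consul/acls/vault-policy.hcl
@@ -0,0 +1,16 @@
+key_prefix "vault/" {
+  policy = "write"
+}
+node_prefix "" {
+  policy = "write"
+}
+service "vault" {
+  policy = "write"
+}
+agent_prefix "" {
+  policy = "write"
+}
+session_prefix "" {
+  policy = "write"
+}
+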
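Review bot: This matches the policy HashiCorp's Consul-storage guide gives for Vault, but the wildcard `node_prefix ""` and `agent_prefix ""` write rules are wider than a single Vault host needs: Vault only registers itself and its health checks on the node it runs on. If the set of Vault hosts is known (and the `storage "consul"` stanza points at a local agent, so it is), tighten them to `node "VAULT_NODE_NAME" { policy = "write" }` and `agent "VAULT_NODE_NAME" { policy = "write" }`, and add a comment tying `key_prefix "vault/"` to the `path = "vault/"` in `vault.hcl.j2` so the two are changed together. Consider a one-line header noting the upstream source of this policy so future readers know why session write is present.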
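--- /dev/null
+++ b/vault/policies/ansible.hcl
@@ -0,0 +1,3 @@
+path "kv/*" {
+  capabilities = ["list", "read"]
+}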
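Review bot: `path "kv/*"` with `read` and `list` hands the Ansible controller read access to every secret under the `kv` mount, while the only use visible in this commit is the template's lookup of `kv/data/vault`. For a KV v2 mount the data lives under `kv/data/...` and the listing index under `kv/metadata/...`, so scope the policy to what Ansible actually needs, e.g. `path "kv/data/vault" { capabilities = ["read"] }` plus `path "kv/metadata/*" { capabilities = ["list"] }` if listing is required, widening per secret as roles are added. If the broad grant is intentional for now, a comment saying so (and that it should be narrowed) would keep it from being copied as the pattern for other policies.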