Add vault server, add some generic consul acls and vault policies

This commit is contained in:
Amarpreet Minhas 2020-08-27 15:26:40 -04:00
parent 52e5d17486
commit 0d9e708735
7 changed files with 151 additions and 0 deletions


@ -0,0 +1,34 @@
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target
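Review bot: `Capabilities=CAP_IPC_LOCK+ep` is not a directive that current systemd recognises — it was deprecated and later removed in favour of `AmbientCapabilities=`/`CapabilityBoundingSet=`, so systemd logs an unknown-key warning and ignores the line, and the two directives already present grant CAP_IPC_LOCK on their own; the line can go. `StartLimitInterval=60` and `StartLimitIntervalSec=60` are the old and new spelling of the same setting, so one is redundant, and on newer systemd both belong in `[Unit]` rather than `[Service]`. The sandboxing block (`ProtectSystem=full` through `NoNewPrivileges=yes`) appears to mirror the upstream HashiCorp unit; a one-line comment above it saying so, `# sandboxing as in the upstream HashiCorp unit; loosen only with a reason`, would help whoever next needs to relax it.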


@ -0,0 +1,9 @@
---
- name: daemon_reload
systemd:
daemon_reload: True
- name: restart_vault_debian
systemd:
name: vault
state: restarted
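Review bot: `restart_vault_debian` is notified by the config-template task of this commit, and the vault.hcl template added alongside has no `seal` stanza, so every config change restarts Vault and leaves it sealed until an operator unseals it; a comment on the handler, `# restarting Vault seals it - an unseal is needed afterwards unless auto-unseal is configured`, or a HUP-based reload handler for changes that do not need a restart, would make that cost visible. `daemon_reload: True` uses the capitalised spelling; Ansible accepts it, but only lowercase `true` is a boolean under the YAML 1.2 core schema and yamllint's truthy rule, so `daemon_reload: true` is the portable form (the same applies to the `True` values in the tasks file of this commit). The `_debian` suffix on the handler name is misleading, since the `systemd` module is not distribution-specific.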


@ -0,0 +1,64 @@
---
- name: ensure vault group
group:
name: vault
state: present
system: True
- name: ensure vault user
user:
name: vault
state: present
group: vault
system: True
- name: ensure vault config dir
file:
path: /etc/vault.d/
state: directory
owner: vault
group: vault
mode: 0755
- name: check vault version
shell:
cmd: "vault --version | head -1 | cut -d'v' -f2"
args:
executable: /bin/bash
changed_when: False
register: installed_vault_version
check_mode: False
- name: get vault
unarchive:
src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
dest: /usr/local/bin/
mode: 0755
owner: root
group: root
remote_src: True
when: installed_vault_version.stdout != vault_version
- name: copy vault unit file
copy:
src: files/vault.service
dest: /etc/systemd/system/vault.service
mode: 0755
owner: root
group: root
notify: daemon_reload
- name: template vault config
template:
src: templates/vault.hcl.j2
dest: /etc/vault.d/vault.hcl
owner: vault
group: vault
mode: 0640
notify: restart_vault_debian
- name: ensure vault is started and enabled
systemd:
name: vault
state: started
enabled: True
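Review bot: The `get vault` task extracts the release zip straight from releases.hashicorp.com with no integrity check, so whatever the download returns becomes root-owned /usr/local/bin/vault; HashiCorp publishes a `vault_<version>_SHA256SUMS` file next to each release, and fetching the archive with `get_url` and its `checksum:` option (which accepts a `sha256:<url>` reference to such a sums file) before unarchiving pins the binary to the published digest. The `copy vault unit file` task installs the unit with `mode: 0755`; a unit file is data rather than a program, and `"0644"` is the conventional mode. The octal modes in this file (`0755`, `0640`) are unquoted; Ansible handles the leading-zero form, but quoting them avoids the YAML integer trap if the zero is ever dropped. The version-check `shell` task relies on the pipeline's last command succeeding when `vault` is absent; that works without `pipefail`, but a comment saying the empty stdout is the "not installed" signal would make it deliberate.

```yaml
# … unchanged: group, user, config-dir tasks and the version check …
- name: download vault release
  get_url:
    url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
    dest: "/tmp/vault_{{ vault_version }}_linux_amd64.zip"
    checksum: "sha256:https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_SHA256SUMS"
  when: installed_vault_version.stdout != vault_version

- name: get vault
  unarchive:
    src: "/tmp/vault_{{ vault_version }}_linux_amd64.zip"
    dest: /usr/local/bin/
    mode: "0755"
    owner: root
    group: root
    remote_src: true
  when: installed_vault_version.stdout != vault_version
# … unchanged: unit file copy, config template and service tasks …
```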


@ -0,0 +1,12 @@
ui = true
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
# tls_cert_file = "/path/to/fullchain.pem"
# tls_key_file = "/path/to/privkey.pem"
}
storage "consul" {
address = "localhost:8500"
path = "vault/"
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data')['consul-acl'] }}"
}
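Review bot: The listener binds `0.0.0.0:8200` with `tls_disable = true`, so every token and secret crossing the API travels in cleartext to anyone on the network path; HashiCorp documents `tls_disable` as a dev/test setting. The commented `tls_cert_file`/`tls_key_file` lines suggest TLS was planned, so either point them at real certificates and set `tls_disable = false`, or bind the listener to a loopback or private address until that is done. The `token` line is resolved by the `hashi_vault` lookup on the Ansible controller at render time, not on the target, which is worth a header comment such as `# consul token is looked up on the controller when this template renders` because the rendered file is the only place it ends up.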


@ -0,0 +1,13 @@
agent_prefix "" {
policy = "write"
}
node_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
session_prefix "" {
policy = "read"
}
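Review bot: `node_prefix ""` and `agent_prefix ""` with `policy = "write"` give any token bound to this policy write access to every node and every agent in the datacenter, so a single leaked agent token can alter the registration of any other node; this reads like the Consul agent token policy, and for that Consul's guidance is a per-node `node "<name>" { policy = "write" }` (with `node_prefix ""` at most `read`) next to `service_prefix "" { policy = "read" }`. If the wildcard prefixes are a deliberate shortcut because this is the "generic" policy the commit title mentions, a header comment saying so, `# generic agent policy: node/agent write is datacenter-wide on purpose`, would keep a later reader from tightening it blind. The file name is not visible in this rendering, so which token consumes this policy is inferred from its shape.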


@ -0,0 +1,16 @@
key_prefix "vault/" {
policy = "write"
}
node_prefix "" {
policy = "write"
}
service "vault" {
policy = "write"
}
agent_prefix "" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
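Review bot: This policy has no comment naming what consumes it; its shape (`key_prefix "vault/"` and `service "vault"` with write) matches the Consul storage-backend token that the vault.hcl template in this commit reads as `consul-acl` from `kv/data/vault`, and a header such as `# Consul ACL policy for Vault's storage-backend token (rendered into vault.hcl)` would tie the three files together. The agent policy in this commit gives `session_prefix ""` only `read` while this one gives `write`; the difference is presumably intentional (Vault's Consul backend uses sessions for its lock), but a comment on the `session_prefix` block would make that explicit. `node_prefix "" { policy = "write" }` is broader than a token that registers only its own node needs; if the node name is known, `node "<name>" { policy = "write" }` limits what a leaked token can change — verify against the Vault storage-backend docs before narrowing.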


@ -0,0 +1,3 @@
path "kv/*" {
capabilities = ["list", "read"]
}
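Review bot: `read` and `list` on `kv/*` cover every secret in the mount; on a KV v2 engine (which the `kv/data/vault` path used by the vault.hcl template implies this is) that means `kv/data/*` and `kv/metadata/*` for all paths and all versions. The only consumer visible in this commit needs one key, so if this policy is for the token the `hashi_vault` lookup uses, scoping it to `path "kv/data/vault" { capabilities = ["read"] }` limits what that token exposes; keep the wildcard only if a broader consumer exists, and name it in a header comment. As written the file has no comment at all, so its intent cannot be checked against its scope.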