Add vault server, add some generic consul acls and vault policies

2020-08-27 15:26:40 -04:00 · 2020-08-27 15:26:40 -04:00 · 0d9e708735
commit 0d9e708735
parent 52e5d17486
7 changed files with 151 additions and 0 deletions
--- a/ansible/roles/vault_server/files/vault.service
+++ b/ansible/roles/vault_server/files/vault.service
@ -0,0 +1,34 @@
+[Unit]
+Description="HashiCorp Vault - A tool for managing secrets"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault.d/vault.hcl
+
+[Service]
+User=vault
+Group=vault
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+Capabilities=CAP_IPC_LOCK+ep
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=60
+StartLimitIntervalSec=60
+StartLimitBurst=3
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
--- a/ansible/roles/vault_server/handlers/main.yml
+++ b/ansible/roles/vault_server/handlers/main.yml
@ -0,0 +1,9 @@
+---
+- name: daemon_reload
+  systemd:
+    daemon_reload: True
+
+- name: restart_vault_debian
+  systemd:
+    name: vault
+    state: restarted
--- a/ansible/roles/vault_server/tasks/main.yml
+++ b/ansible/roles/vault_server/tasks/main.yml
@ -0,0 +1,64 @@
+---
+- name: ensure vault group
+  group:
+    name: vault
+    state: present
+    system: True
+
+- name: ensure vault user
+  user:
+    name: vault
+    state: present
+    group: vault
+    system: True
+
+- name: ensure vault config dir
+  file:
+    path: /etc/vault.d/
+    state: directory
+    owner: vault
+    group: vault
+    mode: 0755
+
+- name: check vault version
+  shell:
+    cmd: "vault --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_vault_version
+  check_mode: False
+
+- name: get vault
+  unarchive:
+    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: installed_vault_version.stdout != vault_version
+
+- name: copy vault unit file
+  copy:
+    src: files/vault.service
+    dest: /etc/systemd/system/vault.service
+    mode: 0755
+    owner: root
+    group: root
+  notify: daemon_reload
+
+- name: template vault config
+  template:
+    src: templates/vault.hcl.j2
+    dest: /etc/vault.d/vault.hcl
+    owner: vault
+    group: vault
+    mode: 0640
+  notify: restart_vault_debian
+
+- name: ensure vault is started and enabled
+  systemd:
+    name: vault
+    state: started
+    enabled: True
--- a/ansible/roles/vault_server/templates/vault.hcl.j2
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@ -0,0 +1,12 @@
+ui = true
+listener "tcp" {
+  address       = "0.0.0.0:8200"
+  tls_disable   = true
+#  tls_cert_file = "/path/to/fullchain.pem"
+#  tls_key_file  = "/path/to/privkey.pem"
+}
+storage "consul" {
+  address   = "localhost:8500"
+  path      = "vault/"
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data')['consul-acl'] }}"
+}
--- a/consul/acls/node-policy.hcl
+++ b/consul/acls/node-policy.hcl
@ -0,0 +1,13 @@
+agent_prefix "" {
+  policy = "write"
+}
+node_prefix "" {
+  policy = "write"
+}
+service_prefix "" {
+  policy = "read"
+}
+session_prefix "" {
+  policy = "read"
+}
+
--- a/consul/acls/vault-policy.hcl
+++ b/consul/acls/vault-policy.hcl
@ -0,0 +1,16 @@
+key_prefix "vault/" {
+  policy = "write"
+}
+node_prefix "" {
+  policy = "write"
+}
+service "vault" {
+  policy = "write"
+}
+agent_prefix "" {
+  policy = "write"
+}
+session_prefix "" {
+  policy = "write"
+}
+
--- a/vault/policies/ansible.hcl
+++ b/vault/policies/ansible.hcl
@ -0,0 +1,3 @@
+path "kv/*" {
+  capabilities = ["list", "read"]
+}