Add consul clients, DRY up consul_dc

ansible/group_vars/all/main.yml

@@ -1,5 +1,6 @@
 ---
 # consul
+consul_dc: columbia
 consul_version: 1.8.3
 
 # vault

ansible/host_vars/fatman.minhas.io/main.yml

@@ -1,4 +1,3 @@
 ---
-consul_dc: columbia
 consul_config_path: /usr/local/etc/consul.d
 ...

ansible/host_vars/ivyking.minhas.io/main.yml

@@ -1,3 +0,0 @@
----
-consul_dc: columbia
-...

ansible/host_vars/sedan.minhas.io/main.yml

@@ -1,3 +0,0 @@
----
-consul_dc: columbia
-...

ansible/inventory.txt

@@ -1,3 +1,9 @@
+[all]
+fatman.minhas.io
+ivyking.minhas.io
+ranger.minhas.io
+sedan.minhas.io
+
 [consul_server]
 fatman.minhas.io
 ivyking.minhas.io

ansible/playbooks/consul-client.yml

@@ -0,0 +1,7 @@
+---
+- hosts: all
+  roles:
+    - { role: consul,
+         when: '"consul_server" not in group_names'
+      }
+...

ansible/playbooks/site.yml

@@ -5,4 +5,5 @@
 
 - import_playbook: consul-server.yml
 - import_playbook: vault-server.yml
+- import_playbook: consul-client.yml
 ...

ansible/roles/consul/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+consul_config_path: /etc/consul.d
+...

ansible/roles/consul/files/consul-agent-ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCApGgAwIBAgIQME5Go459u5LlhDqirL54aTAKBggqhkjOPQQDAjCBuDEL
+MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
+BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
+NjQyMDkzNzU2Nzk2MDMyOTY4MTA4MDI5ODk2NTUzNjQ4OTI3NzcwHhcNMjAwODI3
+MTYxOTE4WhcNMjUwODI2MTYxOTE4WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
+AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
+IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
+MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgNjQyMDkzNzU2Nzk2MDMyOTY4MTA4
+MDI5ODk2NTUzNjQ4OTI3NzcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASUDPnD
+lfeWaTrJHZ9JzovcEXTGh2VKOaq4a1GceAqYNg1Jj2A6+6Je9Nm5+tvVn939ZS0z
+NQGjuL3vdxJN96sYo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
+/zApBgNVHQ4EIgQg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwKwYD
+VR0jBCQwIoAg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwCgYIKoZI
+zj0EAwIDRwAwRAIgGj3Z1yyMTcdsZiFu89Si0E9ueX2CAAztWabhbvzMOl4CIHIv
+DhH1LG5/DHuJCQA4MAKLiDzt1/XQoS1FJiguyorb
+-----END CERTIFICATE-----

ansible/roles/consul/files/consul.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Consul Service Discovery Agent
+After=network-online.target
+
+[Service]
+Type=simple
+Restart=on-failure
+User=consul
+Group=consul
+RestartSec=3
+StateDirectory=consul
+ExecStart=/usr/local/bin/consul agent -config-dir /etc/consul.d/
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/consul/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+- name: daemon_reload
+  systemd:
+    daemon_reload: True
+
+- name: restart_consul_debian
+  systemd:
+    name: consul
+    state: restarted
+
+- name: restart_consul_fbsd
+  service:
+    name: consul
+    state: restarted

ansible/roles/consul/tasks/Debian.yml

@@ -0,0 +1,88 @@
+---
+- name: ensure consul group
+  group:
+    name: consul
+    state: present
+    system: True
+
+- name: ensure consul user
+  user:
+    name: consul
+    state: present
+    group: consul
+    system: True
+
+- name: ensure consul config dir
+  file:
+    path: /etc/consul.d/
+    state: directory
+    owner: consul
+    group: consul
+    mode: 0755
+
+- name: ensure consul config dir
+  file:
+    path: /etc/consul.d/certs/
+    state: directory
+    owner: consul
+    group: consul
+    mode: 0744
+
+- name: ensure consul agent ca cert
+  copy:
+    src: files/consul-agent-ca.pem
+    dest: /etc/consul.d/certs/consul-agent-ca.pem
+    owner: consul
+    group: consul
+    mode: 0644
+
+- name: ensure consul data dir
+  file:
+    path: /opt/consul
+    state: directory
+    owner: consul
+    group: consul
+    mode: 0755
+
+- name: check consul version
+  shell:
+    cmd: "consul --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_consul_version
+  check_mode: False
+
+- name: get consul
+  unarchive:
+    src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: installed_consul_version.stdout != consul_version
+
+- name: copy consul unit file
+  copy:
+    src: files/consul.service
+    dest: /etc/systemd/system/consul.service
+    mode: 0755
+    owner: root
+    group: root
+  notify: daemon_reload
+
+- name: template consul config
+  template:
+    src: templates/consul.hcl.j2
+    dest: /etc/consul.d/consul.hcl
+    owner: root
+    group: root
+    mode: 0755
+  notify: restart_consul_debian
+
+- name: ensure consul is started and enabled
+  systemd:
+    name: consul
+    state: started
+    enabled: True

ansible/roles/consul/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- include: "{{ ansible_os_family }}.yml"
+...

ansible/roles/consul/templates/consul-client.key.j2

@@ -0,0 +1 @@
+{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['consul-client-key'] }}

ansible/roles/consul/templates/consul.hcl.j2

@@ -0,0 +1,33 @@
+datacenter          = "{{ consul_dc }}"
+domain              = "consul"
+
+encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
+
+verify_incoming         = false
+verify_outgoing         = true
+verify_server_hostname  = true
+ca_file                 = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
+
+auto_encrypt {
+  tls   = true
+}
+
+bind_addr           = "{{ ansible_default_ipv4.address }}"
+start_join          = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"]
+
+data_dir            = "/opt/consul"
+log_level           = "INFO"
+raft_protocol       = 3
+
+addresses {
+ http = "0.0.0.0"
+}
+
+acl {
+  enabled = true
+  default_policy = "deny"
+  enable_token_persistence = true
+  tokens {
+    agent   = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
+  }
+}