From 1559206ae42c7fb83927efbef8c932d8573bc141 Mon Sep 17 00:00:00 2001
From: Asara
Date: Tue, 13 Oct 2020 21:42:39 -0400
Subject: [PATCH] Fix up vault ssl, fix up vault cert since it needs a bundled cert
---
 ansible/playbooks/vault-server.yml | 1 +
 ansible/roles/common/tasks/Debian_pki.yml | 2 +-
 ansible/roles/common/tasks/FreeBSD_pki.yml | 2 +-
 ansible/roles/consul_server/tasks/FreeBSD.yml | 2 +-
 ansible/roles/nexus/tasks/main.yml | 2 +-
 ansible/roles/nomad_client/tasks/nomad.yml | 2 +-
 ansible/roles/nomad_server/tasks/main.yml | 8 +++++++-
 ansible/roles/vault_server/templates/vault.hcl.j2 | 4 ++--
 8 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/ansible/playbooks/vault-server.yml b/ansible/playbooks/vault-server.yml
index 187e3b3..effd71b 100644
--- a/ansible/playbooks/vault-server.yml
+++ b/ansible/playbooks/vault-server.yml
@@ -1,5 +1,6 @@
 ---
 - hosts: vault_server
+ serial: 1
 roles:
 - role: vault_server
 ...
diff --git a/ansible/roles/common/tasks/Debian_pki.yml b/ansible/roles/common/tasks/Debian_pki.yml
index f1c7cf6..293d2c8 100644
--- a/ansible/roles/common/tasks/Debian_pki.yml
+++ b/ansible/roles/common/tasks/Debian_pki.yml
@@ -72,7 +72,7 @@
 args:
 executable: /bin/bash
 environment:
- VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_ADDR: http://vault.service.masked.name:8200
 VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
 VAULT_FORMAT: json
 register: cert_data
diff --git a/ansible/roles/common/tasks/FreeBSD_pki.yml b/ansible/roles/common/tasks/FreeBSD_pki.yml
index 4ffe7c0..508cd59 100644
--- a/ansible/roles/common/tasks/FreeBSD_pki.yml
+++ b/ansible/roles/common/tasks/FreeBSD_pki.yml
@@ -82,7 +82,7 @@
 args:
 executable: /usr/local/bin/bash
 environment:
- VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_ADDR: http://vault.service.masked.name:8200
 VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
 VAULT_FORMAT: json
 register: cert_data
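Review bot: The replaced VAULT_ADDR in Debian_pki.yml keeps the `http://` scheme, while vault.hcl.j2 in this same commit advertises `api_addr = "https://…:8200"` and its listener has `tls_key_file` set, so these client steps will either be rejected by the TLS listener or, if a plaintext listener is still being served, send the token read from ~/.vault-token across the network unencrypted. The identical line is changed the same way in FreeBSD_pki.yml, consul_server/tasks/FreeBSD.yml, nexus/tasks/main.yml, nomad_client/tasks/nomad.yml and the first hunk of nomad_server/tasks/main.yml. Each should become `VAULT_ADDR: https://vault.service.masked.name:8200`, with the CA the listener certificate chains to supplied to the shell step (for example via `VAULT_CACERT`) so verification is not disabled to make it work; the shell task itself begins before this hunk. The same literal living in six roles also argues for moving it to a group variable so the scheme and host change in one place.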
diff --git a/ansible/roles/consul_server/tasks/FreeBSD.yml b/ansible/roles/consul_server/tasks/FreeBSD.yml
index a850327..33c3a5f 100644
--- a/ansible/roles/consul_server/tasks/FreeBSD.yml
+++ b/ansible/roles/consul_server/tasks/FreeBSD.yml
@@ -42,7 +42,7 @@
 args:
 executable: /usr/local/bin/bash
 environment:
- VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_ADDR: http://vault.service.masked.name:8200
 VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
 VAULT_FORMAT: json
 register: cert_data
diff --git a/ansible/roles/nexus/tasks/main.yml b/ansible/roles/nexus/tasks/main.yml
index c63e546..7fa8a13 100644
--- a/ansible/roles/nexus/tasks/main.yml
+++ b/ansible/roles/nexus/tasks/main.yml
@@ -18,7 +18,7 @@
 args:
 executable: /bin/bash
 environment:
- VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_ADDR: http://vault.service.masked.name:8200
 VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
 VAULT_FORMAT: json
 register: cert_data
diff --git a/ansible/roles/nomad_client/tasks/nomad.yml b/ansible/roles/nomad_client/tasks/nomad.yml
index 0c8fc0c..a2bdc83 100644
--- a/ansible/roles/nomad_client/tasks/nomad.yml
+++ b/ansible/roles/nomad_client/tasks/nomad.yml
@@ -107,7 +107,7 @@
 args:
 executable: /bin/bash
 environment:
- VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_ADDR: http://vault.service.masked.name:8200
 VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
 VAULT_FORMAT: json
 register: cert_data
diff --git a/ansible/roles/nomad_server/tasks/main.yml b/ansible/roles/nomad_server/tasks/main.yml
index 154e1cc..01e3a0c 100644
--- a/ansible/roles/nomad_server/tasks/main.yml
+++ b/ansible/roles/nomad_server/tasks/main.yml
@@ -87,7 +87,7 @@
 args:
 executable: /bin/bash
 environment:
- VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_ADDR: http://vault.service.masked.name:8200
 VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
 VAULT_FORMAT: json
 register: cert_data
@@ -114,6 +114,12 @@
 mode: "0600"
 }
+- name: append cacert to vault cert
+ blockinfile:
+ path: /etc/nomad.d/certs/nomad.pem
+ block: |
+ {{ vault_ca_cert_payload }}
+
 - name: ensure nomad is started and enabled
 systemd:
 name: nomad
diff --git a/ansible/roles/vault_server/templates/vault.hcl.j2 b/ansible/roles/vault_server/templates/vault.hcl.j2
index c6e1100..cff4105 100644
--- a/ansible/roles/vault_server/templates/vault.hcl.j2
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@@ -12,8 +12,8 @@ listener "tcp" {
 tls_key_file = "/etc/vault.d/certs/vault.key"
 }
-api_address = "{{ ansible_default_ipv4.address }}:8200"
-cluster_address = "{{ ansible_default_ipv4.address }}:8201"
+api_addr = "https://{{ ansible_default_ipv4.address }}:8200"
+cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
 storage "consul" {
 address = "localhost:8500"
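Review bot: The new `append cacert to vault cert` task changes /etc/nomad.d/certs/nomad.pem but carries no `notify`, and the task that follows only ensures nomad is started, so an already-running nomad keeps serving the old chain until something else restarts it; add `notify: restart nomad` (the handler is not visible in this hunk) or an explicit reload step after it. blockinfile also writes its default `# BEGIN/END ANSIBLE MANAGED BLOCK` marker lines into the PEM file — Go's PEM decoder skips text outside BEGIN/END lines, but any other consumer of this file may not, so building the bundle in the task that writes the certificate in the first place would be cleaner. As written the task fails rather than creates the file if nomad.pem is missing (no `create: true`), which may be the intended ordering guarantee but deserves a comment. The commit subject speaks of bundling the vault cert while the path is nomad.pem; worth confirming that this is the file the bundle was meant for.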
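Review bot: `api_addr` is now `https://{{ ansible_default_ipv4.address }}:8200`, which is the address standby nodes hand to clients for redirection, so the listener certificate must include that IP address as a SAN, or `api_addr` should use the DNS name the certificate was issued for (the rest of this commit points clients at vault.service.masked.name); otherwise redirected requests fail TLS verification and the usual workaround of skipping verification undoes the point of this change. Renaming api_address/cluster_address to api_addr/cluster_addr matches the names Vault documents, and since the old names presumably never took effect this is a behaviour change worth a sentence in the commit message. The listener block starts before this hunk, so whether tls_cert_file points at a file that carries the full chain cannot be checked here.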