Fix up vault ssl, fix up vault cert since it needs a bundled cert

2020-10-13 21:42:39 -04:00 · 2020-10-13 21:42:39 -04:00 · 1559206ae4
commit 1559206ae4
parent b5d51f7e3f
8 changed files with 15 additions and 8 deletions
--- a/ansible/playbooks/vault-server.yml
+++ b/ansible/playbooks/vault-server.yml
@ -1,5 +1,6 @@
 ---
 - hosts: vault_server
+  serial: 1
  roles:
    - role: vault_server
 ...
--- a/ansible/roles/common/tasks/Debian_pki.yml
+++ b/ansible/roles/common/tasks/Debian_pki.yml
@ -72,7 +72,7 @@
  args:
    executable: /bin/bash
  environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
--- a/ansible/roles/common/tasks/FreeBSD_pki.yml
+++ b/ansible/roles/common/tasks/FreeBSD_pki.yml
@ -82,7 +82,7 @@
  args:
    executable: /usr/local/bin/bash
  environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
--- a/ansible/roles/consul_server/tasks/FreeBSD.yml
+++ b/ansible/roles/consul_server/tasks/FreeBSD.yml
@ -42,7 +42,7 @@
  args:
    executable: /usr/local/bin/bash
  environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
--- a/ansible/roles/nexus/tasks/main.yml
+++ b/ansible/roles/nexus/tasks/main.yml
@ -18,7 +18,7 @@
  args:
    executable: /bin/bash
  environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
--- a/ansible/roles/nomad_client/tasks/nomad.yml
+++ b/ansible/roles/nomad_client/tasks/nomad.yml
@ -107,7 +107,7 @@
  args:
    executable: /bin/bash
  environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
--- a/ansible/roles/nomad_server/tasks/main.yml
+++ b/ansible/roles/nomad_server/tasks/main.yml
@ -87,7 +87,7 @@
  args:
    executable: /bin/bash
  environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
@ -114,6 +114,12 @@
        mode: "0600"
    }

+- name: append cacert to vault cert
+  blockinfile:
+    path: /etc/nomad.d/certs/nomad.pem
+    block: |
+      {{ vault_ca_cert_payload }}
+
 - name: ensure nomad is started and enabled
  systemd:
    name: nomad
--- a/ansible/roles/vault_server/templates/vault.hcl.j2
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@ -12,8 +12,8 @@ listener "tcp" {
  tls_key_file    = "/etc/vault.d/certs/vault.key"
 }

-api_address     = "{{ ansible_default_ipv4.address }}:8200"
-cluster_address = "{{ ansible_default_ipv4.address }}:8201"
+api_addr          = "https://{{ ansible_default_ipv4.address }}:8200"
+cluster_addr      = "https://{{ ansible_default_ipv4.address }}:8201"

 storage "consul" {
  address   = "localhost:8500"