diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml index 35eff3f..1424a27 100644 --- a/ansible/group_vars/all/main.yml +++ b/ansible/group_vars/all/main.yml @@ -6,10 +6,6 @@ admin_email_address: amarpreet@minhas.io # hashicorp defaults hashi_arch: amd64 -# consul -consul_version: 1.12.2 -consul_domain: masked.name - # vault vault_version: 1.10.4 vault_pki_policy: masked-dot-name diff --git a/ansible/group_vars/hardtack/main.yml b/ansible/group_vars/hardtack/main.yml index 49ffc87..7d4a714 100644 --- a/ansible/group_vars/hardtack/main.yml +++ b/ansible/group_vars/hardtack/main.yml @@ -1,5 +1,4 @@ --- hashi_arch: arm -consul_arch: arm64 k3s_role: 'client' k3s_server_hostname: hardtack1.minhas.io diff --git a/ansible/group_vars/teapot/main.yml b/ansible/group_vars/teapot/main.yml index 9657e39..acd420e 100644 --- a/ansible/group_vars/teapot/main.yml +++ b/ansible/group_vars/teapot/main.yml @@ -1,6 +1,5 @@ --- hashi_arch: arm -consul_arch: arm64 k3s_version: v1.24.8+k3s1 k3s_role: 'client' k3s_server_hostname: teapot01.minhas.io diff --git a/ansible/host_vars/fishbowl.minhas.io/main.yml b/ansible/host_vars/fishbowl.minhas.io/main.yml index 81f7c9d..2fc26d5 100644 --- a/ansible/host_vars/fishbowl.minhas.io/main.yml +++ b/ansible/host_vars/fishbowl.minhas.io/main.yml @@ -1,6 +1,5 @@ --- hashi_arch: arm -consul_arch: arm lnd_arch: armv7 bitcoind_disk: /dev/sda1 diff --git a/ansible/host_vars/redwingcherokee.minhas.io/main.yml b/ansible/host_vars/redwingcherokee.minhas.io/main.yml index 81f7c9d..2fc26d5 100644 --- a/ansible/host_vars/redwingcherokee.minhas.io/main.yml +++ b/ansible/host_vars/redwingcherokee.minhas.io/main.yml @@ -1,6 +1,5 @@ --- hashi_arch: arm -consul_arch: arm lnd_arch: armv7 bitcoind_disk: /dev/sda1 diff --git a/ansible/inventory.txt b/ansible/inventory.txt index c3be92b..7a91edf 100644 --- a/ansible/inventory.txt +++ b/ansible/inventory.txt 
@@ -6,11 +6,6 @@ sedan.minhas.io fishbowl.minhas.io teapot[01:06].minhas.io -[consul_server] -sedan.minhas.io -ranger.minhas.io -hardtack1.minhas.io - [hardtack] hardtack[1:7].minhas.io @@ -30,6 +25,7 @@ sedan.minhas.io [vault_server] ranger.minhas.io sedan.minhas.io +hardtack1.minhas.io [wekan] sedan.minhas.io diff --git a/ansible/playbooks/consul-client.yml b/ansible/playbooks/consul-client.yml deleted file mode 100644 index 9bddc2f..0000000 --- a/ansible/playbooks/consul-client.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- hosts: all - roles: - - { role: consul, - when: '"consul_server" not in group_names' - } -... diff --git a/ansible/playbooks/consul-server.yml b/ansible/playbooks/consul-server.yml deleted file mode 100644 index f7e6231..0000000 --- a/ansible/playbooks/consul-server.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- hosts: consul_server - serial: 1 - roles: - - role: consul_server -... diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml index 2c5433d..02551bc 100644 --- a/ansible/playbooks/site.yml +++ b/ansible/playbooks/site.yml @@ -1,8 +1,6 @@ --- - import_playbook: common.yml -- import_playbook: consul-server.yml - import_playbook: vault-server.yml -- import_playbook: consul-client.yml - import_playbook: k3s.yml - import_playbook: docker-repo.yml - import_playbook: lnd.yml diff --git a/ansible/roles/common/tasks/Debian_pki.yml b/ansible/roles/common/tasks/Debian_pki.yml index 8ffce7b..e937a15 100644 --- a/ansible/roles/common/tasks/Debian_pki.yml +++ b/ansible/roles/common/tasks/Debian_pki.yml @@ -68,7 +68,7 @@ register: exp - name: get cert - shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m" + shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.masked.name ttl=43200m" args: executable: /bin/bash environment: 
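Review bot: The replacement `common_name` in the "get cert" task hard-codes `masked.name`, the same literal this commit also pastes into the docker-repo and vault_server roles now that `consul_domain` has been dropped from group_vars/all; one group var such as `base_domain: masked.name` and `common_name={{ inventory_hostname_short }}.{{ base_domain }}` would keep the three `vault write pki_int/issue/...` calls in step and make a future domain change a one-line edit. The issued CN also silently moves from `host.<main_dc_name>.<domain>` to `host.masked.name`, so anything that verified the old three-label name (this is inferred, nothing in the diff shows a consumer) will need to be re-pointed. The task's `environment:` block continues past the end of the hunk.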
diff --git a/ansible/roles/consul/defaults/main.yml b/ansible/roles/consul/defaults/main.yml deleted file mode 100644 index f5bc514..0000000 --- a/ansible/roles/consul/defaults/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -consul_config_path: /etc/consul.d -consul_arch: '{{ hashi_arch }}' -... diff --git a/ansible/roles/consul/files/consul-agent-ca.pem b/ansible/roles/consul/files/consul-agent-ca.pem deleted file mode 100644 index f22fc45..0000000 --- a/ansible/roles/consul/files/consul-agent-ca.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC6jCCApGgAwIBAgIQME5Go459u5LlhDqirL54aTAKBggqhkjOPQQDAjCBuDEL -MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv -MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV -BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg -NjQyMDkzNzU2Nzk2MDMyOTY4MTA4MDI5ODk2NTUzNjQ4OTI3NzcwHhcNMjAwODI3 -MTYxOTE4WhcNMjUwODI2MTYxOTE4WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT -AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k -IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu -MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgNjQyMDkzNzU2Nzk2MDMyOTY4MTA4 -MDI5ODk2NTUzNjQ4OTI3NzcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASUDPnD -lfeWaTrJHZ9JzovcEXTGh2VKOaq4a1GceAqYNg1Jj2A6+6Je9Nm5+tvVn939ZS0z -NQGjuL3vdxJN96sYo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB -/zApBgNVHQ4EIgQg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwKwYD -VR0jBCQwIoAg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwCgYIKoZI -zj0EAwIDRwAwRAIgGj3Z1yyMTcdsZiFu89Si0E9ueX2CAAztWabhbvzMOl4CIHIv -DhH1LG5/DHuJCQA4MAKLiDzt1/XQoS1FJiguyorb ------END CERTIFICATE----- diff --git a/ansible/roles/consul/files/consul.service b/ansible/roles/consul/files/consul.service deleted file mode 100644 index a22730d..0000000 --- a/ansible/roles/consul/files/consul.service +++ /dev/null 
@@ -1,17 +0,0 @@ -[Unit] -Description=Consul Service Discovery Agent -After=network-online.target - -[Service] -Type=simple -Restart=on-failure -User=consul -Group=consul -RestartSec=3 -StateDirectory=consul -ExecStart=/usr/local/bin/consul agent -config-dir /etc/consul.d/ -ExecReload=/bin/kill -HUP $MAINPID -KillSignal=SIGINT - -[Install] -WantedBy=multi-user.target diff --git a/ansible/roles/consul/handlers/main.yml b/ansible/roles/consul/handlers/main.yml deleted file mode 100644 index 9dc65e7..0000000 --- a/ansible/roles/consul/handlers/main.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: daemon_reload - systemd: - daemon_reload: True - -- name: restart_consul_debian - systemd: - name: consul - state: restarted - -- name: restart_consul_fbsd - service: - name: consul - state: restarted - -- name: reload consul - service: - name: consul - state: reloaded diff --git a/ansible/roles/consul/tasks/Debian.yml b/ansible/roles/consul/tasks/Debian.yml deleted file mode 100644 index b20e878..0000000 --- a/ansible/roles/consul/tasks/Debian.yml +++ /dev/null 
@@ -1,90 +0,0 @@ ---- -- name: ensure consul group - group: - name: consul - state: present - system: True - -- name: ensure consul user - user: - name: consul - state: present - group: consul - system: True - -- name: ensure consul config dir - file: - path: /etc/consul.d/ - state: directory - owner: consul - group: consul - mode: 0755 - -- name: ensure consul config dir - file: - path: /etc/consul.d/certs/ - state: directory - owner: consul - group: consul - mode: 0744 - -- name: ensure consul agent ca cert - copy: - src: files/consul-agent-ca.pem - dest: /etc/consul.d/certs/consul-agent-ca.pem - owner: consul - group: consul - mode: 0644 - -- name: ensure consul data dir - file: - path: /opt/consul - state: directory - owner: consul - group: consul - mode: 0755 - -- name: check consul version - shell: - cmd: "consul --version | head -1 | cut -d'v' -f2" - args: - executable: /bin/bash - changed_when: False - register: installed_consul_version - check_mode: False - -- name: get consul - unarchive: - src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_{{ consul_arch }}.zip" - dest: /usr/local/bin/ - mode: 0755 - owner: root - group: root - remote_src: True - when: installed_consul_version.stdout != consul_version - notify: reload consul - -- name: copy consul unit file - copy: - src: files/consul.service - dest: /etc/systemd/system/consul.service - mode: 0755 - owner: root - group: root - notify: daemon_reload - -- name: template consul config - template: - src: templates/consul.hcl.j2 - dest: /etc/consul.d/consul.hcl - owner: consul - group: consul - mode: 0750 - notify: restart_consul_debian - -- name: ensure consul is started and enabled - systemd: - name: consul - state: started - enabled: True -... diff --git a/ansible/roles/consul/tasks/main.yml b/ansible/roles/consul/tasks/main.yml deleted file mode 100644 index c8d427f..0000000 --- a/ansible/roles/consul/tasks/main.yml +++ /dev/null 
@@ -1,3 +0,0 @@ ---- -- include_tasks: "{{ ansible_os_family }}.yml" -... diff --git a/ansible/roles/consul/templates/consul.hcl.j2 b/ansible/roles/consul/templates/consul.hcl.j2 deleted file mode 100644 index aec55a5..0000000 --- a/ansible/roles/consul/templates/consul.hcl.j2 +++ /dev/null @@ -1,37 +0,0 @@ -datacenter = "{{ main_dc_name }}" -primary_datacenter = "{{ main_dc_name }}" -domain = "{{ consul_domain }}" -node_name = "{{ inventory_hostname_short }}" - -encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" - -verify_incoming = false -verify_outgoing = true -verify_server_hostname = true -ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}" - -auto_encrypt { - tls = true -} - -bind_addr = "{{ ansible_default_ipv4.address }}" -start_join = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"] - -data_dir = "/opt/consul" -log_level = "INFO" -raft_protocol = 3 - -addresses { - http = "0.0.0.0" -} - -enable_local_script_checks = true - -acl { - enabled = true - default_policy = "deny" - enable_token_persistence = true - tokens { - default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" - } -} diff --git a/ansible/roles/consul_server/defaults/main.yml b/ansible/roles/consul_server/defaults/main.yml deleted file mode 100644 index f5f06b0..0000000 --- a/ansible/roles/consul_server/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -consul_config_path: /etc/consul.d -... diff --git a/ansible/roles/consul_server/files/consul-agent-ca.pem b/ansible/roles/consul_server/files/consul-agent-ca.pem deleted file mode 100644 index f22fc45..0000000 --- a/ansible/roles/consul_server/files/consul-agent-ca.pem +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC6jCCApGgAwIBAgIQME5Go459u5LlhDqirL54aTAKBggqhkjOPQQDAjCBuDEL -MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv -MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV -BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg -NjQyMDkzNzU2Nzk2MDMyOTY4MTA4MDI5ODk2NTUzNjQ4OTI3NzcwHhcNMjAwODI3 -MTYxOTE4WhcNMjUwODI2MTYxOTE4WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT -AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k -IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu -MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgNjQyMDkzNzU2Nzk2MDMyOTY4MTA4 -MDI5ODk2NTUzNjQ4OTI3NzcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASUDPnD -lfeWaTrJHZ9JzovcEXTGh2VKOaq4a1GceAqYNg1Jj2A6+6Je9Nm5+tvVn939ZS0z -NQGjuL3vdxJN96sYo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB -/zApBgNVHQ4EIgQg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwKwYD -VR0jBCQwIoAg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwCgYIKoZI -zj0EAwIDRwAwRAIgGj3Z1yyMTcdsZiFu89Si0E9ueX2CAAztWabhbvzMOl4CIHIv -DhH1LG5/DHuJCQA4MAKLiDzt1/XQoS1FJiguyorb ------END CERTIFICATE----- diff --git a/ansible/roles/consul_server/files/consul-server.pem b/ansible/roles/consul_server/files/consul-server.pem deleted file mode 100644 index 1cc6ba4..0000000 --- a/ansible/roles/consul_server/files/consul-server.pem +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICpzCCAkygAwIBAgIRAP+zqvMlaJNYzixVwgrrYrkwCgYIKoZIzj0EAwIwgbgx -CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj -bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw -FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Q29uc3VsIEFnZW50IENB -IDY0MjA5Mzc1Njc5NjAzMjk2ODEwODAyOTg5NjU1MzY0ODkyNzc3MB4XDTIwMDgy -NzE3MjcxMVoXDTIxMDgyNzE3MjcxMVowITEfMB0GA1UEAxMWc2VydmVyLmNvbHVt -YmlhLmNvbnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJ/z9e9ctu6x4GqX -Gmrc69JeusbmpEEkO35LIVngEc4fqF0eup2/txiQZhmyDuYKN8ObcLzQ9/6OJkRD -a47UTzCjgcwwgckwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB -BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCB85H1w+4sYpvxg7b5x -Yr8/psiaIxNGDioU4OXxAMUabTArBgNVHSMEJDAigCDuzlImOOC3LL9dQfBCTjeJ -dqkJdAggWo6K9N12/pEZpzAyBgNVHREEKzApghZzZXJ2ZXIuY29sdW1iaWEuY29u -c3Vsgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhALqDdmHhRnos -BTc5zpSdnv1NUU+DkGqG8bfisN9YYhf3AiEAoiaT7DBzgHv2Po37P/YZm2nMjMdd -W2dTCuysw+L3Syk= ------END CERTIFICATE----- diff --git a/ansible/roles/consul_server/files/consul.service b/ansible/roles/consul_server/files/consul.service deleted file mode 100644 index a22730d..0000000 --- a/ansible/roles/consul_server/files/consul.service +++ /dev/null @@ -1,17 +0,0 @@ -[Unit] -Description=Consul Service Discovery Agent -After=network-online.target - -[Service] -Type=simple -Restart=on-failure -User=consul -Group=consul -RestartSec=3 -StateDirectory=consul -ExecStart=/usr/local/bin/consul agent -config-dir /etc/consul.d/ -ExecReload=/bin/kill -HUP $MAINPID -KillSignal=SIGINT - -[Install] -WantedBy=multi-user.target diff --git a/ansible/roles/consul_server/handlers/main.yml b/ansible/roles/consul_server/handlers/main.yml deleted file mode 100644 index b2523bf..0000000 --- a/ansible/roles/consul_server/handlers/main.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -- name: daemon_reload - systemd: - daemon_reload: True - -- name: reload_consul_debian - systemd: - name: consul - state: reloaded - -- name: restart_consul_debian - systemd: - name: consul - state: restarted - -- name: restart_consul_fbsd - service: - name: consul - state: restarted -... diff --git a/ansible/roles/consul_server/tasks/Debian.yml b/ansible/roles/consul_server/tasks/Debian.yml deleted file mode 100644 index 623e7a0..0000000 --- a/ansible/roles/consul_server/tasks/Debian.yml +++ /dev/null 
@@ -1,122 +0,0 @@ ---- -- name: ensure consul group - group: - name: consul - state: present - system: True - -- name: ensure consul user - user: - name: consul - state: present - group: consul - system: True - -- name: ensure consul config dir - file: - path: /etc/consul.d/ - state: directory - owner: consul - group: consul - mode: 0755 - -- name: ensure consul certs dir - file: - path: /etc/consul.d/certs/ - state: directory - owner: consul - group: consul - mode: 0755 - -- name: check if server cert is expiring in the next 5 days - shell: "openssl x509 -checkend 432000 -noout -in /etc/consul.d/certs/consul-server.pem" - args: - executable: /bin/bash - failed_when: False - check_mode: False - changed_when: False - register: exp - -- name: get cert - shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} alt_names=consul.service.{{ consul_domain }},consul.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m" - args: - executable: /bin/bash - environment: - VAULT_ADDR: https://vault.service.masked.name:8200 - VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}" - VAULT_FORMAT: json - register: cert_data - when: exp.rc != 0 - notify: reload_consul_debian - -- name: write cert data to server - copy: - content: "{{ item.content }}" - dest: "/etc/consul.d/certs/{{ item.path }}" - mode: '{{ item.mode }}' - owner: consul - group: consul - when: cert_data.changed - loop: - - { - content: "{{ (cert_data.stdout | from_json).data.certificate }}", - path: "consul-server.pem", - mode: "0755" - } - - { - content: "{{ (cert_data.stdout | from_json).data.private_key }}", - path: "consul-server.key", - mode: "0600" - } - -- name: ensure consul data dir - file: - path: /opt/consul - state: directory - owner: consul - group: consul - mode: 0755 - -- name: check consul version - shell: - cmd: "consul --version | head -1 | cut -d'v' -f2" - args: - executable: /bin/bash - changed_when: False - 
register: installed_consul_version - check_mode: False - -- name: get consul - unarchive: - src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip" - dest: /usr/local/bin/ - mode: 0755 - owner: root - group: root - remote_src: True - when: installed_consul_version.stdout != consul_version - -- name: copy consul unit file - copy: - src: files/consul.service - dest: /etc/systemd/system/consul.service - mode: 0755 - owner: root - group: root - notify: daemon_reload - -- name: template consul config - template: - src: templates/consul.hcl.j2 - dest: /etc/consul.d/consul.hcl - owner: root - group: consul - mode: 0750 - notify: restart_consul_debian - -- name: ensure consul is started and enabled - systemd: - name: consul - state: started - enabled: True -... diff --git a/ansible/roles/consul_server/tasks/main.yml b/ansible/roles/consul_server/tasks/main.yml deleted file mode 100644 index c8d427f..0000000 --- a/ansible/roles/consul_server/tasks/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- include_tasks: "{{ ansible_os_family }}.yml" -... diff --git a/ansible/roles/consul_server/templates/consul.hcl.j2 b/ansible/roles/consul_server/templates/consul.hcl.j2 deleted file mode 100644 index 52e9ed1..0000000 --- a/ansible/roles/consul_server/templates/consul.hcl.j2 +++ /dev/null 
@@ -1,54 +0,0 @@ -datacenter = "{{ main_dc_name }}" -primary_datacenter = "{{ main_dc_name }}" -domain = "{{ consul_domain }}" -node_name = "{{ inventory_hostname_short }}" -server = true -bootstrap_expect = 3 -ui = true - -encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" - -verify_outgoing = true -verify_server_hostname = true -verify_incoming_https = false -verify_incoming_rpc = true -ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}" -cert_file = "{{ consul_config_path }}/certs/consul-server.pem" -key_file = "{{ consul_config_path }}/certs/consul-server.key" - -auto_encrypt { - allow_tls = true -} - -bind_addr = "{{ ansible_default_ipv4.address }}" -start_join = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"] - -data_dir = "/opt/consul" -log_level = "INFO" -raft_protocol = 3 - -enable_local_script_checks = true - -addresses { - http = "127.0.0.1" - https = "0.0.0.0" - dns = "0.0.0.0" -} - -ports { - http = 8500 - https = 8501 -} - -performance { - raft_multiplier = 1 -} - -acl { - enabled = true - default_policy = "deny" - enable_token_persistence = true - tokens { - default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" - } -} diff --git a/ansible/roles/docker-repo/handlers/main.yml b/ansible/roles/docker-repo/handlers/main.yml index ca1a927..b2a12a0 100644 --- a/ansible/roles/docker-repo/handlers/main.yml +++ b/ansible/roles/docker-repo/handlers/main.yml @@ -1,9 +1,4 @@ --- -- name: reload consul - service: - name: consul - state: reloaded - - name: restart docker docker_container: name: docker-repo diff --git a/ansible/roles/docker-repo/tasks/main.yml b/ansible/roles/docker-repo/tasks/main.yml index 478b220..b04bed9 100644 --- a/ansible/roles/docker-repo/tasks/main.yml +++ b/ansible/roles/docker-repo/tasks/main.yml 
@@ -27,7 +27,7 @@ register: exp - name: get cert - shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=docker-repo.service.{{ consul_domain }} alt_names=docker-repo.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m" + shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=docker-repo.service.masked.name ttl=43200m" args: executable: /bin/bash environment: @@ -82,13 +82,4 @@ - "{{ docker_repo_storage }}:/data" - "/etc/docker-repo/certs:/certs" restart_policy: always - -- name: ensure docker repo service config exists - copy: - src: files/docker-repo.hcl - dest: /etc/consul.d/docker-repo.hcl - mode: 0750 - owner: consul - group: consul - notify: reload consul ... diff --git a/ansible/roles/vault_server/tasks/main.yml b/ansible/roles/vault_server/tasks/main.yml index 2f4eee4..844c226 100644 --- a/ansible/roles/vault_server/tasks/main.yml +++ b/ansible/roles/vault_server/tasks/main.yml @@ -37,6 +37,14 @@ group: vault mode: 0755 +- name: ensure vault raft dir + file: + path: /opt/vault/ + state: directory + owner: vault + group: vault + mode: 0755 + - name: check if server cert is expiring in the next 5 days shell: "openssl x509 -checkend 432000 -noout -in /etc/vault.d/certs/vault.pem" args: @@ -47,7 +55,7 @@ register: exp - name: get cert - shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=vault.service.{{ consul_domain }} alt_names=vault.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m" + shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=vault.service.masked.name ip_sans={{ ansible_default_ipv4.address }} ttl=43200m" args: executable: /bin/bash environment: diff --git a/ansible/roles/vault_server/templates/vault.hcl.j2 b/ansible/roles/vault_server/templates/vault.hcl.j2 index 54203e1..f7ee675 100644 --- a/ansible/roles/vault_server/templates/vault.hcl.j2 +++ b/ansible/roles/vault_server/templates/vault.hcl.j2 
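Review bot: The new certificate is still issued for `docker-repo.service.masked.name`, but the second hunk of this file removes the Consul service registration (`/etc/docker-repo.hcl` under `/etc/consul.d`) that was the only thing in this repo answering for `*.service.<domain>` names; unless another resolver now owns that zone (nothing in the diff shows one), the name on the cert no longer resolves and clients will fall back to IP or fail hostname verification. Either keep the `.service.` convention and document where it is served from, or issue the cert for the host's real name with `ip_sans={{ ansible_default_ipv4.address }}` as the vault_server role now does. A one-line comment above the task, `# docker-repo.service.masked.name must be resolvable without Consul DNS`, would at least record the dependency. The task's `environment:` block continues outside the hunk.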
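Review bot: The new "ensure vault raft dir" task creates `/opt/vault/`, the directory the new raft storage stanza writes its database and snapshots into, with `mode: 0755`, so any local account can traverse it and whether the raft/bolt files are readable depends entirely on the modes Vault happens to create them with; the barrier data is encrypted but the directory should still not be world-accessible, so use `mode: "0700"` (quoted, so YAML does not reinterpret the octal). Separately, switching storage from Consul to raft does not move existing data — if these hosts already hold secrets in Consul the playbook gives no `vault operator migrate` step and a fresh `vault operator init` will be needed, which is worth a comment on this task. The cert hunk's `ip_sans=` addition is correct for IP-based raft joins, but note that with three members in `vault_server` the join itself still has to happen somewhere.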
@@ -1,22 +1,21 @@ ui = true +api_addr = "https://{{ ansible_default_ipv4.address }}:8200" +cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201" + listener "tcp" { - address = "127.0.0.1:8200" - tls_cert_file = "/etc/vault.d/certs/vault.pem" - tls_key_file = "/etc/vault.d/certs/vault.key" + address = "127.0.0.1:8200" + tls_cert_file = "/etc/vault.d/certs/vault.pem" + tls_key_file = "/etc/vault.d/certs/vault.key" } listener "tcp" { - address = "{{ ansible_default_ipv4.address }}:8200" - tls_cert_file = "/etc/vault.d/certs/vault.pem" - tls_key_file = "/etc/vault.d/certs/vault.key" + address = "{{ ansible_default_ipv4.address }}:8200" + tls_cert_file = "/etc/vault.d/certs/vault.pem" + tls_key_file = "/etc/vault.d/certs/vault.key" } -api_addr = "https://{{ ansible_default_ipv4.address }}:8200" -cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201" - -storage "consul" { - address = "localhost:8500" - path = "vault/" - token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:consul-acl ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" +storage "raft" { + path = "/opt/vault/" + node_id = "{{ inventory_hostname_short }}" } diff --git a/ansible/roles/wekan/handlers/main.yml b/ansible/roles/wekan/handlers/main.yml deleted file mode 100644 index fea9530..0000000 --- a/ansible/roles/wekan/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: reload consul - service: - name: consul - state: reloaded -... diff --git a/ansible/roles/wekan/tasks/main.yml b/ansible/roles/wekan/tasks/main.yml index 62b68e6..b2bcdef 100644 --- a/ansible/roles/wekan/tasks/main.yml +++ b/ansible/roles/wekan/tasks/main.yml @@ -3,13 +3,4 @@ snap: name: wekan state: present - -- name: add wekan consul service - copy: - src: files/wekan.hcl - dest: /etc/consul.d/wekan.hcl - mode: 0750 - owner: consul - group: consul - notify: reload consul ...
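Review bot: The new `storage "raft"` stanza carries only `path` and `node_id`, so each of the three `vault_server` hosts will initialise as a standalone single-node cluster unless someone runs `vault operator raft join` by hand on every (re)deploy; add `retry_join` blocks for the other group members, pointing at the `api_addr` this template already sets and validating against the internal CA the roles already distribute (the `ip_sans` added in the vault_server tasks hunk is what makes joining by IP pass TLS). HashiCorp also recommends `disable_mlock = true` with integrated storage because the raft database is memory-mapped — I have not verified this against the 1.10.4 pinned in group_vars, so confirm before adding it. `vault_ca_cert_name` is used by the deleted Consul templates, so I assume it is still defined as a group var.

```hcl
# … unchanged: ui, api_addr, cluster_addr, both listener "tcp" blocks …
storage "raft" {
  path    = "/opt/vault/"
  node_id = "{{ inventory_hostname_short }}"
{% for peer in groups['vault_server'] if peer != inventory_hostname %}
  retry_join {
    leader_api_addr     = "https://{{ hostvars[peer].ansible_default_ipv4.address }}:8200"
    leader_ca_cert_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
  }
{% endfor %}
}
```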