Asara/infra
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Migrate to raft vault backend, rm consul

Browse source
This commit is contained in:
Amarpreet Minhas 2023-01-07 22:47:30 -05:00
parent ea0f5ddf3a
commit 2228e66b7d
31 changed files with 24 additions and 515 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
ansible/group_vars/all/main.yml
View file

@ -6,10 +6,6 @@ admin_email_address: amarpreet@minhas.io
# hashicorp defaults # hashicorp defaults
hashi_arch: amd64 hashi_arch: amd64
# consul
consul_version: 1.12.2
consul_domain: masked.name
# vault # vault
vault_version: 1.10.4 vault_version: 1.10.4
vault_pki_policy: masked-dot-name vault_pki_policy: masked-dot-name

1
ansible/group_vars/hardtack/main.yml
View file

@ -1,5 +1,4 @@
--- ---
hashi_arch: arm hashi_arch: arm
consul_arch: arm64
k3s_role: 'client' k3s_role: 'client'
k3s_server_hostname: hardtack1.minhas.io k3s_server_hostname: hardtack1.minhas.io

1
ansible/group_vars/teapot/main.yml
View file

@ -1,6 +1,5 @@
--- ---
hashi_arch: arm hashi_arch: arm
consul_arch: arm64
k3s_version: v1.24.8+k3s1 k3s_version: v1.24.8+k3s1
k3s_role: 'client' k3s_role: 'client'
k3s_server_hostname: teapot01.minhas.io k3s_server_hostname: teapot01.minhas.io

1
ansible/host_vars/fishbowl.minhas.io/main.yml
View file

@ -1,6 +1,5 @@
--- ---
hashi_arch: arm hashi_arch: arm
consul_arch: arm
lnd_arch: armv7 lnd_arch: armv7
bitcoind_disk: /dev/sda1 bitcoind_disk: /dev/sda1

1
ansible/host_vars/redwingcherokee.minhas.io/main.yml
View file

@ -1,6 +1,5 @@
--- ---
hashi_arch: arm hashi_arch: arm
consul_arch: arm
lnd_arch: armv7 lnd_arch: armv7
bitcoind_disk: /dev/sda1 bitcoind_disk: /dev/sda1

6
ansible/inventory.txt
View file

@ -6,11 +6,6 @@ sedan.minhas.io
fishbowl.minhas.io fishbowl.minhas.io
teapot[01:06].minhas.io teapot[01:06].minhas.io
[consul_server]
sedan.minhas.io
ranger.minhas.io
hardtack1.minhas.io
[hardtack] [hardtack]
hardtack[1:7].minhas.io hardtack[1:7].minhas.io
@ -30,6 +25,7 @@ sedan.minhas.io
[vault_server] [vault_server]
ranger.minhas.io ranger.minhas.io
sedan.minhas.io sedan.minhas.io
hardtack1.minhas.io
[wekan] [wekan]
sedan.minhas.io sedan.minhas.io

7
ansible/playbooks/consul-client.yml
View file

@ -1,7 +0,0 @@
---
- hosts: all
roles:
- { role: consul,
when: '"consul_server" not in group_names'
}
...

6
ansible/playbooks/consul-server.yml
View file

@ -1,6 +0,0 @@
---
- hosts: consul_server
serial: 1
roles:
- role: consul_server
...

2
ansible/playbooks/site.yml
View file

@ -1,8 +1,6 @@
--- ---
- import_playbook: common.yml - import_playbook: common.yml
- import_playbook: consul-server.yml
- import_playbook: vault-server.yml - import_playbook: vault-server.yml
- import_playbook: consul-client.yml
- import_playbook: k3s.yml - import_playbook: k3s.yml
- import_playbook: docker-repo.yml - import_playbook: docker-repo.yml
- import_playbook: lnd.yml - import_playbook: lnd.yml

2
ansible/roles/common/tasks/Debian_pki.yml
View file

@ -68,7 +68,7 @@
register: exp register: exp
- name: get cert - name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m" shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.masked.name ttl=43200m"
args: args:
executable: /bin/bash executable: /bin/bash
environment: environment:

4
ansible/roles/consul/defaults/main.yml
View file

@ -1,4 +0,0 @@
---
consul_config_path: /etc/consul.d
consul_arch: '{{ hashi_arch }}'
...

18
ansible/roles/consul/files/consul-agent-ca.pem
View file

@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIC6jCCApGgAwIBAgIQME5Go459u5LlhDqirL54aTAKBggqhkjOPQQDAjCBuDEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
NjQyMDkzNzU2Nzk2MDMyOTY4MTA4MDI5ODk2NTUzNjQ4OTI3NzcwHhcNMjAwODI3
MTYxOTE4WhcNMjUwODI2MTYxOTE4WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgNjQyMDkzNzU2Nzk2MDMyOTY4MTA4
MDI5ODk2NTUzNjQ4OTI3NzcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASUDPnD
lfeWaTrJHZ9JzovcEXTGh2VKOaq4a1GceAqYNg1Jj2A6+6Je9Nm5+tvVn939ZS0z
NQGjuL3vdxJN96sYo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
/zApBgNVHQ4EIgQg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwKwYD
VR0jBCQwIoAg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwCgYIKoZI
zj0EAwIDRwAwRAIgGj3Z1yyMTcdsZiFu89Si0E9ueX2CAAztWabhbvzMOl4CIHIv
DhH1LG5/DHuJCQA4MAKLiDzt1/XQoS1FJiguyorb
-----END CERTIFICATE-----

17
ansible/roles/consul/files/consul.service
View file

@ -1,17 +0,0 @@
[Unit]
Description=Consul Service Discovery Agent
After=network-online.target
[Service]
Type=simple
Restart=on-failure
User=consul
Group=consul
RestartSec=3
StateDirectory=consul
ExecStart=/usr/local/bin/consul agent -config-dir /etc/consul.d/
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target

19
ansible/roles/consul/handlers/main.yml
View file

@ -1,19 +0,0 @@
---
- name: daemon_reload
systemd:
daemon_reload: True
- name: restart_consul_debian
systemd:
name: consul
state: restarted
- name: restart_consul_fbsd
service:
name: consul
state: restarted
- name: reload consul
service:
name: consul
state: reloaded

90
ansible/roles/consul/tasks/Debian.yml
View file

@ -1,90 +0,0 @@
---
- name: ensure consul group
group:
name: consul
state: present
system: True
- name: ensure consul user
user:
name: consul
state: present
group: consul
system: True
- name: ensure consul config dir
file:
path: /etc/consul.d/
state: directory
owner: consul
group: consul
mode: 0755
- name: ensure consul config dir
file:
path: /etc/consul.d/certs/
state: directory
owner: consul
group: consul
mode: 0744
- name: ensure consul agent ca cert
copy:
src: files/consul-agent-ca.pem
dest: /etc/consul.d/certs/consul-agent-ca.pem
owner: consul
group: consul
mode: 0644
- name: ensure consul data dir
file:
path: /opt/consul
state: directory
owner: consul
group: consul
mode: 0755
- name: check consul version
shell:
cmd: "consul --version | head -1 | cut -d'v' -f2"
args:
executable: /bin/bash
changed_when: False
register: installed_consul_version
check_mode: False
- name: get consul
unarchive:
src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_{{ consul_arch }}.zip"
dest: /usr/local/bin/
mode: 0755
owner: root
group: root
remote_src: True
when: installed_consul_version.stdout != consul_version
notify: reload consul
- name: copy consul unit file
copy:
src: files/consul.service
dest: /etc/systemd/system/consul.service
mode: 0755
owner: root
group: root
notify: daemon_reload
- name: template consul config
template:
src: templates/consul.hcl.j2
dest: /etc/consul.d/consul.hcl
owner: consul
group: consul
mode: 0750
notify: restart_consul_debian
- name: ensure consul is started and enabled
systemd:
name: consul
state: started
enabled: True
...

3
ansible/roles/consul/tasks/main.yml
View file

@ -1,3 +0,0 @@
---
- include_tasks: "{{ ansible_os_family }}.yml"
...

37
ansible/roles/consul/templates/consul.hcl.j2
View file

@ -1,37 +0,0 @@
datacenter = "{{ main_dc_name }}"
primary_datacenter = "{{ main_dc_name }}"
domain = "{{ consul_domain }}"
node_name = "{{ inventory_hostname_short }}"
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
verify_incoming = false
verify_outgoing = true
verify_server_hostname = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
auto_encrypt {
tls = true
}
bind_addr = "{{ ansible_default_ipv4.address }}"
start_join = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"]
data_dir = "/opt/consul"
log_level = "INFO"
raft_protocol = 3
addresses {
http = "0.0.0.0"
}
enable_local_script_checks = true
acl {
enabled = true
default_policy = "deny"
enable_token_persistence = true
tokens {
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
}
}

3
ansible/roles/consul_server/defaults/main.yml
View file

@ -1,3 +0,0 @@
---
consul_config_path: /etc/consul.d
...

18
ansible/roles/consul_server/files/consul-agent-ca.pem
View file

@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIC6jCCApGgAwIBAgIQME5Go459u5LlhDqirL54aTAKBggqhkjOPQQDAjCBuDEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
MRowGAYDVQQJExExMDEgU2Vjb25kIFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAV
BgNVBAoTDkhhc2hpQ29ycCBJbmMuMT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0Eg
NjQyMDkzNzU2Nzk2MDMyOTY4MTA4MDI5ODk2NTUzNjQ4OTI3NzcwHhcNMjAwODI3
MTYxOTE4WhcNMjUwODI2MTYxOTE4WjCBuDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRowGAYDVQQJExExMDEgU2Vjb25k
IFN0cmVldDEOMAwGA1UEERMFOTQxMDUxFzAVBgNVBAoTDkhhc2hpQ29ycCBJbmMu
MT8wPQYDVQQDEzZDb25zdWwgQWdlbnQgQ0EgNjQyMDkzNzU2Nzk2MDMyOTY4MTA4
MDI5ODk2NTUzNjQ4OTI3NzcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASUDPnD
lfeWaTrJHZ9JzovcEXTGh2VKOaq4a1GceAqYNg1Jj2A6+6Je9Nm5+tvVn939ZS0z
NQGjuL3vdxJN96sYo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
/zApBgNVHQ4EIgQg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwKwYD
VR0jBCQwIoAg7s5SJjjgtyy/XUHwQk43iXapCXQIIFqOivTddv6RGacwCgYIKoZI
zj0EAwIDRwAwRAIgGj3Z1yyMTcdsZiFu89Si0E9ueX2CAAztWabhbvzMOl4CIHIv
DhH1LG5/DHuJCQA4MAKLiDzt1/XQoS1FJiguyorb
-----END CERTIFICATE-----

17
ansible/roles/consul_server/files/consul-server.pem
View file

@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICpzCCAkygAwIBAgIRAP+zqvMlaJNYzixVwgrrYrkwCgYIKoZIzj0EAwIwgbgx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjE/MD0GA1UEAxM2Q29uc3VsIEFnZW50IENB
IDY0MjA5Mzc1Njc5NjAzMjk2ODEwODAyOTg5NjU1MzY0ODkyNzc3MB4XDTIwMDgy
NzE3MjcxMVoXDTIxMDgyNzE3MjcxMVowITEfMB0GA1UEAxMWc2VydmVyLmNvbHVt
YmlhLmNvbnN1bDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJ/z9e9ctu6x4GqX
Gmrc69JeusbmpEEkO35LIVngEc4fqF0eup2/txiQZhmyDuYKN8ObcLzQ9/6OJkRD
a47UTzCjgcwwgckwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCB85H1w+4sYpvxg7b5x
Yr8/psiaIxNGDioU4OXxAMUabTArBgNVHSMEJDAigCDuzlImOOC3LL9dQfBCTjeJ
dqkJdAggWo6K9N12/pEZpzAyBgNVHREEKzApghZzZXJ2ZXIuY29sdW1iaWEuY29u
c3Vsgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhALqDdmHhRnos
BTc5zpSdnv1NUU+DkGqG8bfisN9YYhf3AiEAoiaT7DBzgHv2Po37P/YZm2nMjMdd
W2dTCuysw+L3Syk=
-----END CERTIFICATE-----

17
ansible/roles/consul_server/files/consul.service
View file

@ -1,17 +0,0 @@
[Unit]
Description=Consul Service Discovery Agent
After=network-online.target
[Service]
Type=simple
Restart=on-failure
User=consul
Group=consul
RestartSec=3
StateDirectory=consul
ExecStart=/usr/local/bin/consul agent -config-dir /etc/consul.d/
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target

20
ansible/roles/consul_server/handlers/main.yml
View file

@ -1,20 +0,0 @@
---
- name: daemon_reload
systemd:
daemon_reload: True
- name: reload_consul_debian
systemd:
name: consul
state: reloaded
- name: restart_consul_debian
systemd:
name: consul
state: restarted
- name: restart_consul_fbsd
service:
name: consul
state: restarted
...

122
ansible/roles/consul_server/tasks/Debian.yml
View file

@ -1,122 +0,0 @@
---
- name: ensure consul group
group:
name: consul
state: present
system: True
- name: ensure consul user
user:
name: consul
state: present
group: consul
system: True
- name: ensure consul config dir
file:
path: /etc/consul.d/
state: directory
owner: consul
group: consul
mode: 0755
- name: ensure consul certs dir
file:
path: /etc/consul.d/certs/
state: directory
owner: consul
group: consul
mode: 0755
- name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /etc/consul.d/certs/consul-server.pem"
args:
executable: /bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} alt_names=consul.service.{{ consul_domain }},consul.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
args:
executable: /bin/bash
environment:
VAULT_ADDR: https://vault.service.masked.name:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
notify: reload_consul_debian
- name: write cert data to server
copy:
content: "{{ item.content }}"
dest: "/etc/consul.d/certs/{{ item.path }}"
mode: '{{ item.mode }}'
owner: consul
group: consul
when: cert_data.changed
loop:
- {
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
path: "consul-server.pem",
mode: "0755"
}
- {
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "consul-server.key",
mode: "0600"
}
- name: ensure consul data dir
file:
path: /opt/consul
state: directory
owner: consul
group: consul
mode: 0755
- name: check consul version
shell:
cmd: "consul --version | head -1 | cut -d'v' -f2"
args:
executable: /bin/bash
changed_when: False
register: installed_consul_version
check_mode: False
- name: get consul
unarchive:
src: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_linux_amd64.zip"
dest: /usr/local/bin/
mode: 0755
owner: root
group: root
remote_src: True
when: installed_consul_version.stdout != consul_version
- name: copy consul unit file
copy:
src: files/consul.service
dest: /etc/systemd/system/consul.service
mode: 0755
owner: root
group: root
notify: daemon_reload
- name: template consul config
template:
src: templates/consul.hcl.j2
dest: /etc/consul.d/consul.hcl
owner: root
group: consul
mode: 0750
notify: restart_consul_debian
- name: ensure consul is started and enabled
systemd:
name: consul
state: started
enabled: True
...

3
ansible/roles/consul_server/tasks/main.yml
View file

@ -1,3 +0,0 @@
---
- include_tasks: "{{ ansible_os_family }}.yml"
...

54
ansible/roles/consul_server/templates/consul.hcl.j2
View file

@ -1,54 +0,0 @@
datacenter = "{{ main_dc_name }}"
primary_datacenter = "{{ main_dc_name }}"
domain = "{{ consul_domain }}"
node_name = "{{ inventory_hostname_short }}"
server = true
bootstrap_expect = 3
ui = true
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
verify_outgoing = true
verify_server_hostname = true
verify_incoming_https = false
verify_incoming_rpc = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
cert_file = "{{ consul_config_path }}/certs/consul-server.pem"
key_file = "{{ consul_config_path }}/certs/consul-server.key"
auto_encrypt {
allow_tls = true
}
bind_addr = "{{ ansible_default_ipv4.address }}"
start_join = ["{{ groups['consul_server'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | join('","') }}"]
data_dir = "/opt/consul"
log_level = "INFO"
raft_protocol = 3
enable_local_script_checks = true
addresses {
http = "127.0.0.1"
https = "0.0.0.0"
dns = "0.0.0.0"
}
ports {
http = 8500
https = 8501
}
performance {
raft_multiplier = 1
}
acl {
enabled = true
default_policy = "deny"
enable_token_persistence = true
tokens {
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
}
}

5
ansible/roles/docker-repo/handlers/main.yml
View file

@ -1,9 +1,4 @@
--- ---
- name: reload consul
service:
name: consul
state: reloaded
- name: restart docker - name: restart docker
docker_container: docker_container:
name: docker-repo name: docker-repo

11
ansible/roles/docker-repo/tasks/main.yml
View file

@ -27,7 +27,7 @@
register: exp register: exp
- name: get cert - name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=docker-repo.service.{{ consul_domain }} alt_names=docker-repo.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m" shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=docker-repo.service.masked.name ttl=43200m"
args: args:
executable: /bin/bash executable: /bin/bash
environment: environment:
@ -82,13 +82,4 @@
- "{{ docker_repo_storage }}:/data" - "{{ docker_repo_storage }}:/data"
- "/etc/docker-repo/certs:/certs" - "/etc/docker-repo/certs:/certs"
restart_policy: always restart_policy: always
- name: ensure docker repo service config exists
copy:
src: files/docker-repo.hcl
dest: /etc/consul.d/docker-repo.hcl
mode: 0750
owner: consul
group: consul
notify: reload consul
... ...

10
ansible/roles/vault_server/tasks/main.yml
View file

@ -37,6 +37,14 @@
group: vault group: vault
mode: 0755 mode: 0755
- name: ensure vault raft dir
file:
path: /opt/vault/
state: directory
owner: vault
group: vault
mode: 0755
- name: check if server cert is expiring in the next 5 days - name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /etc/vault.d/certs/vault.pem" shell: "openssl x509 -checkend 432000 -noout -in /etc/vault.d/certs/vault.pem"
args: args:
@ -47,7 +55,7 @@
register: exp register: exp
- name: get cert - name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=vault.service.{{ consul_domain }} alt_names=vault.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m" shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=vault.service.masked.name ip_sans={{ ansible_default_ipv4.address }} ttl=43200m"
args: args:
executable: /bin/bash executable: /bin/bash
environment: environment:

25
ansible/roles/vault_server/templates/vault.hcl.j2
View file

@ -1,22 +1,21 @@
ui = true ui = true
api_addr = "https://{{ ansible_default_ipv4.address }}:8200"
cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
listener "tcp" { listener "tcp" {
address = "127.0.0.1:8200" address = "127.0.0.1:8200"
tls_cert_file = "/etc/vault.d/certs/vault.pem" tls_cert_file = "/etc/vault.d/certs/vault.pem"
tls_key_file = "/etc/vault.d/certs/vault.key" tls_key_file = "/etc/vault.d/certs/vault.key"
} }
listener "tcp" { listener "tcp" {
address = "{{ ansible_default_ipv4.address }}:8200" address = "{{ ansible_default_ipv4.address }}:8200"
tls_cert_file = "/etc/vault.d/certs/vault.pem" tls_cert_file = "/etc/vault.d/certs/vault.pem"
tls_key_file = "/etc/vault.d/certs/vault.key" tls_key_file = "/etc/vault.d/certs/vault.key"
} }
api_addr = "https://{{ ansible_default_ipv4.address }}:8200" storage "raft" {
cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201" path = "/opt/vault/"
node_id = "{{ inventory_hostname_short }}"
storage "consul" {
address = "localhost:8500"
path = "vault/"
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:consul-acl ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
} }

6
ansible/roles/wekan/handlers/main.yml
View file

@ -1,6 +0,0 @@
---
- name: reload consul
service:
name: consul
state: reloaded
...

9
ansible/roles/wekan/tasks/main.yml
View file

@ -3,13 +3,4 @@
snap: snap:
name: wekan name: wekan
state: present state: present
- name: add wekan consul service
copy:
src: files/wekan.hcl
dest: /etc/consul.d/wekan.hcl
mode: 0750
owner: consul
group: consul
notify: reload consul
... ...