From b5d51f7e3f5f9665bf05c36d4b6cfbf12a5310c4 Mon Sep 17 00:00:00 2001
From: Asara
Date: Mon, 12 Oct 2020 22:39:23 -0400
Subject: [PATCH] Explicitly define ports for consul and vault

---
 .../roles/consul_server/templates/consul.hcl.j2 | 2 ++
 .../roles/nomad_client/templates/nomad.hcl.j2 | 9 +++++++++
 .../roles/nomad_server/templates/nomad.hcl.j2 | 9 +++++++++
 .../roles/vault_server/templates/vault.hcl.j2 | 17 ++++++++++++++---
 4 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/consul_server/templates/consul.hcl.j2 b/ansible/roles/consul_server/templates/consul.hcl.j2
index 11f1010..3a3640e 100644
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@@ -30,11 +30,13 @@ raft_protocol = 3
 enable_local_script_checks = true
 addresses {
+ http = "127.0.0.1"
 https = "0.0.0.0"
 dns = "0.0.0.0"
 }
 ports {
+ http = 8500
 https = 8501
 }
diff --git a/ansible/roles/nomad_client/templates/nomad.hcl.j2 b/ansible/roles/nomad_client/templates/nomad.hcl.j2
index a84671e..f64cabb 100644
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@@ -17,6 +17,15 @@ consul {
 token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
 }
+vault {
+ enabled = true
+ ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
+ token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
+ address = "https://vault.service.{{ consul_domain }}:8200"
+ create_from_role = "nomad-cluster"
+ unwrap_token = true
+}
+
 tls {
 http = true
 rpc = true
diff --git a/ansible/roles/nomad_server/templates/nomad.hcl.j2 b/ansible/roles/nomad_server/templates/nomad.hcl.j2
index 53984fa..be51577 100644
--- a/ansible/roles/nomad_server/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_server/templates/nomad.hcl.j2
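Review bot: The new `http = "127.0.0.1"` / `http = 8500` pair re-enables Consul's plaintext HTTP API without saying why, and the only consumer visible in this patch is the Vault storage backend pointed at `localhost:8500` in vault.hcl.j2. That listener is loopback-bound, but every local process on the node can still reach it, so it is only as protected as the ACL tokens the rest of the patch assumes (the nomad templates pull consul-acl-* tokens from Vault). Please document the intent above the `addresses` block, e.g. `# plaintext HTTP API is loopback-only; consumed by the local Vault consul storage backend (localhost:8500)`, so a later edit does not widen it to 0.0.0.0 alongside https.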
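Review bot: The client's new `vault` stanza renders the parent Vault token (`token = ... ['vault-token']`), `create_from_role` and `unwrap_token` into every client node's config, although those three are server-side settings in Nomad's vault stanza; clients obtain derived tokens from the servers and need only `enabled`, `address` and `ca_file`. Dropping the three server-only lines here keeps the parent token off client disks. Separately, and equally in the nomad_server hunk, `unwrap_token = true` tells Nomad that the configured value is a response-wrapping token, yet it is read from a static KV secret shared by all nodes; if that stored value is an ordinary token the unwrap fails at startup, and if it is a wrapping token only the first node to start can redeem it. Either store a plain periodic token in KV and set `unwrap_token = false`, or issue a fresh wrapping token per host at deploy time.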
@@ -6,6 +6,15 @@ server {
 bootstrap_expect = 1
 }
+vault {
+ enabled = true
+ ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
+ token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
+ address = "https://vault.service.{{ consul_domain }}:8200"
+ create_from_role = "nomad-cluster"
+ unwrap_token = true
+}
+
 consul {
 token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
 }
diff --git a/ansible/roles/vault_server/templates/vault.hcl.j2 b/ansible/roles/vault_server/templates/vault.hcl.j2
index 706a112..c6e1100 100644
--- a/ansible/roles/vault_server/templates/vault.hcl.j2
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@@ -1,9 +1,20 @@
 ui = true
+
 listener "tcp" {
- address = "0.0.0.0:8200"
- tls_cert_file = "/etc/vault.d/certs/vault.pem"
- tls_key_file = "/etc/vault.d/certs/vault.key"
+ address = "127.0.0.1:8200"
+ tls_cert_file = "/etc/vault.d/certs/vault.pem"
+ tls_key_file = "/etc/vault.d/certs/vault.key"
 }
+
+listener "tcp" {
+ address = "{{ ansible_default_ipv4.address }}:8200"
+ tls_cert_file = "/etc/vault.d/certs/vault.pem"
+ tls_key_file = "/etc/vault.d/certs/vault.key"
+}
+
+api_address = "{{ ansible_default_ipv4.address }}:8200"
+cluster_address = "{{ ansible_default_ipv4.address }}:8201"
+
 storage "consul" {
 address = "localhost:8500"
 path = "vault/"
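Review bot: The two new top-level keys are spelled `api_address` and `cluster_address`, but Vault's configuration keys are `api_addr` and `cluster_addr`, and both are documented as full URLs with a scheme; as written, Vault of this era will most likely ignore the unknown keys rather than reject them, and with the loopback listener now listed first the address it advertises to peers and redirects clients to may end up as 127.0.0.1, which is the situation these lines were meant to prevent. Change them to `api_addr = "https://{{ ansible_default_ipv4.address }}:8200"` and `cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"`. A comment next to the loopback listener stating that it exists for local agent/CLI use while the interface-bound listener is the advertised one would also tell the next reader why the single `0.0.0.0` listener was split.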