Fix reload for consul, add nexus service to consul, fix cert location so update-ca-certificates can actually pick it up

2020-09-20 21:42:35 -04:00 · 2020-09-20 21:42:35 -04:00 · ce0b27f5d0
commit ce0b27f5d0
parent 70b6576e96
11 changed files with 43 additions and 2 deletions
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@ -9,7 +9,7 @@ consul_domain: masked.name
 # vault
 vault_version: 1.5.2
 vault_pki_policy: masked-dot-name
-vault_ca_cert_name: MaskedName_Root_CA.pem
+vault_ca_cert_name: MaskedName_Root_CA.crt
 vault_ca_cert_payload: |
  -----BEGIN CERTIFICATE-----
  MIIDNTCCAh2gAwIBAgIUYp8xo5t2lJFP3SiD1fJirgGUQJ0wDQYJKoZIhvcNAQEL
--- a/ansible/roles/common/tasks/Debian.yml
+++ b/ansible/roles/common/tasks/Debian.yml
@ -19,6 +19,7 @@
      - htop
      - inxi
      - ncdu
      - netcat
      - ntp
      - rxvt-unicode-256color
      - screen
--- a/ansible/roles/consul/files/consul.service
+++ b/ansible/roles/consul/files/consul.service
@ -10,6 +10,8 @@ Group=consul
 RestartSec=3
 StateDirectory=consul
 ExecStart=/usr/local/bin/consul agent -config-dir /etc/consul.d/
 ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
 [Install]
 WantedBy=multi-user.target
--- a/ansible/roles/consul/handlers/main.yml
+++ b/ansible/roles/consul/handlers/main.yml
@ -12,3 +12,8 @@
  service:
    name: consul
    state: restarted
 - name: reload consul
  service:
    name: consul
    state: reloaded
--- a/ansible/roles/consul/tasks/Debian.yml
+++ b/ansible/roles/consul/tasks/Debian.yml
@ -62,6 +62,7 @@
    group: root
    remote_src: True
  when: installed_consul_version.stdout != consul_version
  notify: reload consul
 - name: copy consul unit file
  copy:
@ -78,7 +79,7 @@
    dest: /etc/consul.d/consul.hcl
    owner: root
    group: root
-    mode: 0755
+    mode: 0750
  notify: restart_consul_debian
 - name: ensure consul is started and enabled
--- a/ansible/roles/consul/templates/consul.hcl.j2
+++ b/ansible/roles/consul/templates/consul.hcl.j2
@ -25,6 +25,8 @@ addresses {
 http = "0.0.0.0"
 }
 enable_local_script_checks = true
 acl {
  enabled = true
  default_policy = "deny"
--- a/ansible/roles/consul_server/files/consul.service
+++ b/ansible/roles/consul_server/files/consul.service
@ -10,6 +10,8 @@ Group=consul
 RestartSec=3
 StateDirectory=consul
 ExecStart=/usr/local/bin/consul agent -config-dir /etc/consul.d/
 ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
 [Install]
 WantedBy=multi-user.target
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@ -26,6 +26,8 @@ data_dir            = "/opt/consul"
 log_level           = "INFO"
 raft_protocol       = 3
 enable_local_script_checks = true
 addresses {
 http = "0.0.0.0"
 dns  = "0.0.0.0"
--- a/ansible/roles/nexus/files/nexus.hcl
+++ b/ansible/roles/nexus/files/nexus.hcl
@ -0,0 +1,12 @@
 services {
  id = "nexus"
  name = "nexus"
  port = 8081
  checks = [
    {
      args = ["nc", "-z", "-v", "localhost", "8081"]
      interval = "5s"
      timeout = "20s"
    }
  ]
 }
--- a/ansible/roles/nexus/handlers/main.yml
+++ b/ansible/roles/nexus/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: reload consul
  service:
    name: consul
    state: reloaded
--- a/ansible/roles/nexus/tasks/main.yml
+++ b/ansible/roles/nexus/tasks/main.yml
@ -116,4 +116,13 @@
      - "{{ nexus_config_dir }}/etc/ssl:/opt/sonatype/nexus/etc/ssl/"
      - /etc/nexus:/certs
    restart_policy: always
 - name: ensure nexus consul service config exists
  copy:
    src: files/nexus.hcl
    dest: /etc/consul.d/nexus.hcl
    mode: 0750
    owner: consul
    group: consul
  notify: reload consul
 ...