ansible/group_vars/all/main.yml

@@ -56,7 +56,7 @@ vault_ca_cert_payload: |
   -----END CERTIFICATE-----
 
 # nomad
-nomad_version: 0.12.5
+nomad_version: 0.12.3
 nomad_podman_driver_version: 0.1.0
 
 # podman

ansible/playbooks/consul-server.yml

@@ -1,6 +1,5 @@
 ---
 - hosts: consul_server
-  serial: 1
   roles:
     - role: consul_server
 ...

ansible/playbooks/nomad-server.yml

@@ -1,6 +1,5 @@
 ---
 - hosts: nomad_server
-  serial: 1
   roles:
     - role: nomad_server
 ...

ansible/playbooks/vault-server.yml

@@ -1,6 +1,5 @@
 ---
 - hosts: vault_server
-  serial: 1
   roles:
     - role: vault_server
 ...

ansible/roles/common/tasks/Debian_pki.yml

@@ -72,7 +72,7 @@
   args:
     executable: /bin/bash
   environment:
-    VAULT_ADDR: http://vault.service.masked.name:8200
+    VAULT_ADDR: http://ivyking.minhas.io:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/common/tasks/FreeBSD_pki.yml

@@ -82,7 +82,7 @@
   args:
     executable: /usr/local/bin/bash
   environment:
-    VAULT_ADDR: http://vault.service.masked.name:8200
+    VAULT_ADDR: http://ivyking.minhas.io:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/consul_server/tasks/Debian.yml

@@ -20,7 +20,7 @@
     group: consul
     mode: 0755
 
-- name: ensure consul certs dir
+- name: ensure consul config dir
   file:
     path: /etc/consul.d/certs/
     state: directory
@@ -42,7 +42,7 @@
   args:
     executable: /bin/bash
   environment:
-    VAULT_ADDR: http://vault.service.masked.name:8200
+    VAULT_ADDR: http://ivyking.minhas.io:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/consul_server/tasks/FreeBSD.yml

@@ -42,7 +42,7 @@
   args:
     executable: /usr/local/bin/bash
   environment:
-    VAULT_ADDR: http://vault.service.masked.name:8200
+    VAULT_ADDR: http://ivyking.minhas.io:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/consul_server/templates/consul.hcl.j2

@@ -30,13 +30,11 @@ raft_protocol       = 3
 enable_local_script_checks = true
 
 addresses {
-  http  = "127.0.0.1"
   https = "0.0.0.0"
   dns   = "0.0.0.0"
 }
 
 ports {
-  http  = 8500
   https = 8501
 }
 

ansible/roles/nexus/tasks/main.yml

@@ -18,7 +18,7 @@
   args:
     executable: /bin/bash
   environment:
-    VAULT_ADDR: http://vault.service.masked.name:8200
+    VAULT_ADDR: http://ivyking.minhas.io:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/nomad_client/tasks/nomad.yml

@@ -107,7 +107,7 @@
   args:
     executable: /bin/bash
   environment:
-    VAULT_ADDR: http://vault.service.masked.name:8200
+    VAULT_ADDR: http://ivyking.minhas.io:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/nomad_client/templates/nomad.hcl.j2

@@ -17,15 +17,6 @@ consul {
   token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
 }
 
-vault {
-  enabled           = true
-  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
-  address           = "https://vault.service.{{ consul_domain }}:8200"
-  create_from_role  = "nomad-cluster"
-  unwrap_token      = true
-}
-
 tls {
   http      = true
   rpc       = true

ansible/roles/nomad_server/tasks/main.yml

@@ -87,7 +87,7 @@
   args:
     executable: /bin/bash
   environment:
-    VAULT_ADDR: http://vault.service.masked.name:8200
+    VAULT_ADDR: http://ivyking.minhas.io:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data
@@ -114,12 +114,6 @@
         mode: "0600"
     }
 
-- name: append cacert to vault cert
-  blockinfile:
-    path: /etc/nomad.d/certs/nomad.pem
-    block: |
-      {{ vault_ca_cert_payload }}
-
 - name: ensure nomad is started and enabled
   systemd:
     name: nomad

ansible/roles/nomad_server/templates/nomad.hcl.j2

@@ -6,15 +6,6 @@ server {
   bootstrap_expect = 1
 }
 
-vault {
-  enabled           = true
-  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
-  address           = "https://vault.service.{{ consul_domain }}:8200"
-  create_from_role  = "nomad-cluster"
-  unwrap_token      = true
-}
-
 consul {
   token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
 }

ansible/roles/vault_server/handlers/main.yml

@@ -7,8 +7,3 @@
   systemd:
     name: vault
     state: restarted
-
-- name: reload_vault
-  systemd:
-    name: vault
-    state: reloaded

ansible/roles/vault_server/tasks/main.yml

@@ -29,55 +29,6 @@
     group: root
   notify: daemon_reload
 
-- name: ensure vault certs dir
-  file:
-    path: /etc/vault.d/certs/
-    state: directory
-    owner: vault
-    group: vault
-    mode: 0755
-
-- name: check if server cert is expiring in the next 5 days
-  shell: "openssl x509 -checkend 432000 -noout -in /etc/vault.d/certs/vault.pem"
-  args:
-    executable: /bin/bash
-  failed_when: False
-  check_mode: False
-  changed_when: False
-  register: exp
-
-- name: get cert
-  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=vault.service.{{ consul_domain }} alt_names=vault.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
-  args:
-    executable: /bin/bash
-  environment:
-    VAULT_ADDR: http://vault.service.masked.name:8200
-    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
-    VAULT_FORMAT: json
-  register: cert_data
-  when: exp.rc != 0
-  notify: reload_vault
-
-- name: write cert data to server
-  copy:
-    content: "{{ item.content }}"
-    dest: "/etc/vault.d/certs/{{ item.path }}"
-    mode: '{{ item.mode }}'
-    owner: vault
-    group: vault
-  when: cert_data.changed
-  loop:
-    - {
-        content: "{{ (cert_data.stdout | from_json).data.certificate }}",
-        path: "vault.pem",
-        mode: "0755"
-    }
-    - {
-        content: "{{ (cert_data.stdout | from_json).data.private_key }}",
-        path: "vault.key",
-        mode: "0600"
-    }
-
 - name: template vault config
   template:
     src: templates/vault.hcl.j2

ansible/roles/vault_server/templates/vault.hcl.j2

@@ -1,20 +1,10 @@
 ui = true
-
 listener "tcp" {
-  address         = "127.0.0.1:8200"
-  tls_cert_file   = "/etc/vault.d/certs/vault.pem"
-  tls_key_file    = "/etc/vault.d/certs/vault.key"
+  address       = "0.0.0.0:8200"
+  tls_disable   = true
+#  tls_cert_file = "/path/to/fullchain.pem"
+#  tls_key_file  = "/path/to/privkey.pem"
 }
-
-listener "tcp" {
-  address         = "{{ ansible_default_ipv4.address }}:8200"
-  tls_cert_file   = "/etc/vault.d/certs/vault.pem"
-  tls_key_file    = "/etc/vault.d/certs/vault.key"
-}
-
-api_addr          = "https://{{ ansible_default_ipv4.address }}:8200"
-cluster_addr      = "https://{{ ansible_default_ipv4.address }}:8201"
-
 storage "consul" {
   address   = "localhost:8500"
   path      = "vault/"