Fix up vault ssl, fix up vault cert since it needs a bundled cert

ansible/group_vars/all/main.yml

@@ -56,7 +56,7 @@ vault_ca_cert_payload: |
   -----END CERTIFICATE-----
 
 # nomad
-nomad_version: 0.12.3
+nomad_version: 0.12.5
 nomad_podman_driver_version: 0.1.0
 
 # podman

ansible/playbooks/consul-server.yml

@@ -1,5 +1,6 @@
 ---
 - hosts: consul_server
+  serial: 1
   roles:
     - role: consul_server
 ...

ansible/playbooks/nomad-server.yml

@@ -1,5 +1,6 @@
 ---
 - hosts: nomad_server
+  serial: 1
   roles:
     - role: nomad_server
 ...

ansible/playbooks/vault-server.yml

@@ -1,5 +1,6 @@
 ---
 - hosts: vault_server
+  serial: 1
   roles:
     - role: vault_server
 ...

ansible/roles/common/tasks/Debian_pki.yml

@@ -72,7 +72,7 @@
   args:
     executable: /bin/bash
   environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/common/tasks/FreeBSD_pki.yml

@@ -82,7 +82,7 @@
   args:
     executable: /usr/local/bin/bash
   environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/consul_server/tasks/Debian.yml

@@ -20,7 +20,7 @@
     group: consul
     mode: 0755
 
-- name: ensure consul config dir
+- name: ensure consul certs dir
   file:
     path: /etc/consul.d/certs/
     state: directory
@@ -42,7 +42,7 @@
   args:
     executable: /bin/bash
   environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/consul_server/tasks/FreeBSD.yml

@@ -42,7 +42,7 @@
   args:
     executable: /usr/local/bin/bash
   environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/consul_server/templates/consul.hcl.j2

@@ -30,11 +30,13 @@ raft_protocol       = 3
 enable_local_script_checks = true
 
 addresses {
+  http  = "127.0.0.1"
   https = "0.0.0.0"
   dns   = "0.0.0.0"
 }
 
 ports {
+  http  = 8500
   https = 8501
 }
 

ansible/roles/nexus/tasks/main.yml

@@ -18,7 +18,7 @@
   args:
     executable: /bin/bash
   environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/nomad_client/tasks/nomad.yml

@@ -107,7 +107,7 @@
   args:
     executable: /bin/bash
   environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data

ansible/roles/nomad_client/templates/nomad.hcl.j2

@@ -17,6 +17,15 @@ consul {
   token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
 }
 
+vault {
+  enabled           = true
+  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
+  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
+  address           = "https://vault.service.{{ consul_domain }}:8200"
+  create_from_role  = "nomad-cluster"
+  unwrap_token      = true
+}
+
 tls {
   http      = true
   rpc       = true

ansible/roles/nomad_server/tasks/main.yml

@@ -87,7 +87,7 @@
   args:
     executable: /bin/bash
   environment:
-    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_ADDR: http://vault.service.masked.name:8200
     VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
     VAULT_FORMAT: json
   register: cert_data
@@ -114,6 +114,12 @@
         mode: "0600"
     }
 
+- name: append cacert to vault cert
+  blockinfile:
+    path: /etc/nomad.d/certs/nomad.pem
+    block: |
+      {{ vault_ca_cert_payload }}
+
 - name: ensure nomad is started and enabled
   systemd:
     name: nomad

ansible/roles/nomad_server/templates/nomad.hcl.j2

@@ -6,6 +6,15 @@ server {
   bootstrap_expect = 1
 }
 
+vault {
+  enabled           = true
+  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
+  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
+  address           = "https://vault.service.{{ consul_domain }}:8200"
+  create_from_role  = "nomad-cluster"
+  unwrap_token      = true
+}
+
 consul {
   token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
 }

ansible/roles/vault_server/handlers/main.yml

@@ -7,3 +7,8 @@
   systemd:
     name: vault
     state: restarted
+
+- name: reload_vault
+  systemd:
+    name: vault
+    state: reloaded

ansible/roles/vault_server/tasks/main.yml

@@ -29,6 +29,55 @@
     group: root
   notify: daemon_reload
 
+- name: ensure vault certs dir
+  file:
+    path: /etc/vault.d/certs/
+    state: directory
+    owner: vault
+    group: vault
+    mode: 0755
+
+- name: check if server cert is expiring in the next 5 days
+  shell: "openssl x509 -checkend 432000 -noout -in /etc/vault.d/certs/vault.pem"
+  args:
+    executable: /bin/bash
+  failed_when: False
+  check_mode: False
+  changed_when: False
+  register: exp
+
+- name: get cert
+  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=vault.service.{{ consul_domain }} alt_names=vault.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+  args:
+    executable: /bin/bash
+  environment:
+    VAULT_ADDR: http://vault.service.masked.name:8200
+    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+    VAULT_FORMAT: json
+  register: cert_data
+  when: exp.rc != 0
+  notify: reload_vault
+
+- name: write cert data to server
+  copy:
+    content: "{{ item.content }}"
+    dest: "/etc/vault.d/certs/{{ item.path }}"
+    mode: '{{ item.mode }}'
+    owner: vault
+    group: vault
+  when: cert_data.changed
+  loop:
+    - {
+        content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+        path: "vault.pem",
+        mode: "0755"
+    }
+    - {
+        content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+        path: "vault.key",
+        mode: "0600"
+    }
+
 - name: template vault config
   template:
     src: templates/vault.hcl.j2

ansible/roles/vault_server/templates/vault.hcl.j2

@@ -1,10 +1,20 @@
 ui = true
+
 listener "tcp" {
-  address       = "0.0.0.0:8200"
-  tls_disable   = true
-#  tls_cert_file = "/path/to/fullchain.pem"
-#  tls_key_file  = "/path/to/privkey.pem"
+  address         = "127.0.0.1:8200"
+  tls_cert_file   = "/etc/vault.d/certs/vault.pem"
+  tls_key_file    = "/etc/vault.d/certs/vault.key"
 }
+
+listener "tcp" {
+  address         = "{{ ansible_default_ipv4.address }}:8200"
+  tls_cert_file   = "/etc/vault.d/certs/vault.pem"
+  tls_key_file    = "/etc/vault.d/certs/vault.key"
+}
+
+api_addr          = "https://{{ ansible_default_ipv4.address }}:8200"
+cluster_addr      = "https://{{ ansible_default_ipv4.address }}:8201"
+
 storage "consul" {
   address   = "localhost:8500"
   path      = "vault/"