

2 commits

Author SHA1 Message Date
9c0b211db2 Add ca_cert to hashi_vault lookups 2022-11-01 16:02:59 -04:00
6225653c56 Bump lnd, add ca_cert to letsencrypt for haproxy 2022-11-01 16:02:29 -04:00
10 changed files with 18 additions and 19 deletions


@ -64,7 +64,7 @@ nomad_version: 1.3.1
nomad_podman_driver_version: 0.3.0
# lnd
lnd_version: 0.15.0-beta
lnd_version: 0.15.4-beta
# lego
lego_version: 4.7.0


@ -1,4 +1,4 @@
---
lego_email_address: amarpreet@minhas.io
letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:data')['account_id'] }}"
letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['account_id'] }}"
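Review bot: The `ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt` term added to this lookup, and to every other `hashi_vault` lookup in this comparison (the consul, nomad and vault config templates, the lego env file and the acme private-key template), is resolved on the Ansible controller, because lookups execute there, so that file must exist on the control node rather than on the managed host. The nomad templates meanwhile use `ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"` for the host-side path; the two should not be assumed to be the same file, and a short comment at the first use, `# ca_cert is read on the controller, where the lookup runs`, would make that explicit. Repeating the literal path in every lookup is easy to let drift; building the term from one variable, e.g. `'secret=kv/data/acme:data ca_cert=' ~ vault_lookup_ca_cert_path` (placeholder variable name), or setting the collection's `ANSIBLE_HASHI_VAULT_CA_CERT` environment option on the controller if the installed community.hashi_vault version supports it, keeps the trust anchor defined in one place.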
...


@ -20,12 +20,11 @@
- git
- htop
- inxi
- kitty-terminfo
- make
- ncdu
- netcat-traditional
- netcat-openbsd
- ntp
- rxvt-unicode
- screen
- strace
- sysstat


@ -3,7 +3,7 @@ primary_datacenter = "{{ main_dc_name }}"
domain = "{{ consul_domain }}"
node_name = "{{ inventory_hostname_short }}"
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
verify_incoming = false
verify_outgoing = true
@ -32,6 +32,6 @@ acl {
default_policy = "deny"
enable_token_persistence = true
tokens {
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
}
}


@ -6,7 +6,7 @@ server = true
bootstrap_expect = 3
ui = true
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
verify_outgoing = true
verify_server_hostname = true
@ -49,6 +49,6 @@ acl {
default_policy = "deny"
enable_token_persistence = true
tokens {
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['server-acl-token'] }}"
default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
}
}


@ -1 +1 @@
{{ lookup('hashi_vault', 'secret=kv/data/acme:data')['private_key'] }}
{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }}
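Review bot: The rendered output of this one-line template is the ACME account private key itself, and nothing in the hunk shows how the file is written; the task that templates it is outside this diff, so it is worth confirming it sets an owner-only mode and that the stored value round-trips with its PEM line breaks and trailing newline intact. A header comment cannot be added here without changing the file's content, so the note belongs on the templating task, e.g. `# renders the ACME account private key; keep mode 0600 and the exact PEM bytes`.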


@ -1,5 +1,5 @@
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data')['api_user'] }}
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data')['api_key'] }}
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['access_key'] }}
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['secret_key'] }}
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data')['hosted_zone_id'] }}
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }}
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }}
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }}
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }}
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }}
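Review bot: All five `export` lines still write the secret values unquoted, so a value containing a shell-significant character (space, `$`, backquote, `;`) would be split or expanded when this file is sourced. Passing each value through Ansible's `quote` filter makes the line safe regardless of content, e.g. `export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] | quote }}`, and the same applies to the other four lines. The rendered file holds live DNS and cloud credentials; the task that writes it is outside this hunk, so confirm it sets a restrictive file mode.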


@ -14,13 +14,13 @@ client {
}
consul {
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}"
}
vault {
enabled = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
address = "https://vault.service.{{ consul_domain }}:8200"
create_from_role = "nomad-cluster"
unwrap_token = true


@ -9,14 +9,14 @@ server {
vault {
enabled = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['vault-token'] }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
address = "https://vault.service.{{ consul_domain }}:8200"
create_from_role = "nomad-cluster"
unwrap_token = true
}
consul {
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}"
}
tls {


@ -18,5 +18,5 @@ cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
storage "consul" {
address = "localhost:8500"
path = "vault/"
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data')['consul-acl'] }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}"
}