aboutsummaryrefslogtreecommitdiffstats
path: root/fdio.infra.ansible/roles/vault/tasks/main.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'fdio.infra.ansible/roles/vault/tasks/main.yaml')
-rw-r--r--fdio.infra.ansible/roles/vault/tasks/main.yaml133
1 files changed, 133 insertions, 0 deletions
diff --git a/fdio.infra.ansible/roles/vault/tasks/main.yaml b/fdio.infra.ansible/roles/vault/tasks/main.yaml
new file mode 100644
index 0000000000..3fceadfb4a
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/tasks/main.yaml
@@ -0,0 +1,133 @@
+---
+# file: roles/vault/tasks/main.yaml
+
+- name: Inst - Update Package Cache (APT)
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 3600
+ when:
+ - ansible_distribution|lower == 'ubuntu'
+ tags:
+ - vault-inst-prerequisites
+
+- name: Inst - Prerequisites
+ ansible.builtin.package:
+ name: "{{ packages | flatten(levels=1) }}"
+ state: latest
+ tags:
+ - vault-inst-prerequisites
+
+- name: Conf - Add Vault Group
+ ansible.builtin.group:
+ name: "{{ vault_group }}"
+ state: "{{ vault_user_state }}"
+ tags:
+ - vault-conf-user
+
+- name: Conf - Add Vault user
+ ansible.builtin.user:
+ name: "{{ vault_user }}"
+ group: "{{ vault_group }}"
+ state: "{{ vault_group_state }}"
+ system: true
+ tags:
+ - vault-conf-user
+
+- name: Inst - Clean Vault
+ ansible.builtin.file:
+ path: "{{ vault_inst_dir }}/vault"
+ state: "absent"
+ tags:
+ - vault-inst-package
+
+- name: Inst - Download Vault
+ ansible.builtin.get_url:
+ url: "{{ vault_zip_url }}"
+ dest: "{{ vault_inst_dir }}/{{ vault_pkg }}"
+ tags:
+ - vault-inst-package
+
+- name: Inst - Unarchive Vault
+ ansible.builtin.unarchive:
+ src: "{{ vault_inst_dir }}/{{ vault_pkg }}"
+ dest: "{{ vault_inst_dir }}/"
+ creates: "{{ vault_inst_dir }}/vault"
+ remote_src: true
+ tags:
+ - vault-inst-package
+
+- name: Inst - Vault
+ ansible.builtin.copy:
+ src: "{{ vault_inst_dir }}/vault"
+ dest: "{{ vault_bin_dir }}"
+ owner: "{{ vault_user }}"
+ group: "{{ vault_group }}"
+ force: true
+ mode: 0755
+ remote_src: true
+ tags:
+ - vault-inst-package
+
+- name: Inst - Check Vault mlock capability
+ ansible.builtin.command: "setcap cap_ipc_lock=+ep {{ vault_bin_dir }}/vault"
+ changed_when: false # read-only task
+ ignore_errors: true
+ register: vault_mlock_capability
+ tags:
+ - vault-inst-package
+
+- name: Inst - Enable non root mlock capability
+ ansible.builtin.command: "setcap cap_ipc_lock=+ep {{ vault_bin_dir }}/vault"
+ when: vault_mlock_capability is failed
+ tags:
+ - vault-inst-package
+
+- name: Conf - Create directories
+ ansible.builtin.file:
+ dest: "{{ item }}"
+ state: directory
+ owner: "{{ vault_user }}"
+ group: "{{ vault_group }}"
+ mode: 0750
+ with_items:
+ - "{{ vault_data_dir }}"
+ - "{{ vault_config_dir }}"
+ - "{{ vault_ssl_dir }}"
+ tags:
+ - vault-conf
+
+- name: Conf - Vault main configuration
+ ansible.builtin.template:
+ src: "{{ vault_main_configuration_template }}"
+ dest: "{{ vault_main_config }}"
+ owner: "{{ vault_user }}"
+ group: "{{ vault_group }}"
+ mode: 0400
+ tags:
+ - vault-conf
+
+# - name: Conf - Copy Certificates And Keys
+# copy:
+# content: "{{ item.src }}"
+# dest: "{{ item.dest }}"
+# owner: "{{ vault_user }}"
+# group: "{{ vault_group }}"
+# mode: 0600
+# no_log: true
+# loop: "{{ vault_certificates | flatten(levels=1) }}"
+# tags:
+# - vault-conf
+
+- name: Conf - System.d Script
+ ansible.builtin.template:
+ src: "vault_systemd.service.j2"
+ dest: "/lib/systemd/system/vault.service"
+ owner: "root"
+ group: "root"
+ mode: 0644
+ notify:
+ - "Restart Vault"
+ tags:
+ - vault-conf
+
+- meta: flush_handlers