1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
---
# file: roles/vault/defaults/main.yaml
# Inst - Prerequisites.
packages: "{{ packages_base + packages_by_distro[ansible_distribution | lower] + packages_by_arch[ansible_machine] }}"
packages_base:
- "curl"
- "unzip"
packages_by_distro:
ubuntu:
- []
packages_by_arch:
aarch64:
- []
x86_64:
- []
# Inst - Vault Map.
vault_version: "1.11.0"
vault_architecture_map:
amd64: "amd64"
x86_64: "amd64"
armv7l: "arm"
aarch64: "arm64"
32-bit: "386"
64-bit: "amd64"
vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}"
vault_os: "{{ ansible_system|lower }}"
vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/{{ vault_pkg }}"
# Conf - Service.
vault_node_role: "server"
vault_restart_handler_state: "restarted"
vault_systemd_service_name: "vault"
# Inst - System paths.
vault_bin_dir: "/usr/local/bin"
vault_config_dir: "/etc/vault.d"
vault_data_dir: "/var/vault"
vault_inst_dir: "/opt"
vault_run_dir: "/var/run/vault"
vault_ssl_dir: "/etc/vault.d/ssl"
# Conf - User and group.
vault_group: "vault"
vault_group_state: "present"
vault_user: "vault"
vault_user_state: "present"
# Conf - Main
vault_group_name: "vault_instances"
vault_cluster_name: "yul1"
vault_datacenter: "yul1"
vault_log_level: "{{ lookup('env','VAULT_LOG_LEVEL') | default('info', true) }}"
vault_iface: "{{ lookup('env','VAULT_IFACE') | default(ansible_default_ipv4.interface, true) }}"
vault_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
vault_ui: "{{ lookup('env', 'VAULT_UI') | default(true, true) }}"
vault_port: 8200
vault_use_config_path: false
vault_main_config: "{{ vault_config_dir }}/vault_main.hcl"
vault_main_configuration_template: "vault_main_configuration.hcl.j2"
vault_listener_localhost_enable: false
vault_http_proxy: ""
vault_https_proxy: ""
vault_no_proxy: ""
# Conf - Listeners
vault_tcp_listeners:
- vault_address: "{{ vault_address }}"
vault_port: "{{ vault_port }}"
vault_cluster_address: "{{ vault_cluster_address }}"
vault_tls_disable: "{{ vault_tls_disable }}"
vault_tls_config_path: "{{ vault_tls_config_path }}"
vault_tls_cert_file: "{{ vault_tls_cert_file }}"
vault_tls_key_file: "{{ vault_tls_key_file }}"
vault_tls_ca_file: "{{ vault_tls_ca_file }}"
vault_tls_min_version: "{{ vault_tls_min_version }}"
vault_tls_cipher_suites: "{{ vault_tls_cipher_suites }}"
vault_tls_prefer_server_cipher_suites: "{{ vault_tls_prefer_server_cipher_suites }}"
vault_tls_require_and_verify_client_cert: "{{ vault_tls_require_and_verify_client_cert }}"
vault_tls_disable_client_certs: "{{ vault_tls_disable_client_certs }}"
vault_disable_mlock: true
# Conf - Backend
vault_backend_consul: "vault_backend_consul.j2"
vault_backend_file: "vault_backend_file.j2"
vault_backend_raft: "vault_backend_raft.j2"
vault_backend_etcd: "vault_backend_etcd.j2"
vault_backend_s3: "vault_backend_s3.j2"
vault_backend_dynamodb: "vault_backend_dynamodb.j2"
vault_backend_mysql: "vault_backend_mysql.j2"
vault_backend_gcs: "vault_backend_gcs.j2"
vault_cluster_disable: false
vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}"
vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}"
vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address | default(hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address']) }}:{{ vault_port }}"
vault_max_lease_ttl: "768h"
vault_default_lease_ttl: "768h"
vault_backend_tls_src_files: "{{ vault_tls_src_files }}"
vault_backend_tls_config_path: "{{ vault_tls_config_path }}"
vault_backend_tls_cert_file: "{{ vault_tls_cert_file }}"
vault_backend_tls_key_file: "{{ vault_tls_key_file }}"
vault_backend_tls_ca_file: "{{ vault_tls_ca_file }}"
vault_consul: "127.0.0.1:8500"
vault_consul_path: "vault"
vault_consul_service: "vault"
vault_consul_scheme: "http"
vault_backend: "consul"
# Conf - Service registration
vault_service_registration_consul_enable: true
vault_service_registration_consul_template: "vault_service_registration_consul.hcl.j2"
vault_service_registration_consul_check_timeout: "5s"
vault_service_registration_consul_address: "127.0.0.1:8500"
vault_service_registration_consul_service: "vault"
vault_service_registration_consul_service_tags: ""
vault_service_registration_consul_service_address:
vault_service_registration_consul_disable_registration: false
vault_service_registration_consul_scheme: "http"
vault_service_registration_consul_tls_config_path: "{{ vault_tls_config_path }}"
vault_service_registration_consul_tls_cert_file: "{{ vault_tls_cert_file }}"
vault_service_registration_consul_tls_key_file: "{{ vault_tls_key_file }}"
vault_service_registration_consul_tls_ca_file: "{{ vault_tls_ca_file }}"
vault_service_registration_consul_tls_min_version: "{{ vault_tls_min_version }}"
vault_service_registration_consul_tls_skip_verify: false
# Conf - Telemetry
vault_telemetry_enabled: true
vault_telemetry_disable_hostname: false
vault_prometheus_retention_time: 30s
# Conf - TLS
validate_certs_during_api_reachable_check: true
vault_tls_config_path: "{{ lookup('env','VAULT_TLS_DIR') | default('/etc/vault/tls', true) }}"
vault_tls_src_files: "{{ lookup('env','VAULT_TLS_SRC_FILES') | default(role_path+'/files', true) }}"
vault_tls_disable: "{{ lookup('env','VAULT_TLS_DISABLE') | default(1, true) }}"
vault_tls_gossip: "{{ lookup('env','VAULT_TLS_GOSSIP') | default(0, true) }}"
vault_tls_copy_keys: true
vault_protocol: "{% if vault_tls_disable %}http{% else %}https{% endif %}"
vault_tls_cert_file: "{{ lookup('env','VAULT_TLS_CERT_FILE') | default('server.crt', true) }}"
vault_tls_key_file: "{{ lookup('env','VAULT_TLS_KEY_FILE') | default('server.key', true) }}"
vault_tls_ca_file: "{{ lookup('env','VAULT_TLS_CA_CRT') | default('ca.crt', true) }}"
vault_tls_min_version: "{{ lookup('env','VAULT_TLS_MIN_VERSION') | default('tls12', true) }}"
vault_tls_cipher_suites: ""
vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default('false', true) }}"
vault_tls_files_remote_src: false
vault_tls_require_and_verify_client_cert: false
vault_tls_disable_client_certs: false
|