---
# file: roles/vault/tasks/main.yaml
# Refresh the APT package index before the prerequisite install so it sees
# current package versions. Only Ubuntu hosts are touched; every other
# distribution skips this task.
- name: Inst - Update Package Cache (APT)
  apt:
    update_cache: true
    # an index younger than one hour is reused instead of contacting the mirrors
    cache_valid_time: 3600
  when: ansible_distribution | lower == 'ubuntu'
  tags:
    - vault-inst-prerequisites
# Install the prerequisite packages from the `packages` variable through the
# distribution's own package manager.
- name: Inst - Prerequisites
  package:
    # one level of flattening keeps the module input a plain list of names
    name: "{{ packages | flatten(levels=1) }}"
    # NOTE(review): `latest` upgrades these packages on every run, so results
    # differ between runs; `present` would be the reproducible choice
    state: latest
  tags:
    - vault-inst-prerequisites
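# Create the service account that will own the Vault binary, data and
# configuration. Each task now reads its own state variable
# (`vault_group_state` for the group, `vault_user_state` for the user);
# the two were swapped before, so a group state setting affected the user
# and vice versa.
- name: Conf - Add Vault Group
  group:
    name: "{{ vault_group }}"
    state: "{{ vault_group_state }}"
  tags:
    - vault-conf-user

- name: Conf - Add Vault user
  user:
    name: "{{ vault_user }}"
    group: "{{ vault_group }}"
    state: "{{ vault_user_state }}"
    # a service account, not an interactive login user
    system: true
    # NOTE(review): consider `shell: /usr/sbin/nologin` so the account cannot
    # be used interactively — confirm against the distribution's defaults
  tags:
    - vault-conf-user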
# Drop any previously unpacked binary from the staging directory so the
# unarchive task below always extracts the freshly downloaded package
# (its `creates:` guard would otherwise skip the extraction).
- name: Inst - Clean Vault
  file:
    path: "{{ vault_inst_dir }}/vault"
    state: "absent"
  tags:
    - vault-inst-package
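# Fetch the Vault release archive into the staging directory. When the
# optional role variable `vault_zip_checksum` is defined (format
# `<algorithm>:<hex>`, e.g. `sha256:<digest>`), the download is verified
# against it; otherwise the parameter is omitted and the download is
# unverified, exactly as before. Pinning the checksum is what protects the
# install from a tampered mirror or archive.
- name: Inst - Download Vault
  get_url:
    url: "{{ vault_zip_url }}"
    dest: "{{ vault_inst_dir }}/{{ vault_pkg }}"
    # `omit` removes the parameter entirely when no checksum is configured
    checksum: "{{ vault_zip_checksum | default(omit) }}"
  tags:
    - vault-inst-package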
# Extract the archive that was just downloaded. The archive already lives on
# the managed host (hence `remote_src`); extraction is skipped when the
# binary is already present in the staging directory.
- name: Inst - Unarchive Vault
  unarchive:
    src: "{{ vault_inst_dir }}/{{ vault_pkg }}"
    dest: "{{ vault_inst_dir }}/"
    creates: "{{ vault_inst_dir }}/vault"
    remote_src: true
  tags:
    - vault-inst-package
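# Install the extracted binary into the bin directory, owned by the Vault
# service account. The mode is quoted so YAML keeps it as the octal string
# "0755" instead of parsing it as an integer (493 under YAML 1.1, 755 under
# a YAML 1.2 parser).
- name: Inst - Vault
  copy:
    src: "{{ vault_inst_dir }}/vault"
    dest: "{{ vault_bin_dir }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    # overwrite an existing binary so upgrades take effect
    force: true
    mode: "0755"
    # the source is the staging directory on the managed host, not the controller
    remote_src: true
  tags:
    - vault-inst-package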
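# Vault uses CAP_IPC_LOCK to mlock() its memory and keep secrets out of
# swap. Query the binary's file capabilities first: `getcap` is a read-only
# lookup, so the task never reports a change and never fails the play.
# The previous "check" ran `setcap` itself (a write, wrongly marked
# read-only) and hid its failure with `ignore_errors`, after which the
# "enable" task repeated the very same command.
- name: Inst - Check Vault mlock capability
  command: "getcap {{ vault_bin_dir }}/vault"
  changed_when: false
  # a missing getcap just yields empty output; the task below then applies
  # the capability and surfaces any real error
  failed_when: false
  register: vault_mlock_capability
  tags:
    - vault-inst-package

# Grant the capability only when the query above did not list it. This runs
# after the install step so a freshly copied binary is covered as well.
- name: Inst - Enable non root mlock capability
  command: "setcap cap_ipc_lock=+ep {{ vault_bin_dir }}/vault"
  when: "'cap_ipc_lock' not in (vault_mlock_capability.stdout | default(''))"
  tags:
    - vault-inst-package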
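# Create the data, config and TLS directories, owned by the Vault account and
# closed to other users. The mode is quoted so it stays the octal string
# "0750" under any YAML parser; `loop` replaces `with_items` (equivalent
# here because every item is a plain string).
- name: Conf - Create directories
  file:
    # `dest` is an alias of the file module's `path` parameter
    dest: "{{ item }}"
    state: directory
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "0750"
  loop:
    - "{{ vault_data_dir }}"
    - "{{ vault_config_dir }}"
    - "{{ vault_ssl_dir }}"
  tags:
    - vault-conf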
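# Render the main Vault configuration, readable only by the Vault account.
# The mode is quoted so it stays the octal string "0400" under any YAML
# parser.
- name: Conf - Vault main configuration
  template:
    src: "{{ vault_main_configuration_template }}"
    dest: "{{ vault_main_config }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "0400"
  # NOTE(review): unlike the unit-file task, a changed configuration does not
  # notify "Restart Vault"; a restart seals a running Vault, so confirm
  # whether that is deliberate before adding it
  tags:
    - vault-conf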
#- name: Conf - Copy Certificates And Keys
# copy:
# content: "{{ item.src }}"
# dest: "{{ item.dest }}"
# owner: "{{ vault_user }}"
# group: "{{ vault_group }}"
# mode: 0600
# no_log: true
# loop: "{{ vault_certificates | flatten(levels=1) }}"
# tags:
# - vault-conf
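# Install the systemd unit for Vault, root-owned and world-readable, and
# queue a service restart when it changed. The mode is quoted so it stays
# the octal string "0644" under any YAML parser.
- name: Conf - System.d Script
  template:
    src: "vault_systemd.service.j2"
    # NOTE(review): /etc/systemd/system is the usual location for
    # administrator-provided units; /lib is the package directory — confirm
    dest: "/lib/systemd/system/vault.service"
    owner: "root"
    group: "root"
    mode: "0644"
  notify:
    - "Restart Vault"
  tags:
    - vault-conf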
# Run every handler notified so far (e.g. the "Restart Vault" queued by the
# unit-file task) now, rather than waiting for the end of the play.
- meta: flush_handlers