---
# file: roles/vault/tasks/main.yaml

- name: Inst - Update Package Cache (APT)
  # Only Ubuntu hosts refresh the apt index here; every other distribution
  # skips straight to the generic package step below.
  when: ansible_distribution | lower == 'ubuntu'
  tags:
    - vault-inst-prerequisites
  apt:
    cache_valid_time: 3600
    update_cache: true

- name: Inst - Prerequisites
  # `packages` is a role variable holding the package list; flatten(levels=1)
  # collapses one level of nesting so grouped sub-lists are accepted too.
  tags:
    - vault-inst-prerequisites
  package:
    state: latest
    name: "{{ packages | flatten(levels=1) }}"

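- name: Conf - Add Vault Group
  group:
    name: "{{ vault_group }}"
    # Group presence is driven by vault_group_state; the user task below is
    # driven by vault_user_state. The two were cross-wired before, so an
    # "absent" on one variable acted on the other entity.
    state: "{{ vault_group_state }}"
  tags:
    - vault-conf-user

- name: Conf - Add Vault user
  user:
    name: "{{ vault_user }}"
    group: "{{ vault_group }}"
    state: "{{ vault_user_state }}"
    # System account: no home/login shell expectations, as for a daemon user.
    system: true
  tags:
    - vault-conf-user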

- name: Inst - Clean Vault
  # Remove any previously unpacked binary so the unarchive step below
  # (guarded by `creates`) extracts a fresh copy every run.
  tags:
    - vault-inst-package
  file:
    state: absent
    path: "{{ vault_inst_dir }}/vault"

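- name: Inst - Download Vault
  get_url:
    url: "{{ vault_zip_url }}"
    dest: "{{ vault_inst_dir }}/{{ vault_pkg }}"
    # Pin the fetched archive when a digest is supplied. `vault_zip_checksum`
    # is an optional role variable in get_url's "<algorithm>:<digest>" form
    # (a "<algorithm>:<url>" pointing at a checksum file is also accepted by
    # get_url). When it is unset the parameter is omitted and the download
    # behaves exactly as before, i.e. unverified.
    checksum: "{{ vault_zip_checksum | default(omit) }}"
  tags:
    - vault-inst-package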

- name: Inst - Unarchive Vault
  # The archive already sits on the target (remote_src), so no transfer from
  # the controller happens; `creates` skips extraction once the binary exists.
  tags:
    - vault-inst-package
  unarchive:
    remote_src: true
    creates: "{{ vault_inst_dir }}/vault"
    dest: "{{ vault_inst_dir }}/"
    src: "{{ vault_inst_dir }}/{{ vault_pkg }}"

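- name: Inst - Vault
  copy:
    src: "{{ vault_inst_dir }}/vault"
    # Name the destination file explicitly: the mlock tasks address the binary
    # as "{{ vault_bin_dir }}/vault", so vault_bin_dir is a directory and this
    # removes copy's directory-or-file interpretation of a bare `dest`.
    dest: "{{ vault_bin_dir }}/vault"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    # force: true rewrites the binary on every run; that presumably drops any
    # file capability previously set on it, which is why the mlock capability
    # is re-checked after this task.
    force: true
    # Quoted so the leading zero is not read as a YAML 1.1 octal int (or as
    # decimal 755 by a YAML 1.2 parser); Ansible applies the string as octal.
    mode: "0755"
    remote_src: true
  tags:
    - vault-inst-package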

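- name: Inst - Check Vault mlock capability
  # A genuine read-only probe: getcap only prints the capabilities currently
  # attached to the binary (empty output when none are set). The previous
  # version ran setcap here, i.e. it mutated the file while reporting
  # changed_when: false, and the follow-up task then re-ran the same command.
  command: "getcap {{ vault_bin_dir }}/vault"
  changed_when: false  # read-only task
  # Tolerate a missing getcap so the enable step below still gets a chance.
  ignore_errors: true
  register: vault_mlock_capability
  tags:
    - vault-inst-package

- name: Inst - Enable non root mlock capability
  # cap_ipc_lock lets the unprivileged vault user mlock() its memory so
  # secrets are not swapped to disk. Apply only when the probe did not show
  # it; stdout may be absent if getcap itself could not be executed.
  command: "setcap cap_ipc_lock=+ep {{ vault_bin_dir }}/vault"
  when: "'cap_ipc_lock' not in (vault_mlock_capability.stdout | default(''))"
  tags:
    - vault-inst-package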

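- name: Conf - Create directories
  # Data, config and TLS material are owned by the vault user and closed to
  # "other" (0750); quoted mode avoids the YAML octal-int trap.
  file:
    dest: "{{ item }}"
    state: directory
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "0750"
  with_items:
    - "{{ vault_data_dir }}"
    - "{{ vault_config_dir }}"
    - "{{ vault_ssl_dir }}"
  tags:
    - vault-conf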

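- name: Conf - Vault main configuration
  template:
    src: "{{ vault_main_configuration_template }}"
    dest: "{{ vault_main_config }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    # Owner read-only: the rendered config is readable by the vault user
    # alone. Quoted so the leading zero survives any YAML parser.
    mode: "0400"
  tags:
    - vault-conf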

# - name: Conf - Copy Certificates And Keys
#   copy:
#     content: "{{ item.src }}"
#     dest: "{{ item.dest }}"
#     owner: "{{ vault_user }}"
#     group: "{{ vault_group }}"
#     mode: 0600
#   no_log: true
#   loop: "{{ vault_certificates | flatten(levels=1) }}"
#   tags:
#     - vault-conf

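- name: Conf - System.d Script
  template:
    src: "vault_systemd.service.j2"
    dest: "/lib/systemd/system/vault.service"
    owner: "root"
    group: "root"
    # Unit files are world-readable by convention; quoted to keep the
    # leading zero out of YAML integer parsing.
    mode: "0644"
  # Any change to the unit triggers the "Restart Vault" handler, which
  # the flush_handlers meta task below runs immediately.
  notify:
    - "Restart Vault"
  tags:
    - vault-conf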

# Run pending handlers now (e.g. "Restart Vault") instead of at the end of
# the play, so the service is up before any later role or task depends on it.
- meta: flush_handlers