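---
# file: roles/vault/tasks/main.yaml
#
# Installs HashiCorp Vault from a release zip and prepares the host to run it:
# service account, directories, main configuration, CLI environment and the
# systemd unit. All vault_* variables come from the role's defaults/vars.
#
# Fixes relative to the previous revision:
#   - the group task used vault_user_state and the user task used
#     vault_group_state (swapped); each task now reads its own variable.
#   - the "check mlock capability" task ran setcap (a mutation) while being
#     marked changed_when: false; it now uses getcap, which is read-only, and
#     setcap runs only when cap_ipc_lock is absent.
#   - octal file modes are quoted so YAML never re-types them.

- name: Inst - Update Package Cache (APT)
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: 3600
  when:
    - ansible_distribution | lower == 'ubuntu'
  tags:
    - vault-inst-prerequisites

- name: Inst - Prerequisites
  ansible.builtin.package:
    name: "{{ packages | flatten(levels=1) }}"
    state: latest
  tags:
    - vault-inst-prerequisites

- name: Conf - Add Vault Group
  ansible.builtin.group:
    name: "{{ vault_group }}"
    state: "{{ vault_group_state }}"
  tags:
    - vault-conf-user

- name: Conf - Add Vault user
  ansible.builtin.user:
    name: "{{ vault_user }}"
    group: "{{ vault_group }}"
    state: "{{ vault_user_state }}"
    # system account: no login shell defaults, uid from the system range
    system: true
  tags:
    - vault-conf-user

# Remove any previously extracted binary so the unarchive step below
# (guarded by `creates`) always extracts the freshly downloaded package.
- name: Inst - Clean Vault
  ansible.builtin.file:
    path: "{{ vault_inst_dir }}/vault"
    state: absent
  tags:
    - vault-inst-package

# NOTE(review): the download is not integrity-checked. get_url supports a
# `checksum:` parameter (e.g. "sha256:<digest>" or a URL to a SHA256SUMS
# file); wiring it to the published release checksum would protect against
# a tampered or truncated archive being installed as the Vault binary.
- name: Inst - Download Vault
  ansible.builtin.get_url:
    url: "{{ vault_zip_url }}"
    dest: "{{ vault_inst_dir }}/{{ vault_pkg }}"
  tags:
    - vault-inst-package

- name: Inst - Unarchive Vault
  ansible.builtin.unarchive:
    src: "{{ vault_inst_dir }}/{{ vault_pkg }}"
    dest: "{{ vault_inst_dir }}/"
    # skip extraction when the binary is already present
    creates: "{{ vault_inst_dir }}/vault"
    # the zip is already on the managed host
    remote_src: true
  tags:
    - vault-inst-package

- name: Inst - Vault
  ansible.builtin.copy:
    src: "{{ vault_inst_dir }}/vault"
    dest: "{{ vault_bin_dir }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    force: true
    mode: "0755"
    remote_src: true
  tags:
    - vault-inst-package

# Vault mlock()s its memory so secrets are not written to swap; a non-root
# process needs cap_ipc_lock on the binary for that. Replacing the binary
# (copy task above) drops file capabilities, so the state is re-checked on
# every run. getcap is read-only and exits 0 with empty output when no
# capability is set; failed_when: false keeps a missing getcap from aborting
# the play (the setcap task below then fails loudly instead).
- name: Inst - Check Vault mlock capability
  ansible.builtin.command: "getcap {{ vault_bin_dir }}/vault"
  changed_when: false
  failed_when: false
  register: vault_mlock_capability
  tags:
    - vault-inst-package

- name: Inst - Enable non root mlock capability
  ansible.builtin.command: "setcap cap_ipc_lock=+ep {{ vault_bin_dir }}/vault"
  when: "'cap_ipc_lock' not in (vault_mlock_capability.stdout | default(''))"
  tags:
    - vault-inst-package

- name: Conf - Create directories
  ansible.builtin.file:
    dest: "{{ item }}"
    state: directory
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "0750"
  loop:
    - "{{ vault_data_dir }}"
    - "{{ vault_config_dir }}"
    - "{{ vault_ssl_dir }}"
  tags:
    - vault-conf

- name: Conf - Vault main configuration
  ansible.builtin.template:
    src: "{{ vault_main_configuration_template }}"
    dest: "{{ vault_main_config }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    # readable by the vault user only; the config may carry listener/storage secrets
    mode: "0400"
  tags:
    - vault-conf

# - name: Conf - Copy Certificates And Keys
#   copy:
#     content: "{{ item.src }}"
#     dest: "{{ item.dest }}"
#     owner: "{{ vault_user }}"
#     group: "{{ vault_group }}"
#     mode: 0600
#   no_log: true
#   loop: "{{ vault_certificates | flatten(levels=1) }}"
#   tags:
#     - vault-conf

# NOTE(review): VAULT_ADDR points at a plain-http endpoint, so CLI tokens and
# secrets cross the network unencrypted unless the listener is reached over a
# trusted local path — confirm this matches the TLS posture of vault_main_config.
- name: Vault CLI Environment Variables
  ansible.builtin.lineinfile:
    path: "/etc/profile.d/vault.sh"
    line: "{{ item }}"
    mode: "0644"
    create: true
  loop:
    - "export VAULT_ADDR=http://vault.service.consul:8200"
  tags:
    - vault-conf-env

- name: Conf - System.d Script
  ansible.builtin.template:
    src: "vault_systemd.service.j2"
    dest: "/lib/systemd/system/vault.service"
    owner: "root"
    group: "root"
    mode: "0644"
  notify:
    - "Restart Vault"
  tags:
    - vault-conf

# Run the queued "Restart Vault" handler now rather than at end of play.
- ansible.builtin.meta: flush_handlers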