chore!: separated galaxy deps and own collections; modified ansible script generation to use two paths for collections

REQUIRES REGENERATING ansible.cfg!

ansible_collections/nullified/infrastructure/roles/vault/tasks/install_service.yml

@@ -0,0 +1,112 @@
+---
+- name: '[setup] gather facts if not already done'
+  ansible.builtin.setup:
+    gather_subset:
+      - all_ipv4_addresses
+      - default_ipv4
+      - dns
+
+- name: prepare directory layout
+  become: true
+  ansible.builtin.file:
+    path: '{{ item }}'
+    owner: '{{ hc_vault_runas }}'
+    group: '{{ hc_vault_runas }}'
+    mode: '0700'
+    state: directory
+  loop:
+    - '{{ hc_vault_root_dir }}/config'
+    - '{{ hc_vault_root_dir }}/data'
+    - '{{ hc_vault_root_dir }}/tls'
+
+- name: install systemd unit file
+  become: true
+  notify:
+    - 'vault : restart vault service'
+  ansible.builtin.template:
+    src: ../templates/vault-unit.service.j2
+    dest: /lib/systemd/system/vault.service
+    mode: '0644'
+    owner: root
+    group: root
+
+- name: install default vault configuration file
+  become: true
+  notify:
+    - 'vault : restart vault service'
+  no_log: true
+  ansible.builtin.template:
+    src: ../templates/config.hcl.j2
+    dest: '{{ hc_vault_root_dir }}/config/main.hcl'
+    mode: '0600'
+    owner: '{{ hc_vault_runas }}'
+    group: '{{ hc_vault_runas }}'
+
+- name: install environment file
+  become: true
+  notify:
+    - 'vault : restart vault service'
+  no_log: true
+  ansible.builtin.template:
+    src: ../templates/env.j2
+    dest: '{{ hc_vault_root_dir }}/config/vault.env'
+    mode: '0600'
+    owner: '{{ hc_vault_runas }}'
+    group: '{{ hc_vault_runas }}'
+
+- name: install TLS certificate and key
+  become: true
+  notify:
+    - 'vault : reload vault service'
+  no_log: true
+  block:
+    - name: copy provided data
+      block:
+        - name: TLS certificate
+          ansible.builtin.copy:
+            content: '{{ hc_vault_server_tls_cert_data }}'
+            dest: '{{ hc_vault_root_dir }}/tls/tls.cert'
+            owner: '{{ hc_vault_runas }}'
+            group: '{{ hc_vault_runas }}'
+            mode: '0600'
+        - name: Private key
+          ansible.builtin.copy:
+            content: '{{ hc_vault_server_tls_key_data }}'
+            dest: '{{ hc_vault_root_dir }}/tls/tls.key'
+            owner: '{{ hc_vault_runas }}'
+            group: '{{ hc_vault_runas }}'
+            mode: '0600'
+      when: hc_vault_server_tls_cert_data and hc_vault_server_tls_key_data
+    - name: generate new files
+      block:
+        - name: generate ECDSA key
+          ansible.builtin.command:
+            cmd: openssl ecparam -name prime256v1 -genkey -out tls.key
+            chdir: '{{ hc_vault_root_dir }}/tls'
+            creates: '{{ hc_vault_root_dir }}/tls/tls.key'
+        - name: generate certificate
+          ansible.builtin.command:
+            cmd: >
+              openssl req -new -days 3650 -nodes -x509
+                -subj "/C=FR/ST=Void/L=Void/O=IT/OU=Vault/CN={{ ansible_facts['fqdn'] }}"
+                -addext "subjectAltName = DNS:localhost, DNS:{{ ansible_facts['hostname'] }}, IP:{{ ansible_facts['default_ipv4']['address'] | default(ansible_facts['all_ipv4_addresses'][0]) }}, IP:127.0.0.1"
+                -addext "extendedKeyUsage = serverAuth"
+                -addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment"
+                -addext "basicConstraints = CA:FALSE"
+                -key tls.key -out tls.cert
+            chdir: '{{ hc_vault_root_dir }}/tls'
+            creates: '{{ hc_vault_root_dir }}/tls/tls.cert'
+        - name: update files ownership
+          ansible.builtin.file:
+            path: '{{ hc_vault_root_dir }}/tls/{{ item }}'
+            state: file
+            owner: '{{ hc_vault_runas }}'
+            group: '{{ hc_vault_runas }}'
+            mode: '0600'
+          loop:
+            - tls.key
+            - tls.cert
+      when: not hc_vault_server_tls_cert_data or not hc_vault_server_tls_key_data
+
+- name: flush handlers
+  meta: flush_handlers