chore!: separated galaxy deps and own collections; modified ansible script generation to use two paths for collections
REQUIRES REGENERATING ansible.cfg!
parent
4af69c31ce
commit
888590ed9f
188 changed files with 30 additions and 30 deletions
|
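--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,18 @@
+{%- if not hc_vault_server_config %}
+ui = {% if hc_vault_enable_ui %}true{% else %}false{% endif +%}
+disable_mlock = false
+
+storage "file" {
+path = "{{ hc_vault_root_dir }}/data"
+}
+
+# HTTPS listener
+listener "tcp" {
+address = "0.0.0.0:8200"
+tls_cert_file = "{{ hc_vault_root_dir }}/tls/tls.cert"
+tls_key_file = "{{ hc_vault_root_dir }}/tls/tls.key"
+tls_min_version = "tls13"
+}
+{%- else %}
+{{ hc_vault_server_config }}
+{% endif %}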
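Review bot: The listener on the `address = "0.0.0.0:8200"` line hard-codes the API port, while the nftables template added in this same commit keys its accept rules on `hc_vault_api_port`; if that variable is ever set to anything other than 8200 the firewall and the listener disagree, and the API is either unreachable or, depending on the chain's default policy, reachable on a port the rules do not cover. Rendering the listener from the same variable keeps the two in step: `address = "0.0.0.0:{{ hc_vault_api_port }}"`. The `tls_min_version = "tls13"` floor and file storage with mlock left enabled are sound defaults; note that the `hc_vault_server_config` branch replaces the whole file, so an operator-supplied config inherits none of them, which is worth a `{# … #}` comment at the top of the template.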
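--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,3 @@
+{% for item in hc_vault_environment_vars.keys() -%}
+{{ item }} = {{ hc_vault_environment_vars[item] }}
+{% endfor %}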
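Review bot: The `{{ item }} = {{ hc_vault_environment_vars[item] }}` line writes each value unquoted, so any value containing whitespace, quotes or a backslash is left to whatever systemd's `EnvironmentFile=` parser does with unquoted text, which is easy to get wrong silently. Emitting the value double-quoted, `{{ item }}="{{ hc_vault_environment_vars[item] }}"`, makes the file unambiguous for the parser that consumes it. Because this file is loaded straight into the Vault process environment and may carry sensitive settings, the mode the writing task applies to it matters; the template cannot enforce that, so a one-line `{# … #}` comment stating that expectation would help the next maintainer.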
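--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -0,0 +1,39 @@
+[Unit]
+Description="HashiCorp Vault"
+Requires=network-online.target
+After=network-online.target
+StartLimitIntervalSec=120
+StartLimitBurst=4
+ConditionCapability=CAP_IPC_LOCK
+ConditionCapability=CAP_SYSLOG
+ConditionFileNotEmpty={{ hc_vault_root_dir }}/config/main.hcl
+ConditionPathIsDirectory={{ hc_vault_root_dir }}/tls
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_SYSLOG
+EnvironmentFile={{ hc_vault_root_dir }}/config/vault.env
+ExecStart={{ hc_vault_binary_path }} server -config={{ hc_vault_root_dir }}/config/main.hcl
+Group={{ hc_vault_runas }}
+KillMode=process
+KillSignal=SIGINT
+LimitCORE=0
+LimitMEMLOCK=infinity
+LimitNOFILE=65536
+LockPersonality=yes
+NoNewPrivileges=yes
+OOMScoreAdjust=-500
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+Restart=on-failure
+RestartSec=5
+SecureBits=keep-caps
+TimeoutSec=30
+Type=notify-reload
+UMask=0077
+User={{ hc_vault_runas }}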
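Review bot: The [Service] section sandboxes the process with `NoNewPrivileges`, `PrivateDevices`, `PrivateTmp`, `ProtectHome` and `ProtectSystem=full`, but leaves kernel tunables, module loading, the cgroup tree, namespaces, SUID/SGID binaries, realtime scheduling and non-IP address families reachable; the directives below close those and should not affect a Vault server, though `RestrictAddressFamilies` is the one to confirm against the binary (`AF_NETLINK` is kept because Go's interface enumeration uses it). `CapabilityBoundingSet` lists `CAP_SYSLOG` although only `CAP_IPC_LOCK` is granted through `AmbientCapabilities` and the unit runs as `{{ hc_vault_runas }}`, so unless the binary is known to need it the entry only widens the bounding set. `ProtectSystem=strict` with `ReadWritePaths={{ hc_vault_root_dir }}/data` would be tighter still, but since `hc_vault_server_config` can replace the storage and audit paths wholesale, `full` is the defensible choice here and is left as is.

```ini
[Service]
# … unchanged: AmbientCapabilities through ProtectSystem …
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# … unchanged: Restart through User …
```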
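--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -0,0 +1,13 @@
+{%- set api_source_ips = firewall_lb_ips | default({}, True) -%}
+{%- set noop = api_source_ips.update(firewall_cluster_nodes_ips) -%}
+table inet filter {
+chain input {
+{% if firewall_lb_ips %}ip saddr { {{ api_source_ips | join (', ') }} } {% endif %}tcp dport {{ hc_vault_api_port }} accept
+{% if firewall_cluster_nodes_ips %}ip saddr { {{ firewall_cluster_nodes_ips | join(', ') }} } tcp dport {{ hc_vault_raft_cluster_port }}{% endif +%}
+}
+
+chain output {
+{% if firewall_lb_ips %}ip daddr { {{ api_source_ips | join (', ') }} } {% endif %}tcp sport {{ hc_vault_api_port }} accept
+{% if firewall_cluster_nodes_ips %}ip daddr { {{ firewall_cluster_nodes_ips | join(', ') }} } tcp sport {{ hc_vault_raft_cluster_port }}{% endif +%}
+}
+}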
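Review bot: The raft cluster-port rules on the `{% if firewall_cluster_nodes_ips %}ip saddr { … } tcp dport {{ hc_vault_raft_cluster_port }}{% endif +%}` line and its `sport` counterpart in `chain output` carry no verdict, while the API-port rules directly above them end in `accept`; a rule without a verdict matches and falls through, so under a drop policy the node-to-node raft traffic is never permitted. Moving `accept` inside the conditional fixes both lines: `… tcp dport {{ hc_vault_raft_cluster_port }} accept{% endif +%}`. Separately, the source restriction on the API rule is gated only on `firewall_lb_ips`, so when only `firewall_cluster_nodes_ips` is defined the merged `api_source_ips` built on the first two lines goes unused and `tcp dport {{ hc_vault_api_port }} accept` admits any source; gating on the merged set, `{% if api_source_ips %}`, matches what the merge was evidently for. Whether `chain input` and `chain output` here attach to a hook and carry a policy depends on a base-chain declaration outside this file, which the template does not show.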