chore!: separated galaxy deps and own collections; modified ansible script generation to use two paths for collections

REQUIRES REGENERATING ansible.cfg!
This commit is contained in:
NaeiKinDus 2025-02-23 00:00:00 +00:00
parent 4af69c31ce
commit 888590ed9f
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
188 changed files with 30 additions and 30 deletions


@ -0,0 +1,18 @@
{%- if not hc_vault_server_config %}
ui = {% if hc_vault_enable_ui %}true{% else %}false{% endif +%}
disable_mlock = false
storage "file" {
path = "{{ hc_vault_root_dir }}/data"
}
# HTTPS listener
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "{{ hc_vault_root_dir }}/tls/tls.cert"
tls_key_file = "{{ hc_vault_root_dir }}/tls/tls.key"
tls_min_version = "tls13"
}
{%- else %}
{{ hc_vault_server_config }}
{% endif %}
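Review bot: The `address = "0.0.0.0:8200"` line in the `listener "tcp"` block hard-codes the API port, while the nftables template in this same commit opens `{{ hc_vault_api_port }}`; if that variable is ever set to anything but 8200 the firewall admits a port Vault does not listen on and blocks the one it does. Rendering the port from the same variable keeps the two in step: `address = "0.0.0.0:{{ hc_vault_api_port }}"`. A comment above `disable_mlock = false` should record what it depends on, e.g. `# mlock stays enabled: vault.service grants CAP_IPC_LOCK and sets LimitMEMLOCK=infinity`, so the unit file and this config are not hardened apart later. Note that this whole block only applies when `hc_vault_server_config` is empty; an operator-supplied config on the else branch bypasses every default here, including `tls_min_version`, which is worth stating in the role's variable documentation.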


@ -0,0 +1,3 @@
{% for item in hc_vault_environment_vars.keys() -%}
{{ item }} = {{ hc_vault_environment_vars[item] }}
{% endfor %}
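Review bot: The rendered line `{{ item }} = {{ hc_vault_environment_vars[item] }}` puts spaces around `=`; the systemd `EnvironmentFile=` parser that the unit in this commit points at this file tolerates that as far as I recall, but `KEY=VALUE` is the documented form and the one every other dotenv reader accepts, so `{{ item }}={{ hc_vault_environment_vars[item] }}` is the safer rendering. Values are emitted unquoted and unescaped, and systemd interprets quotes and backslashes in this file, so a value containing leading/trailing whitespace, a backslash or a quote will not survive verbatim — if such values are expected, double-quote the value in the template and escape embedded quotes. Everything in this map lands in plaintext in `{{ hc_vault_root_dir }}/config/vault.env`, so the task that templates it (outside this hunk) must set a restrictive mode and owner; a header line `# Rendered by Ansible for vault.service; may hold credentials, keep mode 0600` in the template makes that expectation visible to whoever edits it next.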


@ -0,0 +1,39 @@
[Unit]
Description="HashiCorp Vault"
Requires=network-online.target
After=network-online.target
StartLimitIntervalSec=120
StartLimitBurst=4
ConditionCapability=CAP_IPC_LOCK
ConditionCapability=CAP_SYSLOG
ConditionFileNotEmpty={{ hc_vault_root_dir }}/config/main.hcl
ConditionPathIsDirectory={{ hc_vault_root_dir }}/tls
[Install]
WantedBy=multi-user.target
[Service]
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SYSLOG
EnvironmentFile={{ hc_vault_root_dir }}/config/vault.env
ExecStart={{ hc_vault_binary_path }} server -config={{ hc_vault_root_dir }}/config/main.hcl
Group={{ hc_vault_runas }}
KillMode=process
KillSignal=SIGINT
LimitCORE=0
LimitMEMLOCK=infinity
LimitNOFILE=65536
LockPersonality=yes
NoNewPrivileges=yes
OOMScoreAdjust=-500
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
Restart=on-failure
RestartSec=5
SecureBits=keep-caps
TimeoutSec=30
Type=notify-reload
UMask=0077
User={{ hc_vault_runas }}
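Review bot: `Type=notify-reload` in the `[Service]` section is only understood by systemd 253 and newer, and it additionally requires the daemon to send `RELOADING=1` and then `READY=1` over sd_notify when it receives the reload signal; on older hosts the unit fails to load, and if Vault does not emit those notifications a `systemctl reload` hangs until `TimeoutSec` expires. Unless both are confirmed for the target hosts, `Type=notify` with an explicit `ExecReload=/bin/kill -HUP $MAINPID` is the portable form. `Description="HashiCorp Vault"` keeps the quotes as literal text — systemd does not strip them for this setting, as far as I know — so `systemctl status` prints them; `Description=HashiCorp Vault` is cleaner. Placing `[Install]` between `[Unit]` and `[Service]` is valid but unusual; the conventional `[Unit]` / `[Service]` / `[Install]` order makes the file easier to diff against the upstream vault.service it is modelled on.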


@ -0,0 +1,13 @@
{%- set api_source_ips = firewall_lb_ips | default({}, True) -%}
{%- set noop = api_source_ips.update(firewall_cluster_nodes_ips) -%}
table inet filter {
chain input {
{% if firewall_lb_ips %}ip saddr { {{ api_source_ips | join (', ') }} } {% endif %}tcp dport {{ hc_vault_api_port }} accept
{% if firewall_cluster_nodes_ips %}ip saddr { {{ firewall_cluster_nodes_ips | join(', ') }} } tcp dport {{ hc_vault_raft_cluster_port }}{% endif +%}
}
chain output {
{% if firewall_lb_ips %}ip daddr { {{ api_source_ips | join (', ') }} } {% endif %}tcp sport {{ hc_vault_api_port }} accept
{% if firewall_cluster_nodes_ips %}ip daddr { {{ firewall_cluster_nodes_ips | join(', ') }} } tcp sport {{ hc_vault_raft_cluster_port }}{% endif +%}
}
}
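Review bot: The two raft-cluster rules carry no verdict: `ip saddr { ... } tcp dport {{ hc_vault_raft_cluster_port }}` in `chain input`, and its `tcp sport` mirror in `chain output`, end inside `{% endif +%}` without `accept`, so they match and fall through, and the cluster port stays closed whenever the chain's policy (set outside this template) is drop. Append the verdict in both places: `... tcp dport {{ hc_vault_raft_cluster_port }} accept{% endif +%}` and `... tcp sport {{ hc_vault_raft_cluster_port }} accept{% endif +%}`. Two things are worth a comment at the top of the template: `api_source_ips.update(...)` mutates `firewall_lb_ips` in place whenever that variable is defined, and `join` on a dict emits only its keys, so both variables are presumably keyed by IP address — confirm against the inventory. When `firewall_lb_ips` is empty the `saddr` match is omitted entirely and the API port is accepted from any source, even though `api_source_ips` still holds the cluster node addresses; if that open fallback is deliberate, say so in a comment, otherwise gate the match on `api_source_ips` instead.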