From ddf406fd37f88d9989c3e2a2c4f6ec5a0653d28b Mon Sep 17 00:00:00 2001 From: NaeiKinDus Date: Wed, 26 Jun 2024 00:00:00 +0000 Subject: [PATCH] feat(vault): add a HashiCorp Vault role --- .../roles/vault/defaults/main.yml | 21 +++ .../roles/vault/handlers/main.yml | 20 +++ .../infrastructure/roles/vault/meta/main.yml | 21 +++ .../roles/vault/tasks/initialize.yml | 38 +++++ .../roles/vault/tasks/install.yml | 151 ++++++++++++++++++ .../infrastructure/roles/vault/tasks/main.yml | 61 +++++++ .../roles/vault/tasks/prerequisites.yml | 62 +++++++ .../roles/vault/tasks/security.yml | 14 ++ .../roles/vault/templates/config.hcl.j2 | 18 +++ .../roles/vault/templates/env.j2 | 3 + .../vault/templates/vault-unit.service.j2 | 39 +++++ .../roles/vault/templates/vault.nft.j2 | 13 ++ .../roles/vault/tests/inventory | 2 + .../infrastructure/roles/vault/vars/main.yml | 1 + inventory/group_vars/vault/vars.yml | 2 + inventory/host_vars/actinium/vars.yml | 4 + playbooks/internal.yml | 7 + 17 files changed, 477 insertions(+) create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/defaults/main.yml create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/handlers/main.yml create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/meta/main.yml create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/initialize.yml create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install.yml create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/main.yml create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/prerequisites.yml create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/security.yml create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/templates/config.hcl.j2 create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/templates/env.j2 create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/templates/vault-unit.service.j2 create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/templates/vault.nft.j2 create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/tests/inventory create mode 100644 collections/ansible_collections/nullified/infrastructure/roles/vault/vars/main.yml create mode 100644 inventory/group_vars/vault/vars.yml diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/defaults/main.yml new file mode 100644 index 0000000..ac58573 --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/defaults/main.yml @@ -0,0 +1,21 @@ +--- +hc_vault_api_port: 8200 +hc_vault_architecture: linux_amd64 +hc_vault_cluster_nodes: +hc_vault_default_binary_path: /usr/local/bin/vault +hc_vault_default_shell: /usr/sbin/nologin +hc_vault_default_umask: '0077' +hc_vault_enable_ui: false +hc_vault_environment_vars: {} +hc_vault_gpg_key_fingerprint_regexp: '\bC874[[:space:]]+011F[[:space:]]+0AB4[[:space:]]+0511[[:space:]]+0D02[[:space:]]+1055[[:space:]]+3436[[:space:]]+5D94[[:space:]]+72D7[[:space:]]+468F\b' +hc_vault_gpg_key_id_regexp: 34365D9472D7468F +hc_vault_initialize: false +hc_vault_raft_cluster_port: 8201 +hc_vault_root_dir: /srv/vault +hc_vault_runas: vault +hc_vault_server_config: +hc_vault_server_tls_cert_data: +hc_vault_server_tls_key_data: +hc_vault_init_key_shares_count: 1 +hc_vault_init_key_threshold: 1 +hc_vault_init_provisioner_data_filepath: /tmp diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/handlers/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/handlers/main.yml new file mode 100644 index 0000000..0a60819 --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/handlers/main.yml @@ -0,0 +1,20 @@ +--- +- name: 'reload vault service' + become: true + ansible.builtin.systemd_service: + name: vault.service + enabled: true + state: reloaded + +- name: 'restart vault service' + become: true + ansible.builtin.systemd_service: + name: vault.service + daemon_reload: true + enabled: true + state: restarted + +- name: 'load firewall rules' + become: true + ansible.builtin.command: /usr/sbin/nft -f /etc/nftables.d/vault.nft + when: nft_rules.changed diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/meta/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/meta/main.yml new file mode 100644 index 0000000..d0d54b0 --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + author: Florian L. + namespace: nullified + description: Install HashiCorp Vault + # issue_tracker_url: http://example.com/issue/tracker + license: MIT + min_ansible_version: 2.15 + + # https://galaxy.ansible.com/api/v1/platforms/ + platforms: + - name: Debian + versions: + - bookworm + + galaxy_tags: + - hashicorp + - vault + - secrets + +dependencies: [] diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/initialize.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/initialize.yml new file mode 100644 index 0000000..b77f064 --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/initialize.yml @@ -0,0 +1,38 @@ +--- +- name: initialize vault + become: true + no_log: true + ansible.builtin.command: + cmd: > + vault operator init + -tls-skip-verify -non-interactive -format=yaml + -key-shares={{ hc_vault_init_key_shares_count }} + -key-threshold={{ hc_vault_init_key_threshold }} + chdir: '{{ hc_vault_root_dir }}' + environment: + VAULT_ADDR: 'https://127.0.0.1:8200' + DBUS_SESSION_BUS_ADDRESS: '/dev/null' + register: init_data + +- name: set init data filename + no_log: true + ansible.builtin.set_fact: + hc_vault_init_data_filename: "{{ hc_vault_init_data_filepath | default('/tmp', True) }}/vault_{{ ansible_facts['fqdn'] }}_init.yml" + +- name: save initialization data + connection: local + no_log: true + block: + - name: save content to temp file + ansible.builtin.copy: + content: '{{ init_data.stdout }}' + dest: '{{ hc_vault_init_data_filename }}' + mode: '0600' + owner: "{{ ansible_facts['user_id'] }}" + group: "{{ ansible_facts['user_id'] }}" + +- name: print init data file location + no_log: true + ansible.builtin.debug: + msg: 'Initialization data is stored in file "{{ hc_vault_init_data_filename }}". MAKE SURE TO SAVE IT SOMEWHERE SAFE!' + verbosity: 0 diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install.yml new file mode 100644 index 0000000..b048181 --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install.yml @@ -0,0 +1,151 @@ +--- +- name: '[setup] gather facts if not already done' + ansible.builtin.setup: + gather_subset: + - all_ipv4_addresses + - default_ipv4 + - dns + +- name: install vault binary + when: not hc_vault_binary_installed or hc_vault_local_binary_version != hc_vault_version + notify: + - 'vault : restart vault service' + block: + - name: download archive + ansible.builtin.get_url: + url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip' + dest: '{{ tmp_file.path }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip' + mode: '0600' + - name: download SHASUMs file signature + ansible.builtin.get_url: + url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS.sig' + dest: '{{ tmp_file.path }}/shasums.sig' + mode: '0600' + - name: download SHASUMs files for vault releases + ansible.builtin.get_url: + url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS' + dest: '{{ tmp_file.path }}/shasums.txt' + mode: '0600' + - name: Verify downloaded files integrity + block: + - name: check SHASUMs file integrity + ansible.builtin.command: 'gpg --verify {{ tmp_file.path }}/shasums.sig {{ tmp_file.path }}/shasums.txt' + - name: check SHASUM of the downloaded archive + ansible.builtin.command: + cmd: 'sha256sum -c {{ tmp_file.path }}/shasums.txt' + chdir: '{{ tmp_file.path }}' + register: shasum_check + failed_when: 'search_string not in shasum_check.stdout' + vars: + search_string: 'vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip: OK' + - name: install vault package + become: true + ansible.builtin.shell: | + cd {{ tmp_file.path }} + unzip -o vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip + install -g {{ hc_vault_runas }} -o {{ hc_vault_runas }} -p -m 500 ./vault {{ hc_vault_binary_path }} + {{ hc_vault_binary_path }} -h > /dev/null || (echo "Unexpected return, binary might be invalid") + - name: prepare directory layout + become: true + ansible.builtin.file: + path: '{{ item }}' + owner: '{{ hc_vault_runas }}' + group: '{{ hc_vault_runas }}' + mode: '0700' + state: directory + loop: + - '{{ hc_vault_root_dir }}/config' + - '{{ hc_vault_root_dir }}/data' + - '{{ hc_vault_root_dir }}/tls' + +- name: install systemd unit file + become: true + notify: + - 'vault : restart vault service' + ansible.builtin.template: + src: ../templates/vault-unit.service.j2 + dest: /lib/systemd/system/vault.service + mode: '0644' + owner: root + group: root + +- name: install default vault configuration file + become: true + notify: + - 'vault : restart vault service' + no_log: true + ansible.builtin.template: + src: ../templates/config.hcl.j2 + dest: '{{ hc_vault_root_dir }}/config/main.hcl' + mode: '0600' + owner: '{{ hc_vault_runas }}' + group: '{{ hc_vault_runas }}' + +- name: install environment file + become: true + notify: + - 'vault : restart vault service' + no_log: true + ansible.builtin.template: + src: ../templates/env.j2 + dest: '{{ hc_vault_root_dir }}/config/vault.env' + mode: '0600' + owner: '{{ hc_vault_runas }}' + group: '{{ hc_vault_runas }}' + +- name: install TLS certificate and key + become: true + notify: + - 'vault : reload vault service' + no_log: true + block: + - name: copy provided data + block: + - name: TLS certificate + ansible.builtin.copy: + content: '{{ hc_vault_server_tls_cert_data }}' + dest: '{{ hc_vault_root_dir }}/tls/tls.cert' + owner: '{{ hc_vault_runas }}' + group: '{{ hc_vault_runas }}' + mode: '0600' + - name: Private key + ansible.builtin.copy: + content: '{{ hc_vault_server_tls_key_data }}' + dest: '{{ hc_vault_root_dir }}/tls/tls.key' + owner: '{{ hc_vault_runas }}' + group: '{{ hc_vault_runas }}' + mode: '0600' + when: hc_vault_server_tls_cert_data and hc_vault_server_tls_key_data + - name: generate new files + block: + - name: generate ECDSA key + ansible.builtin.command: + cmd: openssl ecparam -name prime256v1 -genkey -out tls.key + chdir: '{{ hc_vault_root_dir }}/tls' + creates: '{{ hc_vault_root_dir }}/tls/tls.key' + - name: generate certificate + ansible.builtin.command: + cmd: > + openssl req -new -days 3650 -nodes -x509 + -subj "/C=FR/ST=Void/L=Void/O=IT/OU=Vault/CN={{ ansible_facts['fqdn'] }}" + -addext "subjectAltName = DNS:localhost, DNS:{{ ansible_facts['hostname'] }}, IP:{{ ansible_facts['default_ipv4']['address'] | default(ansible_facts['all_ipv4_addresses'][0]) }}, IP:127.0.0.1" + -addext "extendedKeyUsage = serverAuth" + -addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" + -addext "basicConstraints = CA:FALSE" + -key tls.key -out tls.cert + chdir: '{{ hc_vault_root_dir }}/tls' + creates: '{{ hc_vault_root_dir }}/tls/tls.cert' + - name: update files ownership + ansible.builtin.file: + path: '{{ hc_vault_root_dir }}/tls/{{ item }}' + state: file + owner: '{{ hc_vault_runas }}' + group: '{{ hc_vault_runas }}' + mode: '0600' + loop: + - tls.key + - tls.cert + when: not hc_vault_server_tls_cert_data or not hc_vault_server_tls_key_data + +- name: flush handlers + meta: flush_handlers diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/main.yml new file mode 100644 index 0000000..4e6c36e --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/main.yml @@ -0,0 +1,61 @@ +--- +- name: create temp directory + ansible.builtin.tempfile: + state: directory + register: tmp_file + changed_when: false + +- name: find vault path + ansible.builtin.command: 'bash -c "command -v vault"' + register: output_vault_binary_path + failed_when: false + changed_when: false + +- name: find local vault binary version + become: true + environment: + DBUS_SESSION_BUS_ADDRESS: /dev/null + VAULT_ADDR: 'https://127.0.0.1:8200' + ansible.builtin.shell: "{{ output_vault_binary_path.stdout }} version | sed -E 's/Vault[[:space:]]+v([0-9.-]+)(\\b|$).*$/\\1/'" + when: output_vault_binary_path.rc == 0 + register: output_vault_binary_version + changed_when: false + +- name: set binary facts + ansible.builtin.set_fact: + hc_vault_binary_installed: "{{ 'true' if output_vault_binary_path.rc == 0 else 'false' }}" + hc_vault_binary_path: "{{ output_vault_binary_path.stdout | default(hc_vault_default_binary_path, true) }}" + hc_vault_local_binary_version: "{{ output_vault_binary_version.get('stdout', None) }}" + +- name: run prerequisite tasks + ansible.builtin.import_tasks: prerequisites.yml + +- name: install vault + ansible.builtin.import_tasks: install.yml + +- name: run security configuration + ansible.builtin.import_tasks: security.yml + +- name: find vault initialization status + ansible.builtin.command: '{{ output_vault_binary_path.stdout }} operator init -status -tls-skip-verify' + become: true + register: hc_vault_init_status + environment: + DBUS_SESSION_BUS_ADDRESS: /dev/null + VAULT_ADDR: 'https://127.0.0.1:8200' + failed_when: hc_vault_init_status.rc == 1 + changed_when: false + +- name: initialize vault + ansible.builtin.import_tasks: initialize.yml + when: hc_vault_initialize and hc_vault_init_status.rc == 2 + +- name: cleanup + become: true + ansible.builtin.file: + path: '{{ tmp_file.path }}' + state: absent + changed_when: false + +- name: flush handlers + meta: flush_handlers diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/prerequisites.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/prerequisites.yml new file mode 100644 index 0000000..8966cc7 --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/prerequisites.yml @@ -0,0 +1,62 @@ +--- +# APT repository is unreliable, not working when this code was developed, so the zip solution is favored +- name: install required packages + become: true + ansible.builtin.apt: + update_cache: true + cache_valid_time: 3600 + force_apt_get: true + pkg: + - gpg + - curl + - coreutils + +- name: create vault group + become: true + ansible.builtin.group: + name: '{{ hc_vault_runas }}' + system: true + +- name: create vault user + become: true + ansible.builtin.user: + comment: vault dedicated user + create_home: true + home: '{{ hc_vault_root_dir }}' + group: '{{ hc_vault_runas }}' + name: '{{ hc_vault_runas }}' + password_lock: true + shell: '{{ hc_vault_default_shell }}' + state: present + system: true + umask: '{{ hc_vault_default_umask }}' + +- name: check HC GPG key is imported + become: true + ansible.builtin.command: gpg --list-keys 'HashiCorp Security' + register: gpg_list_keys + changed_when: false + failed_when: false + +- name: import and verify HC GPG key + become: true + block: + - name: fetch HC GPG key + ansible.builtin.get_url: + url: 'https://www.hashicorp.com/.well-known/pgp-key.txt' + dest: '{{ tmp_file.path }}/pgp-key.txt' + mode: '0600' + - name: import HC GPG key + ansible.builtin.command: 'gpg --import {{ tmp_file.path }}/pgp-key.txt' + - name: check GPG key ID + ansible.builtin.command: "gpg --list-keys 'HashiCorp Security' | grep -iE '{{ hc_vault_gpg_key_id_regexp }}'" + - name: check GPG key fingerprint + ansible.builtin.command: "gpg --fingerprint --list-signatures 'HashiCorp Security' | grep -iE '{{ hc_vault_gpg_key_fingerprint_regexp }}'" + when: gpg_list_keys.rc != 0 + rescue: + - name: remove invalid GPG key + ansible.builtin.command: "gpg --delete-keys --batch --yes 'HashiCorp Security'" + - name: stop the playbook run + ansible.builtin.debug: + msg: 'Task "{{ ansible_failed_task }}" found an inconsistency with the imported GPG key; something somewhere is deeply wrong.' + failed_when: true diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/security.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/security.yml new file mode 100644 index 0000000..01c2abd --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/security.yml @@ -0,0 +1,14 @@ +--- +- name: install firewall rules + become: true + ansible.builtin.template: + src: ../templates/vault.nft.j2 + dest: /etc/nftables.d/vault.nft + mode: '0600' + owner: root + group: root + vars: + firewall_lb_ips: '{{ hc_vault_security_lb_ips | default({}, True) }}' + firewall_cluster_nodes_ips: '{{ hc_vault_security_cluster_nodes | default({}, True) }}' + notify: + - 'vault : load firewall rules' diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/config.hcl.j2 b/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/config.hcl.j2 new file mode 100644 index 0000000..ed6ddda --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/config.hcl.j2 @@ -0,0 +1,18 @@ +{%- if not hc_vault_server_config %} +ui = {% if hc_vault_enable_ui %}true{% else %}false{% endif +%} +disable_mlock = false + +storage "file" { + path = "{{ hc_vault_root_dir }}/data" +} + +# HTTPS listener +listener "tcp" { + address = "0.0.0.0:8200" + tls_cert_file = "{{ hc_vault_root_dir }}/tls/tls.cert" + tls_key_file = "{{ hc_vault_root_dir }}/tls/tls.key" + tls_min_version = "tls13" +} +{%- else %} +{{ hc_vault_server_config }} +{% endif %} diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/env.j2 b/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/env.j2 new file mode 100644 index 0000000..6c5075b --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/env.j2 @@ -0,0 +1,3 @@ +{% for item in hc_vault_environment_vars.keys() -%} + {{ item }} = {{ hc_vault_environment_vars[item] }} +{% endfor %} diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/vault-unit.service.j2 b/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/vault-unit.service.j2 new file mode 100644 index 0000000..8080ac1 --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/vault-unit.service.j2 @@ -0,0 +1,39 @@ +[Unit] +Description="HashiCorp Vault" +Requires=network-online.target +After=network-online.target +StartLimitIntervalSec=120 +StartLimitBurst=4 +ConditionCapability=CAP_IPC_LOCK +ConditionCapability=CAP_SYSLOG +ConditionFileNotEmpty={{ hc_vault_root_dir }}/config/main.hcl +ConditionPathIsDirectory={{ hc_vault_root_dir }}/tls + +[Install] +WantedBy=multi-user.target + +[Service] +AmbientCapabilities=CAP_IPC_LOCK +CapabilityBoundingSet=CAP_IPC_LOCK CAP_SYSLOG +EnvironmentFile={{ hc_vault_root_dir }}/config/vault.env +ExecStart={{ hc_vault_binary_path }} server -config={{ hc_vault_root_dir }}/config/main.hcl +Group={{ hc_vault_runas }} +KillMode=process +KillSignal=SIGINT +LimitCORE=0 +LimitMEMLOCK=infinity +LimitNOFILE=65536 +LockPersonality=yes +NoNewPrivileges=yes +OOMScoreAdjust=-500 +PrivateDevices=yes +PrivateTmp=yes +ProtectHome=yes +ProtectSystem=full +Restart=on-failure +RestartSec=5 +SecureBits=keep-caps +TimeoutSec=30 +Type=notify-reload +UMask=0077 +User={{ hc_vault_runas }} diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/vault.nft.j2 b/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/vault.nft.j2 new file mode 100644 index 0000000..297ff49 --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/templates/vault.nft.j2 @@ -0,0 +1,13 @@ +{%- set api_source_ips = firewall_lb_ips | default({}, True) -%} +{%- set noop = api_source_ips.update(firewall_cluster_nodes_ips) -%} +table inet filter { + chain input { + {% if firewall_lb_ips %}ip saddr { {{ api_source_ips | join (', ') }} } {% endif %}tcp dport {{ hc_vault_api_port }} accept + {% if firewall_cluster_nodes_ips %}ip saddr { {{ firewall_cluster_nodes_ips | join(', ') }} } tcp dport {{ hc_vault_raft_cluster_port }}{% endif +%} + } + + chain output { + {% if firewall_lb_ips %}ip daddr { {{ api_source_ips | join (', ') }} } {% endif %}tcp sport {{ hc_vault_api_port }} accept + {% if firewall_cluster_nodes_ips %}ip daddr { {{ firewall_cluster_nodes_ips | join(', ') }} } tcp sport {{ hc_vault_raft_cluster_port }}{% endif +%} + } +} diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/tests/inventory b/collections/ansible_collections/nullified/infrastructure/roles/vault/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/vars/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/vars/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/vars/main.yml @@ -0,0 +1 @@ +--- diff --git a/inventory/group_vars/vault/vars.yml b/inventory/group_vars/vault/vars.yml new file mode 100644 index 0000000..dbf3b40 --- /dev/null +++ b/inventory/group_vars/vault/vars.yml @@ -0,0 +1,2 @@ +hc_vault_version: '{{ vault_hc_vault_version }}' +hc_vault_architecture: linux_amd64 diff --git a/inventory/host_vars/actinium/vars.yml b/inventory/host_vars/actinium/vars.yml index 9a183b2..7b1a899 100644 --- a/inventory/host_vars/actinium/vars.yml +++ b/inventory/host_vars/actinium/vars.yml @@ -30,3 +30,7 @@ k3s_cluster_additional_tf_resources: tfvars_content: '{{ vault_invoice_ninja_tfvars }}' tfstate_path: '{{ vault_invoice_ninja_tfstate_path }}' # storage_dir: + +hc_vault_server_tls_cert_data: '{{ vault_hc_vault_server_tls_cert_data }}' +hc_vault_server_tls_key_data: '{{ vault_hc_vault_server_tls_key_data }}' +hc_vault_initialize: true diff --git a/playbooks/internal.yml b/playbooks/internal.yml index f98a70b..c010663 100644 --- a/playbooks/internal.yml +++ b/playbooks/internal.yml @@ -17,6 +17,13 @@ ansible.builtin.include_role: name: nullified.infrastructure.server +- name: setup vault + hosts: internal:&vault + tasks: + - name: include vault role + ansible.builtin.include_role: + name: nullified.infrastructure.vault + - name: setup mariadb servers hosts: internal:&mariadb tasks: