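---
# Vault server provisioning: directory layout, systemd unit, configuration,
# environment file and TLS material. Every file-writing task runs with
# become: true and hands ownership to hc_vault_runas.

# Only the address/DNS fact subsets are requested. Ansible still collects the
# `min` subset (hostname, fqdn, ...) unless it is excluded explicitly, which the
# certificate task below relies on for the CN and the DNS SAN.
- name: '[setup] gather facts if not already done'
  ansible.builtin.setup:
    gather_subset:
      - all_ipv4_addresses
      - default_ipv4
      - dns

# 0700 on every directory: config/ and tls/ hold secrets, and the restrictive
# directory mode also covers the short window between the openssl calls below
# creating tls.key/tls.cert and the "update files ownership" task setting 0600.
- name: prepare directory layout
  become: true
  ansible.builtin.file:
    path: '{{ item }}'
    owner: '{{ hc_vault_runas }}'
    group: '{{ hc_vault_runas }}'
    mode: '0700'
    state: directory
  loop:
    - '{{ hc_vault_root_dir }}/config'
    - '{{ hc_vault_root_dir }}/data'
    - '{{ hc_vault_root_dir }}/tls'

# NOTE(review): /lib/systemd/system is the distribution/package unit directory;
# locally managed units conventionally live in /etc/systemd/system — confirm
# this is intended and that the restart handler also performs a daemon-reload.
- name: install systemd unit file
  become: true
  notify:
    - 'vault : restart vault service'
  ansible.builtin.template:
    src: ../templates/vault-unit.service.j2
    dest: /lib/systemd/system/vault.service
    mode: '0644'
    owner: root
    group: root

# no_log because the rendered configuration may carry secrets; this also hides
# the template diff and any error output for this task.
- name: install default vault configuration file
  become: true
  notify:
    - 'vault : restart vault service'
  no_log: true
  ansible.builtin.template:
    src: ../templates/config.hcl.j2
    dest: '{{ hc_vault_root_dir }}/config/main.hcl'
    mode: '0600'
    owner: '{{ hc_vault_runas }}'
    group: '{{ hc_vault_runas }}'

# Same reasoning as the configuration file: the environment file is 0600 and
# its contents are kept out of the log.
- name: install environment file
  become: true
  notify:
    - 'vault : restart vault service'
  no_log: true
  ansible.builtin.template:
    src: ../templates/env.j2
    dest: '{{ hc_vault_root_dir }}/config/vault.env'
    mode: '0600'
    owner: '{{ hc_vault_runas }}'
    group: '{{ hc_vault_runas }}'

# TLS material. Exactly one of the two inner blocks runs: operator-provided
# certificate and key are copied when BOTH are set, otherwise a self-signed pair
# is generated on the host. A change in either path only reloads (not restarts)
# the service.
- name: install TLS certificate and key
  become: true
  notify:
    - 'vault : reload vault service'
  no_log: true
  block:
    - name: copy provided data
      block:
        - name: TLS certificate
          ansible.builtin.copy:
            content: '{{ hc_vault_server_tls_cert_data }}'
            dest: '{{ hc_vault_root_dir }}/tls/tls.cert'
            owner: '{{ hc_vault_runas }}'
            group: '{{ hc_vault_runas }}'
            mode: '0600'
        - name: Private key
          ansible.builtin.copy:
            content: '{{ hc_vault_server_tls_key_data }}'
            dest: '{{ hc_vault_root_dir }}/tls/tls.key'
            owner: '{{ hc_vault_runas }}'
            group: '{{ hc_vault_runas }}'
            mode: '0600'
      when: hc_vault_server_tls_cert_data and hc_vault_server_tls_key_data

    - name: generate new files
      block:
        # P-256 private key; `creates` makes the task idempotent so an existing
        # key is never overwritten.
        - name: generate ECDSA key
          ansible.builtin.command:
            cmd: openssl ecparam -name prime256v1 -genkey -out tls.key
            chdir: '{{ hc_vault_root_dir }}/tls'
            creates: '{{ hc_vault_root_dir }}/tls/tls.key'

        # Self-signed leaf certificate. SANs cover localhost, the short hostname
        # and the primary IPv4 address (falling back to the first known address
        # when no default route exists). Validity is parameterised through
        # hc_vault_tls_cert_days and defaults to the previous hard-coded 3650.
        # keyUsage: keyEncipherment is an RSA key-transport bit and has no
        # meaning for an EC key, so only the signature bits are asserted.
        - name: generate certificate
          ansible.builtin.command:
            cmd: >-
              openssl req -new
              -days {{ hc_vault_tls_cert_days | default(3650) }}
              -nodes -x509
              -subj "/C=FR/ST=Void/L=Void/O=IT/OU=Vault/CN={{ ansible_facts['fqdn'] }}"
              -addext "subjectAltName = DNS:localhost,
              DNS:{{ ansible_facts['hostname'] }},
              IP:{{ ansible_facts['default_ipv4']['address'] | default(ansible_facts['all_ipv4_addresses'][0]) }},
              IP:127.0.0.1"
              -addext "extendedKeyUsage = serverAuth"
              -addext "keyUsage = nonRepudiation, digitalSignature"
              -addext "basicConstraints = CA:FALSE"
              -key tls.key
              -out tls.cert
            chdir: '{{ hc_vault_root_dir }}/tls'
            # NOTE: `creates` keys on the certificate only; a regenerated
            # tls.key next to an existing tls.cert will not trigger a new
            # certificate and the pair will no longer match.
            creates: '{{ hc_vault_root_dir }}/tls/tls.cert'

        # openssl writes with the caller's umask; tighten both files to 0600 and
        # hand them to the service account.
        - name: update files ownership
          ansible.builtin.file:
            path: '{{ hc_vault_root_dir }}/tls/{{ item }}'
            state: file
            owner: '{{ hc_vault_runas }}'
            group: '{{ hc_vault_runas }}'
            mode: '0600'
          loop:
            - tls.key
            - tls.cert
      when: not hc_vault_server_tls_cert_data or not hc_vault_server_tls_key_data

# Run the notified restart/reload handlers now rather than at the end of the
# play, so the service picks up the files written above before later tasks.
- name: flush handlers
  meta: flush_handlers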