WoodSmellParticle/ansible-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ansible-infra/ansible_collections/nullified/infrastructure/roles/vault/tasks/prerequisites.yml

62 lines
2 KiB
YAML
Raw Blame History

---
# APT repository is unreliable, not working when this code was developed, so the zip solution is favored
- name: install required packages
become: true
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
force_apt_get: true
pkg:
- gpg
- curl
- coreutils
- name: create vault group
become: true
ansible.builtin.group:
name: '{{ hc_vault_runas }}'
system: true
- name: create vault user
become: true
ansible.builtin.user:
comment: vault dedicated user
create_home: true
home: '{{ hc_vault_root_dir }}'
group: '{{ hc_vault_runas }}'
name: '{{ hc_vault_runas }}'
password_lock: true
shell: '{{ hc_vault_default_shell }}'
state: present
system: true
umask: '{{ hc_vault_default_umask }}'
- name: check HC GPG key is imported
become: true
ansible.builtin.command: gpg --list-keys 'HashiCorp Security'
register: gpg_list_keys
changed_when: false
failed_when: false
- name: import and verify HC GPG key
become: true
block:
- name: fetch HC GPG key
ansible.builtin.get_url:
url: 'https://www.hashicorp.com/.well-known/pgp-key.txt'
dest: '{{ tmp_file.path }}/pgp-key.txt'
mode: '0600'
- name: import HC GPG key
ansible.builtin.command: 'gpg --import {{ tmp_file.path }}/pgp-key.txt'
- name: check GPG key ID
ansible.builtin.command: "gpg --list-keys 'HashiCorp Security' | grep -iE '{{ hc_vault_gpg_key_id_regexp }}'"
- name: check GPG key fingerprint
ansible.builtin.command: "gpg --fingerprint --list-signatures 'HashiCorp Security' | grep -iE '{{ hc_vault_gpg_key_fingerprint_regexp }}'"
when: gpg_list_keys.rc != 0
rescue:
- name: remove invalid GPG key
ansible.builtin.command: "gpg --delete-keys --batch --yes 'HashiCorp Security'"
- name: stop the playbook run
ansible.builtin.debug:
msg: 'Task "{{ ansible_failed_task }}" found an inconsistency with the imported GPG key; something somewhere is deeply wrong.'
failed_when: true
Reference in a new issue View git blame Copy permalink