112 lines
3.7 KiB
YAML
112 lines
3.7 KiB
YAML
---
|
|
- name: '[setup] gather facts if not already done'
|
|
ansible.builtin.setup:
|
|
gather_subset:
|
|
- all_ipv4_addresses
|
|
- default_ipv4
|
|
- dns
|
|
|
|
- name: prepare directory layout
|
|
become: true
|
|
ansible.builtin.file:
|
|
path: '{{ item }}'
|
|
owner: '{{ hc_vault_runas }}'
|
|
group: '{{ hc_vault_runas }}'
|
|
mode: '0700'
|
|
state: directory
|
|
loop:
|
|
- '{{ hc_vault_root_dir }}/config'
|
|
- '{{ hc_vault_root_dir }}/data'
|
|
- '{{ hc_vault_root_dir }}/tls'
|
|
|
|
- name: install systemd unit file
|
|
become: true
|
|
notify:
|
|
- 'vault : restart vault service'
|
|
ansible.builtin.template:
|
|
src: ../templates/vault-unit.service.j2
|
|
dest: /lib/systemd/system/vault.service
|
|
mode: '0644'
|
|
owner: root
|
|
group: root
|
|
|
|
- name: install default vault configuration file
|
|
become: true
|
|
notify:
|
|
- 'vault : restart vault service'
|
|
no_log: true
|
|
ansible.builtin.template:
|
|
src: ../templates/config.hcl.j2
|
|
dest: '{{ hc_vault_root_dir }}/config/main.hcl'
|
|
mode: '0600'
|
|
owner: '{{ hc_vault_runas }}'
|
|
group: '{{ hc_vault_runas }}'
|
|
|
|
- name: install environment file
|
|
become: true
|
|
notify:
|
|
- 'vault : restart vault service'
|
|
no_log: true
|
|
ansible.builtin.template:
|
|
src: ../templates/env.j2
|
|
dest: '{{ hc_vault_root_dir }}/config/vault.env'
|
|
mode: '0600'
|
|
owner: '{{ hc_vault_runas }}'
|
|
group: '{{ hc_vault_runas }}'
|
|
|
|
- name: install TLS certificate and key
|
|
become: true
|
|
notify:
|
|
- 'vault : reload vault service'
|
|
no_log: true
|
|
block:
|
|
- name: copy provided data
|
|
block:
|
|
- name: TLS certificate
|
|
ansible.builtin.copy:
|
|
content: '{{ hc_vault_server_tls_cert_data }}'
|
|
dest: '{{ hc_vault_root_dir }}/tls/tls.cert'
|
|
owner: '{{ hc_vault_runas }}'
|
|
group: '{{ hc_vault_runas }}'
|
|
mode: '0600'
|
|
- name: Private key
|
|
ansible.builtin.copy:
|
|
content: '{{ hc_vault_server_tls_key_data }}'
|
|
dest: '{{ hc_vault_root_dir }}/tls/tls.key'
|
|
owner: '{{ hc_vault_runas }}'
|
|
group: '{{ hc_vault_runas }}'
|
|
mode: '0600'
|
|
when: hc_vault_server_tls_cert_data and hc_vault_server_tls_key_data
|
|
- name: generate new files
|
|
block:
|
|
- name: generate ECDSA key
|
|
ansible.builtin.command:
|
|
cmd: openssl ecparam -name prime256v1 -genkey -out tls.key
|
|
chdir: '{{ hc_vault_root_dir }}/tls'
|
|
creates: '{{ hc_vault_root_dir }}/tls/tls.key'
|
|
- name: generate certificate
|
|
ansible.builtin.command:
|
|
cmd: >
|
|
openssl req -new -days 3650 -nodes -x509
|
|
-subj "/C=FR/ST=Void/L=Void/O=IT/OU=Vault/CN={{ ansible_facts['fqdn'] }}"
|
|
-addext "subjectAltName = DNS:localhost, DNS:{{ ansible_facts['hostname'] }}, IP:{{ ansible_facts['default_ipv4']['address'] | default(ansible_facts['all_ipv4_addresses'][0]) }}, IP:127.0.0.1"
|
|
-addext "extendedKeyUsage = serverAuth"
|
|
-addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment"
|
|
-addext "basicConstraints = CA:FALSE"
|
|
-key tls.key -out tls.cert
|
|
chdir: '{{ hc_vault_root_dir }}/tls'
|
|
creates: '{{ hc_vault_root_dir }}/tls/tls.cert'
|
|
- name: update files ownership
|
|
ansible.builtin.file:
|
|
path: '{{ hc_vault_root_dir }}/tls/{{ item }}'
|
|
state: file
|
|
owner: '{{ hc_vault_runas }}'
|
|
group: '{{ hc_vault_runas }}'
|
|
mode: '0600'
|
|
loop:
|
|
- tls.key
|
|
- tls.cert
|
|
when: not hc_vault_server_tls_cert_data or not hc_vault_server_tls_key_data
|
|
|
|
- name: flush handlers
|
|
meta: flush_handlers
|