authorThedro Neely <thedroneely@gmail.com>2019-12-18 19:54:23 -0500
committerThedro Neely <thedroneely@gmail.com>2019-12-18 19:54:23 -0500
commite36ac0cd111f68ca0979f48e962a4df3dd481bec (patch)
treee801d1ef952bced33eb708cc4dc3908ea40e9f57 /roles/vault
parent7e950723fe456f51847ece075a42980ba89dfcb6 (diff)
roles/vault/vault.yml: Add playbook
Diffstat (limited to 'roles/vault')
-rw-r--r--roles/vault/files/config.json15
-rw-r--r--roles/vault/files/supervisord.conf30
-rw-r--r--roles/vault/vault.yml83
3 files changed, 128 insertions, 0 deletions
diff --git a/roles/vault/files/config.json b/roles/vault/files/config.json
new file mode 100644
index 0000000..3ca5a3d
--- /dev/null
+++ b/roles/vault/files/config.json
@@ -0,0 +1,15 @@
+ui = true
+
+storage "file" {
+ path = "/opt/vault/data"
+}
+
+listener "tcp" {
+ address = "0.0.0.0:8100"
+ tls_disable = 1
+}
+
+telemetry {
+ prometheus_retention_time = "30s",
+ disable_hostname = true
+}
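Review bot: The listener at line 34 binds `0.0.0.0:8100` with `tls_disable = 1` on line 35, so every token and secret exchanged with Vault, and every UI session enabled by `ui = true` on line 27, crosses the network in cleartext and is reachable from any host that can route to the box. Either bind to loopback, `address = "127.0.0.1:8100"`, or keep the external bind and set `tls_cert_file` and `tls_key_file` in the listener block so the transport is encrypted. Separately, the file is named config.json but written in HCL syntax; as far as I know Vault's config loader parses either syntax regardless of extension, but renaming it to config.hcl would match the content (the copy task and supervisord command line would need the same rename). The trailing comma after `prometheus_retention_time` at line 39 is, I believe, tolerated by the HCL 1 parser but is inconsistent with the other blocks and worth dropping.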
diff --git a/roles/vault/files/supervisord.conf b/roles/vault/files/supervisord.conf
new file mode 100644
index 0000000..e736361
--- /dev/null
+++ b/roles/vault/files/supervisord.conf
@@ -0,0 +1,30 @@
+; Supervisor config file.
+
+[program:vault]
+command=/opt/vault/vault server -config /opt/vault/config.json
+directory=/opt/%(program_name)s
+stopasgroup=true
+stdout_logfile=/var/log/%(program_name)s.log
+stdout_logfile_maxbytes=0
+stdout_logfile_backups=0
+redirect_stderr=true
+user=%(program_name)s
+
+[inet_http_server]
+port = 9100
+username = vault
+password = vault
+
+[unix_http_server]
+file=/run/supervisord.sock
+
+[supervisord]
+logfile=/var/log/supervisord.log
+loglevel=info
+user=root
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///run/supervisord.sock
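Review bot: The `[inet_http_server]` section at lines 60-63 exposes supervisord's XML-RPC control interface on TCP port 9100 with no host part (which, if I read the supervisor docs correctly, binds all interfaces) and a static `vault`/`vault` credential committed to the repository; anyone who reaches that port with that password can stop, restart or read the logs of the vault process. supervisorctl is already pointed at the unix socket by `serverurl=unix:///run/supervisord.sock` at line 77, so the inet server is not needed for local control and the whole section can be removed. If remote control is genuinely required, bind it as `port = 127.0.0.1:9100` (or a specific internal address) and have the playbook template the credentials in from a vault/inventory secret rather than hardcoding them here.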
diff --git a/roles/vault/vault.yml b/roles/vault/vault.yml
new file mode 100644
index 0000000..e8d0f61
--- /dev/null
+++ b/roles/vault/vault.yml
@@ -0,0 +1,83 @@
+---
+- hosts: vault
+ vars:
+ username: vault
+ deploy_path: "/opt/{{ username }}"
+ version: 1.3.0
+ tasks:
+ - name: Ensuring group exists
+ group:
+ name: "{{ username }}"
+ state: present
+ - name: Creating user and making home directory
+ user:
+ system: yes
+ state: present
+ name: "{{ username }}"
+ groups: "{{ username }}"
+ home: "/opt/{{ username }}"
+ - name: Installing the required dependencies
+ apk:
+ state: present
+ update_cache: yes
+ name:
+ - sudo
+ - supervisor
+ - libcap
+ - block:
+ - name: Downloading application
+ get_url:
+ url: "https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_linux_amd64.zip"
+ dest: "{{ deploy_path }}"
+ - name: Extracting the application
+ shell: unzip vault_{{ version }}_linux_amd64.zip
+ args:
+ chdir: "{{ deploy_path }}"
+ creates: vault
+ warn: false
+ - name: Creating data folder
+ file:
+ path: "{{ deploy_path }}/data"
+ state: directory
+ mode: '0755'
+ - name: Copying config file
+ copy:
+ src: config.json
+ dest: "{{ deploy_path }}"
+ owner: "{{ username }}"
+ group: "{{ username }}"
+ mode: '0644'
+ register: vaultConfig
+ become: true
+ become_user: "{{ username }}"
+ - name: Allowing program to call mlock
+ capabilities:
+ path: "{{ deploy_path }}/vault"
+ capability: cap_ipc_lock=+ep
+ state: present
+ - name: Copying supervisord config file
+ copy:
+ src: supervisord.conf
+ dest: /etc/supervisord.conf
+ owner: root
+ group: root
+ mode: '0644'
+ register: supervisorConfig
+ - name: Ensuring supervisord has been started
+ service:
+ name: supervisord
+ state: started
+ - name: Restarting supervisord due to config change
+ service:
+ name: supervisord
+ state: restarted
+ when: supervisorConfig.changed
+ - name: Ensuring vault has been started
+ supervisorctl:
+ name: vault
+ state: started
+ - name: Restarting vault due to config change
+ supervisorctl:
+ name: vault
+ state: restarted
+ when: vaultConfig.changed
\ No newline at end of file
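Review bot: The get_url task at lines 111-114 fetches the Vault binary with no `checksum:`, so the zip that is unpacked at lines 115-120 and granted cap_ipc_lock at lines 136-140 is trusted solely on the TLS connection to releases.hashicorp.com; HashiCorp publishes a SHA256SUMS file per release, so add `checksum: "sha256:<SHA256 of vault_1.3.0_linux_amd64.zip>"` (placeholder — take the value from the published sums) under the `url:` line, which also makes the download idempotent instead of re-fetching on every run. The boolean-looking values `system: yes` at line 97 and `update_cache: yes` at line 105 should be written `true` like `warn: false` at line 120 and `become: true` at line 134, since `yes` parses differently under YAML 1.1 and 1.2 loaders and yamllint's truthy rule rejects it. The `shell: unzip ...` task could be the `unarchive` module with `remote_src: true` and the same `creates:`, which removes the need for `warn: false`; and the registered names `vaultConfig`/`supervisorConfig` are camelCase while the playbook's own vars (`deploy_path`) are snake_case.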