From e36ac0cd111f68ca0979f48e962a4df3dd481bec Mon Sep 17 00:00:00 2001
From: Thedro Neely
Date: Wed, 18 Dec 2019 19:54:23 -0500
Subject: roles/vault/vault.yml: Add playbook

---
 roles/vault/files/config.json | 15 +++++++
 roles/vault/files/supervisord.conf | 30 ++++++++++++++
 roles/vault/vault.yml | 83 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 128 insertions(+)
 create mode 100644 roles/vault/files/config.json
 create mode 100644 roles/vault/files/supervisord.conf
 create mode 100644 roles/vault/vault.yml
(limited to 'roles/vault')
diff --git a/roles/vault/files/config.json b/roles/vault/files/config.json
new file mode 100644
index 0000000..3ca5a3d
--- /dev/null
+++ b/roles/vault/files/config.json
@@ -0,0 +1,15 @@
+ui = true
+
+storage "file" {
+ path = "/opt/vault/data"
+}
+
+listener "tcp" {
+ address = "0.0.0.0:8100"
+ tls_disable = 1
+}
+
+telemetry {
+ prometheus_retention_time = "30s",
+ disable_hostname = true
+}
diff --git a/roles/vault/files/supervisord.conf b/roles/vault/files/supervisord.conf
new file mode 100644
index 0000000..e736361
--- /dev/null
+++ b/roles/vault/files/supervisord.conf
@@ -0,0 +1,30 @@
+; Supervisor config file.
+
+[program:vault]
+command=/opt/vault/vault server -config /opt/vault/config.json
+directory=/opt/%(program_name)s
+stopasgroup=true
+stdout_logfile=/var/log/%(program_name)s.log
+stdout_logfile_maxbytes=0
+stdout_logfile_backups=0
+redirect_stderr=true
+user=%(program_name)s
+
+[inet_http_server]
+port = 9100
+username = vault
+password = vault
+
+[unix_http_server]
+file=/run/supervisord.sock
+
+[supervisord]
+logfile=/var/log/supervisord.log
+loglevel=info
+user=root
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///run/supervisord.sock
diff --git a/roles/vault/vault.yml b/roles/vault/vault.yml
new file mode 100644
index 0000000..e8d0f61
--- /dev/null
+++ b/roles/vault/vault.yml
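Review bot: The listener block binds `address = "0.0.0.0:8100"` together with `tls_disable = 1`, so every token, unseal key share and secret exchanged with this Vault crosses the network in cleartext and any host that can reach port 8100 can talk to the API and the enabled UI. HashiCorp documents tls_disable as a dev/testing setting; either add `tls_cert_file`/`tls_key_file` to the listener, or bind to loopback (`address = "127.0.0.1:8100"`) and front it with a TLS-terminating proxy. The file is also written in HCL syntax under a `.json` name — Vault's config loader appears to accept both, but renaming it to `config.hcl` (and updating the `-config` path in supervisord.conf) avoids surprising the next reader.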
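Review bot: `[inet_http_server]` exposes supervisord's XML-RPC control API on port 9100 with the committed credentials `username = vault` / `password = vault`, while supervisord itself runs as `user=root`, so anyone who reaches that port can start, stop and read the logs of programs managed by a root daemon. A bare `port = 9100` names no host, which per supervisord's documentation appears to listen on every interface. Since `[unix_http_server]` and `serverurl=unix:///run/supervisord.sock` already give supervisorctl a local channel, the whole `[inet_http_server]` section can be dropped; if remote control is genuinely needed, bind it to loopback (`port = 127.0.0.1:9100`) and template the password from an ansible-vault variable instead of committing it. Separately, `stdout_logfile_maxbytes=0` disables rotation, so `/var/log/vault.log` grows without bound.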
@@ -0,0 +1,83 @@
+---
+- hosts: vault
+ vars:
+ username: vault
+ deploy_path: "/opt/{{ username }}"
+ version: 1.3.0
+ tasks:
+ - name: Ensuring group exists
+ group:
+ name: "{{ username }}"
+ state: present
+ - name: Creating user and making home directory
+ user:
+ system: yes
+ state: present
+ name: "{{ username }}"
+ groups: "{{ username }}"
+ home: "/opt/{{ username }}"
+ - name: Installing the required dependencies
+ apk:
+ state: present
+ update_cache: yes
+ name:
+ - sudo
+ - supervisor
+ - libcap
+ - block:
+ - name: Downloading application
+ get_url:
+ url: "https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_linux_amd64.zip"
+ dest: "{{ deploy_path }}"
+ - name: Extracting the application
+ shell: unzip vault_{{ version }}_linux_amd64.zip
+ args:
+ chdir: "{{ deploy_path }}"
+ creates: vault
+ warn: false
+ - name: Creating data folder
+ file:
+ path: "{{ deploy_path }}/data"
+ state: directory
+ mode: '0755'
+ - name: Copying config file
+ copy:
+ src: config.json
+ dest: "{{ deploy_path }}"
+ owner: "{{ username }}"
+ group: "{{ username }}"
+ mode: '0644'
+ register: vaultConfig
+ become: true
+ become_user: "{{ username }}"
+ - name: Allowing program to call mlock
+ capabilities:
+ path: "{{ deploy_path }}/vault"
+ capability: cap_ipc_lock=+ep
+ state: present
+ - name: Copying supervisord config file
+ copy:
+ src: supervisord.conf
+ dest: /etc/supervisord.conf
+ owner: root
+ group: root
+ mode: '0644'
+ register: supervisorConfig
+ - name: Ensuring supervisord has been started
+ service:
+ name: supervisord
+ state: started
+ - name: Restarting supervisord due to config change
+ service:
+ name: supervisord
+ state: restarted
+ when: supervisorConfig.changed
+ - name: Ensuring vault has been started
+ supervisorctl:
+ name: vault
+ state: started
+ - name: Restarting vault due to config change
+ supervisorctl:
+ name: vault
+ state: restarted
+ when: vaultConfig.changed
\ No newline at end of file
-- cgit v1.2.3
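Review bot: The `Downloading application` task fetches the Vault zip with `get_url` and no `checksum:`, so the binary that is then granted `cap_ipc_lock` and trusted with every secret is installed without any integrity check — a corrupted, truncated or substituted download is unpacked and started silently. HashiCorp publishes a SHA256SUMS file per release and `get_url` can verify against it, e.g. `checksum: "sha256:https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS"`, or better, pin the literal sha256 of `vault_1.3.0_linux_amd64.zip` next to `version:` so the playbook is reproducible. `Copying supervisord config file` installs the supervisord HTTP credentials with `mode: '0644'`, readable by every local account; `mode: '0600'` is sufficient since only root's supervisord reads it. The `shell: unzip` step would be the `unarchive` module in idiomatic Ansible, which also drops the need for `warn: false`. The play's YAML indentation is not preserved in this view, so the nesting of `become`/`become_user` under the block was not verified.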