path: root/roles/vault/main.yml
blob: 06e45f3e6a6c9a7bb28a0295f3f6f99a87c3700e (plain)
---
# Play that installs HashiCorp Vault on the `vault` host group and runs it
# under supervisord.
- hosts: vault
  vars:
    # Service account name; also used for the group and the install directory.
    username: vault
    deploy_path: "/opt/{{ username }}"
    # Release to fetch from releases.hashicorp.com. Quoted so it is always
    # read as a string, whatever the version number looks like.
    version: '1.3.0'
  tasks:
  # Dedicated group and system account for the daemon, with the install
  # directory as its home.
  - name: Ensuring group exists
    group:
      state: present
      name: "{{ username }}"
  # `groups` sets supplementary membership only; the primary group is left at
  # the platform default.
  # NOTE(review): no `shell` is given, so the account gets the platform's
  # default shell - consider a non-login shell for a service account.
  - name: Creating user and making home directory
    user:
      name: "{{ username }}"
      groups: "{{ username }}"
      home: "{{ deploy_path }}"
      system: true
      state: present
  # sudo is what `become_user` relies on later in the play, supervisor runs
  # the daemon, and libcap supplies the tooling for file capabilities.
  - name: Installing the required dependencies
    apk:
      name:
        - sudo
        - supervisor
        - libcap
      update_cache: true
      state: present
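  # Everything in this block runs as the unprivileged service account, so the
  # files it creates are owned by that account.
  # NOTE(review): this also means the daemon's own account can overwrite the
  # vault binary and config.json. Consider installing the binary as root and
  # leaving only the data directory writable by the service account.
  - block:
    - name: Downloading application
      get_url:
        url: "https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_linux_amd64.zip"
        dest: "{{ deploy_path }}"
        # Verify the archive against the published SHA256SUMS file before it
        # is unpacked and executed. The sums come from the same origin as the
        # archive, so this catches corruption and truncation but not a
        # compromised release host; for that, pin the digest in vars or verify
        # the GPG signature HashiCorp publishes for the SHA256SUMS file.
        checksum: "sha256:https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS"
    # NOTE(review): `creates: vault` skips extraction whenever a binary is
    # already present, so bumping `version` downloads the new archive but does
    # not replace the installed binary.
    - name: Extracting the application
      shell: unzip vault_{{ version }}_linux_amd64.zip
      args:
        chdir: "{{ deploy_path }}"
        creates: vault
        warn: false
    # Storage directory: restricted to the owning account. This assumes the
    # daemon runs as that account (supervisord.conf is not shown here).
    - name: Creating data folder
      file:
        path: "{{ deploy_path }}/data"
        state: directory
        mode: '0700'
    # The registered result drives the conditional Vault restart at the end of
    # the play.
    # NOTE(review): 0644 leaves the config world-readable; tighten it if
    # config.json ever carries storage or seal credentials.
    - name: Copying config file
      copy:
        src: config.json
        dest: "{{ deploy_path }}"
        owner: "{{ username }}"
        group: "{{ username }}"
        mode: '0644'
      register: vaultConfig
    become: true
    become_user: "{{ username }}"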
  # Grants the binary CAP_IPC_LOCK (effective + permitted) so an unprivileged
  # process can mlock() its memory and keep secrets out of swap.
  # File capabilities belong to this specific file: a replaced binary has to
  # have the capability applied again.
  - name: Allowing program to call mlock
    capabilities:
      state: present
      capability: 'cap_ipc_lock=+ep'
      path: "{{ deploy_path }}/vault"
  # Root-owned supervisord configuration; only root can change which command
  # supervisord runs. The registered result drives the conditional restart in
  # a later task.
  - name: Copying supervisord config file
    copy:
      dest: /etc/supervisord.conf
      src: supervisord.conf
      mode: '0644'
      owner: root
      group: root
    register: supervisorConfig
  # Make sure supervisord is running, then restart it if its config file was
  # changed by this run. On a first run this starts the service and then
  # restarts it straight away.
  - name: Ensuring supervisord has been started
    service:
      state: started
      name: supervisord
  - name: Restarting supervisord due to config change
    when: supervisorConfig.changed
    service:
      state: restarted
      name: supervisord
  # Make sure the `vault` program is up under supervisord, and restart it when
  # config.json was changed by this run.
  # A restarted Vault comes back sealed unless auto-unseal is configured
  # (config.json is not shown here), so plan an unseal step after any config
  # change.
  - name: Ensuring vault has been started
    supervisorctl:
      state: started
      name: vault
  - name: Restarting vault due to config change
    when: vaultConfig.changed
    supervisorctl:
      state: restarted
      name: vault