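---
# Installs HashiCorp Vault from the vendor apt repository, renders
# /etc/vault.d/vault.hcl from config.hcl.j2, initialises the server once and
# unseals it from the key files it wrote.
#
# Variables expected from the caller (inventory / extra-vars):
#   VAULT_ADDR_ENV          address the vault CLI talks to
#   vaultdata               storage directory referenced by config.hcl.j2
#   unseal_keys_dir_output  directory on the target for unseal_key_<n> files
#   root_token_dir_output   directory on the target for the rootkey file
#
# NOTE(review): keeping every unseal share and the root token on the Vault
# host itself makes Shamir sharing pointless; this is only acceptable as a lab
# bootstrap -- move them off-host and revoke the root token afterwards.
- hosts: all
  # become_user on its own does nothing; become must be switched on, otherwise
  # the apt/file/systemd tasks below run unprivileged.
  become: true
  become_user: root

  vars:
    vault_key_shares: 5
    vault_key_threshold: 3
    # Dedicated keyring for the HashiCorp signing key (see signed-by below).
    hashicorp_keyring: /usr/share/keyrings/hashicorp-archive-keyring.gpg

  environment:
    VAULT_ADDR: "{{ VAULT_ADDR_ENV }}"

  tasks:
    # ply is pinned to 3.8; presumably the pyhcl parser behind hvac[parser]
    # needs it -- confirm before bumping.
    - name: Install Dependencies | pip install ply version 3.8 for hvac[parser]
      pip:
        name: ply
        version: "3.8"
        extra_args: --user

    - name: Install Dependencies | Install python packages
      pip:
        name:
          - hvac
          - hvac[parser]
        extra_args: --user

    # ---- Install HashiCorp Vault -------------------------------------------

    # apt-key is deprecated and drops the key into the global trust store,
    # where it can sign *any* repository. Keep it in its own keyring and bind
    # it to the HashiCorp repo with signed-by. Compare the fingerprint of the
    # downloaded key with the one HashiCorp publishes before trusting this
    # host. Needs gnupg on the target (apt-key needed it too). Because of
    # `creates`, an existing keyring is never refreshed -- delete it to rotate.
    - name: Install Vault | Add HashiCorp signing key to a dedicated keyring
      shell: >-
        set -o pipefail &&
        curl -fsSL https://apt.releases.hashicorp.com/gpg
        | gpg --dearmor -o {{ hashicorp_keyring }}
      args:
        executable: /bin/bash
        creates: "{{ hashicorp_keyring }}"

    # The previous version passed a whole `sudo apt-add-repository ...` command
    # line as the repo string and interpolated the registered result dict of
    # `lsb_release -cs` instead of its stdout. apt_repository wants the bare
    # sources.list line; the codename is already a fact (default gather_facts).
    - name: Install Vault | Add repository
      apt_repository:
        repo: >-
          deb [arch=amd64 signed-by={{ hashicorp_keyring }}]
          https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main
        filename: hashicorp
        state: present

    # `present`, not `latest`: an unpinned latest upgrades (and therefore
    # restarts) Vault on every run. Pin with `name: vault=<version>` if needed.
    - name: Install Vault | install Hashicorp Vault
      apt:
        name: vault
        state: present
        update_cache: true

    # Vault's storage holds the encrypted barrier; 0777 (recursively) let any
    # local user read or tamper with it. Only the service user needs access.
    # `path` takes a single path -- a list gets stringified into a bogus
    # directory name.
    - name: Install Vault | Create data directory
      file:
        path: "{{ vaultdata }}"
        state: directory
        owner: vault
        group: vault
        mode: '0700'

    # template overwrites in place, so the old "delete vault.hcl first" task
    # was redundant. The config may name TLS key paths: readable by root and
    # the service user only.
    - name: Install Vault | Copy Config file
      template:
        src: config.hcl.j2
        dest: /etc/vault.d/vault.hcl
        owner: vault
        group: vault
        mode: '0640'

    - name: Install Vault | Start vault service
      systemd:
        name: vault
        state: restarted
        enabled: true
        daemon_reload: true

    - name: Install Vault | Open port 8200
      ansible.posix.firewalld:
        port: 8200/tcp
        permanent: true
        state: enabled

    - name: Install Vault | reload service firewalld
      systemd:
        name: firewalld
        state: reloaded

    # ---- Create Vault keys and token ----------------------------------------

    # Owned by root (become), not readable by anyone else.
    - name: Vault Keys/tokens | Create unseal key and root token directories
      file:
        path: "{{ item }}"
        state: directory
        mode: '0700'
      loop:
        - "{{ unseal_keys_dir_output }}"
        - "{{ root_token_dir_output }}"

    # `vault operator init` fails on an already-initialised server, so the
    # previous version could not be re-run. `vault status` exits 0 when
    # unsealed, 2 when sealed and 1 on error; the service was only just
    # restarted, so give it a few seconds to come up.
    - name: Vault Keys/tokens | Check whether Vault is initialised / sealed
      command: vault status -format=json
      register: vault_status
      changed_when: false
      failed_when: vault_status.rc not in [0, 2]
      retries: 5
      delay: 2
      until: vault_status.rc in [0, 2]

    # Stored as strings by Jinja; always read them back through `| bool`.
    - name: Vault Keys/tokens | Record Vault state
      set_fact:
        vault_initialised: "{{ (vault_status.stdout | from_json).initialized }}"
        vault_sealed: "{{ (vault_status.stdout | from_json).sealed }}"

    # no_log keeps the unseal shares and root token out of the Ansible output
    # and out of any log/callback plugin.
    - name: Vault Keys/tokens | Initialise Vault operator
      command: >-
        vault operator init
        -key-shares={{ vault_key_shares }}
        -key-threshold={{ vault_key_threshold }}
        -format=json
      register: vault_init_results
      no_log: true
      when: not (vault_initialised | bool)

    - name: Vault Keys/tokens | Parse output of vault init
      set_fact:
        vault_init_parsed: "{{ vault_init_results.stdout | from_json }}"
      no_log: true
      when: vault_init_results is not skipped

    # Empty loop (nothing written) when init was skipped on a re-run.
    - name: Vault Keys/tokens | Write unseal keys to files
      copy:
        dest: "{{ unseal_keys_dir_output }}/unseal_key_{{ key_index }}"
        content: "{{ item }}"
        mode: '0600'
      loop: "{{ vault_init_parsed.unseal_keys_hex | default([]) }}"
      loop_control:
        index_var: key_index
      no_log: true

    - name: Vault Keys/tokens | Write root token to file
      copy:
        content: "{{ vault_init_parsed.root_token }}"
        dest: "{{ root_token_dir_output }}/rootkey"
        mode: '0600'
      no_log: true
      when: vault_init_parsed is defined

    # Not cacheable: with a fact cache enabled the old task persisted the root
    # token to the cache backend. The fact still reaches later plays of this
    # run.
    - name: Vault Keys/tokens | set root token as fact
      set_fact:
        vault_token: "{{ vault_init_parsed.root_token }}"
      no_log: true
      when: vault_init_parsed is defined

    # The former `debug` task that echoed vault_token printed the root token
    # to the console/log and has been dropped.

    # /etc/environment is world-readable: exporting VAULT_TOKEN (the root
    # token) there handed it to every local account. Only the address goes
    # here; the token lives in root_token_dir_output/rootkey, mode 0600.
    - name: Vault Keys/tokens | Add environmental vars
      blockinfile:
        path: /etc/environment
        block: |
          export VAULT_ADDR="{{ VAULT_ADDR_ENV }}"

    # ---- Unseal vault -------------------------------------------------------

    # with_fileglob expands on the control node, so the previous version never
    # saw the key files written to the target. Read them on the target instead
    # and hand each share to the CLI on stdin (it reads the key from stdin when
    # no argument is given), so the share never shows up in the process list.
    - name: Vault Keys/tokens | Find unseal key files
      find:
        paths: "{{ unseal_keys_dir_output }}"
        patterns: "unseal_key_*"
      register: unseal_key_files
      when: vault_sealed | bool

    - name: Vault Keys/tokens | Read unseal keys
      slurp:
        src: "{{ item.path }}"
      loop: "{{ unseal_key_files.files | default([]) }}"
      register: unseal_keys
      no_log: true

    # Submitting more shares than the threshold is harmless: once unsealed,
    # further unseal calls just report the status.
    - name: Vault Keys/tokens | Unseal vault with unseal keys
      command:
        cmd: vault operator unseal
        stdin: "{{ item.content | b64decode }}"
      loop: "{{ unseal_keys.results | default([]) }}"
      no_log: true
      when: vault_sealed | bool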