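---
# file: roles/vault/defaults/main.yaml
#
# Role defaults for installing and configuring HashiCorp Vault. Every value
# can be overridden by inventory/group vars; several read an environment
# variable first (lookup('env', ...)) and fall back to the literal default
# when that variable is unset or empty (the `true` flag on default()).

# Inst - Prerequisites.
packages: "{{ packages_base + packages_by_distro[ansible_distribution | lower] + packages_by_arch[ansible_machine] }}"
packages_base:
  - "curl"
  - "unzip"
# Per-distro / per-arch extras are concatenated onto packages_base above, so
# "no extras" must be an empty list ([]), not a list holding one empty list
# (which would hand the package module an empty-list element).
packages_by_distro:
  ubuntu: []
packages_by_arch:
  aarch64: []
  x86_64: []

# Inst - Vault Map.
vault_version: "1.8.1"
# Maps ansible_architecture to the architecture token used in HashiCorp's
# release archive file names.
vault_architecture_map:
  amd64: "amd64"
  x86_64: "amd64"
  armv7l: "arm"
  aarch64: "arm64"
  32-bit: "386"
  64-bit: "amd64"
vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}"
vault_os: "{{ ansible_system|lower }}"
vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
# Fetched over HTTPS. No checksum variable is defined in this file, so unless
# the role's tasks verify the archive, its integrity rests on TLS to
# releases.hashicorp.com alone.
vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/{{ vault_pkg }}"

# Conf - Service.
vault_node_role: "server"
vault_restart_handler_state: "restarted"
vault_systemd_service_name: "vault"

# Inst - System paths.
vault_bin_dir: "/usr/local/bin"
vault_config_dir: "/etc/vault.d"
vault_data_dir: "/var/vault"
vault_inst_dir: "/opt"
vault_run_dir: "/var/run/vault"
vault_ssl_dir: "/etc/vault.d/ssl"

# Conf - User and group.
vault_group: "vault"
vault_group_state: "present"
vault_user: "vault"
vault_user_state: "present"

# Conf - Main
vault_group_name: "vault_instances"
vault_cluster_name: "yul1"
vault_datacenter: "yul1"
vault_log_level: "{{ lookup('env','VAULT_LOG_LEVEL') | default('info', true) }}"
# Interface whose IPv4 address Vault binds to; defaults to the interface of
# the host's default route.
vault_iface: "{{ lookup('env','VAULT_IFACE') | default(ansible_default_ipv4.interface, true) }}"
vault_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
vault_ui: "{{ lookup('env', 'VAULT_UI') | default(true, true) }}"
vault_port: 8200
vault_use_config_path: false
vault_main_config: "{{ vault_config_dir }}/vault_main.hcl"
vault_main_configuration_template: "vault_main_configuration.hcl.j2"
vault_listener_localhost_enable: false
vault_http_proxy: ""
vault_https_proxy: ""
vault_no_proxy: ""

# Conf - Listeners
# Each entry describes one TCP listener; the vault_tls_* values it references
# are defined under "Conf - TLS" further down.
vault_tcp_listeners:
  - vault_address: "{{ vault_address }}"
    vault_port: "{{ vault_port }}"
    vault_cluster_address: "{{ vault_cluster_address }}"
    vault_tls_disable: "{{ vault_tls_disable }}"
    vault_tls_config_path: "{{ vault_tls_config_path }}"
    vault_tls_cert_file: "{{ vault_tls_cert_file }}"
    vault_tls_key_file: "{{ vault_tls_key_file }}"
    vault_tls_ca_file: "{{ vault_tls_ca_file }}"
    vault_tls_min_version: "{{ vault_tls_min_version }}"
    vault_tls_cipher_suites: "{{ vault_tls_cipher_suites }}"
    vault_tls_prefer_server_cipher_suites: "{{ vault_tls_prefer_server_cipher_suites }}"
    vault_tls_require_and_verify_client_cert: "{{ vault_tls_require_and_verify_client_cert }}"
    vault_tls_disable_client_certs: "{{ vault_tls_disable_client_certs }}"
    # true stops Vault from mlock()ing its memory, so pages holding secrets
    # may be swapped to disk. NOTE(review): disable_mlock is a top-level Vault
    # option, not a listener one; confirm the main template reads it from here.
    vault_disable_mlock: true

# Conf - Backend
vault_backend_consul: "vault_backend_consul.j2"
vault_backend_file: "vault_backend_file.j2"
vault_backend_raft: "vault_backend_raft.j2"
vault_backend_etcd: "vault_backend_etcd.j2"
vault_backend_s3: "vault_backend_s3.j2"
vault_backend_dynamodb: "vault_backend_dynamodb.j2"
vault_backend_mysql: "vault_backend_mysql.j2"
vault_backend_gcs: "vault_backend_gcs.j2"

vault_cluster_disable: false
# Server-to-server (cluster) address: the listener's IPv4 address on
# vault_port + 1.
vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}"
vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}"
vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address | default(hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address']) }}:{{ vault_port }}"

vault_max_lease_ttl: "768h"
vault_default_lease_ttl: "768h"

vault_backend_tls_src_files: "{{ vault_tls_src_files }}"
vault_backend_tls_config_path: "{{ vault_tls_config_path }}"
vault_backend_tls_cert_file: "{{ vault_tls_cert_file }}"
vault_backend_tls_key_file: "{{ vault_tls_key_file }}"
vault_backend_tls_ca_file: "{{ vault_tls_ca_file }}"

# Plaintext HTTP to a Consul agent on loopback. If vault_consul is pointed at
# a remote agent, switch vault_consul_scheme to "https" and provide the
# vault_backend_tls_* files above.
vault_consul: "127.0.0.1:8500"
vault_consul_path: "vault"
vault_consul_service: "vault"
vault_consul_scheme: "http"

vault_backend: "consul"

# Conf - Service registration
vault_service_registration_consul_enable: true
vault_service_registration_consul_template: "vault_service_registration_consul.hcl.j2"
vault_service_registration_consul_check_timeout: "5s"
vault_service_registration_consul_address: "127.0.0.1:8500"
vault_service_registration_consul_service: "vault"
vault_service_registration_consul_service_tags: ""
# Explicit null (same parsed value as the bare key): no service address is
# advertised unless overridden.
vault_service_registration_consul_service_address: null
vault_service_registration_consul_disable_registration: false
vault_service_registration_consul_scheme: "http"

vault_service_registration_consul_tls_config_path: "{{ vault_tls_config_path }}"
vault_service_registration_consul_tls_cert_file: "{{ vault_tls_cert_file }}"
vault_service_registration_consul_tls_key_file: "{{ vault_tls_key_file }}"
vault_service_registration_consul_tls_ca_file: "{{ vault_tls_ca_file }}"
vault_service_registration_consul_tls_min_version: "{{ vault_tls_min_version }}"
# Keep false: skipping verification would make the Consul TLS settings above
# ineffective against an impersonating agent.
vault_service_registration_consul_tls_skip_verify: false

# Conf - Telemetry
vault_telemetry_enabled: true
vault_telemetry_disable_hostname: false
vault_prometheus_retention_time: "30s"

# Conf - TLS
validate_certs_during_api_reachable_check: true

vault_tls_config_path: "{{ lookup('env','VAULT_TLS_DIR') | default('/etc/vault/tls', true) }}"
vault_tls_src_files: "{{ lookup('env','VAULT_TLS_SRC_FILES') | default(role_path+'/files', true) }}"

# 1 (the default) disables TLS on the Vault listener, so API and cluster
# traffic use plaintext HTTP (see vault_protocol). Set VAULT_TLS_DISABLE=0 to
# serve HTTPS with the cert/key/CA files below. vault_protocol tests this
# value for Jinja truthiness, so prefer 0/1 over words such as "false"
# (NOTE(review): "false" presumably survives as a non-empty, truthy string —
# confirm).
vault_tls_disable: "{{ lookup('env','VAULT_TLS_DISABLE') | default(1, true) }}"
vault_tls_gossip: "{{ lookup('env','VAULT_TLS_GOSSIP') | default(0, true) }}"

vault_tls_copy_keys: true
vault_protocol: "{% if vault_tls_disable %}http{% else %}https{% endif %}"
vault_tls_cert_file: "{{ lookup('env','VAULT_TLS_CERT_FILE') | default('server.crt', true) }}"
vault_tls_key_file: "{{ lookup('env','VAULT_TLS_KEY_FILE') | default('server.key', true) }}"
vault_tls_ca_file: "{{ lookup('env','VAULT_TLS_CA_CRT') | default('ca.crt', true) }}"

vault_tls_min_version: "{{ lookup('env','VAULT_TLS_MIN_VERSION') | default('tls12', true) }}"
# Empty: presumably no cipher-suite restriction is rendered — confirm against
# the main configuration template.
vault_tls_cipher_suites: ""
vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default('false', true) }}"
vault_tls_files_remote_src: false
# Mutual TLS (client certificate verification) is off by default.
vault_tls_require_and_verify_client_cert: false
vault_tls_disable_client_certs: false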