Infra: Vault
1 ---
2 # file: roles/vault/tasks/main.yaml
3
- name: Inst - Update Package Cache (APT)
  # Refresh the APT index on Ubuntu hosts only. An index younger than one
  # hour is reused, so repeated runs do not hit the mirrors every time.
  apt:
    update_cache: true
    cache_valid_time: 3600
  when: ansible_distribution | lower == 'ubuntu'
  tags:
    - vault-inst-prerequisites
12
- name: Inst - Prerequisites
  # Install the OS packages listed in `packages` (defined outside this file).
  # NOTE(review): `state: latest` upgrades every listed package on each run,
  # which makes the host state non-reproducible and may pull unrelated
  # upgrades; `state: present` plus explicit version pins is the safer
  # choice for a secrets-management host.
  package:
    name: "{{ packages | flatten(levels=1) }}"
    state: latest
  tags:
    - vault-inst-prerequisites
19
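- name: Conf - Add Vault Group
  # Dedicated primary group for the Vault service account.
  # The state is driven by vault_group_state; the previous version read
  # vault_user_state here (the user task's variable), so the two knobs were
  # swapped and setting either one acted on the wrong object.
  group:
    name: "{{ vault_group }}"
    state: "{{ vault_group_state }}"
  tags:
    - vault-conf-user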
26
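- name: Conf - Add Vault user
  # Unprivileged system account that the vault.service unit runs as.
  # The state is driven by vault_user_state; the previous version read
  # vault_group_state here (the group task's variable), so the two knobs were
  # swapped. The account gets a non-interactive shell: it only needs to
  # own the data/config directories and be the unit's User=, never to log in.
  user:
    name: "{{ vault_user }}"
    group: "{{ vault_group }}"
    state: "{{ vault_user_state }}"
    system: true
    shell: /usr/sbin/nologin
  tags:
    - vault-conf-user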
35
- name: Inst - Clean Vault
  # Drop any previously extracted binary from the staging directory so the
  # unarchive step below (guarded by `creates`) always extracts a fresh copy.
  file:
    path: "{{ vault_inst_dir }}/vault"
    state: absent
  tags:
    - vault-inst-package
42
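- name: Inst - Download Vault
  # Fetch the release archive into the staging directory.
  # Supply-chain check: when vault_zip_checksum is defined (e.g.
  # "sha256:<digest>" taken from the upstream SHA256SUMS file for the pinned
  # release), get_url refuses an archive whose digest does not match. When
  # it is not defined the parameter is omitted and behaviour is unchanged,
  # so define it in the role defaults to actually enforce integrity.
  # TLS verification is get_url's default and is intentionally left on.
  get_url:
    url: "{{ vault_zip_url }}"
    dest: "{{ vault_inst_dir }}/{{ vault_pkg }}"
    checksum: "{{ vault_zip_checksum | default(omit) }}"
    mode: "0644"
  tags:
    - vault-inst-package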
49
- name: Inst - Unarchive Vault
  # Extract the already-downloaded archive on the target host (remote_src).
  # `creates` makes the task a no-op once the binary exists in the staging
  # directory; the preceding clean task removes it, so a run normally extracts.
  unarchive:
    remote_src: true
    src: "{{ vault_inst_dir }}/{{ vault_pkg }}"
    dest: "{{ vault_inst_dir }}/"
    creates: "{{ vault_inst_dir }}/vault"
  tags:
    - vault-inst-package
58
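- name: Inst - Vault
  # Install the extracted binary into the bin directory.
  # The binary is owned by root rather than by the service account: a
  # compromised Vault process must not be able to overwrite its own
  # executable (which would also be re-granted CAP_IPC_LOCK by the tasks
  # below on the next run). Mode 0755 keeps it executable by the service
  # user. The destination names the file explicitly so a missing
  # vault_bin_dir cannot turn into a file of that name instead of a
  # directory entry.
  copy:
    remote_src: true
    src: "{{ vault_inst_dir }}/vault"
    dest: "{{ vault_bin_dir }}/vault"
    owner: root
    group: root
    mode: "0755"
    force: true
  tags:
    - vault-inst-package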
70
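- name: Inst - Check Vault mlock capability
  # Read-only probe. The previous version ran `setcap ... +ep` here while
  # claiming to be read-only, so the "check" was itself the change and the
  # follow-up task only re-ran it on failure. getcap prints the file
  # capabilities (empty when none are set); it never fails the play, the
  # output is only consumed by the next task.
  command: "getcap {{ vault_bin_dir }}/vault"
  register: vault_mlock_capability
  changed_when: false
  failed_when: false
  tags:
    - vault-inst-package

- name: Inst - Enable non root mlock capability
  # Vault mlock()s its memory so unsealed key material is not swapped to
  # disk; as a non-root service it needs CAP_IPC_LOCK on the binary for that.
  # Grant it only when the probe did not report it (a freshly copied binary
  # carries no file capabilities, so this runs after every reinstall).
  command: "setcap cap_ipc_lock=+ep {{ vault_bin_dir }}/vault"
  when: "'cap_ipc_lock' not in vault_mlock_capability.stdout"
  tags:
    - vault-inst-package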
84
- name: Conf - Create directories
  # Data, configuration and TLS material directories, owned by the service
  # account and closed to "other" (0750) so no unrelated local user can read
  # storage files, config or keys.
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "0750"
  loop:
    - "{{ vault_data_dir }}"
    - "{{ vault_config_dir }}"
    - "{{ vault_ssl_dir }}"
  tags:
    - vault-conf
98
- name: Conf - Vault main configuration
  # Render the main Vault config. It is readable only by the service account
  # (0400) since it can contain listener/storage settings and key paths.
  # NOTE(review): this task does not notify "Restart Vault", so a changed
  # config is only picked up when the unit file changes or the service is
  # restarted by other means; left as-is here because an automatic restart
  # would also re-seal Vault, which may be an intentional trade-off.
  template:
    src: "{{ vault_main_configuration_template }}"
    dest: "{{ vault_main_config }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "0400"
  tags:
    - vault-conf
108
109 #- name: Conf - Copy Certificates And Keys
110 #  copy:
111 #    content: "{{ item.src }}"
112 #    dest: "{{ item.dest }}"
113 #    owner: "{{ vault_user }}"
114 #    group: "{{ vault_group }}"
115 #    mode: 0600
116 #  no_log: true
117 #  loop: "{{ vault_certificates | flatten(levels=1) }}"
118 #  tags:
119 #    - vault-conf
120
- name: Conf - System.d Script
  # Install the unit file, root-owned and world-readable (no secrets belong
  # in it), and schedule a restart through the "Restart Vault" handler.
  # NOTE(review): /lib/systemd/system is the vendor/package location;
  # locally managed units conventionally live in /etc/systemd/system, which
  # also takes precedence if a distro package ever ships its own vault.service.
  template:
    src: vault_systemd.service.j2
    dest: /lib/systemd/system/vault.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - "Restart Vault"
  tags:
    - vault-conf
132
# Run any pending handlers (the "Restart Vault" notification above) now
# rather than at the end of the play, so the service is up before any
# later tasks that depend on it.
- meta: flush_handlers