-
Notifications
You must be signed in to change notification settings - Fork 0
/
setup-vault.yml
125 lines (107 loc) · 2.88 KB
/
setup-vault.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
- hosts: localhost
gather_facts: true
become: yes
become_user: root
become_method: sudo
tasks:
- name: Add multiple repositories into the same file
yum_repository:
name: Hashicorp
description: Hashicorp AmazonLinux Repository
file: hashicorp
baseurl: https://rpm.releases.hashicorp.com/AmazonLinux/\$releasever/\$basearch/stable
gpgcheck: yes
gpgkey: https://rpm.releases.hashicorp.com/gpg
enabled: yes
- name: Install Packages
yum:
name: vault
state: present
update_cache: true
register: installs
- name: Create vault data directory
file:
path: /var/lib/vault/data
state: directory
recurse: true
owner: vault
group: vault
mode: '0770'
- name: create directory for configuration and tls
file:
path: /etc/vault.d/
state: directory
owner: vault
group: vault
mode: '0770'
- name: config file for running vault as a service
copy:
dest: /etc/vault.d/vault.hcl
content: |
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 1
}
storage "file" {
path = "/var/lib/vault/data"
}
owner: vault
group: vault
force: yes
- name: install systemd
copy:
dest: /lib/systemd/system/vault.service
content: |
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
User=vault
Group=vault
LogLevel=info
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target
owner: vault
group: vault
force: yes
register: vault_service
- name: Create vault user
user:
name: vault
system: yes
shell: /bin/false
home: /etc/vault.d
createhome: null
append: yes
- name: restart vault service
service:
name: vault
state: restarted
enabled: yes
when: vault_service is changed