diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
index 4b6421b..4e2f613 100644
--- a/playbooks/deploy.yml
+++ b/playbooks/deploy.yml
@@ -8,7 +8,7 @@ become: true tasks: - name: "Import variables" - ansible.builtin.import_role: + ansible.builtin.include_role: name: ednz_cloud.hashistack.hashistack tags: - always
@@ -19,7 +19,7 @@ - consul when: - enable_consul | bool - ansible.builtin.import_tasks: + ansible.builtin.include_tasks: file: tasks/consul/consul_deploy.yml # Vault nodes deployment
@@ -28,7 +28,7 @@ - vault when: - enable_vault | bool - ansible.builtin.import_tasks: + ansible.builtin.include_tasks: file: tasks/vault/vault_deploy.yml # Nomad nodes deployment
@@ -37,7 +37,7 @@ - nomad when: - enable_nomad | bool - ansible.builtin.import_tasks: + ansible.builtin.include_tasks: file: tasks/nomad/nomad_deploy.yml # - fail:
diff --git a/playbooks/generate_certs.yml b/playbooks/generate_certs.yml
index a773526..5da90dc 100644
--- a/playbooks/generate_certs.yml
+++ b/playbooks/generate_certs.yml
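Review bot: Switching `Import variables` from import_role to include_role changes what its `tags: [always]` covers: on a dynamic include the tags apply to the include task only, not to the tasks inside the role, so a run restricted with `--tags consul` executes the include but skips the role's tasks unless they carry a matching tag themselves. The three import_tasks→include_tasks changes in this file (`@@ -19`, `@@ -28`, `@@ -37`) have the same problem with their `consul`/`vault`/`nomad` tags, as does the `Create Certificate Authority` include_role in generate_certs.yml, whose `apply:` only sets `delegate_to`. If the intent is to keep the static-import behaviour, add `apply: {tags: [always]}` to the role include and the matching component tag under `apply:` on each include_tasks so the inner tasks inherit it. Whether the included files already tag their own tasks is not visible from this diff.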
@@ -7,363 +7,15 @@ become: true tasks: - name: "Import variables" - ansible.builtin.import_role: + ansible.builtin.include_role: name: ednz_cloud.hashistack.hashistack tags: - always - - name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task] - ansible.builtin.file: - path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external" - state: directory - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0755" - delegate_to: localhost - run_once: true + - name: "Create Certificate Authority" + ansible.builtin.include_role: + name: ednz_cloud.hashistack.hashistack_ca + apply: + delegate_to: localhost tags: - always - - - name: "Generate external certificates" # noqa: run-once[task] - tags: - - always - delegate_to: localhost - run_once: true - block: - - name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task] - ansible.builtin.file: - path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external" - state: directory - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0755" - - - name: "Create private keys" - community.crypto.openssl_privatekey: - path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key" - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - loop: - - name: nomad - fqdn: "{{ nomad_fqdn }}" - - name: vault - fqdn: "{{ vault_fqdn }}" - - name: consul - fqdn: "{{ consul_fqdn }}" - - - name: "Create certificate signing request" - community.crypto.openssl_csr_pipe: - privatekey_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.fqdn }}.pem.key" - common_name: "{{ item.fqdn }}" - organization_name: EDNZ Cloud - register: csr - loop: - - name: nomad - fqdn: "{{ nomad_fqdn }}" - - name: vault - fqdn: "{{ 
vault_fqdn }}" - - name: consul - fqdn: "{{ consul_fqdn }}" - - - name: "Create self-signed certificate from CSR" - community.crypto.x509_certificate: - path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem" - csr_content: "{{ item.csr }}" - privatekey_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/external/{{ item.item.fqdn }}.pem.key" - provider: selfsigned - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - loop: "{{ csr.results }}" - - - name: "Generate internal certificates" - tags: - - never - - internal - delegate_to: localhost - vars: - hashistack_ca_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca/ca.key" - hashistack_ca_cert_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca/ca.crt" - block: - - name: "Create internal CA" # noqa: run-once[task] - run_once: true - block: - - name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task] - ansible.builtin.file: - path: "{{ hashistack_sub_configuration_directories['certificates'] }}/ca" - state: directory - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0755" - - - name: "Create CA private key" - community.crypto.openssl_privatekey: - path: "{{ hashistack_ca_key_path }}" - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - - - name: "Create CA signing request" - community.crypto.openssl_csr_pipe: - privatekey_path: "{{ hashistack_ca_key_path }}" - common_name: "CA" - organization_name: EDNZ Cloud - use_common_name_for_san: false - basic_constraints: - - CA:TRUE - basic_constraints_critical: true - key_usage: - - keyCertSign - key_usage_critical: true - register: ca_csr - - - name: "Create self-signed CA certificate from CSR" - community.crypto.x509_certificate: - path: "{{ hashistack_ca_cert_path }}" - csr_content: "{{ ca_csr.csr 
}}" - privatekey_path: "{{ hashistack_ca_key_path }}" - provider: selfsigned - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - - - name: "Create Vault certificates" - when: - - "'vault_servers' in group_names" - vars: - vault_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/key.pem" - vault_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}/cert.pem" - block: - - name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task] - ansible.builtin.file: - path: "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}" - state: directory - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0755" - - - name: "Create Vault certificate keys" - community.crypto.openssl_privatekey: - path: "{{ vault_private_key_path }}" - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - - - name: "Create CSRs for Vault servers" - community.crypto.openssl_csr_pipe: - privatekey_path: "{{ vault_private_key_path }}" - common_name: "{{ inventory_hostname }}" - subject_alt_name: - - "DNS:{{ inventory_hostname }}" - - "DNS:active.vault.service.consul" - - "DNS:standby.vault.service.consul" - - "DNS:vault.service.consul" - - "DNS:localhost" - - "IP:{{ api_interface_address }}" - - "IP:127.0.0.1" - key_usage_critical: true - key_usage: - - Digital Signature - - Key Encipherment - - Key Agreement - extended_key_usage: - - TLS Web Server Authentication - - TLS Web Client Authentication - organization_name: EDNZ Cloud - use_common_name_for_san: false - register: vault_csr - - - name: "Sign certificates with internal CA" - community.crypto.x509_certificate: - path: "{{ vault_certificate_path }}" - csr_content: "{{ vault_csr.csr }}" - provider: ownca - ownca_path: "{{ 
hashistack_ca_cert_path }}" - ownca_privatekey_path: "{{ hashistack_ca_key_path }}" - ownca_not_after: "+365d" - ownca_not_before: "-1d" - - - name: "Concatenate CA and Child certificates" - block: - - name: "Read content of ca.crt" - ansible.builtin.slurp: - src: "{{ hashistack_ca_cert_path }}" - register: ca_crt_content - - - name: "Read content of cert.pem" - ansible.builtin.slurp: - src: "{{ vault_certificate_path }}" - register: cert_pem_content - - - name: "Concatenate certificates" - ansible.builtin.copy: - content: | - {{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }} - dest: "{{ vault_certificate_path }}" - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0644" - - - name: "Create Consul certificates" - when: - - "('consul_servers' in group_names) or ('consul_agents' in group_names)" - vars: - consul_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/key.pem" - consul_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}/cert.pem" - block: - - name: "Create temporary cert directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task] - ansible.builtin.file: - path: "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}" - state: directory - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0755" - - - name: "Create Consul certificate keys" - community.crypto.openssl_privatekey: - path: "{{ consul_private_key_path }}" - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - - - name: "Create CSRs for Consul servers" - vars: - consul_csr_sans: >- - {%- set sans_list = [ - 'DNS:' + inventory_hostname, - 'DNS:consul.service.consul', - 'DNS:localhost', - 'IP:' + api_interface_address, - 'IP:127.0.0.1' - ] -%} - {%- if 
consul_enable_server -%} - {%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%} - {%- endif -%} - {{ sans_list }} - community.crypto.openssl_csr_pipe: - privatekey_path: "{{ consul_private_key_path }}" - common_name: "{{ inventory_hostname }}" - subject_alt_name: "{{ consul_csr_sans }}" - key_usage_critical: true - key_usage: - - Digital Signature - - Key Encipherment - - Key Agreement - extended_key_usage: - - TLS Web Server Authentication - - TLS Web Client Authentication - organization_name: EDNZ Cloud - use_common_name_for_san: false - register: consul_csr - - - name: "Sign certificates with internal CA" - community.crypto.x509_certificate: - path: "{{ consul_certificate_path }}" - csr_content: "{{ consul_csr.csr }}" - provider: ownca - ownca_path: "{{ hashistack_ca_cert_path }}" - ownca_privatekey_path: "{{ hashistack_ca_key_path }}" - ownca_not_after: "+365d" - ownca_not_before: "-1d" - - - name: "Concatenate CA and Child certificates" - block: - - name: "Read content of ca.crt" - ansible.builtin.slurp: - src: "{{ hashistack_ca_cert_path }}" - register: ca_crt_content - - - name: "Read content of cert.pem" - ansible.builtin.slurp: - src: "{{ consul_certificate_path }}" - register: cert_pem_content - - - name: "Concatenate certificates" - ansible.builtin.copy: - content: | - {{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }} - dest: "{{ consul_certificate_path }}" - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0644" - - - name: "Create Nomad certificates" - when: - - "('nomad_servers' in group_names) or ('nomad_clients' in group_names)" - vars: - nomad_private_key_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/key.pem" - nomad_certificate_path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}/cert.pem" - block: - - name: "Create temporary cert 
directory in {{ hashistack_sub_configuration_directories['certificates'] }}" # noqa: run-once[task] - ansible.builtin.file: - path: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}" - state: directory - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0755" - - - name: "Create Nomad certificate keys" - community.crypto.openssl_privatekey: - path: "{{ nomad_private_key_path }}" - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - - - name: "Create CSRs for Nomad servers" - vars: - nomad_csr_sans: >- - {%- set sans_list = [ - 'DNS:' + inventory_hostname, - 'DNS:localhost', - 'IP:' + api_interface_address, - 'IP:127.0.0.1' - ] -%} - {%- if nomad_enable_server -%} - {%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%} - {%- if (enable_consul | bool) -%} - {%- set _ = sans_list.append('DNS:nomad.service.consul') -%} - {%- endif -%} - {%- endif -%} - {%- if nomad_enable_client -%} - {%- set _ = sans_list.append('DNS:client.' 
~ nomad_region ~ '.nomad') -%} - {%- endif -%} - {{ sans_list }} - community.crypto.openssl_csr_pipe: - privatekey_path: "{{ nomad_private_key_path }}" - common_name: "{{ inventory_hostname }}" - subject_alt_name: "{{ nomad_csr_sans }}" - key_usage_critical: true - key_usage: - - Digital Signature - - Key Encipherment - extended_key_usage: - - TLS Web Server Authentication - - TLS Web Client Authentication - organization_name: EDNZ Cloud - use_common_name_for_san: false - register: nomad_csr - - - name: "Sign certificates with internal CA" - community.crypto.x509_certificate: - path: "{{ nomad_certificate_path }}" - csr_content: "{{ nomad_csr.csr }}" - provider: ownca - ownca_path: "{{ hashistack_ca_cert_path }}" - ownca_privatekey_path: "{{ hashistack_ca_key_path }}" - ownca_not_after: "+365d" - ownca_not_before: "-1d" - - - name: "Concatenate CA and Child certificates" - block: - - name: "Read content of ca.crt" - ansible.builtin.slurp: - src: "{{ hashistack_ca_cert_path }}" - register: ca_crt_content - - - name: "Read content of cert.pem" - ansible.builtin.slurp: - src: "{{ nomad_certificate_path }}" - register: cert_pem_content - - - name: "Concatenate certificates" - ansible.builtin.copy: - content: | - {{ cert_pem_content['content'] | b64decode }}{{ ca_crt_content['content'] | b64decode }} - dest: "{{ nomad_certificate_path }}" - owner: "{{ lookup('env', 'USER') }}" - group: "{{ lookup('env', 'USER') }}" - mode: "0644"
diff --git a/playbooks/inventory/multinode.ini b/playbooks/inventory/multinode.ini
index b57b61e..bf01735 100644
--- a/playbooks/inventory/multinode.ini
+++ b/playbooks/inventory/multinode.ini
@@ -33,6 +33,17 @@ nomad_clients [deployment] localhost ansible_connection=local +[consul:children] +consul_servers +consul_agents + +[nomad:children] +nomad_servers +nomad_clients + +[vault:children] +vault_servers + [common:children] haproxy_servers vault_servers
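Review bot: The `Create Certificate Authority` include runs `ednz_cloud.hashistack.hashistack_ca` with `apply: delegate_to: localhost` but without the `run_once: true` that the removed `Create internal CA` block carried, so the role now executes once per host in the play against the same control-host paths; unless the role is strictly idempotent on an already-existing CA key, hosts can race on or regenerate the CA material. Adding `run_once: true` to the include task (or inside the role) restores the previous guarantee. The removed tasks also produced the self-signed external certificates for `nomad_fqdn`, `vault_fqdn` and `consul_fqdn` and the per-service certificates with `ownca_not_after: "+365d"`, and the internal set was opt-in via `tags: [never, internal]`; this hunk has no replacement for any of that and the new include is tagged `always`, so confirm the role covers those outputs and writes private keys on the control host with a restrictive mode (the removed tasks set only owner/group on them). The enclosing play starts before this hunk.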
diff --git a/playbooks/tasks/consul/consul_agents.yml b/playbooks/tasks/consul/consul_agents.yml
index 5d3f446..ba7e5fa 100644
--- a/playbooks/tasks/consul/consul_agents.yml
+++ b/playbooks/tasks/consul/consul_agents.yml
@@ -3,4 +3,4 @@ block: - name: "Deploy Consul Agents" ansible.builtin.include_role: - name: ednz_cloud.hashicorp_consul + name: ednz_cloud.hashistack.consul
diff --git a/playbooks/tasks/consul/consul_control_plane.yml b/playbooks/tasks/consul/consul_control_plane.yml
index 21f8b2f..f309133 100644
--- a/playbooks/tasks/consul/consul_control_plane.yml
+++ b/playbooks/tasks/consul/consul_control_plane.yml
@@ -1,19 +1,19 @@ --- - name: "Consul control plane" block: - - name: "Include ednz_cloud.hashicorp_consul" + - name: "Include ednz_cloud.hashistack.consul" ansible.builtin.include_role: - name: ednz_cloud.hashicorp_consul + name: ednz_cloud.hashistack.consul - - name: "Wait for consul cluster to initialize" # noqa: run-once[task] + - name: "Consul | Wait for consul cluster to initialize" # noqa: run-once[task] block: - - name: "Wait for consul nodes to stabilize" + - name: "Consul | Wait for consul nodes to stabilize" ansible.builtin.wait_for: host: "{{ api_interface_address }}" port: "{{ consul_api_port[consul_api_scheme] }}" delay: 10 - - name: "Waiting for consul api to respond" + - name: "Consul | Waiting for consul api to respond" ansible.builtin.uri: url: "{{ consul_api_addr }}" validate_certs: no
@@ -25,7 +25,7 @@ delay: 5 register: uri_output - - name: "Initialize consul cluster" # noqa: run-once[task] + - name: "Consul | Initialize consul cluster" # noqa: run-once[task] community.general.consul_acl_bootstrap: bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}" host: "{{ api_interface_address }}"
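Review bot: The renamed `Consul | Waiting for consul api to respond` task still probes `consul_api_addr` with `validate_certs: no`, which this commit leaves in place. `no` is a YAML 1.1 boolean that yamllint's truthy rule flags, so at minimum write `validate_certs: false`; and since the commit introduces a CA role that issues the internal certificates, the readiness check could validate against that CA (`validate_certs: true` with `ca_path:` pointing at the CA certificate) when `consul_api_scheme` is https instead of accepting any certificate. The uri task's remaining parameters continue past the end of this hunk.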
@@ -35,16 +35,16 @@ register: _consul_init_secret when: - consul_init_server - - hashicorp_consul_configuration.acl.enabled + - consul_configuration.acl.enabled - - name: "Create consul agents token" + - name: "Consul | Create consul agents token" when: - consul_init_server - - hashicorp_consul_configuration.acl.enabled + - consul_configuration.acl.enabled block: - - name: "Create consul agents token" # noqa: run-once[task] no-handler + - name: "Consul | Create consul agents token" # noqa: run-once[task] no-handler block: - - name: "Create consul agent policy" + - name: "Consul | Create consul agent policy" community.general.consul_policy: token: "{{ _credentials.consul.root_token.secret_id }}" host: "{{ api_interface_address }}"
@@ -56,7 +56,7 @@ rules: "{{ consul_default_agent_policy }}" register: _consul_agent_policy - - name: "Create consul agents token" + - name: "Consul | Create consul agents token" community.general.consul_token: token: "{{ _credentials.consul.root_token.secret_id }}" host: "{{ api_interface_address }}"
@@ -69,10 +69,3 @@ - id: "{{ _consul_agent_policy.policy.ID }}" state: present register: _consul_agent_token - - - name: "Restart consul service" # noqa: no-handler - ansible.builtin.service: - name: "{{ hashicorp_consul_service_name }}" - state: restarted - throttle: 1 - when: _consul_agent_token.changed
diff --git a/playbooks/tasks/consul/consul_vars.yml b/playbooks/tasks/consul/consul_vars.yml
deleted file mode 100644
index fb593df..0000000
--- a/playbooks/tasks/consul/consul_vars.yml
+++ /dev/null
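Review bot: Removing `Restart consul service` in `@@ -69` leaves nothing in this file that restarts or reloads the agents after `Consul | Create consul agents token` issues a new token; `register: _consul_agent_token` is still set but, within this diff, no longer consumed, so a changed agent token only takes effect if the new `ednz_cloud.hashistack.consul` role handles the restart itself. If it does, a comment above the token task such as `# agent token is applied by the ednz_cloud.hashistack.consul role; no restart here` would keep the next reader from re-adding the task; if it does not, the restart needs to come back under the role's service name. The `no-handler` part of the noqa on the enclosing `Consul | Create consul agents token` block in `@@ -35` can likely be dropped now that the handler-like task is gone.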
@@ -1,67 +0,0 @@ ---- -# hashistack configuration merging for consul -- name: "Consul | Merge stringified configuration" - vars: - _config_to_merge: "{{ hashicorp_consul_configuration_string }}" - ansible.builtin.set_fact: - hashicorp_consul_configuration: "{{ - hashicorp_consul_configuration | - combine(_config_to_merge|from_yaml, recursive=true) - }}" - when: - - hashicorp_consul_configuration_string is defined - -- name: "Consul | Merge servers specific stringified configuration" - vars: - _config_to_merge: "{{ hashicorp_consul_servers_configuration_string }}" - ansible.builtin.set_fact: - hashicorp_consul_configuration: "{{ - hashicorp_consul_configuration | - combine(_config_to_merge|from_yaml, recursive=true) - }}" - when: - - hashicorp_consul_configuration_string is defined - - "'consul_servers' in group_names" - -- name: "Consul | Merge addresses configuration" - vars: - _config_to_merge: "{{ consul_address_configuration }}" - ansible.builtin.set_fact: - hashicorp_consul_configuration: "{{ - hashicorp_consul_configuration | - combine(_config_to_merge, recursive=true) - }}" - when: consul_address_configuration is defined - -- name: "Consul | Merge TLS configuration" - vars: - _config_to_merge: - tls: "{{ consul_tls_configuration }}" - ansible.builtin.set_fact: - hashicorp_consul_configuration: "{{ - hashicorp_consul_configuration | - combine(_config_to_merge, recursive=true) - }}" - when: consul_enable_tls - -- name: "Consul | Merge token configuration" - delegate_to: localhost - block: - - name: "Consul | Merge token configuration" - vars: - _config_to_merge: - acl: - tokens: - agent: "{{ _credentials.consul.tokens.agent.secret_id }}" - ansible.builtin.set_fact: - hashicorp_consul_configuration: "{{ hashicorp_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}" - -- name: "Consul | Merge extra configuration settings" - vars: - _config_to_merge: "{{ consul_extra_configuration }}" - ansible.builtin.set_fact: - 
hashicorp_consul_configuration: "{{ - hashicorp_consul_configuration | - combine(_config_to_merge, recursive=true) - }}" - when: consul_extra_configuration is defined
diff --git a/playbooks/tasks/misc/load_all_vars.yml b/playbooks/tasks/misc/load_all_vars.yml
deleted file mode 100644
index b77b930..0000000
--- a/playbooks/tasks/misc/load_all_vars.yml
+++ /dev/null
@@ -1,205 +0,0 @@ ---- -# hashistack variable injection playbook -- name: "Load global variables" - block: - - name: "Stat global configuration file" - ansible.builtin.stat: - path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}" - register: _global_config_file - delegate_to: localhost - - - name: "Make sure global configuration file exists" - ansible.builtin.assert: - that: - - _global_config_file.stat.exists - fail_msg: >- - Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it. - delegate_to: localhost - - - name: "Load global variables" - ansible.builtin.include_vars: - dir: "{{ configuration_directory }}" - files_matching: "{{ configuration_global_vars_file }}" - depth: 1 - delegate_to: localhost - -- name: "Load credentials variables" - block: - - name: "Stat credentials file" - ansible.builtin.stat: - path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}" - register: _credentials_file - delegate_to: localhost - - - name: "Stat vault credentials file" - ansible.builtin.stat: - path: "{{ sub_configuration_directories['secrets'] }}/vault.yml" - register: _vault_credentials_file - delegate_to: localhost - - - name: "Make sure credentials file exists" - ansible.builtin.assert: - that: - - _credentials_file.stat.exists - fail_msg: >- - Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it. 
- delegate_to: localhost - - - name: "Load credentials variables" - ansible.builtin.include_vars: - dir: "{{ sub_configuration_directories['secrets'] }}" - files_matching: "{{ configuration_credentials_vars_file }}" - depth: 1 - name: _credentials - delegate_to: localhost - - - name: "Load vault credentials if vault.yml exists" - ansible.builtin.include_vars: - dir: "{{ sub_configuration_directories['secrets'] }}" - files_matching: "vault.yml" - depth: 1 - name: _vault_credentials - when: _vault_credentials_file.stat.exists - delegate_to: localhost - - - name: "Merge vault credentials into _credentials" - vars: - _config_to_merge: - vault: "{{ _vault_credentials }}" - ansible.builtin.set_fact: - _credentials: "{{ _credentials | combine(_vault_credentials, recursive=true) }}" - when: _vault_credentials_file.stat.exists - delegate_to: localhost - -- name: "Load group specific variables" - block: - - name: "Stat group specific config file" - ansible.builtin.stat: - path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}" - register: _group_config_file - loop: "{{ group_names }}" - loop_control: - loop_var: group_name - - - name: Load group specific variables - ansible.builtin.include_vars: - dir: "{{ configuration_directory }}/{{ item.group_name }}" - files_matching: "{{ configuration_global_vars_file }}" - depth: 1 - loop: "{{ _group_config_file.results }}" - when: item.stat.exists - and item.group_name in group_names - loop_control: - loop_var: item - delegate_to: localhost - -- name: "Load host specific variables" - block: - - name: "Stat host specific config file" - ansible.builtin.stat: - path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}" - register: _host_config_file - loop: "{{ group_names }}" - loop_control: - loop_var: group_name - delegate_to: localhost - - - name: Load host specific variables - ansible.builtin.include_vars: - dir: "{{ configuration_directory 
}}/{{ item.group_name }}/{{ inventory_hostname }}" - files_matching: "{{ configuration_global_vars_file }}" - loop: "{{ _host_config_file.results }}" - when: item.stat.exists - loop_control: - loop_var: item - delegate_to: localhost - -- name: "Ensure remote directories exists" - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: root - group: root - mode: 0755 - loop: - - "{{ hashistack_remote_config_dir }}" - - "{{ hashistack_remote_data_dir }}" - -- name: "Load custom CA certificates" - block: - - name: "Check if CA directory exists" - ansible.builtin.stat: - path: "{{ sub_configuration_directories['certificates'] }}/ca" - register: _hashistack_ca_directory - delegate_to: localhost - - - name: "Find custom ca certificates to copy" - ansible.builtin.find: - paths: "{{ sub_configuration_directories['certificates'] }}/ca" - patterns: "*.crt" - register: _hashistack_cacert_files - delegate_to: localhost - when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir - - - name: "Ensure remote ca directory exists" - ansible.builtin.file: - path: "{{ hashistack_remote_config_dir }}/ca" - state: directory - owner: root - group: root - mode: 0755 - - - name: "Copy custom ca certificates" - ansible.builtin.copy: - src: "{{ item.path }}" - dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}" - owner: root - group: root - mode: 0644 - loop: "{{ _hashistack_cacert_files.files }}" - register: _hashistack_copied_ca - - - name: "Copy and update trust store" - block: - - name: "Copy ca certificates to /usr/loca/share/ca-certificates" - ansible.builtin.file: - state: link - src: "{{ item.dest }}" - dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}" - owner: root - group: root - loop: "{{ _hashistack_copied_ca.results }}" - register: _hashistack_usr_local_share_ca_certificates - - - name: "Update the trust store" - ansible.builtin.command: update-ca-certificates - changed_when: false 
- when: _hashistack_usr_local_share_ca_certificates.changed - - # - name: "Initialize list of CA certificates" - # ansible.builtin.set_fact: - # hashistack_cacert_extra_files: [] - # delegate_to: localhost - - # - name: "Add custom CA to list of extra certificates" - # ansible.builtin.set_fact: - # hashistack_cacert_extra_files: "{{ - # hashistack_cacert_extra_files | default([]) - # + [{'src': item.path, 'dest': '/etc/ssl/certs/hashistack-custom-' + item.path | basename}] }}" - # loop: "{{ _hashistack_cacert_files.files }}" - # delegate_to: localhost - # when: _hashistack_cacert_files.matched > 0 - -- name: "Merge consul configurations" - ansible.builtin.import_tasks: - file: "consul/consul_vars.yml" - when: - - enable_consul | bool - - "('consul_servers' in group_names) or ('consul_agents' in group_names)" - -- name: "Merge vault configurations" - ansible.builtin.import_tasks: - file: "vault/vault_vars.yml" - when: - - enable_vault | bool - - "'vault_servers' in group_names"
diff --git a/playbooks/tasks/misc/load_ca_certificates.yml b/playbooks/tasks/misc/load_ca_certificates.yml
deleted file mode 100644
index 892dd5c..0000000
--- a/playbooks/tasks/misc/load_ca_certificates.yml
+++ /dev/null
@@ -1,51 +0,0 @@ ---- -- name: "Check if CA directory exists" - ansible.builtin.stat: - path: "{{ sub_configuration_directories['certificates'] }}/ca" - register: _hashistack_ca_directory - delegate_to: localhost - -- name: "Find custom ca certificates to copy" - ansible.builtin.find: - paths: "{{ sub_configuration_directories['certificates'] }}/ca" - patterns: "*.crt" - register: _hashistack_cacert_files - delegate_to: localhost - when: _hashistack_ca_directory.stat.exists and _hashistack_ca_directory.stat.isdir - -- name: "Ensure remote ca directory exists" - ansible.builtin.file: - path: "{{ hashistack_remote_config_dir }}/ca" - state: directory - owner: root - group: root - mode: 0755 - -- name: "Copy custom ca certificates" - ansible.builtin.copy: - src: "{{ item.path }}" - dest: "{{ hashistack_remote_config_dir }}/ca/{{ item.path | basename }}" - owner: root - group: root - mode: 0644 - loop: "{{ _hashistack_cacert_files.files }}" - register: _hashistack_copied_ca - when: not _hashistack_cacert_files.skipped | default(False) - -- name: "Copy and update trust store" - when: not _hashistack_copied_ca.skipped | default(False) - block: - - name: "Copy ca certificates to /usr/local/share/ca-certificates" - ansible.builtin.file: - state: link - src: "{{ item.dest }}" - dest: "/usr/local/share/ca-certificates/hashistack-customca-{{ item.dest | basename }}" - owner: root - group: root - loop: "{{ _hashistack_copied_ca.results }}" - register: _hashistack_usr_local_share_ca_certificates - - - name: "Update the trust store" # noqa: no-handler - ansible.builtin.command: update-ca-certificates - changed_when: false - when: _hashistack_usr_local_share_ca_certificates.changed
diff --git a/playbooks/tasks/misc/load_credentials_vars.yml b/playbooks/tasks/misc/load_credentials_vars.yml
deleted file mode 100644
index 7c8980d..0000000
--- a/playbooks/tasks/misc/load_credentials_vars.yml
+++ /dev/null
@@ -1,46 +0,0 @@ ---- -- name: "Stat credentials file" - ansible.builtin.stat: - path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}" - register: _credentials_file - delegate_to: localhost - -- name: "Stat vault credentials file" - ansible.builtin.stat: - path: "{{ sub_configuration_directories['secrets'] }}/vault.yml" - register: _vault_credentials_file - delegate_to: localhost - -- name: "Make sure credentials file exists" - ansible.builtin.assert: - that: - - _credentials_file.stat.exists - fail_msg: >- - Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it. - delegate_to: localhost - -- name: "Load credentials variables" - ansible.builtin.include_vars: - dir: "{{ sub_configuration_directories['secrets'] }}" - files_matching: "{{ configuration_credentials_vars_file }}" - depth: 1 - name: _credentials - delegate_to: localhost - -- name: "Load vault credentials if vault.yml exists" - ansible.builtin.include_vars: - dir: "{{ sub_configuration_directories['secrets'] }}" - files_matching: "vault.yml" - depth: 1 - name: _vault_credentials - when: _vault_credentials_file.stat.exists - delegate_to: localhost - -- name: "Merge vault credentials into _credentials" - vars: - _config_to_merge: - vault: "{{ _vault_credentials }}" - ansible.builtin.set_fact: - _credentials: "{{ _credentials | combine(_config_to_merge, recursive=true) }}" - when: _vault_credentials_file.stat.exists - delegate_to: localhost
diff --git a/playbooks/tasks/misc/load_global_vars.yml b/playbooks/tasks/misc/load_global_vars.yml
deleted file mode 100644
index 54284d6..0000000
--- a/playbooks/tasks/misc/load_global_vars.yml
+++ /dev/null
@@ -1,28 +0,0 @@ ---- -- name: "Include all default variables" - ansible.builtin.include_vars: - dir: "../../group_vars/all" - depth: 1 - extensions: ["yml"] - delegate_to: localhost - -- name: "Stat global configuration file" - ansible.builtin.stat: - path: "{{ configuration_directory }}/{{ configuration_global_vars_file }}" - register: _global_config_file - delegate_to: localhost - -- name: "Make sure global configuration file exists" - ansible.builtin.assert: - that: - - _global_config_file.stat.exists - fail_msg: >- - Main configuration file {{ _global_config_file.stat.path }} was not found, cannot continue without it. - delegate_to: localhost - -- name: "Load global variables" - ansible.builtin.include_vars: - dir: "{{ configuration_directory }}" - files_matching: "{{ configuration_global_vars_file }}" - depth: 1 - delegate_to: localhost
diff --git a/playbooks/tasks/misc/load_group_vars.yml b/playbooks/tasks/misc/load_group_vars.yml
deleted file mode 100644
index d21a475..0000000
--- a/playbooks/tasks/misc/load_group_vars.yml
+++ /dev/null
@@ -1,20 +0,0 @@ ---- -- name: "Stat group specific config file" - ansible.builtin.stat: - path: "{{ configuration_directory }}/{{ group_name }}/{{ configuration_global_vars_file }}" - register: _group_config_file - loop: "{{ group_names }}" - loop_control: - loop_var: group_name - -- name: Load group specific variables - ansible.builtin.include_vars: - dir: "{{ configuration_directory }}/{{ item.group_name }}" - files_matching: "{{ configuration_global_vars_file }}" - depth: 1 - loop: "{{ _group_config_file.results }}" - when: item.stat.exists - and item.group_name in group_names - loop_control: - loop_var: item - delegate_to: localhost
diff --git a/playbooks/tasks/misc/load_host_vars.yml b/playbooks/tasks/misc/load_host_vars.yml
deleted file mode 100644
index c95c2b7..0000000
--- a/playbooks/tasks/misc/load_host_vars.yml
+++ /dev/null
@@ -1,19 +0,0 @@ ---- -- name: "Stat host specific config file" - ansible.builtin.stat: - path: "{{ configuration_directory }}/{{ group_name }}/{{ inventory_hostname }}/{{ configuration_global_vars_file }}" - register: _host_config_file - loop: "{{ group_names }}" - loop_control: - loop_var: group_name - delegate_to: localhost - -- name: Load host specific variables - ansible.builtin.include_vars: - dir: "{{ configuration_directory }}/{{ item.group_name }}/{{ inventory_hostname }}" - files_matching: "{{ configuration_global_vars_file }}" - loop: "{{ _host_config_file.results }}" - when: item.stat.exists - loop_control: - loop_var: item - delegate_to: localhost
diff --git a/playbooks/tasks/nomad/nomad_clients.yml b/playbooks/tasks/nomad/nomad_clients.yml
index cc64582..7cb8618 100644
--- a/playbooks/tasks/nomad/nomad_clients.yml
+++ b/playbooks/tasks/nomad/nomad_clients.yml
@@ -1,11 +1,15 @@ --- - name: "Nomad clients" block: - - name: "Install docker driver" + - name: "Nomad | Install docker driver" ansible.builtin.include_role: name: ednz_cloud.install_docker when: nomad_driver_enable_docker - - name: "Deploy Nomad Clients" + - name: "Include ednz_cloud.hashistack.cni" ansible.builtin.include_role: - name: ednz_cloud.hashicorp_nomad + name: ednz_cloud.hashistack.cni + + - name: "Nomad | Deploy Clients" + ansible.builtin.include_role: + name: ednz_cloud.hashistack.nomad
diff --git a/playbooks/tasks/nomad/nomad_control_plane.yml b/playbooks/tasks/nomad/nomad_control_plane.yml
index df7fdaf..da92dfd 100644
--- a/playbooks/tasks/nomad/nomad_control_plane.yml
+++ b/playbooks/tasks/nomad/nomad_control_plane.yml
@@ -1,7 +1,7 @@ --- - name: "Nomad control plane" block: - - name: "Create consul tokens for service registration" + - name: "Nomad | Create consul tokens for service registration" when: - nomad_init_server - enable_consul
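Review bot: `Include ednz_cloud.hashistack.cni` in nomad_clients.yml breaks the `Nomad | …` task-name prefix this commit introduces on its siblings (`Nomad | Install docker driver`, `Nomad | Deploy Clients`), and the two new include tasks in nomad_control_plane.yml (`@@ -67`) have the same inconsistency. Renaming them `Nomad | Include ednz_cloud.hashistack.cni` and `Nomad | Include ednz_cloud.hashistack.nomad` keeps the prefix usable for filtering play output. The cni include here is unconditional while the one in nomad_control_plane.yml is guarded by `when: nomad_enable_client`; that appears intentional given nomad_deploy.yml only imports this file for clients, but a one-line comment stating it would save the next reader the cross-check.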
@@ -11,9 +11,9 @@
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
block:
- - name: "Create server credentials"
+ - name: "Nomad | Create server credentials"
block:
- - name: "Create consul server policy"
+ - name: "Nomad | Create consul server policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
@@ -25,7 +25,7 @@
rules: "{{ nomad_consul_integration_server_policy }}"
register: _consul_nomad_server_policy
- - name: "Create consul server token" # noqa: no-handler
+ - name: "Nomad | Create consul server token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
@@ -39,9 +39,9 @@
state: present
when: _consul_nomad_server_policy.changed
- - name: "Create client credentials"
+ - name: "Nomad | Create client credentials"
block:
- - name: "Create consul client policy"
+ - name: "Nomad | Create consul client policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
@@ -53,7 +53,7 @@
rules: "{{ nomad_consul_integration_client_policy }}"
register: _consul_nomad_client_policy
- - name: "Create consul client token" # noqa: no-handler
+ - name: "Nomad | Create consul client token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
@@ -67,11 +67,16 @@
state: present
when: _consul_nomad_client_policy.changed
- - name: "Include ednz_cloud.hashicorp_nomad"
+ - name: "Include ednz_cloud.hashistack.cni"
ansible.builtin.include_role:
- name: ednz_cloud.hashicorp_nomad
+ name: ednz_cloud.hashistack.cni
+ when: nomad_enable_client
- - name: "Initialize nomad cluster" # noqa: run-once[task]
+ - name: "Include ednz_cloud.hashistack.nomad"
+ ansible.builtin.include_role:
+ name: ednz_cloud.hashistack.nomad
+
+ - name: "Nomad | Initialize nomad cluster" # noqa: run-once[task]
ednz_cloud.hashistack.nomad_acl_bootstrap:
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
api_url: "{{ nomad_api_addr }}"
@@ -79,4 +84,4 @@
register: _nomad_init_secret
when:
- nomad_init_server
- - hashicorp_nomad_configuration.acl.enabled
+ - nomad_configuration.acl.enabled
diff --git a/playbooks/tasks/nomad/nomad_deploy.yml b/playbooks/tasks/nomad/nomad_deploy.yml
index 64dfd8b..7bf78ba 100644
--- a/playbooks/tasks/nomad/nomad_deploy.yml
+++ b/playbooks/tasks/nomad/nomad_deploy.yml
@@ -5,7 +5,7 @@
ansible.builtin.import_tasks:
file: nomad_control_plane.yml
when:
- - "'nomad_servers' in group_names"
+ - nomad_enable_server
tags:
- nomad_servers
@@ -13,7 +13,7 @@
ansible.builtin.import_tasks:
file: nomad_clients.yml
when:
- - "'nomad_clients' in group_names"
- - "'nomad_servers' not in group_names"
+ - nomad_enable_client
+ - not nomad_enable_server
tags:
- nomad_clients
diff --git a/playbooks/tasks/nomad/nomad_vars.yml b/playbooks/tasks/nomad/nomad_vars.yml
deleted file mode 100644
index 522af01..0000000
--- a/playbooks/tasks/nomad/nomad_vars.yml
+++ /dev/null
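Review bot: The CNI role is now included in the control-plane tasks `when: nomad_enable_client`, but the docker driver install that nomad_clients.yml performs (`ednz_cloud.install_docker` under `nomad_driver_enable_docker`) has no counterpart next to it, and the nomad_deploy.yml hunk `@@ -13,7 +13,7 @@` skips nomad_clients.yml entirely on any host where `nomad_enable_server` is true. A host with both flags set would therefore get the CNI plugins but, unless the driver is installed elsewhere in nomad_control_plane.yml outside this hunk, no docker driver, which is a behaviour change from the old group-based conditions. Mirroring the install here, `- name: "Nomad | Install docker driver"` / `ansible.builtin.include_role: name: ednz_cloud.install_docker` / `when: nomad_enable_client and nomad_driver_enable_docker`, would close the gap; the enclosing `block:` of this task list starts before the hunk.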
@@ -1,125 +0,0 @@
----
-# hashistack configuration merging for nomad
-- name: "Nomad | Merge stringified configuration"
- vars:
- _config_to_merge: "{{ hashicorp_nomad_configuration_string }}"
- ansible.builtin.set_fact:
- hashicorp_nomad_configuration: "{{
- hashicorp_nomad_configuration |
- combine(_config_to_merge|from_yaml, recursive=true)
- }}"
- when:
- - hashicorp_nomad_configuration_string is defined
- - "'nomad_servers' in group_names"
-
-- name: "Nomad | Merge addresses configuration"
- vars:
- _config_to_merge: "{{ nomad_address_configuration }}"
- ansible.builtin.set_fact:
- hashicorp_nomad_configuration: "{{
- hashicorp_nomad_configuration |
- combine(_config_to_merge, recursive=true)
- }}"
- when: nomad_address_configuration is defined
-
-- name: "Nomad | Merge consul integration configuration"
- when:
- - enable_consul | bool
- - nomad_enable_consul_integration | bool
- block:
- - name: "Nomad | Merge consul tls configuration"
- when:
- - nomad_consul_integration_configuration.ssl is defined
- - nomad_consul_integration_configuration.ssl | bool
- block:
- - name: "Nomad | Merge consul default client configuration"
- vars:
- _config_to_merge: "{{ nomad_consul_integration_tls_configuration }}"
- ansible.builtin.set_fact:
- nomad_consul_integration_configuration: "{{
- nomad_consul_integration_configuration |
- combine(_config_to_merge, recursive=true)
- }}"
-
- - name: "Nomad | Merge consul configuration for nomad servers"
- when:
- - nomad_enable_server
- block:
- - name: "Nomad | Merge consul default server configuration"
- vars:
- _config_to_merge: "{{ nomad_consul_integration_server_configuration }}"
- ansible.builtin.set_fact:
- nomad_consul_integration_configuration: "{{
- nomad_consul_integration_configuration |
- combine(_config_to_merge, recursive=true)
- }}"
-
- - name: "Nomad | Merge consul configuration for nomad clients"
- when:
- - nomad_enable_client
- block:
- - name: "Nomad | Merge consul default client configuration"
- vars:
-
_config_to_merge: "{{ nomad_consul_integration_client_configuration }}"
- ansible.builtin.set_fact:
- nomad_consul_integration_configuration: "{{
- nomad_consul_integration_configuration |
- combine(_config_to_merge, recursive=true)
- }}"
-
- - name: "Nomad | Merge consul tls client configuration"
- vars:
- _config_to_merge: "{{ nomad_consul_integration_client_tls_configuration }}"
- ansible.builtin.set_fact:
- nomad_consul_integration_configuration: "{{
- nomad_consul_integration_configuration |
- combine(_config_to_merge, recursive=true)
- }}"
- when:
- - nomad_consul_integration_configuration.ssl is defined
- - nomad_consul_integration_configuration.ssl | bool
-
- - name: "Nomad | Merge consul block into main configuration"
- vars:
- _config_to_merge:
- consul: "{{ nomad_consul_integration_configuration }}"
- ansible.builtin.set_fact:
- hashicorp_nomad_configuration: "{{
- hashicorp_nomad_configuration |
- combine(_config_to_merge, recursive=true)
- }}"
-
-- name: "Nomad | Merge TLS configuration"
- vars:
- _config_to_merge:
- tls: "{{ nomad_tls_configuration }}"
- ansible.builtin.set_fact:
- hashicorp_nomad_configuration: "{{
- hashicorp_nomad_configuration |
- combine(_config_to_merge, recursive=true)
- }}"
- when: nomad_enable_tls
-
-- name: "Nomad | Merge plugin configuration"
- vars:
- _config_to_merge:
- plugin: "{{
- nomad_driver_configuration |
- combine(nomad_driver_extra_configuration, recursive=true)
- }}"
- ansible.builtin.set_fact:
- hashicorp_nomad_configuration: "{{
- hashicorp_nomad_configuration |
- combine(_config_to_merge, recursive=true)
- }}"
- when: "'nomad_clients' in group_names"
-
-- name: "Nomad | Merge extra configuration settings"
- vars:
- _config_to_merge: "{{ nomad_extra_configuration }}"
- ansible.builtin.set_fact:
- hashicorp_nomad_configuration: "{{
- hashicorp_nomad_configuration |
- combine(_config_to_merge, recursive=true)
- }}"
- when: nomad_extra_configuration is defined
diff --git a/playbooks/tasks/vault/vault_control_plane.yml b/playbooks/tasks/vault/vault_control_plane.yml
index 5246405..c0ace90 100644
--- a/playbooks/tasks/vault/vault_control_plane.yml
+++ b/playbooks/tasks/vault/vault_control_plane.yml
@@ -1,7 +1,7 @@
---
- name: "Vault control plane"
block:
- - name: "Create consul token for service registration"
+ - name: "Vault | Create consul token for service registration"
when:
- vault_init_server
- enable_consul
@@ -11,7 +11,7 @@
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
block:
- - name: "Create consul vault policy"
+ - name: "Vault | Create consul vault policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
@@ -23,7 +23,7 @@
rules: "{{ vault_service_registration_policy }}"
register: _consul_vault_policy
- - name: "Create consul vault token" # noqa: no-handler
+ - name: "Vault | Create consul vault token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
@@ -37,14 +37,19 @@
state: present
when: _consul_vault_policy.changed
- - name: "Include ednz_cloud.hashicorp_consul"
- ansible.builtin.include_role:
- name: ednz_cloud.hashicorp_vault
+ - name: "Vault | Stat vault secret file"
+ ansible.builtin.stat:
+ path: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
+ register: _vault_needs_early_unseal
- - name: "Initialize vault cluster" # noqa: run-once[task]
+ - name: "Include ednz_cloud.hashistack.vault"
+ ansible.builtin.include_role:
+ name: ednz_cloud.hashistack.vault
+
+ - name: "Vault | Initialize vault cluster" # noqa: run-once[task]
ednz_cloud.hashistack.vault_init:
- api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
- tls_verify: "{{ vault_tls_verify }}"
+ api_url: "{{ vault_configuration['api_addr'] }}"
+ tls_verify: false
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
retries: 5
@@ -53,10 +58,10 @@
until: not _vault_init_secret.failed
when: vault_init_server
- - name: "Write vault configuration to file" # noqa: run-once[task] no-handler
+ - name: "Vault | Write vault configuration to file" # noqa: run-once[task] no-handler
ansible.builtin.copy:
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
- dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
+ dest: "{{ hashistack_sub_configuration_directories.secrets }}/vault.yml"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
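Review bot: `tls_verify: false` is now hard-coded on the `vault_init` call, and on both `vault_unseal` calls in the next hunk `@@ -66,23 +71,25 @@`, replacing the `vault_tls_verify` variable, so certificate verification of the Vault API endpoint can no longer be turned on for the calls that submit the init request and the unseal key shares. Keeping it configurable while preserving the commit's default, `tls_verify: "{{ vault_tls_verify | default(false) }}"`, lets deployments that trust the CA verify the endpoint, and a one-line comment stating why verification is off by default would document the trade-off. The hunk also registers `_vault_needs_early_unseal` from the stat task, but nothing in this hunk reads it; if it is consumed further down the file, a comment naming where would help the next reader.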
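Review bot: The vault init state is written to `{{ hashistack_sub_configuration_directories.secrets }}/vault.yml` with `mode: "0644"`, so the file is readable by every local user, presumably on the controller, even though the later unseal tasks take their key material from `_credentials.vault['keys']`, which appears to be loaded from this file. Tightening the mode to `mode: "0600"` matches the sensitivity of the content; adding `no_log: true` to the copy task would also keep the rendered `content:` out of `--diff` and verbose run output. The task's trailing keys (the `delegate_to` seen at the start of the next hunk) are outside this hunk.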
@@ -66,23 +71,25 @@
delegate_to: localhost
- name: "Load vault cluster variables necessary for unseal operation"
- ansible.builtin.import_tasks:
- file: ../misc/load_credentials_vars.yml
+ ansible.builtin.import_role:
+ name: ednz_cloud.hashistack.hashistack
+ vars:
+ hashistack_only_load_credentials: true
- - name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
+ - name: "Vault | Unseal the bootstrap node" # noqa: run-once[task] no-handler
ednz_cloud.hashistack.vault_unseal:
- api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
- tls_verify: "{{ vault_tls_verify }}"
+ api_url: "{{ vault_configuration['api_addr'] }}"
+ tls_verify: false
key_shares: "{{ _credentials.vault['keys'] }}"
when:
- vault_init_server
- _vault_init_secret.changed
register: _vault_unseal_secret
- - name: "Unseal all vault nodes"
+ - name: "Vault | Unseal all vault nodes"
ednz_cloud.hashistack.vault_unseal:
- api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
- tls_verify: "{{ vault_tls_verify }}"
+ api_url: "{{ vault_configuration['api_addr'] }}"
+ tls_verify: false
key_shares: "{{ _credentials.vault['keys'] }}"
retries: 5
delay: 5
diff --git a/playbooks/tasks/vault/vault_vars.yml b/playbooks/tasks/vault/vault_vars.yml
deleted file mode 100644
index 6a5758b..0000000
--- a/playbooks/tasks/vault/vault_vars.yml
+++ /dev/null
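Review bot: The task `"Load vault cluster variables necessary for unseal operation"` is the only one in this hunk left without the `Vault | ` prefix the commit applies to its neighbours; `- name: "Vault | Load vault cluster variables necessary for unseal operation"` keeps the naming uniform. Since this task now re-imports the whole `ednz_cloud.hashistack.hashistack` role with `hashistack_only_load_credentials: true` rather than a dedicated task file, a comment such as `# re-read the secrets written by the copy task above so _credentials.vault is current before unsealing` would make the ordering dependency on the preceding write explicit, assuming that is indeed what the flag does. The `tls_verify: false` change on both unseal calls here is covered by the note on the previous hunk.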
@@ -1,51 +0,0 @@
----
-# hashistack configuration merging for vault
-- name: "Vault | Merge listener configuration"
- ansible.builtin.set_fact:
- vault_listener_configuration: "{{
- vault_listener_configuration |
- combine((vault_enable_tls | bool) | ternary(vault_tls_listener_configuration, {}), recursive=True) |
- combine(vault_extra_listener_configuration | default({}), recursive=True)
- }}"
-
-- name: "Vault | Merge service registration configuration"
- vars:
- _config_to_merge:
- service_registration: "{{ vault_service_registration_configuration }}"
- ansible.builtin.set_fact:
- hashicorp_vault_configuration: "{{
- hashicorp_vault_configuration |
- combine(_config_to_merge)
- }}"
- when: vault_enable_service_registration
-
-- name: "Vault | Merge plugins configuration"
- vars:
- _config_to_merge:
- plugin_directory: "{{ vault_plugin_directory }}"
- ansible.builtin.set_fact:
- hashicorp_vault_configuration: "{{
- hashicorp_vault_configuration |
- combine(_config_to_merge)
- }}"
- when: vault_enable_plugins
-
-- name: "Vault | Merge logging configuration"
- vars:
- _config_to_merge: "{{ vault_logging_configuration }}"
- ansible.builtin.set_fact:
- hashicorp_vault_configuration: "{{
- hashicorp_vault_configuration |
- combine(_config_to_merge)
- }}"
- when: vault_enable_log_to_file
-
-- name: "Vault | Merge extra configuration settings"
- vars:
- _config_to_merge: "{{ vault_extra_configuration }}"
- ansible.builtin.set_fact:
- hashicorp_vault_configuration: "{{
- hashicorp_vault_configuration |
- combine(_config_to_merge)
- }}"
- when: vault_extra_configuration is defined