# 📃 Role overview

## vault

Description: Install and configure HashiCorp Vault on Debian-based distributions.

Field | Value |
---|---|
Readme update | 26/08/2024 |
## Defaults

These are static variables with lower priority.

File: defaults/main.yml

Var | Type | Value | Required | Title |
---|---|---|---|---|
vault_version | str | latest | n/a | n/a |
vault_start_service | bool | True | n/a | n/a |
vault_config_dir | str | /etc/vault.d | n/a | n/a |
vault_data_dir | str | /opt/vault | n/a | n/a |
vault_certs_dir | str | {{ vault_config_dir }}/tls | n/a | n/a |
vault_logs_dir | str | /var/log/vault | n/a | n/a |
vault_extra_files | bool | False | n/a | n/a |
vault_extra_files_list | list | [] | n/a | n/a |
vault_env_variables | dict | {} | n/a | n/a |
vault_extra_configuration | dict | {} | n/a | n/a |
vault_cluster_name | str | vault | n/a | n/a |
vault_bind_addr | str | 0.0.0.0 | n/a | n/a |
vault_cluster_addr | str | {{ ansible_default_ipv4.address }} | n/a | n/a |
vault_enable_ui | bool | True | n/a | n/a |
vault_disable_mlock | bool | False | n/a | n/a |
vault_disable_cache | bool | False | n/a | n/a |
vault_storage_configuration | dict | {'file': {'path': '{{ vault_data_dir }}'}} | n/a | n/a |
vault_enable_tls | bool | False | n/a | n/a |
vault_listener_configuration | list | [{'tcp': {'address': '{{ vault_cluster_addr }}:8200', 'tls_disable': True}}] | n/a | n/a |
vault_tls_listener_configuration | list | [{'tcp': {'tls_disable': False, 'tls_cert_file': '{{ vault_certs_dir }}/cert.pem', 'tls_key_file': '{{ vault_certs_dir }}/key.pem', 'tls_disable_client_certs': True}}] | n/a | n/a |
vault_certificates_extra_files_dir | list | [] | n/a | n/a |
vault_extra_listener_configuration | list | [] | n/a | n/a |
vault_enable_service_registration | bool | False | n/a | n/a |
vault_service_registration_configuration | dict | {'consul': {'address': '127.0.0.1:8500', 'scheme': 'http', 'token': ''}} | n/a | n/a |
vault_enable_plugins | bool | False | n/a | n/a |
vault_plugins_directory | str | {{ vault_config_dir }}/plugins | n/a | n/a |
vault_log_level | str | info | n/a | n/a |
vault_enable_log_to_file | bool | False | n/a | n/a |
vault_log_to_file_configuration | dict | {'log_file': '{{ vault_logs_dir }}/vault.log', 'log_rotate_duration': '24h', 'log_rotate_max_files': 30} | n/a | n/a |
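The defaults above are convenient for a lab but weak for a real deployment: `vault_version` resolves to `latest` at run time, the default listener in `vault_listener_configuration` carries `tls_disable: True`, and the Consul registration block ships with an empty `token`. The playbook below is an added example (not part of the generated README or the role itself) showing how these defaults are overridden; the role name `ROLE_NAMESPACE.vault`, the inventory group `vault_servers` and the pinned version are placeholders, and it assumes `cert.pem` and `key.pem` have already been placed under `vault_certs_dir` on the host.

```yaml
# Added example playbook; not shipped with the role.
# Placeholders: ROLE_NAMESPACE.vault (role name as installed), vault_servers
# (inventory group), and the pinned release number.
- name: Install Vault with a pinned release, TLS listener and file logging
  hosts: vault_servers
  become: true
  vars:
    # Pin the release instead of the default "latest", which the role
    # resolves through the GitHub API on every run. The role still downloads
    # and parses the published checksum file before unpacking the archive,
    # but pinning keeps deployments reproducible and reviewable.
    vault_version: "1.17.0"   # placeholder: use the release you have reviewed

    # The default listener sets tls_disable: True. With vault_enable_tls the
    # role's merge_variables.yml merges vault_tls_listener_configuration,
    # which points at {{ vault_certs_dir }}/cert.pem and key.pem.
    vault_enable_tls: true

    # Keep the mlock protection (the role default) so Vault can keep its
    # memory from being swapped to disk.
    vault_disable_mlock: false

    # Write the server log to {{ vault_logs_dir }}/vault.log using the role's
    # default rotation (24h, 30 files) so it can be shipped to a collector.
    vault_enable_log_to_file: true

    # Leave Consul service registration off unless it is needed. If you do
    # enable it, supply the token from an encrypted variable rather than the
    # empty string in vault_service_registration_configuration.
    vault_enable_service_registration: false
  roles:
    - role: ROLE_NAMESPACE.vault
```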
## Vars

These are variables with higher priority.

File: vars/main.yml

Var | Type | Value | Required | Title |
---|---|---|---|---|
vault_user | str | vault | n/a | n/a |
vault_group | str | vault | n/a | n/a |
vault_binary_path | str | /usr/local/bin/vault | n/a | n/a |
vault_deb_architecture_map | dict | {'x86_64': 'amd64', 'aarch64': 'arm64', 'armv7l': 'arm', 'armv6l': 'arm'} | n/a | n/a |
vault_architecture | str | {{ vault_deb_architecture_map[ansible_architecture] \| default(ansible_architecture) }} | n/a | n/a |
vault_service_name | str | vault | n/a | n/a |
vault_github_api | str | https://api.github.com/repos | n/a | n/a |
vault_github_project | str | hashicorp/vault | n/a | n/a |
vault_github_url | str | https://github.com | n/a | n/a |
vault_repository_url | str | https://releases.hashicorp.com/vault | n/a | n/a |
vault_configuration | dict | {'cluster_name': '{{ vault_cluster_name }}', 'cluster_addr': "{{ 'https' if vault_enable_tls else 'http'}}://{{ vault_cluster_addr }}:8201", 'api_addr': "{{ 'https' if vault_enable_tls else 'http'}}://{{ vault_cluster_addr }}:8200", 'ui': '{{ vault_enable_ui }}', 'disable_mlock': '{{ vault_disable_mlock }}', 'disable_cache': '{{ vault_disable_cache }}', 'listener': '{{ vault_listener_configuration }}', 'storage': '{{ vault_storage_configuration }}'} | n/a | n/a |
## Tasks

File: tasks/recursive_copy_extra_dirs.yml

Name | Module | Has Conditions |
---|---|---|
Vault \| Ensure destination directory exists | ansible.builtin.file | False |
Vault \| Create extra directory sources | ansible.builtin.file | True |
Vault \| Template extra directory sources | ansible.builtin.template | True |

File: tasks/merge_variables.yml

Name | Module | Has Conditions |
---|---|---|
Vault \| Merge listener configuration | block | False |
Vault \| Merge tls listener configuration | vars | True |
Vault \| Merge extra listener configuration | vars | False |
Vault \| Add certificates directory to extra_files_dir | ansible.builtin.set_fact | False |
Vault \| Merge service registration configuration | vars | True |
Vault \| Merge plugins configuration | vars | True |
Vault \| Merge logging configuration | vars | True |
Vault \| Merge extra configuration settings | vars | True |

File: tasks/main.yml

Name | Module | Has Conditions |
---|---|---|
Vault \| Set reload-check & restart-check variable | ansible.builtin.set_fact | False |
Vault \| Import merge_variables.yml | ansible.builtin.include_tasks | False |
Vault \| Import prerequisites.yml | ansible.builtin.include_tasks | False |
Vault \| Import install.yml | ansible.builtin.include_tasks | False |
Vault \| Import configure.yml | ansible.builtin.include_tasks | False |
Vault \| Populate service facts | ansible.builtin.service_facts | False |
Vault \| Set restart-check variable | ansible.builtin.set_fact | True |
Vault \| Enable service: {{ vault_service_name }} | ansible.builtin.service | False |
Vault \| Reload systemd daemon | ansible.builtin.systemd | True |
Vault \| Start service: {{ vault_service_name }} | ansible.builtin.service | True |

File: tasks/install.yml

Name | Module | Has Conditions |
---|---|---|
Vault \| Get latest release of vault | block | True |
Vault \| Get latest vault release from github api | ansible.builtin.uri | False |
Vault \| Set wanted vault version to latest tag | ansible.builtin.set_fact | False |
Vault \| Set wanted vault version to {{ vault_version }} | ansible.builtin.set_fact | True |
Vault \| Get current vault version | block | False |
Vault \| Stat vault version file | ansible.builtin.stat | False |
Vault \| Get current vault version | ansible.builtin.slurp | True |
Vault \| Download and install vault binary | block | True |
Vault \| Set vault package name to download | ansible.builtin.set_fact | False |
Vault \| Download checksum file for vault archive | ansible.builtin.get_url | False |
Vault \| Extract correct checksum from checksum file | ansible.builtin.command | False |
Vault \| Parse the expected checksum | ansible.builtin.set_fact | False |
Vault \| Download vault binary archive | ansible.builtin.get_url | False |
Vault \| Create temporary directory for archive decompression | ansible.builtin.file | False |
Vault \| Unpack vault archive | ansible.builtin.unarchive | False |
Vault \| Copy vault binary to {{ vault_binary_path }} | ansible.builtin.copy | False |
Vault \| Update vault version file | ansible.builtin.copy | False |
Vault \| Set restart-check variable | ansible.builtin.set_fact | False |
Vault \| Cleanup temporary directory | ansible.builtin.file | False |
Vault \| Copy systemd service file for vault | ansible.builtin.template | False |
Vault \| Set reload-check & restart-check variable | ansible.builtin.set_fact | True |
Vault \| Copy systemd service file for vault | ansible.builtin.template | False |

File: tasks/prerequisites.yml

Name | Module | Has Conditions |
---|---|---|
Vault \| Create group {{ vault_group }} | ansible.builtin.group | False |
Vault \| Create user {{ vault_user }} | ansible.builtin.user | False |
Vault \| Create directory {{ vault_config_dir }} | ansible.builtin.file | False |
Vault \| Create directory {{ vault_data_dir }} | ansible.builtin.file | False |
Vault \| Create directory {{ vault_certs_dir }} | ansible.builtin.file | False |
Vault \| Create directory {{ vault_logs_dir }} | ansible.builtin.file | True |

File: tasks/configure.yml

Name | Module | Has Conditions |
---|---|---|
Vault \| Create vault.env | ansible.builtin.template | False |
Vault \| Copy vault.json template | ansible.builtin.template | False |
Vault \| Set restart-check variable | ansible.builtin.set_fact | True |
Vault \| Copy extra configuration files | block | True |
Vault \| Get extra file types | ansible.builtin.stat | False |
Vault \| Set list for file sources | vars | True |
Vault \| Set list for directory sources | vars | True |
Vault \| Template extra file sources | ansible.builtin.template | True |
Vault \| Template extra directory sources | ansible.builtin.include_tasks | True |
## Author Information

Bertrand Lanson

## License

license (BSD, MIT)

## Minimum Ansible Version

2.10

## Platforms

- Ubuntu: ['focal', 'jammy', 'noble']
- Debian: ['bullseye', 'bookworm']