Bertrand Lanson
2b8faa2bf5
All checks were successful
development / Check commit compliance (push) Successful in 5s
127 lines
3.2 KiB
YAML
127 lines
3.2 KiB
YAML
---
|
|
vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}"
|
|
|
|
#########
|
|
# Vault #
|
|
#########
|
|
|
|
vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
|
|
vault_data_dir: "/opt/vault"
|
|
vault_certs_dir: "{{ vault_config_dir }}/tls"
|
|
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
|
|
|
|
vault_extra_files: true
|
|
# vault_extra_files_list: []
|
|
|
|
vault_env_variables: {}
|
|
|
|
#######################
|
|
# extra configuration #
|
|
#######################
|
|
|
|
# You should prioritize adding configuration
|
|
# to the configuration entries below, this
|
|
# option should be used to add pieces of configuration not
|
|
# available through standard variables.
|
|
|
|
# vault_extra_configuration: {}
|
|
|
|
###########
|
|
# general #
|
|
###########
|
|
|
|
# vault_cluster_name: vault
|
|
# vault_bind_addr: "0.0.0.0"
|
|
# vault_cluster_addr: "{{ api_interface_address }}"
|
|
# vault_enable_ui: true
|
|
# vault_disable_mlock: false
|
|
# vault_disable_cache: false
|
|
|
|
######################
|
|
# seal configuration #
|
|
######################
|
|
|
|
vault_seal_configuration:
|
|
key_shares: 3
|
|
key_threshold: 2
|
|
|
|
#########################
|
|
# storage configuration #
|
|
#########################
|
|
|
|
vault_storage_configuration:
|
|
raft:
|
|
path: "{{ vault_data_dir }}"
|
|
node_id: "{{ ansible_hostname }}"
|
|
retry_join: >-
|
|
[
|
|
{% for host in groups['vault_servers'] %}
|
|
{
|
|
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
|
|
}{% if not loop.last %},{% endif %}
|
|
{% endfor %}
|
|
]
|
|
|
|
##########################
|
|
# listener configuration #
|
|
##########################
|
|
|
|
# vault_enable_tls: false
|
|
vault_listener_configuration:
|
|
- tcp:
|
|
address: "{{ vault_cluster_addr }}:8200"
|
|
tls_disable: true
|
|
|
|
vault_tls_listener_configuration:
|
|
- tcp:
|
|
tls_disable: false
|
|
tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
|
|
tls_key_file: "{{ vault_certs_dir }}/cert.key"
|
|
tls_disable_client_certs: true
|
|
|
|
vault_certificates_extra_files_dir: >
|
|
{{
|
|
[] if external_tls_externally_managed_certs | bool else
|
|
[{
|
|
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
|
|
'dest': "{{ vault_certs_dir }}"
|
|
}]
|
|
}}
|
|
|
|
vault_extra_listener_configuration: []
|
|
|
|
########################
|
|
# service registration #
|
|
########################
|
|
|
|
# vault_enable_service_registration: "{{ enable_consul | bool }}"
|
|
vault_service_registration_configuration:
|
|
consul:
|
|
address: >-
|
|
127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
|
|
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
|
|
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
|
|
|
|
vault_service_registration_policy: |
|
|
service "vault" {
|
|
policy = "write"
|
|
}
|
|
|
|
#########################
|
|
# plugins configuration #
|
|
#########################
|
|
|
|
# vault_enable_plugins: false
|
|
vault_plugins_directory: "{{ vault_config_dir }}/plugins"
|
|
|
|
#################
|
|
# vault logging #
|
|
#################
|
|
|
|
# vault_log_level: info
|
|
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
|
|
vault_log_to_file_configuration:
|
|
log_file: "{{ vault_logs_dir }}/vault.log"
|
|
log_rotate_duration: 24h
|
|
log_rotate_max_files: 30
|