hashistack/playbooks/group_vars/all/vault.yml
Bertrand Lanson dc096e497d
All checks were successful
development / Check commit compliance (push) Successful in 32s
pull-requests-open / Check commit compliance (pull_request) Successful in 33s
feat: redirect to wiki and add assets
2024-08-29 20:13:45 +02:00

125 lines
3.1 KiB
YAML

---
#########
# Vault #
#########
vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
vault_data_dir: "/opt/vault"
vault_certs_dir: "{{ vault_config_dir }}/tls"
vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
vault_extra_files: true
# vault_extra_files_list: []
vault_env_variables: {}
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
# vault_extra_configuration: {}
###########
# general #
###########
# vault_cluster_name: vault
# vault_bind_addr: "0.0.0.0"
# vault_cluster_addr: "{{ api_interface_address }}"
# vault_enable_ui: true
# vault_disable_mlock: false
# vault_disable_cache: false
######################
# seal configuration #
######################
vault_seal_configuration:
key_shares: 3
key_threshold: 2
#########################
# storage configuration #
#########################
vault_storage_configuration:
raft:
path: "{{ vault_data_dir }}"
node_id: "{{ ansible_hostname }}"
retry_join: >-
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
##########################
# listener configuration #
##########################
# vault_enable_tls: false
vault_listener_configuration:
- tcp:
address: "{{ vault_cluster_addr }}:8200"
tls_disable: true
vault_tls_listener_configuration:
- tcp:
tls_disable: false
tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
tls_key_file: "{{ vault_certs_dir }}/cert.key"
tls_disable_client_certs: true
vault_certificates_extra_files_dir: >
{{
[] if external_tls_externally_managed_certs | bool else
[{
'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
'dest': "{{ vault_certs_dir }}"
}]
}}
vault_extra_listener_configuration: []
########################
# service registration #
########################
# vault_enable_service_registration: "{{ enable_consul | bool }}"
vault_service_registration_configuration:
consul:
address: >-
127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
token: "{{ _credentials.consul.tokens.vault.secret_id }}"
vault_service_registration_policy: |
service "vault" {
policy = "write"
}
#########################
# plugins configuration #
#########################
# vault_enable_plugins: false
vault_plugins_directory: "{{ vault_config_dir }}/plugins"
#################
# vault logging #
#################
# vault_log_level: info
vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
vault_log_to_file_configuration:
log_file: "{{ vault_logs_dir }}/vault.log"
log_rotate_duration: 24h
log_rotate_max_files: 30