--- vault_init_server: "{{ (inventory_hostname == groups['vault_servers'][0]) | bool }}" ######### # Vault # ######### vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d" vault_data_dir: "/opt/vault" vault_certs_dir: "{{ vault_config_dir }}/tls" vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault" vault_extra_files: true # vault_extra_files_list: [] vault_env_variables: {} ####################### # extra configuration # ####################### # You should prioritize adding configuration # to the configuration entries below, this # option should be used to add pieces of configuration not # available through standard variables. # vault_extra_configuration: {} ########### # general # ########### # vault_cluster_name: vault # vault_bind_addr: "0.0.0.0" # vault_cluster_addr: "{{ api_interface_address }}" # vault_enable_ui: true # vault_disable_mlock: false # vault_disable_cache: false ###################### # seal configuration # ###################### vault_seal_configuration: key_shares: 3 key_threshold: 2 ######################### # storage configuration # ######################### vault_storage_configuration: raft: path: "{{ vault_data_dir }}" node_id: "{{ ansible_hostname }}" retry_join: >- [ {% for host in groups['vault_servers'] %} { 'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200' }{% if not loop.last %},{% endif %} {% endfor %} ] ########################## # listener configuration # ########################## # vault_enable_tls: false vault_listener_configuration: - tcp: address: "{{ vault_cluster_addr }}:8200" tls_disable: true vault_tls_listener_configuration: - tcp: tls_disable: false tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt" tls_key_file: "{{ vault_certs_dir }}/cert.key" tls_disable_client_certs: true vault_certificates_extra_files_dir: > {{ [] if external_tls_externally_managed_certs | bool else [{ 'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}", 'dest': "{{ vault_certs_dir }}" }] }} vault_extra_listener_configuration: [] ######################## # service registration # ######################## # vault_enable_service_registration: "{{ enable_consul | bool }}" vault_service_registration_configuration: consul: address: >- 127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }} scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}" token: "{{ _credentials.consul.tokens.vault.secret_id }}" vault_service_registration_policy: | service "vault" { policy = "write" } ######################### # plugins configuration # ######################### # vault_enable_plugins: false vault_plugins_directory: "{{ vault_config_dir }}/plugins" ################# # vault logging # ################# # vault_log_level: info vault_enable_log_to_file: "{{ enable_log_to_file | bool }}" vault_log_to_file_configuration: log_file: "{{ vault_logs_dir }}/vault.log" log_rotate_duration: 24h log_rotate_max_files: 30