hcp-ansible/playbooks/group_vars/all.yml

288 lines
7.6 KiB
YAML

---
##########################
# General options ########
##########################
enable_vault: "yes"
enable_consul: "yes"
enable_nomad: "no"
nomad_version: latest
consul_version: latest
vault_version: latest
deployment_method: "host"
api_interface: "eth0"
api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
##########################
# Helper options #########
##########################
vault_versions:
host: "{{ vault_version }}{% '*' if vault_version != 'latest' %}"
docker: "{{ vault_version }}"
consul_versions:
host: "{{ consul_version }}{% '*' if consul_version != 'latest' %}"
docker: "{{ consul_version }}"
nomad_versions:
host: "{{ nomad_version }}{% '*' if nomad_version != 'latest' %}"
docker: "{{ nomad_version }}"
configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
sub_configuration_directories:
nomad_servers: "{{ configuration_directory }}/nomad_servers"
vault_servers: "{{ configuration_directory }}/vault_servers"
consul_servers: "{{ configuration_directory }}/consul_servers"
configuration_global_vars_file: "globals.yml"
default_container_extra_volumes:
- "/etc/timezone:/etc/timezone"
- "/etc/localtime:/etc/localtime"
#################
# Support options
#################
hashistack_supported_distributions:
- ubuntu
- debian
hashistack_supported_distribution_versions:
debian:
- "11"
- "12"
ubuntu:
- "20.04"
- "22.04"
preflight_enable_host_ntp_checks: true
vault_required_ports: [8200, 8201]
consul_required_ports: [8300, 8301, 8302, 8500, 8501, 8502, 8503, 8600]
nomad_required_ports: []
##########################
# Nomad options ##########
##########################
hashi_nomad_cni_plugins_install: true
hashi_nomad_start_service: true
hashi_nomad_cni_plugins_version: latest
hashi_nomad_cni_plugins_install_path: /opt/cni/bin
hashi_nomad_version: latest
hashi_nomad_deploy_method: host # deployment method, either host or docker
hashi_nomad_env_variables: {}
hashi_nomad_data_dir: /opt/nomad
hashi_nomad_extra_files: false
hashi_nomad_extra_files_src: /tmp/extra_files
hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
hashi_nomad_configuration: {}
##########################
# Consul options #########
##########################
consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: dc1
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
consul_enable_script_checks: true
##############################
# consul address configuration
##############################
consul_address_configuration:
# The address to which Consul will bind client interfaces,
# including the HTTP and DNS servers.
client_addr: "0.0.0.0"
# The address that should be bound to for internal cluster communications.
bind_addr: "{{ api_interface_address }}"
# The advertise address is used to change the address that we advertise to other nodes in the cluster.
advertise_addr: "{{ api_interface_address }}"
##########################
# consul ACL configuration
##########################
consul_acl_configuration:
enabled: true
default_policy: "deny" # can be allow or deny
enable_token_persistence: true
#####################
# extra configuration
#####################
consul_extra_configuration: {}
##########################
# consul DNS configuration
##########################
consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
hashi_consul_start_service: true
hashi_consul_version: latest
hashi_consul_deploy_method: "{{ deployment_method }}"
hashi_consul_env_variables: {}
hashi_cosul_config_dir: "/etc/consul.d"
hashi_consul_data_dir: "/opt/consul"
hashi_consul_extra_files: false
hashi_consul_extra_files_src: "{{ sub_configuration_directories.consul_servers }}/config"
hashi_consul_extra_files_dst: "{{ hashi_consul_config_dir }}/config"
hashi_consul_envoy_install: false
hashi_consul_envoy_version: latest
hashi_consul_configuration:
domain: "{{ consul_domain }}"
datacenter: "{{ consul_datacenter }}"
primary_datacenter: "{{ consul_primary_datacenter }}"
data_dir: "{{ hashi_consul_data_dir }}"
encrypt: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
server: "{{ 'consul_servers' in group_names }}"
retry_join: "{{
groups['consul_servers'] |
map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
list |
to_json |
from_json
}}"
ui_config:
enabled: true
connect:
enabled: false
leave_on_terminate: true
rejoin_after_leave: true
enable_script_checks: true
enable_syslog: true
log_level: INFO
acl: "{{ consul_acl_configuration }}"
dns_config: "{{ consul_dns_configuration }}"
ports:
dns: 8600
http: 8500
https: -1
grpc: 8502
grpc_tls: 8503
server: 8300
serf_lan: 8301
serf_wan: 8302
sidecar_min_port: 21000
sidecar_max_port: 21255
expose_min_port: 21500
expose_max_port: 21755
# this is used to circumvent jinja limitation to convert string to integer
hashi_consul_configuration_string: |
bootstrap_expect: {{ (groups['consul_servers'] | length) }}
##########################
# Vault options ##########
##########################
vault_cluster_name: vault
vault_enable_ui: true
vault_seal_configuration:
key_shares: 3
key_threshold: 2
#########
# storage
#########
vault_storage_configuration:
raft:
path: "{{ hashi_vault_data_dir }}/data"
node_id: "{{ ansible_hostname }}"
retry_join: |
[
{% for host in groups['vault_servers'] %}
{
'leader_api_addr': 'http://{{ hostvars[host].api_interface_address }}:8200'
}{% if not loop.last %},{% endif %}
{% endfor %}
]
##########
# listener
##########
vault_enable_tls: false
vault_listener_configuration:
tcp:
address: "0.0.0.0:8200"
tls_disable: true
vault_tls_listener_configuration:
tcp:
tls_disable: false
tls_cert_file: "{{ hashi_vault_extra_files_dst }}/tls/cert.pem"
tls_key_file: "{{ hashi_vault_extra_files_dst }}/tls/key.pem"
vault_extra_listener_configuration: {}
######################
# service registration
######################
vault_enable_service_registration: false
vault_service_registration_configuration:
consul:
address: "127.0.0.1:8500"
scheme: "http"
#########
# plugins
#########
vault_enable_plugins: true
vault_plugin_directory: "{{ hashi_vault_extra_files_dst }}/plugin"
#########
# logging
#########
vault_enable_log_to_file: false
vault_logging_configuration:
log_level: info
log_format: standard
log_rotate_duration: 24h
log_rotate_max_files: 30
#########################
# vault container volumes
#########################
extra_vault_container_volumes: []
#####################
# extra configuration
#####################
vault_extra_configuration: {}
###############
# configuration
###############
hashi_vault_start_service: true
hashi_vault_version: latest
hashi_vault_deploy_method: "{{ deployment_method }}"
hashi_vault_env_variables: {}
hashi_vault_config_dir: "/etc/vault.d"
hashi_vault_data_dir: "/opt/vault"
hashi_vault_extra_files: true
hashi_vault_extra_files_src: "{{ sub_configuration_directories.vault_servers }}/config"
hashi_vault_extra_files_dst: "{{ hashi_vault_config_dir }}/config"
hashi_vault_extra_container_volumes: "{{ default_container_extra_volumes | union(extra_vault_container_volumes) | unique }}"
hashi_vault_configuration:
cluster_name: "{{ vault_cluster_name }}"
cluster_addr: "http://{{ api_interface_address }}:8201"
api_addr: "http://{{ api_interface_address }}:8200"
ui: "{{ vault_enable_ui }}"
disable_mlock: false
disable_cache: false
listener: "{{ vault_listener_configuration }}"
storage: "{{ vault_storage_configuration }}"