diff --git a/roles/vault/init.sls b/roles/vault/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/vault/init.sls
@@ -0,0 +1,9 @@
+# -------------------------------------------------------------
+# Salt — Vault
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+include:
+ - .vault
diff --git a/roles/vault/vault/files/vault.hcl b/roles/vault/vault/files/vault.hcl
new file mode 100644
--- /dev/null
+++ b/roles/vault/vault/files/vault.hcl
@@ -0,0 +1,35 @@
+# -------------------------------------------------------------
+# Vault configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/vault/vault/files/vault.hcl
+# -------------------------------------------------------------
+#
+#
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+#
+
+listener "tcp" {
+ address = "{{ ip }}:8200"
+{% if certificates_available %}
+ tls_cert_file: "/usr/local/etc/certificates/vault/fullchain.pem"
+ tls_key_file: "/usr/local/etc/certificates/vault/private.key"
+{% else %}
+ tls_disable = 1
+{% endif %}
+}
+
+storage "raft" {
+ path = "/var/db/vault"
+ node_id = "{{ id }}"
+}
+
+disable_mlock = true
+
+cluster_addr = "http://{{ ip }}:8201"
+api_addr = "http://{{ ip }}:8200"
+ui = true
diff --git a/roles/vault/vault/init.sls b/roles/vault/vault/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/vault/vault/init.sls
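Review bot: In vault.hcl, `api_addr` and `cluster_addr` are hard-coded to `http://` even in the `certificates_available` branch where the listener serves TLS, so raft peers and clients following forwarded requests are advertised a plaintext URL the listener does not speak; the cluster port is terminated with TLS by Vault regardless of `tls_disable`, so the advertised address should be `cluster_addr = "https://{{ ip }}:8201"`, and `api_addr` should follow the listener's scheme, e.g. `api_addr = "{% if certificates_available %}https{% else %}http{% endif %}://{{ ip }}:8200"`. The `tls_cert_file:` and `tls_key_file:` lines also use `:` where every other attribute in the file uses `=`; HCL attribute assignment is `=`, so `tls_cert_file = "/usr/local/etc/certificates/vault/fullchain.pem"` keeps the file consistent and avoids a parse failure the `:` form may cause. Finally, the `{% else %}` branch silently deploys a plaintext listener on the host IP whenever the certificate directory is missing; making that an explicit opt-in (a pillar flag rather than a fallback) would stop an absent certificate from quietly downgrading token traffic to cleartext.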
@@ -0,0 +1,59 @@
+# -------------------------------------------------------------
+# Salt — Vault
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs with context %}
+{% set network = salt['node.resolve_network']() %}
+
+# -------------------------------------------------------------
+# Software
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+vault:
+ pkg.installed
+
+# -------------------------------------------------------------
+# Configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.etc }}/vault.hcl:
+ file.managed:
+ - source: salt://roles/vault/vault/files/vault.hcl
+ - mode: 644
+ - template: jinja
+ - context:
+ id: {{ grains['id'] }}
+ ip: {{ network['ipv4_address'] }}
+ certificates_available: {{ salt["file.file_exists"]("/usr/local/etc/certificates/vault") }}
+
+# -------------------------------------------------------------
+# Storage
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/var/db/vault:
+ file.directory:
+ - mode: 700
+ - user: vault
+ - group: vault
+
+# -------------------------------------------------------------
+# Service
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% if grains["os"] == "FreeBSD" %}
+/etc/rc.conf.d/vault/vault:
+ file.managed:
+ - makedirs: True
+ - mode: 644
+ - contents: |
+ vault_enable="YES"
+ vault_syslog_output_enable="YES"
+{% endif %}
+
+service_vault:
+ service.running:
+ - name: vault
+ - enable: true
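Review bot: `certificates_available` is computed with `salt["file.file_exists"]` on `/usr/local/etc/certificates/vault`, which the template treats as a directory containing `fullchain.pem` and `private.key`; Salt's `file.file_exists` tests for a regular file, so if that path is a directory on the minion the context value is always `False` and the rendered config always ends up with `tls_disable = 1`. Test for what the template actually consumes, e.g. `certificates_available: {{ salt["file.file_exists"]("/usr/local/etc/certificates/vault/fullchain.pem") }}`, or use `file.directory_exists` if the directory check is the intent. Separately, `service_vault` has no `watch` on the managed vault.hcl, so a re-rendered config (including a later switch from plaintext to TLS once certificates appear) is not applied until someone restarts the service by hand; adding `- watch:` / `- file: {{ dirs.etc }}/vault.hcl` under `service.running` closes that gap.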