Initial multi-arch/os

- Add initial multi-architecture and OS support
- Add FreeBSD support
- Update documentation

CHANGELOG.md

@@ -201,3 +201,13 @@
 ## v1.4.1
 
 - Fix finicky var quoting issue
+
+## v1.4.2
+
+- All quoting issues sorted
+
+## v1.5.0
+
+- Add initial multi-archictecture and OS support
+- Add FreeBSD support
+- Update documentation

README.md

@@ -14,13 +14,17 @@ Consul-backed cluster in a Vagrant and VirtualBox based environment. See
 
 ## Requirements
 
-This role requires a Debian or RHEL based Linux distribution. It might work
-with other software versions, but does work with the following specific
-software and versions:
+This role requires FreeBSD, or a Debian or RHEL based Linux distribution. It
+might work with other software versions, but does work with the following
+specific software and versions:
 
 * Ansible: 2.2.2.0
 * Vault: 0.7.0
 * Debian: 8
+* FreeBSD 11
+* Ubuntu 16.04
+
+Sorry, there is no planned support at the moment for Windows.
 
 ## Role Variables
 

defaults/main.yml

@@ -2,8 +2,15 @@
 # File: defaults/main.yml - Main default variables for Vault
 
 vault_version: "{{ lookup('env','VAULT_VERSION') | default('0.7.0', true) }}"
-vault_pkg: "vault_{{ vault_version }}_linux_amd64.zip"
-vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/{{ vault_pkg }}"
+vault_architecture_map:
+  # this first entry seems... redundant (but it's required for reasons)
+  amd64: amd64
+  x86_64: amd64
+  armv7l: arm
+  aarch64: arm64
+vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}"
+vault_os: "{{ ansible_system|lower }}"
+vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
 vault_checksum_file_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"
 vault_bin_path: /usr/local/bin
 vault_config_path: /etc/vault.d
@@ -44,4 +51,10 @@ vault_tls_key_file: "../files/{{ vault_node_name.key }}"
 vault_tls_key_file_dest: "{{ vault_tls_config_path }}/vault.key"
 vault_tls_min_version: "{{ lookup('env','VAULT_TLS_MIN_VERSION') | default('tls12') }}"
 vault_tls_cipher_suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
-vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default("false") }}"
+vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default('false') }}"
+
+## Distribution
+
+### Vault
+
+vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"

tasks/main.yml

@@ -16,6 +16,11 @@
     msg: "{{ ansible_distribution_version }} is not an acceptable version of {{ ansible_distribution }} for this role"
   when: ansible_distribution == "Debian" and ansible_distribution_version|version_compare(8.5, '<')
 
+- name: Fail if not a new release of FreeBSD
+  fail:
+    msg: "{{ ansible_distribution_version }} is not a supported version."
+  when: ansible_distribution == "FreeBSD" and ansible_distribution_version|version_compare(10, '<')
+
 - name: Fail if not a new release of Ubuntu
   fail:
     msg: "{{ ansible_distribution_version }} is not an acceptable version of {{ ansible_distribution }} for this role"
@@ -69,13 +74,22 @@
     group:  "{{ vault_group }}"
     mode: "0400"
 
+- name: BSD init script
+  template:
+    src: consul_bsdinit.j2
+    dest: /etc/rc.d/consul
+    owner: root
+    group: wheel
+    mode: "0755"
+  when: ansible_os_family == "FreeBSD"
+
 - name: SYSV init script
   template:
     src: vault_sysvinit.j2
     dest: /etc/init.d/vault
     owner: root
     group: root
-    mode: 0755
+    mode: "0755"
   when: not ansible_service_mgr == "systemd" and not ansible_os_family == "Debian" and not ansible_os_family == "FreeBSD" and not ansible_os_family == "Solaris"
 
 - name: Debian init script
@@ -84,7 +98,7 @@
     dest: /etc/init.d/vault
     owner: root
     group: root
-    mode: 0755
+    mode: "0755"
   when: not ansible_service_mgr == "systemd" and ansible_os_family == "Debian" and not ansible_os_family == "FreeBSD" and not ansible_os_family == "Solaris"
 
 - name: systemd unit
@@ -93,7 +107,7 @@
     dest: /lib/systemd/system/vault.service
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
   when: ansible_service_mgr == "systemd" and not ansible_os_family == "FreeBSD" and not ansible_os_family == "Solaris"
 
 - name: Start Vault

templates/vault_bsdinit.j2.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# PROVIDE: vault
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+
+# shellcheck disable=SC1091
+. /etc/rc.subr
+
+name="vault"
+# shellcheck disable=2034
+rcvar=$(set_rcvar)
+
+
+load_rc_config $name
+# shellcheck disable=2154
+: "${vault_enable="NO"}"
+# shellcheck disable=2154
+: "${vault_users="vault"}"
+
+# shellcheck disable=2034
+restart_cmd=vault_restart
+# shellcheck disable=2034
+start_cmd=vault_start
+# shellcheck disable=2034
+stop_cmd=vault_stop
+
+vault_start() {
+    echo "Starting ${name}."
+    for user in ${vault_users}; do
+        mkdir /var/run/vault
+        chown -R "{{ vault_user }}:{{ vault_group }}" /var/run/vault/
+        su -m "${user}" -c "{{ vault_bin_path }}/vault server -config={{ vault_main_config }} {% if vault_log_level is defined %}-log-level={{ vault_log_level | lower }}{% endif %}&"
+    done
+}
+
+vault_stop() {
+    echo "Stopping $name."
+    pids=$(pgrep vault)
+    pkill vault
+    wait_for_pids "${pids}"
+}
+
+vault_restart() {
+    vault_stop
+    vault_start
+}
+
+run_rc_command "$1"

vars/FreeBSD.yml

@@ -0,0 +1,6 @@
+---
+# File: FreeBSD.yml - FreeBSD OS variables for Vault
+
+vault_os_packages:
+  - git
+  - unzip

version.txt

@@ -1 +1 @@
-v1.4.1
+v1.5.0