diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..69260444
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+.DS_Store
+.vagrant
+.tm_properties
+*.retry
+examples/hosts
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 00000000..2571c93c
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,26 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+script:
+ # Basic role syntax check
+ - ANSIBLE_ROLES_PATH=.. ansible-playbook -i tests/inventory tests/test.yml --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 00000000..265e2244
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,4 @@
+## v1.0.0
+
+- Installs Vault
+- Installs Vault with Consul backend onto Consul VMs from brianshumate.consul
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
new file mode 100644
index 00000000..349780d8
--- /dev/null
+++ b/CONTRIBUTORS.md
@@ -0,0 +1,3 @@
+# Contributors
+
+Thank you to all these fine folks for helping with ansible-vault!
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 00000000..b0444cce
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,15 @@
+ansible-vault
+
+Copyright 2016 Brian Shumate
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..332183ec
--- /dev/null
+++ b/README.md
@@ -0,0 +1,111 @@
+# Vault
+
+![](https://travis-ci.org/brianshumate/ansible-vault.svg?branch=master)
+
+This Ansible role performs a basic [Vault](https://vault.io/) installation,
+including filesystem structure, example configuration, and Vault UI
+installation.
+
+It can also bootstrap a minimal development or evaluation cluster of 3 server
+agents running in a Vagrant and VirtualBox based environment. See
+[README_VAGRANT.md](https://github.com/brianshumate/ansible-vault/blob/master/examples/README_VAGRANT.md) and the associated [Vagrantfile](https://github.com/brianshumate/ansible-vault/blob/master/examples/Vagrantfile) for more details about the developer mode setup.
+
+## Requirements
+
+This role requires a Debian or RHEL based Linux distribution. It might work
+with other software versions, but does work with the following specific
+software and versions:
+
+* Ansible: 2.1.2.0
+* Vault: 0.6.2
+* Debian: 8
+
+## Role Variables
+
+The role specifies variables in `defaults/main.yml` and `vars/*.yml`.
+
+| Name | Default Value | Description |
+| -------------- | ------------- | -----------------------------------|
+| `vault_version` | `0.6.2` | Version to install |
+| `vault_zip_url` | `https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip` | Download URL |
+| `vault_zip_sha256` | SHA256 SUM | Archive SHA256 summary |
+| `vault_bin_path` | `/usr/local/bin` | Binary installation path |
+| `vault_config_path` | `/etc/vault.d` | Configuration file path |
+| `vault_data_path` | `/var/vault` | Data path |
+| `vault_log_path` | `/var/log/vault` | Log path |
+| `vault_user` | `vault` | OS user |
+| `vault_group` | `bin` | OS group |
+| `vault_datacenter` | `dc1` | Datacenter label |
+| `vault_log_level` | `INFO` | Log level |
+| `vault_syslog_enable` | `true` | Log to syslog |
+| `vault_iface` | `eth1` | Network interface |
+| `vault_address` | `{{ hostvars[inventory_hostname]['ansible_eth1']['ipv4']['address'] }}` | Primary interface address |
+| `vault_port` | `8200` | TCP port number to use |
+| `vault_node_name` | `{{ inventory_hostname_short }}` | Short node name |
+| `vault_main_config` | `{{ vault_config_path }}/vault_main.hcl` | Main configuration file path |
+| `vault_consul` | `127.0.0.1:8500` | Address of Consul backend |
+| `vault_consul_path` | `vault` | Consul path to use |
+
+### OS Distribution Variables
+
+The Vault binary works on most Linux platforms and is not distribution
+specific. Some distributions require installation of specific OS packages with different nomenclature, so this role has support for major Linux distributions.
+
+| Name | Default Value | Description |
+| -------------- | ------------- | -----------------------------------|
+| `vault_centos_pkg` | `{{ vault_version }}_linux_amd64.zip` | Vault package filename |
+| `vault_centos_url` | `{{ vault_zip_url }}` | Vault package download URL |
+| `vault_centos_sha256` | SHA256 SUM | Vault download SHA256 summary |
+| `vault_centos_os_packages` | list | List of OS packages to install |
+| `vault_debian_pkg` | `{{ vault_version }}_linux_amd64.zip` | Vault package filename |
+| `vault_debian_url` | `{{ vault_zip_url }}` | Vault package download URL |
+| `vault_debian_sha256` | SHA256 SUM | Vault download SHA256 summary |
+| `vault_debian_os_packages` | list | List of OS packages to install |
+| `vault_redhat_pkg` | `{{ vault_version }}_linux_amd64.zip` | Vault package filename |
+| `vault_redhat_url` | `{{ vault_zip_url }}` | Vault package download URL |
+| `vault_redhat_sha256` | SHA256 SUM | Vault download SHA256 summary |
+| `vault_redhat_os_packages` | list | List of OS packages to install |
+| `vault_ubuntu_pkg` | `{{ vault_version }}_linux_amd64.zip` | Vault package filename |
+| `vault_ubuntu_url` | `{{ vault_zip_url }}` | Vault package download URL |
+| `vault_ubuntu_sha256` | SHA256 SUM | Vault download SHA256 summary |
+| `vault_ubuntu_os_packages` | list | List of OS packages to install |
+
+## Dependencies
+
+None
+
+## Example Playbook
+
+
+After you have reviewed and altered any necessary variables, and created a
+host inventory file, basic Vault installation is possible using the
+included `site.yml` playbook example:
+
+```
+ansible-playbook -i hosts site.yml
+```
+
+You can also pass variables in using the `--extra-vars` option to the
+`ansible-playbook` command:
+
+```
+ansible-playbook -i hosts site.yml --extra-vars "vault_datacenter=maui"
+```
+
+### Vagrant and VirtualBox
+
+See `examples/README_VAGRANT.md` for details on quick Vagrant deployments
+under VirtualBox for testing, etc.
+
+## License
+
+BSD
+
+## Author Information
+
+[Brian Shumate](http://brianshumate.com)
+
+## Contributors
+
+Special thanks to the folks listed in [CONTRIBUTORS.md](https://github.com/brianshumate/ansible-vault/blob/master/CONTRIBUTORS.md) for their
+contributions to this project.
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 00000000..fa32d87e
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,25 @@
+---
+# File: defaults/main.yml - Main default variables for Vault
+
+vault_version: "0.6.0"
+#vault_version: "0.6.2"
+vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+vault_zip_sha256: "283b4f591da8a4bf92067bf9ff5b70249f20705cc963bea96ecaf032911f27c2"
+#vault_zip_sha256: "91432c812b1264306f8d1ecf7dd237c3d7a8b2b6aebf4f887e487c4e7f69338c"
+vault_bin_path: "/usr/local/bin"
+vault_config_path: "/etc/vault.d"
+vault_data_path: "/var/vault"
+vault_log_path: "/var/log/vault"
+vault_user: "vault"
+vault_group: "bin"
+vault_group_name: "cluster_nodes"
+vault_datacenter: "dc1"
+vault_consul: "127.0.0.1:8500"
+vault_consul_path: "vault"
+vault_log_level: "INFO"
+vault_syslog_enable: "true"
+vault_iface: "eth1"
+vault_address: "0.0.0.0"
+vault_port: "8200"
+vault_node_name: "{{ inventory_hostname_short }}"
+vault_main_config: "{{ vault_config_path }}/vault_main.hcl"
diff --git a/examples/README_VAGRANT.md b/examples/README_VAGRANT.md
new file mode 100644
index 00000000..fbdd76d7
--- /dev/null
+++ b/examples/README_VAGRANT.md
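Review bot: `vault_version: "0.6.0"` and its paired `vault_zip_sha256` pin an older release than the 0.6.2 that README.md and examples/README_VAGRANT.md in this same commit tell users they get, with the 0.6.2 values left as commented-out lines below them. The sha256 pin is the only integrity check on the downloaded binary, so the version and checksum must always move as a pair; either promote the commented 0.6.2 pair or correct the documentation. `vault_address: "0.0.0.0"` also differs from the interface-address default the README table documents and, with TLS disabled in templates/vault_main.hcl.j2, exposes the API on every interface by default; a loopback or `vault_iface`-derived default with a comment would be safer until TLS is wired in. `vault_group_name`, `vault_datacenter`, `vault_iface`, `vault_syslog_enable`, `vault_data_path` and `vault_log_path` are defined here but not consumed by any task or template in the commit, so either wire them in or leave a comment that they are reserved.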
@@ -0,0 +1,112 @@
+# Vault with Ansible
+
+This project provides documentation and a collection of scripts to help you
+automate the deployment of Vault using
+[Ansible](http://www.ansibleworks.com/). These are the instructions for
+deploying a development cluster on Vagrant and VirtualBox.
+
+The documentation and scripts are merely a starting point designed to both
+help familiarize you with the processes and quickly bootstrap an environment
+for development. You may wish to expand on them and customize
+them with additional features specific to your needs later.
+
+## Vagrant Development Cluster
+
+In some situations deploying a small cluster on your local development
+machine can be handy. This document describes such a scenario using the
+following technologies:
+
+* [Vault](https://vault.io)
+* [VirtualBox](https://www.virtualbox.org/)
+* [Vagrant](http://www.vagrantup.com/) with Ansible provisioner and
+ supporting plugin
+* [Ansible](http://www.ansibleworks.com/)
+
+Each of the virtual machines for this guide are configured with
+1.5GB RAM, 2 CPU cores, and 2 network interfaces. The first interface uses
+NAT and has connection via the host to the outside world. The second
+interface is a private network and is used for Vault intra-cluster
+communication in addition to access from the host machine.
+
+The Vagrant configuration file (`Vagrantfile`) is responsible for
+configuring the virtual machines and a baseline OS installation.
+
+The Ansible playbooks then further refine OS configuration, perform Vault
+software download and installation, and the initialization of nodes
+into a ready to use cluster.
+
+## Designed for Ansible Galaxy
+
+This role is designed to be installed via the `ansible-galaxy` command
+instead of being directly run from the git repository.
+
+You should install it like this:
+
+```
+ansible-galaxy install brianshumate.vault
+```
+
+You'll want to make sure you have write access to `/etc/ansible/roles/` since
+that is where the role will be installed by default, or define your own
+Ansible role path by creating a `$HOME/.ansible.cfg` file with these contents:
+
+```
+[defaults]
+roles_path = PATH_TO_ROLES
+```
+
+Change `PATH_TO_ROLES` to a directory that you have write access to.
+
+## Quick Start
+
+Begin from the top level directory of this project and use the following
+steps to get up and running:
+
+1. Install [VirtualBox](https://www.virtualbox.org/wiki/Downloads), [Vagrant](http://downloads.vagrantup.com/), [vagrant-hosts](https://github.com/adrienthebo/vagrant-hosts), and [Ansible](http://www.ansibleworks.com/docs/intro_installation.html#latest-releases-via-pip).
+2. Edit `/etc/hosts` or use the included `bin/preinstall` script to add
+ the following entries to your development system's `/etc/hosts` file:
+ * 10.1.42.240 vault1.local vault1
+3. cd `$PATH_TO_ROLES/brianshumate.conusul/examples`
+4. `vagrant up`
+6. You can `ssh` into the node and initialize Vault:
+
+ ```
+ vagrant ssh vault1
+ VAULT_ADDR=http://10.1.42.240:8200 vault init
+ ```
+ The VAULT_ADDR` variable is set because the vault CLI expects TLS
+ to be enabled by default and this role does not yet configure TLS.
+
+By default, this project will install Debian based nodes. If you prefer, it
+can also install CentOS 7 based nodes by changing the command in step 4 to
+the following:
+
+```
+BOX_NAME="chef/centos-7.0" vagrant up
+```
+
+## Notes
+
+1. This project functions with the following software versions:
+ * Vault version 0.6.2
+ * Ansible: 2.1.2.0
+ * VirtualBox version 5.0.26
+ * Vagrant version 1.8.1
+ * Vagrant Hosts version 2.8.0
+2. This project uses Debian 8 (Jessie) by default, but you can choose another
+ OS distribution with the *BOX_NAME* environment variable
+3. 
The `bin/preinstall` shell script performs the following actions for you:
+ * Adds each node's host information to the host machine's `/etc/hosts`
+ * Optionally installs the Vagrant hosts plugin
+4. If you notice an error like *vm: The '' provisioner could not be found.*
+ make sure you have vagrant-hosts plugin installed
+
+## References
+
+1. https://www.vaultproject.io/
+2. https://www.vaultproject.io/intro/getting-started/deploy.html
+3. https://www.vaultproject.io/docs/index.html
+4. http://www.ansible.com/
+5. http://www.vagrantup.com/
+6. https://www.virtualbox.org/
+7. https://github.com/adrienthebo/vagrant-hosts
diff --git a/examples/Vagrantfile b/examples/Vagrantfile
new file mode 100644
index 00000000..5f22cdf8
--- /dev/null
+++ b/examples/Vagrantfile
@@ -0,0 +1,42 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Vagrantfile for bootstrapping a development Vault cluster with
+# VirtualBox provider and Ansible provisioner
+
+ANSIBLE_PLAYBOOK = ENV['ANSIBLE_PLAYBOOK'] || "site.yml"
+BOX_MEM = ENV['BOX_MEM'] || "1024"
+BOX_NAME = ENV['BOX_NAME'] || "debian/jessie64"
+VAULT_HOSTS = ENV['VAULT_HOSTS'] || "vagrant_hosts"
+LOGLEVEL = ENV['VAULT_LOGLEVEL'] || "INFO"
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.require_version ">= 1.5.0"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+
+ # Configure one Vault node
+ config.vm.define :vault do |vault_config|
+ vault_config.vm.box = BOX_NAME
+ vault_config.vm.network :private_network, ip: "10.1.42.240"
+ vault_config.vm.hostname = "vault.local"
+ vault_config.ssh.forward_agent = true
+ vault_config.vm.provider "virtualbox" do |v|
+ v.name = "vault-server"
+ v.customize ["modifyvm", :id, "--memory", BOX_MEM]
+ v.customize ["modifyvm", :id, "--ioapic", "on"]
+ v.customize ["modifyvm", :id, "--cpus", "2"]
+ v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
+ v.customize ["modifyvm", :id, "--natdnsproxy1", "on"]
+ end
+ vault_config.vm.provision :ansible do |ansible|
+ ansible.inventory_path = VAULT_HOSTS
+ # Extra Ansible variables can be defined here
+ ansible.extra_vars = {
+ vault_log_level: LOGLEVEL
+ }
+ ansible.playbook = ANSIBLE_PLAYBOOK
+ ansible.limit = "all"
+ end
+ end
+end
diff --git a/examples/bin/preinstall b/examples/bin/preinstall
new file mode 100755
index 00000000..407d2629
--- /dev/null
+++ b/examples/bin/preinstall
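Review bot: The machine is defined as `:vault` with hostname `"vault.local"` on `10.1.42.240`, but the files that must agree with it do not: examples/vagrant_hosts targets `vault1.local` with a key at `./.vagrant/machines/vault1/virtualbox/private_key` (Vagrant will create `.vagrant/machines/vault/...` for this definition), examples/bin/preinstall writes `10.1.42.210 vault.local` to /etc/hosts, and README_VAGRANT.md tells users to run `vagrant ssh vault1`. As committed, `vagrant up` cannot provision, because the inventory host neither resolves nor has a key at the stated path. Since the README and inventory both use `vault1`, change this file to `config.vm.define :vault1 do |vault_config|` and `vault_config.vm.hostname = "vault1.local"`, and fix the preinstall address to `10.1.42.240`; whichever name is chosen, all three files and the README must use one name and one IP.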
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# File: examples/bin/preinstall - convenience script to add Vault
+# VM node host information to /etc/hosts for Vagrant
+
+vault="10\.1\.42\.240"
+
+# Log stuff
+function logmsg {
+ msgtype="$1"
+ msgtxt="$2"
+ case "${msgtype}" in
+ greeting)
+ printf "🌞 ${txtylw}${msgtxt}\n"
+ ;;
+ info)
+ printf "💬 ${txtwht}${msgtxt}\n"
+ ;;
+ success)
+ printf "✅ ${txtgrn}${msgtxt}\n"
+ ;;
+ notice)
+ printf "🚩 ${txtylw}${msgtxt}\n"
+ ;;
+ alert)
+ printf "⛔️ ${txtred}${msgtxt}\n" >&2
+ ;;
+ *)
+ printf "⁉️ ${txtwht}${msgtxt}\n" >&2
+ ;;
+ esac
+}
+
+# Check if sudo will need password
+function sudocheck {
+ logmsg info "Enter your user account password for sudo if prompted"
+ sudo true
+}
+
+# Add hosts entries if necessary
+function add_host {
+ if grep vault /etc/hosts > /dev/null 2>&1; then
+ logmsg success "Vault VM server information present in /etc/hosts"
+ else
+ sudocheck
+ sudo sh -c "echo '# Vault Vagrant virtual machine host
+10.1.42.210 vault.local vault
+' >> /etc/hosts"
+ logmsg success "Vault server host information added to /etc/hosts"
+ fi
+}
+
+add_host
\ No newline at end of file
diff --git a/examples/site.yml b/examples/site.yml
new file mode 100644
index 00000000..bd47322e
--- /dev/null
+++ b/examples/site.yml
@@ -0,0 +1,10 @@
+---
+# File: site.yml - Example Vault site playbook
+
+- name: Install Vault
+ hosts: vault_nodes
+ any_errors_fatal: true
+ become: yes
+ become_user: root
+ roles:
+ - { role: brianshumate.vault }
diff --git a/examples/site_consul.yml b/examples/site_consul.yml
new file mode 100644
index 00000000..1eedbd09
--- /dev/null
+++ b/examples/site_consul.yml
@@ -0,0 +1,10 @@
+---
+# File: site_consul.yml - Example Vault site playbook
+
+- name: Install Vault
+ hosts: consul_nodes
+ any_errors_fatal: true
+ become: yes
+ become_user: root
+ roles:
+ - { role: brianshumate.vault }
diff --git a/examples/vagrant_hosts b/examples/vagrant_hosts
new file mode 100644
index 00000000..b326df57
--- /dev/null
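Review bot: `grep vault /etc/hosts` in add_host matches any line containing that substring (a comment, an unrelated host), so the script can wrongly report the entry as present, while the `vault="10\.1\.42\.240"` regex defined at the top is never used; the intended check was presumably `if grep -q "${vault}" /etc/hosts; then`. Even with that fix the entry the script appends is `10.1.42.210 vault.local vault`, which neither the regex nor the Vagrantfile's `10.1.42.240` would ever match on a second run, so the address must be made consistent. The `${txtylw}`, `${txtwht}`, `${txtgrn}` and `${txtred}` variables in logmsg are never defined anywhere in the script and expand to nothing; define them or drop them. logmsg also passes the message through printf's format string, which breaks on any `%`; write each branch as `printf '💬 %s\n' "${msgtxt}"` instead.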
+++ b/examples/vagrant_hosts
@@ -0,0 +1,18 @@
+# File: vagrant_hosts
+# Vault node hosts configuration for Vagrant
+#
+# NB: Replace the hosts below with your preferred node hostnames and continue
+# the 'nodeN' pattern for additional nodes past 'vault3'
+# Do not modify the labels (text appearing between []), however
+
+[vault_nodes]
+vault1.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=./.vagrant/machines/vault1/virtualbox/private_key
+
+# If you want to install Vault onto your Consul VMs installed by the
+# brianshumate.consul role, replace all instances of ~/ansible_roles
+# below with your actual Ansible role path
+
+[consul_nodes]
+consul1.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=~/ansible_roles/brianshumate.consul/examples/.vagrant/machines/consul1/virtualbox/private_key
+consul2.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=~/ansible_roles/brianshumate.consul/examples/.vagrant/machines/consul2/virtualbox/private_key
+consul3.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=~/ansible_roles/brianshumate.consul/examples/.vagrant/machines/consul3/virtualbox/private_key
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 00000000..6adcca12
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+# handlers file for vault
+
+- name: Restart vault
+ service: name=vault state=restarted
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 00000000..7b9a1003
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,134 @@
+---
+galaxy_info:
+ author: Brian Shumate
+ description: Vault server role
+ company: your company (optional)
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+ # Some suggested licenses:
+ # - BSD (default)
+ # - MIT
+ # - GPLv2
+ # - GPLv3
+ # - Apache
+ # - CC-BY
+ license: license BSD
+ min_ansible_version: 1.9
+ #
+ # Below are all platforms currently available. Just uncomment
+ # the ones that apply to your role. If you don't see your
+ # platform on this list, let us know and we'll get it added!
+ #
+ platforms:
+ - name: EL
+ versions:
+ # - all
+ # - 5
+ - 6
+ - 7
+ #- name: GenericUNIX
+ # versions:
+ # - all
+ # - any
+ #- name: Fedora
+ # versions:
+ # - all
+ # - 16
+ # - 17
+ # - 18
+ # - 19
+ # - 20
+ # - 21
+ # - 22
+ #- name: SmartOS
+ # versions:
+ # - all
+ # - any
+ #- name: opensuse
+ # versions:
+ # - all
+ # - 12.1
+ # - 12.2
+ # - 12.3
+ # - 13.1
+ # - 13.2
+ #- name: Amazon
+ # versions:
+ # - all
+ # - 2013.03
+ # - 2013.09
+ #- name: GenericBSD
+ # versions:
+ # - all
+ # - any
+ #- name: FreeBSD
+ # versions:
+ # - all
+ # - 8.0
+ # - 8.1
+ # - 8.2
+ # - 8.3
+ # - 8.4
+ # - 9.0
+ # - 9.1
+ # - 9.1
+ # - 9.2
+ - name: Ubuntu
+ versions:
+ # - all
+ # - lucid
+ # - maverick
+ # - natty
+ # - oneiric
+ # - precise
+ # - quantal
+ # - raring
+ # - saucy
+ - trusty
+ # - utopic
+ - vivid
+ #- name: SLES
+ # versions:
+ # - all
+ # - 10SP3
+ # - 10SP4
+ # - 11
+ # - 11SP1
+ # - 11SP2
+ # - 11SP3
+ #- name: GenericLinux
+ # versions:
+ # - all
+ # - any
+ - name: Debian
+ versions:
+ # - all
+ # - etch
+ - jessie
+ # - lenny
+ # - squeeze
+ # - wheezy
+ #
+ # Below are all categories currently available. Just as with
+ # the platforms above, uncomment those that apply to your role.
+ #
+ galaxy_tags:
+ #- cloud
+ #- cloud:ec2
+ #- cloud:gce
+ #- cloud:rax
+ #- clustering
+ #- database
+ #- database:nosql
+ #- database:sql
+ #- development
+ #- monitoring
+ - networking
+ #- packaging
+ - system
+ #- web
+dependencies: []
+ # List your role dependencies here, one per line.
+ # Be sure to remove the '[]' above if you add dependencies
+ # to this list.
diff --git a/tasks/CentOS.yml b/tasks/CentOS.yml
new file mode 100644
index 00000000..c3497391
--- /dev/null
+++ b/tasks/CentOS.yml
@@ -0,0 +1,22 @@
+---
+# File: tasks/CentOS.yml - CentOS tasks for Vault
+
+- name: "Distribution specific variables"
+ include_vars: main.yml
+
+- name: OS packages
+ yum: "name={{ item }} state=present"
+ with_items: "{{ vault_centos_os_packages }}"
+ tags: installation
+
+- name: Download Vault
+ get_url: "url={{ vault_zip_url }} dest=/tmp/{{ vault_centos_pkg }} sha256sum={{ vault_centos_sha256 }} timeout=74"
+ tags: installation
+
+- name: Install Vault
+ unarchive: "copy=no creates=/usr/local/bin/vault src=/tmp/{{ vault_centos_pkg }} dest=/usr/local/bin/ owner={{ vault_user }} group={{ vault_group }} mode=0755"
+ tags: installation
+
+- name: Cleanup
+ file: path=/tmp/"{{ vault_centos_pkg }}" state=absent
+ tags: installation
diff --git a/tasks/Debian.yml b/tasks/Debian.yml
new file mode 100644
index 00000000..63eee0af
--- /dev/null
+++ b/tasks/Debian.yml
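Review bot: `license: license BSD` contradicts the LICENSE.txt added in this same commit, which is the Apache License 2.0, while README.md's License section says BSD; the Galaxy metadata should name the license the repository actually ships, `license: Apache-2.0`, and the README should be brought into agreement. The stray leading word `license` in the value is unlikely to match any license identifier Galaxy recognises even if BSD were intended. `company: your company (optional)` and the large blocks of commented-out generator scaffolding are unedited template defaults; trimming them to the platforms the tasks actually handle (EL, Debian, Ubuntu) would make the supported matrix readable at a glance.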
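Review bot: `creates=/usr/local/bin/vault` on the `Install Vault` task means the archive is never unpacked once any vault binary exists, so bumping `vault_version` re-downloads the zip but never installs the new binary; the `Cleanup` task then deletes the archive on every run, which also defeats get_url's own checksum short-circuit, so each play downloads the full release again. The same pattern is repeated in Debian.yml, RedHat.yml and Ubuntu.yml. Consider keeping the downloaded archive (its `sha256sum` makes the download idempotent) and either dropping `creates` or gating the unarchive on the installed version, so an upgrade actually lands. The `Cleanup` path `path=/tmp/"{{ vault_centos_pkg }}"` relies on the key=value splitter to strip the embedded quotes; the plain form `path=/tmp/{{ vault_centos_pkg }}` avoids the question.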
@@ -0,0 +1,22 @@
+---
+# File: tasks/Debian.yml - Debian tasks for Vault
+
+- name: "Distribution specific variables"
+ include_vars: main.yml
+
+- name: OS packages
+ apt: "name={{ item }} state=present update_cache=yes"
+ with_items: "{{ vault_debian_os_packages }}"
+ tags: installation
+
+- name: Download Vault
+ get_url: "url={{ vault_zip_url }} dest=/tmp/{{ vault_debian_pkg }} sha256sum={{ vault_debian_sha256 }} timeout=74 validate_certs=False"
+ tags: installation
+
+- name: Install Vault
+ unarchive: "copy=no creates=/usr/local/bin/vault src=/tmp/{{ vault_debian_pkg }} dest=/usr/local/bin/ owner={{ vault_user }} group={{ vault_group }} mode=0755"
+ tags: installation
+
+- name: Cleanup
+ file: path=/tmp/"{{ vault_debian_pkg }}" state=absent
+ tags: installation
diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml
new file mode 100644
index 00000000..b9303997
--- /dev/null
+++ b/tasks/RedHat.yml
@@ -0,0 +1,27 @@
+---
+# File: tasks/Red Hat.yml - Red Hat tasks for Vault
+
+- name: "Distribution specific variables"
+ include_vars: main.yml
+
+- name: OS packages
+ yum: "name={{ item }} state=present"
+ with_items: "{{ vault_redhat_os_packages }}"
+ tags: installation
+
+- name: dnsmasq package
+ yum: name=dnsmasq state=present
+ when: "vault_dnsmasq == true"
+ tags: installation
+
+- name: Download Vault
+ get_url: "url={{ vault_zip_url }} dest=/tmp/{{ vault_redhat_pkg }} sha256sum={{ vault_redhat_sha256 }} timeout=74"
+ tags: installation
+
+- name: Install Vault
+ unarchive: "copy=no creates=/usr/loca/bin/vault src=/tmp/{{ vault_redhat_pkg }} dest=/usr/local/bin/ owner={{ vault_user }} group={{ vault_group }} mode=0755"
+ tags: installation
+
+- name: Cleanup
+ file: path=/tmp/"{{ vault_redhat_pkg }}" state=absent
+ tags: installation
diff --git a/tasks/Ubuntu.yml b/tasks/Ubuntu.yml
new file mode 100644
index 00000000..d4d2fac1
--- /dev/null
+++ b/tasks/Ubuntu.yml
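Review bot: `validate_certs=False` on the `Download Vault` get_url task turns off TLS certificate verification for the fetch from releases.hashicorp.com, and it is the only one of the four distro task files that does so; with verification off, the pinned `sha256sum` is all that stands between an intercepting proxy or tampered mirror and a binary that is then installed 0755 and granted `cap_ipc_lock` by tasks/main.yml. The checksum does hold the line for the pinned release, but it is a commented-out default users are invited to edit, so the flag should not be relied on as a safety net. Remove it, `get_url: "url={{ vault_zip_url }} dest=/tmp/{{ vault_debian_pkg }} sha256sum={{ vault_debian_sha256 }} timeout=74"`, and if a missing CA bundle on Debian was the motivation, add `ca-certificates` to `vault_debian_os_packages` in vars/main.yml instead.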
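Review bot: `creates=/usr/loca/bin/vault` on the `Install Vault` task misspells the path, so the guard never matches and the archive is re-extracted over the binary on every play, unlike the other three distro files which guard on `/usr/local/bin/vault`; fix to `creates=/usr/local/bin/vault`. The `dnsmasq package` task's `when: "vault_dnsmasq == true"` references a variable that neither defaults/main.yml nor vars/main.yml defines, so a RedHat host fails with an undefined-variable error before reaching the download; the identical task is in Ubuntu.yml. Either add `vault_dnsmasq: false` to defaults/main.yml or write the condition as `when: vault_dnsmasq | default(false) | bool`. The header comment names the file `tasks/Red Hat.yml` while the file is `tasks/RedHat.yml`.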
@@ -0,0 +1,27 @@
+---
+# File: tasks/Ubuntu.yml - Ubuntu tasks for Vault
+
+- name: "Distribution specific variables"
+ include_vars: main.yml
+
+- name: OS packages
+ apt: "name={{ item }} state=present update_cache=yes"
+ with_items: "{{ vault_ubuntu_os_packages }}"
+ tags: installation
+
+- name: dnsmasq package
+ apt: name=dnsmasq state=present
+ when: "vault_dnsmasq == true"
+ tags: installation
+
+- name: Download Vault
+ get_url: "url={{ vault_zip_url }} dest=/tmp/{{ vault_ubuntu_pkg }} sha256sum={{ vault_ubuntu_sha256 }} timeout=74"
+ tags: installation
+
+- name: Install Vault
+ unarchive: "copy=no creates=/usr/local/bin/vault src=/tmp/{{ vault_ubuntu_pkg }} dest=/usr/local/bin/ owner={{ vault_user }} group={{ vault_group }} mode=0755"
+ tags: installation
+
+- name: Cleanup
+ file: path=/tmp/"{{ vault_ubuntu_pkg }}" state=absent
+ tags: installation
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 00000000..3cfe0eb1
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,66 @@
+---
+# File: tasks/main.yml - Main tasks for Vault
+
+- name: Create cluster groupings
+ group_by: key=os_{{ ansible_os_family }}
+
+- name: "Add Vault user"
+ user: name=vault comment="Vault user" uid=1043 group=bin
+
+- name: "Distribution specific variables"
+ include_vars: main.yml
+
+- name: "CentOS tasks"
+ include: CentOS.yml
+ when: ansible_distribution == "CentOS"
+
+- name: "Debian tasks"
+ include: Debian.yml
+ when: ansible_distribution == "Debian"
+
+- name: "Red Hat tasks"
+ include: RedHat.yml
+ when: ansible_distribution == "RedHat"
+
+- name: "Ubuntu tasks"
+ include: Ubuntu.yml
+ when: ansible_distribution == "Ubuntu"
+
+- name: Enable non root mlock capability
+ command: "setcap cap_ipc_lock=+ep {{ vault_bin_path }}/vault"
+
+- name: Vault directory
+ file: "dest=/opt/vault state=directory owner={{ vault_user }} group={{ vault_group}}"
+
+- name: Vault data directory
+ file: "dest=/var/vault state=directory owner={{ vault_user }} group={{ vault_group}}"
+
+- name: Vault log directory
+ file: "dest=/var/log/vault state=directory owner={{ vault_user }} group={{ vault_group}}"
+
+- name: Vault PID directory
+ file: "dest=/var/run/vault state=directory owner={{ vault_user }} group={{ vault_group}}"
+
+- name: Vault dot d directory
+ file: "dest=/etc/vault.d state=directory owner={{ vault_user }} group={{ vault_group}}"
+
+- name: Vault server configuration
+ template: src=vault_main.hcl.j2 dest={{ vault_config_path }}/vault_main.hcl
+
+- name: SYSV init script
+ template: src=vault_sysvinit.j2 dest=/etc/init.d/vault owner=root group=root mode=755
+ when: not ansible_distribution == "Debian"
+
+- name: Debian init script
+ template: src=vault_debian.init.j2 dest=/etc/init.d/vault owner=root group=root mode=755
+ when: ansible_distribution == "Debian" and ansible_distribution_major_version|int <= 7
+
+- name: systemd script
+ template: src=vault_systemd.service.j2 dest=/lib/systemd/system/vault.service owner=root group=root mode=644
+ 
when: ansible_distribution_major_version|int >= 7
+
+- name: Start Vault
+ service: name=vault state=started enabled=yes
+
+- name: Vault running?
+ wait_for: port=8200 delay=10
diff --git a/templates/vault_debian.init.j2 b/templates/vault_debian.init.j2
new file mode 100644
index 00000000..5ad8ff13
--- /dev/null
+++ b/templates/vault_debian.init.j2
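Review bot: The `Add Vault user` task hardcodes `name=vault comment="Vault user" uid=1043 group=bin` while every later task and template uses `{{ vault_user }}` and `{{ vault_group }}`, so overriding those variables produces directories and a service owned by an account that was never created; write it as `user: name={{ vault_user }} comment="Vault user" group={{ vault_group }}` and make the uid a variable or drop it. The directory tasks likewise hardcode `/var/vault`, `/var/log/vault` and `/etc/vault.d` instead of `vault_data_path`, `vault_log_path` and `vault_config_path`, and `wait_for: port=8200` ignores `vault_port`. None of the template tasks carry `notify: Restart vault`, so the handler in handlers/main.yml never fires and a changed vault_main.hcl or unit file is written but not applied until the next manual restart. The `systemd script` condition `ansible_distribution_major_version|int >= 7` is evaluated for every distribution, so on the Ubuntu trusty/vivid releases listed in meta/main.yml both the SYSV script and a systemd unit are installed although those releases do not run systemd; gate it on `ansible_service_mgr == "systemd"` or per distribution as the two init-script tasks do. The `setcap` command task also reports changed on every run; a `creates`-style guard or `changed_when` based on `getcap` output would keep the play idempotent.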
@@ -0,0 +1,117 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: vault
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Vault secret management tool
+# Description: Vault secret management tool
+### END INIT INFO
+
+PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+DESC="Vault secret management tool"
+NAME=vault
+DAEMON=/usr/local/bin/$NAME
+PIDFILE=/var/run/$NAME/$NAME.pid
+DAEMON_ARGS="server -config={{ vault_main_config }}"
+USER={{ vault_user }}
+SCRIPTNAME=/etc/init.d/$NAME
+
+[ -x "$DAEMON" ] || exit 0
+
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+
+. /lib/lsb/init-functions
+
+mkrundir() {
+ [ ! -d /var/run/vault ] && mkdir -p /var/run/vault
+ chown $USER /var/run/vault
+}
+
+do_start() {
+ mkrundir
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER --background --make-pidfile --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER --background --make-pidfile -- \
+ $DAEMON_ARGS \
+ || return 2
+
+ for i in `seq 1 30`; do
+ if ! start-stop-daemon --quiet --stop --test --pidfile $PIDFILE --exec $DAEMON --user $USER; then
+ RETVAL=2
+ sleep 1
+ continue
+ fi
+ if "$DAEMON" info >/dev/null; then
+ return 0
+ fi
+ done
+ return "$RETVAL"
+}
+
+do_stop() {
+ if ("${DAEMON}" info 2>/dev/null | grep -q 'server = false' 2>/dev/null) ; then
+ "$DAEMON" leave
+ fi
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" 
= 2 ] && return 2
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+do_reload() {
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0
+ ;;
+ 1) log_end_msg 1
+ ;;
+ *) log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ status)
+ status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+:
diff --git a/templates/vault_main.hcl.j2 b/templates/vault_main.hcl.j2
new file mode 100644
index 00000000..d35474ad
--- /dev/null
+++ b/templates/vault_main.hcl.j2
@@ -0,0 +1,9 @@
+backend "consul" {
+ address = "{{ vault_consul }}"
+ path = "{{ vault_consul_path }}"
+}
+
+listener "tcp" {
+ address = "{{ vault_address}}:{{ vault_port }}"
+ tls_disable = 1
+}
diff --git a/templates/vault_systemd.service.j2 b/templates/vault_systemd.service.j2
new file mode 100644
index 00000000..64b37eaa
--- /dev/null
+++ b/templates/vault_systemd.service.j2
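Review bot: The `restart|force-reload)` case label is missing between the `stop)` branch's `;;` and `log_daemon_msg "Restarting $DESC" "$NAME"`, so the shell sees a pattern followed by two quoted words and the whole script fails to parse, which means `/etc/init.d/vault start` fails on every Debian host the `Debian init script` task targets; the hunk's 117-line count is consistent with the label being absent rather than lost in the collapsed diff, but worth confirming against the committed file. Insert `restart|force-reload)` immediately before that `log_daemon_msg` line. Separately, `"$DAEMON" info` in do_start and `"$DAEMON" info | grep 'server = false'` / `"$DAEMON" leave` in do_stop are Consul CLI subcommands carried over from the consul role; Vault has neither, so the readiness loop never returns 0 and ends in `return "$RETVAL"` with RETVAL unset when the process came up on the first iteration. Replace the probe with a check on the listener (a port test against `{{ vault_port }}`, keeping in mind that `vault status` exits non-zero while the server is sealed) and drop the `leave` block.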
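Review bot: `tls_disable = 1` combined with the `vault_address: "0.0.0.0"` default in defaults/main.yml publishes the Vault HTTP API unencrypted on every interface of the host, so the root token and unseal keys returned by the `vault init` that README_VAGRANT.md runs over `http://` cross the network in cleartext; the README acknowledges TLS is not configured yet, but the role does not restrict the bind address to compensate. Until TLS is wired in, bind to loopback or the private interface by default (`address = "127.0.0.1:{{ vault_port }}"`, or the `vault_iface` address the README table documents) and expose the switch as a variable, e.g. `tls_disable = {{ vault_tls_disable | default(1) }}`, so users can enable TLS without editing the template. `{{ vault_address}}` is also missing the space before the closing braces; Jinja accepts it but it is inconsistent with the other expressions.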
@@ -0,0 +1,27 @@
+### BEGIN INIT INFO
+# Provides: vault
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Vault agent
+# Description: Vault secret management tool
+### END INIT INFO
+
+[Unit]
+Description=Vault secret management tool
+Wants=basic.target
+After=basic.target network.target
+
+[Service]
+User={{ vault_user }}
+Group={{ vault_group }}
+PIDFile=/var/run/vault/vault.pid
+ExecStart=/usr/local/bin/vault server -config={{ vault_main_config }}
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/vault_sysvinit.j2 b/templates/vault_sysvinit.j2
new file mode 100644
index 00000000..32b13cc9
--- /dev/null
+++ b/templates/vault_sysvinit.j2
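Review bot: `PIDFile=/var/run/vault/vault.pid` is dead configuration: the unit declares no `Type=`, so it is `Type=simple`, and nothing in the commit makes `vault server` write a pid file, so the directive has no effect and only invites a systemd warning; drop it together with the `### BEGIN INIT INFO` LSB header, which belongs in the init scripts and is comment noise in a unit file. `ExecStart=/usr/local/bin/vault` hardcodes the path the role otherwise exposes as `vault_bin_path`; write `ExecStart={{ vault_bin_path }}/vault server -config={{ vault_main_config }}`. Since tasks/main.yml grants `cap_ipc_lock` so Vault can mlock its memory, the unit should also raise the lock limit, `LimitMEMLOCK=infinity`, or the capability buys nothing under the default RLIMIT_MEMLOCK.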
@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+# chkconfig: 2345 95 95
+# description: Vault secret management tool
+# processname: vault
+# pidfile: /var/run/vault/pidfile
+
+{% if ansible_distribution == "Ubuntu" %}
+. /lib/lsb/init-functions
+{% else %}
+. /etc/init.d/functions
+{% endif %}
+
+VAULT=/usr/local/bin/vault
+CONFIG=/etc/vault.d/{{ vault_node_role }}
+PID_FILE=/var/run/vault/vault.pid
+
+[ -e /etc/sysconfig/vault ] && . /etc/sysconfig/vault
+
+export GOMAXPROCS=$(nproc)
+
+mkrundir() {
+ [ ! -d /var/run/vault ] && mkdir -p /var/run/vault
+ chown {{ vault_user }} /var/run/vault
+}
+
+KILLPROC_OPT="-p ${PID_FILE}"
+mkpidfile() {
+ mkrundir
+ [ ! -f $PID_FILE ] && pidofproc $VAULT > $PID_FILE
+ chown {{ vault_user }} /var/run/vault
+ if [ $? -ne 0 ] ; then
+ rm $PID_FILE
+ KILLPROC_OPT=""
+ fi
+}
+
+start() {
+ echo -n "Starting vault: "
+ mkrundir
+ [ -f $PID_FILE ] && rm $PID_FILE
+ daemon --user={{ vault_user }} \
+ --pidfile="$PID_FILE" \
+ "$VAULT" server -config={{ vault_main_config }} &
+ retcode=$?
+ touch /var/lock/subsys/vault
+ return $retcode
+}
+
+stop() {
+ echo -n "Shutting down vault: "
+ if ("${VAULT}" info 2>/dev/null | grep -q 'server = false' 2>/dev/null) ; then
+ "$VAULT" leave
+ fi
+
+ mkpidfile
+ killproc $KILLPROC_OPT $VAULT -9
+
+ retcode=$?
+ rm -f /var/lock/subsys/vault $PID_FILE
+ return $retcode
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ status)
+ "$VAULT" info
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ reload)
+ mkpidfile
+ killproc $KILLPROC_OPT $VAULT -HUP
+ ;;
+ condrestart)
+ [ -f /var/lock/subsys/vault ] && restart || :
+ ;;
+ *)
+ echo "Usage: vault {start|stop|status|reload|restart}"
+ exit 1
+ ;;
+esac
+exit $?
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 00000000..2fbb50c4
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1 @@
+localhost
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 00000000..1f7732d4
--- /dev/null
+++ b/tests/test.yml
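Review bot: `CONFIG=/etc/vault.d/{{ vault_node_role }}` references `vault_node_role`, which no file in this commit defines (defaults/main.yml and vars/main.yml have no such key), so rendering the template raises an undefined-variable error and the `SYSV init script` task aborts every CentOS, RedHat and Ubuntu play; `CONFIG` is never read either, since `start` passes `-config={{ vault_main_config }}` directly, so delete the line or set `CONFIG={{ vault_main_config }}` and use it. As in the Debian init script, `"$VAULT" info` / `"$VAULT" leave` in stop and `"$VAULT" info` in status are Consul subcommands that Vault does not have, and `condrestart` calls `restart`, which is not a defined function; status should use the `status` helper from the sourced functions library with the pid file, and condrestart should call `stop` then `start`. `killproc $KILLPROC_OPT $VAULT -9` unconditionally SIGKILLs the server and denies it an orderly shutdown; send the default TERM first and escalate only if the process stays up.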
@@ -0,0 +1,7 @@
+---
+- hosts: localhost
+ remote_user: root
+ become: yes
+ become_user: root
+ roles:
+ - ansible-vault
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 00000000..58597295
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,40 @@
+---
+# vars file for vault
+
+# CentOS vars
+vault_centos_pkg: "{{ vault_version }}_linux_amd64.zip"
+vault_centos_url: "{{ vault_zip_url }}"
+vault_centos_sha256: "{{ vault_zip_sha256 }}"
+
+vault_centos_os_packages:
+ - libselinux-python
+ - git
+ - unzip
+
+# Debian vars
+vault_debian_pkg: "{{ vault_version }}_linux_amd64.zip"
+vault_debian_url: "{{ vault_zip_url }}"
+vault_debian_sha256: "{{ vault_zip_sha256 }}"
+
+vault_debian_os_packages:
+ - git
+ - unzip
+
+# Red Hat vars
+vault_redhat_pkg: "{{ vault_version }}_linux_amd64.zip"
+vault_redhat_url: "{{ vault_zip_url }}"
+vault_redhat_sha256: "{{ vault_zip_sha256 }}"
+
+vault_redhat_os_packages:
+ - libselinux-python
+ - git
+ - unzip
+
+# Ubuntu vars
+vault_ubuntu_pkg: "{{ vault_version }}_linux_amd64.zip"
+vault_ubuntu_url: "{{ vault_zip_url }}"
+vault_ubuntu_sha256: "{{ vault_zip_sha256 }}"
+
+vault_ubuntu_os_packages:
+ - git
+ - unzip
diff --git a/version.txt b/version.txt
new file mode 100644
index 00000000..0ec25f75
--- /dev/null
+++ b/version.txt
@@ -0,0 +1 @@
+v1.0.0