more vault work

2025-03-23 11:13:19 -06:00
parent a1903f3ab9
commit 1c3277c497
3 changed files with 95 additions and 0 deletions
--- a/files/vault/Alpine/openrc
+++ b/files/vault/Alpine/openrc
@@ -0,0 +1,50 @@
+#!/sbin/openrc-run
+
+capabilities="cap_ipd_lock=+ep"
+command="/usr/local/bin/vault"
+command_group="vault"
+command_user="vault"
+
+# args
+config_args="-config=/etc/$RC_SVCNAME/config.hcl"
+log_file="-log-file=/var/log/$RC_SVCNAME/vault.log"
+log_format="-log-format=json"
+log_level="-log-level=info"
+log_rotate="-log-rotate-bytes=10000 -log-rotate-max-files=10"
+log_args="$log_file $log_format $log_level $log_rotate"
+command_args="server $config_args $log_args -non-interactive"
+
+depend() {
+  need net
+}
+
+start_pre() {
+  checkpath --directory \
+    --owner $command_user:$command_group \
+    --mode 0755 \
+    /run/$RC_SVCNAME /var/log/$RC_SVCNAME
+}
+
+start() {
+  ebegin "Starting $RC_SVCNAME"
+  start-stop-daemon --start \
+    --exec $command \
+    --capabilities $capabilities \
+    --make-pidfile \
+    --pidfile /var/run/$RC_SVCNAME.pid \
+    --user $command_user:$command_group \
+    -- \
+    $command_args
+
+  eend$?
+}
+
+stop() {
+  ebegin "Stopping $RC_SVCNAME"
+  start-stop-daemon --stop \
+    --exec $command \
+    --pidfile /var/run/$RC_SVCNAME.pid
+
+  eend $?
+}
+# vim: set filetype=sh :
--- a/files/vault/config.hcl
+++ b/files/vault/config.hcl
@@ -0,0 +1,9 @@
+ui = {{ ui | default(true) }}
+cluster_addr = "https://{{ ansible_default_ipv4.address }}:{{ cluster_port | default('8201') }}"
+api_addr = "https://{{ansible_default_ipv4.address }}:{{ api_port | default('8200') }}"
+disable_mlock = {{ disable_mlock | default(true) }}
+
+storage "raft" {
+  path = "{{ raft_path | default('/var/lib/vault/data') }}"
+  node_id = "{{ raft_node_id | default(ansible_hostname) }}"
+}
--- a/tasks/pkgs/vault.yml
+++ b/tasks/pkgs/vault.yml
@@ -36,6 +36,42 @@
      ansible.builtin.set_fact:
        pkg_archive: "{{ pkg_archive + ['vault'] }}"

+    - name: Create group for vault
+      become: true
+      when:
+        - ansible_os_family == 'Alpine'
+      ansible.builtin.group:
+        name: vault
+        system: true
+        state: present
+
+    - name: Create user for vault
+      become: true
+      when:
+        - ansible_os_family == 'Alpine'
+      ansible.builtin.user:
+        comment: hashicorp vault user
+        generate_ssh_key: true
+        home: /var/lib/vault
+        name: vault
+        group: vault
+        ssh_key_file: .ssh/id_ed25519
+        ssh_key_type: ed25519
+        state: present
+        system: true
+
+    - name: Install vault openrc script
+      become: true
+      when:
+        - ansible_os_family == 'Alpine'
+      ansible.builtin.copy:
+        backup: false
+        dest: /etc/init.d/vault
+        owner: root
+        group: root
+        mode: '0755'
+        src: vault/Alpine/openrc
+
    - name: Set vault_configured
      ansible.builtin.set_fact:
        vault_configured: true