2023-07-30 20:49:18 +00:00
|
|
|
---
|
|
|
|
- block:
|
|
|
|
- name: Create network specs
|
|
|
|
template:
|
|
|
|
src: etc/containers/systemd/vault.network.j2
|
|
|
|
dest: "/etc/containers/systemd/vault.network"
|
|
|
|
owner: root
|
|
|
|
group: root
|
|
|
|
mode: "0640"
|
|
|
|
when: vault_network | splitext | last == ".network"
|
|
|
|
notify: __vault_restart
|
|
|
|
|
|
|
|
- name: Create container volumes
|
2023-07-30 20:53:16 +00:00
|
|
|
containers.podman.podman_volume:
|
2023-07-30 20:49:18 +00:00
|
|
|
name: "{{ item.name }}"
|
|
|
|
options: "{{ item.options | default(omit) }}"
|
|
|
|
state: "{{ item.state | default('present') }}"
|
|
|
|
loop: "{{ vault_volumes }}"
|
|
|
|
loop_control:
|
|
|
|
label: "{{ item.name }}"
|
|
|
|
when: item.type | default("volume") | lower == "volume"
|
|
|
|
register: __vault_volumes_raw
|
|
|
|
|
|
|
|
- name: Register container volumes map
|
|
|
|
set_fact:
|
|
|
|
__vault_volumes_map: "{{ __vault_volumes_raw.results | json_query('[].volume') | items2dict(key_name='Name', value_name='Mountpoint') }}"
|
|
|
|
|
|
|
|
- name: Deploy vault env file
|
|
|
|
template:
|
|
|
|
src: etc/containers/systemd/vault.env.j2
|
|
|
|
dest: "/etc/containers/systemd/vault.env"
|
|
|
|
owner: root
|
|
|
|
group: root
|
|
|
|
mode: "0640"
|
|
|
|
notify: __vault_restart
|
|
|
|
|
|
|
|
- name: Deploy vault config
|
|
|
|
template:
|
|
|
|
src: vault/config.hcl.j2
|
|
|
|
dest: "{{ __vault_volumes_map[vault_config_volume] }}/config.hcl"
|
|
|
|
owner: root
|
|
|
|
group: root
|
|
|
|
mode: "0644"
|
|
|
|
notify: __vault_reload
|
|
|
|
|
|
|
|
- name: Create container specs
|
|
|
|
template:
|
|
|
|
src: etc/containers/systemd/vault.container.j2
|
|
|
|
dest: "/etc/containers/systemd/vault.container"
|
|
|
|
owner: root
|
|
|
|
group: root
|
|
|
|
mode: "0640"
|
|
|
|
notify: __vault_restart
|
|
|
|
|
|
|
|
- name: Ensure service state
|
|
|
|
systemd:
|
|
|
|
name: "vault.service"
|
|
|
|
state: started
|
|
|
|
daemon_reload: True
|
|
|
|
enabled: True
|
|
|
|
become: True
|
|
|
|
become_user: root
|
|
|
|
|
|
|
|
- block:
|
|
|
|
- name: Flush handlers
|
|
|
|
meta: flush_handlers
|
|
|
|
|
|
|
|
- name: Wait for Vault startup
|
|
|
|
uri:
|
|
|
|
url: "{{ vault_url }}/{{ __vault_health_path }}"
|
|
|
|
follow_redirects: none
|
|
|
|
method: GET
|
|
|
|
register: __vault_http_result
|
|
|
|
until: __vault_http_result.status == 200
|
|
|
|
retries: 10
|
|
|
|
delay: 3
|
|
|
|
|
|
|
|
- name: Unseal vault
|
|
|
|
hashivault_unseal:
|
|
|
|
keys: "{{ vault_unseal_keys }}"
|
|
|
|
url: "{{ vault_url }}"
|
|
|
|
become: True
|
|
|
|
become_user: root
|
|
|
|
when:
|
|
|
|
- vault_auto_unseal | bool
|
|
|
|
- vault_unseal_keys | length > 0
|