Update to 2023-07-26 19:00

roles/consul/defaults/main.yml

@@ -10,9 +10,11 @@ consul_root_dir: /opt/consul
 # Used for example to grant access to cli cert with ACL
 consul_admin_groups: "{{ system_admin_groups | default([]) }}"
 
-# If ACL are enabled, you need to set a management token for ansible
-# to be able to manage Consul (eg snapshot before upgrades)
-# consul_mgm_token: XXXXXXXXX
+# An optional CONSUL_HTTP_TOKEN to use to take a snapshot of raft logs during pre-backup
+# for example:
+# consul_backup_token: 1677848e-1fcd-b24a-6fb0-56b503d75651
+# or a more advanced use
+# # consul_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id consul/creds/admin ttl=1m)
 
 # List of consul servers name or IP
 consul_servers: []

roles/consul/tasks/install.yml

@@ -7,7 +7,7 @@
   tags: consul
 
 - name: Install backup hooks
-  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/consul mode=755
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/consul mode=700
   loop:
     - pre
     - post

roles/consul/templates/pre-backup.j2

@@ -1,4 +1,15 @@
 #!/bin/sh
 
 set -eo pipefail
+{% if consul_conf.server %}
+if [ -e /etc/profile.d/vault.sh ]; then
+  source /etc/profile.d/vault.sh
+fi
+if [ -e /etc/profile.d/consul.sh ]; then
+  source /etc/profile.d/consul.sh
+fi
+{% if consul_conf.acl.enabled and consul_backup_token is defined %}
+export CONSUL_HTTP_TOKEN={{ consul_backup_token }}
+{% endif %}
+{% endif %}
 consul snapshot save {{ consul_root_dir }}/backup/consul.snap

roles/nomad/defaults/main.yml

@@ -256,3 +256,8 @@ nomad_extra_services: {}
 nomad_host_services: {}
 nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"
 
+# An optional NOMAD_TOKEN to use to take a snapshot of raft logs during pre-backup
+# for example:
+# nomad_backup_token: 1677848e-1fcd-b24a-6fb0-56b503d75651
+# or a more advanced use
+# nomad_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id nomad/creds/admin ttl=1m)

roles/nomad/tasks/install.yml

@@ -78,7 +78,7 @@
   tags: nomad
 
 - name: Install backup hooks
-  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=755
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=700
   loop:
     - pre
     - post

roles/nomad/templates/pre-backup.j2

@@ -2,10 +2,15 @@
 
 set -eo pipefail
 
-{% if nomad_conf.tls.http %}
-NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }} \
-NOMAD_CACERT={{ nomad_conf.tls.ca_file }} \
-NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt \
-NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key \
+{% if nomad_conf.server.enabled %}
+if [ -e /etc/profile.d/vault.sh ]; then
+  source /etc/profile.d/vault.sh
+fi
+if [ -e /etc/profile.d/nomad.sh ]; then
+  source /etc/profile.d/nomad.sh
+fi
+{% if nomad_conf.acl.enabled and nomad_backup_token is defined %}
+export NOMAD_TOKEN={{ nomad_backup_token }}
 {% endif %}
-{{ nomad_root_dir }}/bin/nomad operator snapshot save {{ nomad_root_dir }}/backup/nomad.snap
+{% endif %}
+/usr/local/bin/nomad operator snapshot save {{ nomad_root_dir }}/backup/nomad.snap

roles/vault/defaults/main.yml

@@ -12,9 +12,12 @@ vault_user: vault
 # expose your vault server on the public internet
 # vault_letsencrypt_cert: "{{ inventory_hostname }}"
 
-# A token having backup (raft snapshot) permission. If set, ansible will
-# take a snapshot of the data before upgrading vault
-# vault_bkp_token: XXXXX
+
+# A token having read access to sys/storage/raft/snapshot. If set, a snapshot will be taken
+# during pre-backup and removed in post-backup
+# vault_backup_token: XXXXX
+# You can also define a command to get the token, eg
+# vault_backup_token: $(cat /run/vault_agent/vault.token)
 
 # Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
 vault_base_services:

roles/vault/tasks/install.yml

@@ -29,3 +29,10 @@
     dest: /etc/profile.d/vault.sh
     mode: 0755
   tags: vault
+
+- name: Install backup hooks
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/vault mode=700
+  loop:
+    - pre
+    - post
+  tags: vault

roles/vault/templates/post-backup.j2

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+set -eo pipefail
+rm -f {{ vault_root_dir }}/backup/vault.snap

roles/vault/templates/pre-backup.j2

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eo pipefail
+
+{% if vault_backup_token is defined %}
+if [ -e /etc/profile.d/vault.sh ]; then
+  source /etc/profile.d/vault.sh
+fi
+export VAULT_TOKEN={{ vault_backup_token }}
+vault operator raft snapshot save {{ vault_root_dir }}/backup/vault.snap
+{% endif %}

roles/vault_agent/templates/vault-agent.hcl.j2

@@ -24,7 +24,6 @@ auto_auth {
   # Not used, but prevent service failing if there's not template yet
   sink {
     type = "file"
-    wrap_ttl = "1s"
     config = {
       path = "/run/vault_agent/vault.token"
       mode = 0600

roles/vault_bin/defaults/main.yml

@@ -1,7 +1,7 @@
 # Version of Vault to install
-vault_version: 1.14.0
+vault_version: 1.14.1
 # URL of the archive
 vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip
 # Expected sha256 of the archive
-vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50
+vault_archive_sha256: 6031432dfc3de07f6523d206c44fc018aa969d94c8e9125a77340af359f57ea3