Update to 2023-07-03 00:00

roles/squid/defaults/main.yml

@@ -91,7 +91,6 @@ squid_base_acl:
     type: dstdomain
     items:
       - '"/etc/squid/acl/software_windows.domains"'
-      - '"/etc/squid/acl/service_fws.domains"'
       - '"/etc/squid/acl/service_dbd.domains"'
       - '"/etc/squid/acl/service_various.domains"'
       - '"/etc/squid/acl/software_epel.domains"'

roles/squid/files/acl/service_fws.domains

@@ -1,3 +0,0 @@
-.firewall-services.com
-.fws.fr
-iptek.biz

roles/squid/files/acl/software_fws.domains

@@ -1,2 +0,0 @@
-repo.firewall-services.com
-rpms.fws.fr

roles/squid/files/acl/software_various.domains

@@ -41,12 +41,6 @@ www.piwheels.org
 # Ruby
 api.rubygems.org
 
-# Seadrive
-download.seadrive.org
-rpm.seadrive.org
-linux-clients.seafile.com
-s3.eu-central-1.amazonaws.com
-
 # GLPI
 forge.glpi-project.org
 
@@ -255,6 +249,7 @@ www.zimbra.com
 openzal.org
 update.zextras.com
 download.zextras.com
+go.zextras.com
 
 # ZFS On Linux
 download.zfsonlinux.org
@@ -371,9 +366,6 @@ www.cloudflare.com
 static.metabase.com
 downloads.metabase.com
 
-# Zimbra / Zextras
-go.zextras.com
-
 # Zulip
 www.zulip.org
 packages.groonga.org
@@ -393,3 +385,6 @@ releases.hashicorp.com
 
 # Traefik plugins
 .plugin.pilot.traefik.io
+
+# COPR repositories
+download.copr.fedorainfracloud.org

roles/squid/tasks/main.yml

@@ -94,6 +94,14 @@
   notify: reload squid
   tags: proxy
 
+- name: Remove obsolete acl files
+  file: path=/etc/squid/acl/{{ item }} state=absent
+  loop:
+    - software_fws.domains
+    - service_fws.domains
+  notify: reload squid
+  tags: proxy
+
 - name: Deploy local white and blacklists
   template: src={{ item }}.j2 dest=/etc/squid/acl/{{ item }}
   with_items:

roles/vault/defaults/main.yml

@@ -1,5 +1,3 @@
----
-
 # Version of Vault to install
 vault_version: 1.14.0
 # URL of the archive
@@ -7,160 +5,3 @@ vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vaul
 # Expected sha256 of the archive
 vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50
 
-# Root dir where Nomad will be installed
-vault_root_dir: /opt/vault
-
-# user under which vault will run.
-vault_user: vault
-
-# Setting vault_letsencrypt_cert will automate cert configuration
-# using Let's Encrypt. The server need to have the letsencrypt role assigned
-# Note that you probably want to use dns-01 challenges in this case so you won't have to
-# expose your vault server on the public internet
-# vault_letsencrypt_cert: "{{ inventory_hostname }}"
-
-# A token having backup (raft snapshot) permission. If set, ansible will
-# take a snapshot of the data before upgrading vault
-# vault_bkp_token: XXXXX
-
-# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
-vault_base_services:
-  api:
-    port: 8200
-    src_ip: []
-  cluster:
-    port: 8201
-    src_ip: [] # You should set this to the IP / CIDR of your other servers
-
-# Exemple
-# vault_extra_services:
-#   cluster:
-#     src_ip:
-#       - 10.127.0.10
-#       - 10.145.99.60
-vault_extra_services: {}
-vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}"
-
-# Configuration of the service (which will be converted to JSON)
-# The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily
-vault_base_conf:
-  # Name of the Vault cluster
-  cluster_name: Vault Cluster
-
-  # Log settings
-  log_level: INFO
-  log_format: standard
-
-  # Plugin settings
-  plugin_directory: "{{ vault_root_dir }}/plugins"
-  # This means vault will expect plugins to be owned by root
-  plugin_file_uid: 0
-
-  # Is the UI enabled ?
-  ui: True
-
-  # TCP listeners
-  listeners:
-    # Address/port on which vault will bind for API requests
-    - address: 0.0.0.0:{{ vault_services.api.port }}
-      # Address/port on which vault will bind for inter-node communications
-      cluster_address: 0.0.0.0:{{ vault_services.cluster.port }}
-
-      # Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated
-      # by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here
-      # Only change if you want to manually control the certificate to use
-      tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt"
-      tls_key_file: "{{ vault_root_dir }}/tls/vault.key"
-
-      # List of IP address for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR
-      x_forwarded_for_authorized_addrs: []
-      # If x_forwarded_for_authorized_addrs is set and a request does not have X-Forwarded-For address, should it be rejected
-      # Default is False which means you can reach vault both directly or through your reverse proxy
-      x_forwarded_for_reject_not_present: False
-
-      telemetry:
-        # Allow unauthenticated access to /v1/sys/metrics
-        unauthenticated_metrics_access: True
-
-  # URL of the API to advertise
-  api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }}
-  # URL of the inter-node communication endpoint to advertise
-  cluster_addr: https://{{ inventory_hostname }}:{{ vault_services.cluster.port }}
-
-  # When using integrated raft storage, mlock should be disabled
-  disable_mlock: True
-
-  storage:
-    # Integrated raf storage
-    raft:
-      path: "{{ vault_root_dir }}/data"
-      node_id: "{{ inventory_hostname }}"
-      performance_multiplier: 1
-      # retry_join:
-      #   - leader_api_addr: https://vault-1.example.org:8200
-      #     leader_ca_cert: /opt/vault/tls/ca-vault-1.crt
-      #   - leader_api_addr: https://vault-2.example.org:8200
-      #   - leader_api_addr: https://vault-3.example.org:8200
-      retry_join: []
-
-  # Service registration on consul
-  #service_registration:
-  #  address: http://localhost:8500
-  #  service: vault
-  #  token: XXXXX
-  #  service_tags:
-  #    - "traefik.enable=true"
-  #    - "traefik.http.routers.http.entrypoints=https"
-  #    - "traefik.http.routers.http.rule=Host(`vault.example.org`)"
-  #  tls_ca_file: /opt/vault/tls/consul_ca.crt
-  #  tls_cert_file: /opt/vault/tls/consul_cert.crt
-  #  tls_key_file: /opt/vault/tls/consul_key.crt
-
-  telemetry:
-    prometheus_retention_time: 1h
-    disable_hostname: True
-    enable_hostname_label: True
-
-# You can add additional paramters in vault_extra_conf (or vault_host_conf)
-# they will be merged into the vault_base_conf before rendering
-# Example
-# vault_extra_conf:
-#   cluster_name: Vault Production
-#   storage:
-#     raft:
-#       retry_join:
-#         leader_api_addr: https://vault1.example.org:8201
-vault_extra_conf: {}
-vault_host_conf: {}
-# Merge all the conf
-vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}"
-
-# This can be used to spawn a consul-template service which will obtain and renew client cert
-# to reach Nomad API, so the Nomad secret can be used securely
-vault_base_secrets:
-  # The vault API to query. Default is our own API
-  vault_address: "{{ vault_conf.api_addr }}"
-  # The vault token to use
-  vault_token: XXXXXXX
-  nomad:
-    enabled: False
-    # The Nomad API address
-    address: https://nomad.service.consul:4646
-    # The Nomad management token vault will use to issue tokens for users
-    token: XXXXXXX
-    pki:
-      # The path where the PKI used by Nomad is mounted. The PKI must be mounted and configured
-      path: /pki/nomad
-      # The role used to issue the certificate
-      role: nomad-user
-      # The TTL of the certificate issued for vault
-      ttl: 72h
-      # The common name of the certificate
-      cn: vault
-    secret:
-      # The path where the Nomad secret engine is mounted
-      # Note: the secret must be already mounted
-      path: nomad
-vault_extra_secrets: {}
-vault_host_secrets: {}
-vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"

roles/vault/tasks/archive_pre.yml

@@ -1,21 +0,0 @@
----
-
-- name: Create the archive dir
-  file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=directory
-  tags: vault
-
-#- name: Take a snapshot of the data
-#  command: vault operator raft snapshot save {{ vault_root_dir }}/archives/{{ vault_current_version }}/vault.snap
-#  when:
-#    - vault_bkp_token is defined
-#    - vault_sys_services.ansible_facts.services['nomad.service'] is defined
-#    - vault_sys_services.ansible_facts.services['nomad.service'].state == 'started'
-#    - vault_status.initialized is defined and vault_status.initialized
-#    - vault_status.sealed is defined and not vault_status.sealed
-#    - vault_status.leader_address == vault_conf.api_addr
-#  tags: vault
-
-- name: Backup previous version
-  copy: src={{ vault_root_dir }}/bin/vault dest={{ vault_root_dir }}/archives/{{ vault_current_version }}/ remote_src=True
-  tags: vault
-

roles/vault/tasks/facts.yml

@@ -1,8 +1,16 @@
 ---
 
+# Load distribution specific variables
+- include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+  tags: vault
+
 - set_fact:
     vault_install_mode: 'none'
-    vault_status: {}
   tags: vault
 
 - name: Detect if vault is installed
@@ -20,21 +28,11 @@
       shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
       changed_when: False
       register: vault_current_version
-     #- command: /usr/local/bin/vault status -format=json -tls-skip-verify
-     #  changed_when: False
-     #  register: vault_status
-     #  failed_when: False # do not fail if vault is not running
     - set_fact:
         vault_current_version: "{{ vault_current_version.stdout }}"
-     #   vault_status: "{{ (vault_status.rc == 0) | ternary(vault_status.stdout | from_json, {}) }}"
   tags: vault
 
 - when: vault_bin.stat.exists and vault_current_version != vault_version
   set_fact: vault_install_mode='upgrade'
   tags: vault
 
-- name: Check the state of the services
-  service_facts:
-  register: vault_sys_services
-  tags: vault
-

roles/vault/tasks/install.yml

@@ -2,11 +2,23 @@
 
 - name: Install needed tools
   package:
-    name:
-      - tar
-      - zstd
-      - unzip
-      - jq
+    name: "{{ vault_packages }}"
+  tags: vault
+
+# Migrate from the old vault role
+- name: Check if vualt is a link
+  stat: path=/usr/local/bin/vault
+  register: vault_link
+  tags: vault
+
+- when: vault_link.stat.islnk is defined and vault_link.stat.islnk
+  block:
+
+    - name: Remove vault link
+      file: path=/usr/local/bin/vault state=absent
+
+    - set_fact: vault_install_mode='upgrade'
+
   tags: vault
 
 - when: vault_install_mode != 'none'
@@ -14,63 +26,27 @@
     - name: Download vault
       get_url:
         url: "{{ vault_archive_url }}"
-        dest: "{{ vault_root_dir }}/tmp"
+        dest: /tmp
         checksum: sha256:{{ vault_archive_sha256 }}
 
     - name: Extract the archive
       unarchive:
-        src: "{{ vault_root_dir }}/tmp/vault_{{ vault_version }}_linux_amd64.zip"
-        dest: "{{ vault_root_dir }}/tmp"
-        remote_src: True
-
-    - name: Install vault binary
-      copy:
-        src: "{{ vault_root_dir }}/tmp/vault"
-        dest: "{{ vault_root_dir }}/bin/vault"
+        src: /tmp/vault_{{ vault_version }}_linux_amd64.zip
+        dest: /usr/local/bin
+        include: vault
         remote_src: True
         mode: 755
-      notify: restart vault
 
-    - name: Link in /usr/local/bin
-      file: src={{ vault_root_dir }}/bin/vault dest=/usr/local/bin/vault state=link force=True
+    - name: Remove ZIP archive
+      file: path=/tmp/vault_{{ vault_version }}_linux_amd64.zip state=absent
 
   tags: vault
 
 - name: Install bash completion support
   copy:
     content: |
-      complete -C {{ vault_root_dir }}/bin/vault vault
+      complete -C /usr/local/bin/vault vault
     dest: /etc/bash_completion.d/vault
     mode: 0644
   tags: vault
 
-- name: Deploy systemd service unit
-  template: src=vault.service.j2 dest=/etc/systemd/system/vault.service
-  register: vault_unit
-  notify: restart vault
-  tags: vault
-
-- name: Install consul-template unit
-  template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service
-  notify: restart consul-template-vault
-  register: vault_secrets_nomad_unit
-  tags: vault
-
-- name: Reload systemd
-  systemd: daemon_reload=True
-  when: vault_unit.changed or vault_secrets_nomad_unit.changed
-  tags: vault
-
-- name: Install dehydrated hook
-  template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755
-  tags: vault
-
-- name: Install profile script
-  copy:
-    content: |
-      #!/bin/sh
-      export VAULT_ADDR={{ vault_conf.api_addr }}
-    dest: /etc/profile.d/vault.sh
-    mode: 0755
-  tags: vault
-

roles/vault/tasks/main.yml

@@ -1,35 +1,7 @@
 ---
 
-- include_tasks: user.yml
-  tags: always
-
-- include_tasks: directories.yml
-  tags: always
-
 - include_tasks: facts.yml
   tags: always
 
-- include_tasks: archive_pre.yml
-  when: vault_install_mode | default('none') == 'upgrade'
-  tags: always
-
 - include_tasks: install.yml
   tags: always
-
-- include_tasks: conf.yml
-  tags: always
-
-- include_tasks: iptables.yml
-  when: iptables_manage | default(True)
-  tags: always
-
-- include_tasks: services.yml
-  tags: always
-
-- include_tasks: archive_post.yml
-  when: vault_install_mode | default('none') == 'upgrade'
-  tags: always
-
-- include_tasks: cleanup.yml
-  tags: always
-

roles/vault/vars/RedHat.yml

@@ -0,0 +1,8 @@
+---
+
+vault_packages:
+  - tar
+  - zstd
+  - unzip
+  - jq
+

roles/vault_server/defaults/main.yml

@@ -0,0 +1,166 @@
+---
+
+# Version of Vault to install
+vault_version: 1.14.0
+# URL of the archive
+vault_archive_url: https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip
+# Expected sha256 of the archive
+vault_archive_sha256: 3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50
+
+# Root dir where Nomad will be installed
+vault_root_dir: /opt/vault
+
+# user under which vault will run.
+vault_user: vault
+
+# Setting vault_letsencrypt_cert will automate cert configuration
+# using Let's Encrypt. The server need to have the letsencrypt role assigned
+# Note that you probably want to use dns-01 challenges in this case so you won't have to
+# expose your vault server on the public internet
+# vault_letsencrypt_cert: "{{ inventory_hostname }}"
+
+# A token having backup (raft snapshot) permission. If set, ansible will
+# take a snapshot of the data before upgrading vault
+# vault_bkp_token: XXXXX
+
+# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
+vault_base_services:
+  api:
+    port: 8200
+    src_ip: []
+  cluster:
+    port: 8201
+    src_ip: [] # You should set this to the IP / CIDR of your other servers
+
+# Exemple
+# vault_extra_services:
+#   cluster:
+#     src_ip:
+#       - 10.127.0.10
+#       - 10.145.99.60
+vault_extra_services: {}
+vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}"
+
+# Configuration of the service (which will be converted to JSON)
+# The configuration is splited in a base conf, an extra conf, and a host conf so you can override part of the config easily
+vault_base_conf:
+  # Name of the Vault cluster
+  cluster_name: Vault Cluster
+
+  # Log settings
+  log_level: INFO
+  log_format: standard
+
+  # Plugin settings
+  plugin_directory: "{{ vault_root_dir }}/plugins"
+  # This means vault will expect plugins to be owned by root
+  plugin_file_uid: 0
+
+  # Is the UI enabled ?
+  ui: True
+
+  # TCP listeners
+  listeners:
+    # Address/port on which vault will bind for API requests
+    - address: 0.0.0.0:{{ vault_services.api.port }}
+      # Address/port on which vault will bind for inter-node communications
+      cluster_address: 0.0.0.0:{{ vault_services.cluster.port }}
+
+      # Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated
+      # by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here
+      # Only change if you want to manually control the certificate to use
+      tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt"
+      tls_key_file: "{{ vault_root_dir }}/tls/vault.key"
+
+      # List of IP address for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR
+      x_forwarded_for_authorized_addrs: []
+      # If x_forwarded_for_authorized_addrs is set and a request does not have X-Forwarded-For address, should it be rejected
+      # Default is False which means you can reach vault both directly or through your reverse proxy
+      x_forwarded_for_reject_not_present: False
+
+      telemetry:
+        # Allow unauthenticated access to /v1/sys/metrics
+        unauthenticated_metrics_access: True
+
+  # URL of the API to advertise
+  api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }}
+  # URL of the inter-node communication endpoint to advertise
+  cluster_addr: https://{{ inventory_hostname }}:{{ vault_services.cluster.port }}
+
+  # When using integrated raft storage, mlock should be disabled
+  disable_mlock: True
+
+  storage:
+    # Integrated raf storage
+    raft:
+      path: "{{ vault_root_dir }}/data"
+      node_id: "{{ inventory_hostname }}"
+      performance_multiplier: 1
+      # retry_join:
+      #   - leader_api_addr: https://vault-1.example.org:8200
+      #     leader_ca_cert: /opt/vault/tls/ca-vault-1.crt
+      #   - leader_api_addr: https://vault-2.example.org:8200
+      #   - leader_api_addr: https://vault-3.example.org:8200
+      retry_join: []
+
+  # Service registration on consul
+  #service_registration:
+  #  address: http://localhost:8500
+  #  service: vault
+  #  token: XXXXX
+  #  service_tags:
+  #    - "traefik.enable=true"
+  #    - "traefik.http.routers.http.entrypoints=https"
+  #    - "traefik.http.routers.http.rule=Host(`vault.example.org`)"
+  #  tls_ca_file: /opt/vault/tls/consul_ca.crt
+  #  tls_cert_file: /opt/vault/tls/consul_cert.crt
+  #  tls_key_file: /opt/vault/tls/consul_key.crt
+
+  telemetry:
+    prometheus_retention_time: 1h
+    disable_hostname: True
+    enable_hostname_label: True
+
+# You can add additional paramters in vault_extra_conf (or vault_host_conf)
+# they will be merged into the vault_base_conf before rendering
+# Example
+# vault_extra_conf:
+#   cluster_name: Vault Production
+#   storage:
+#     raft:
+#       retry_join:
+#         leader_api_addr: https://vault1.example.org:8201
+vault_extra_conf: {}
+vault_host_conf: {}
+# Merge all the conf
+vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}"
+
+# This can be used to spawn a consul-template service which will obtain and renew client cert
+# to reach Nomad API, so the Nomad secret can be used securely
+vault_base_secrets:
+  # The vault API to query. Default is our own API
+  vault_address: "{{ vault_conf.api_addr }}"
+  # The vault token to use
+  vault_token: XXXXXXX
+  nomad:
+    enabled: False
+    # The Nomad API address
+    address: https://nomad.service.consul:4646
+    # The Nomad management token vault will use to issue tokens for users
+    token: XXXXXXX
+    pki:
+      # The path where the PKI used by Nomad is mounted. The PKI must be mounted and configured
+      path: /pki/nomad
+      # The role used to issue the certificate
+      role: nomad-user
+      # The TTL of the certificate issued for vault
+      ttl: 72h
+      # The common name of the certificate
+      cn: vault
+    secret:
+      # The path where the Nomad secret engine is mounted
+      # Note: the secret must be already mounted
+      path: nomad
+vault_extra_secrets: {}
+vault_host_secrets: {}
+vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"

roles/vault_server/meta/main.yml

@@ -2,4 +2,5 @@
 
 dependencies:
   - role: mkdir
+  - role: vault
   - role: consul_template

roles/vault_server/tasks/archive_pre.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Create the archive dir
+  file: path={{ vault_root_dir }}/archives/{{ vault_current_version }} state=directory
+  tags: vault
+
+- name: Backup previous version
+  copy: src={{ vault_root_dir }}/bin/vault dest={{ vault_root_dir }}/archives/{{ vault_current_version }}/ remote_src=True
+  tags: vault
+

roles/vault_server/tasks/facts.yml

@@ -0,0 +1,11 @@
+---
+
+- block:
+    - name: Detect installed version
+      shell: /usr/local/bin/vault version | perl -pe 's/Vault v(\d+(\.\d+)*)\s.*/$1/'
+      changed_when: False
+      register: vault_current_version
+    - set_fact:
+        vault_current_version: "{{ vault_current_version.stdout }}"
+  tags: vault
+

roles/vault_server/tasks/install.yml

@@ -0,0 +1,34 @@
+---
+
+- name: Deploy systemd service unit
+  template: src=vault.service.j2 dest=/etc/systemd/system/vault.service
+  register: vault_unit
+  notify: restart vault
+  tags: vault
+
+- name: Install consul-template unit
+  template: src=consul-template-vault.service.j2 dest=/etc/systemd/system/consul-template-vault.service
+  notify: restart consul-template-vault
+  register: vault_secrets_nomad_unit
+  tags: vault
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: vault_unit.changed or vault_secrets_nomad_unit.changed
+  tags: vault
+
+- name: Install dehydrated hook
+  template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/vault mode=755
+  tags: vault
+
+- name: Install profile script
+  copy:
+    content: |
+      #!/bin/sh
+      export VAULT_ADDR={{ vault_conf.api_addr }}
+    dest: /etc/profile.d/vault.sh
+    mode: 0755
+  tags: vault
+
+- name: Write version
+  copy: content={{ vault_version }} destination={{ vault_root_dir }}/meta/ansible_version

roles/vault_server/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+
+- include_tasks: user.yml
+  tags: always
+
+- include_tasks: directories.yml
+  tags: always
+
+- include_tasks: facts.yml
+  tags: always
+
+- include_tasks: archive_pre.yml
+  when: vault_install_mode | default('none') == 'upgrade'
+  tags: always
+
+- include_tasks: install.yml
+  tags: always
+
+- include_tasks: conf.yml
+  tags: always
+
+- include_tasks: iptables.yml
+  when: iptables_manage | default(True)
+  tags: always
+
+- include_tasks: services.yml
+  tags: always
+
+- include_tasks: archive_post.yml
+  when: vault_install_mode | default('none') == 'upgrade'
+  tags: always
+
+- include_tasks: cleanup.yml
+  tags: always
+

roles/vault_server/templates/vault.service.j2

@@ -7,6 +7,7 @@ ConditionFileNotEmpty={{ vault_root_dir }}/etc/vault.hcl
 StartLimitIntervalSec=60
 StartLimitBurst=3
 
+# Vault version {{ vault_current_version }}
 [Service]
 Type=notify
 User={{ vault_user }}
@@ -19,7 +20,7 @@ SecureBits=keep-caps
 AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
 NoNewPrivileges=yes
-ExecStart={{ vault_root_dir }}/bin/vault server -config={{ vault_root_dir }}/etc/
+ExecStart=/usr/local/bin/vault server -config={{ vault_root_dir }}/etc/
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process
 KillSignal=SIGINT