ansible-roles/roles/vault/defaults/main.yml


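---
# Version of Vault to install (quoted: a version string must never be parsed as a number)
vault_version: "1.14.0"
# URL of the archive
vault_archive_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
# Expected sha256 of the archive. Keep it in sync with vault_version, otherwise the
# downloaded archive will not match the expected digest
vault_archive_sha256: "3d5c27e35d8ed43d861e892fc7d8f888f2fda4319a36f344f8c09603fb184b50"
# Root dir where Vault will be installed
vault_root_dir: /opt/vault
# User under which vault will run
vault_user: vault
# Setting vault_letsencrypt_cert will automate cert configuration
# using Let's Encrypt. The server needs to have the letsencrypt role assigned.
# Note that you probably want to use dns-01 challenges in this case so you won't have to
# expose your vault server on the public internet
# vault_letsencrypt_cert: "{{ inventory_hostname }}"
# A token having backup (raft snapshot) permission. If set, ansible will
# take a snapshot of the data before upgrading vault.
# Set the real value in an ansible-vault encrypted vars file, not in plain-text defaults
# vault_bkp_token: XXXXX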
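# Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
# NOTE(review): what an empty src_ip means (opened to everyone, or not opened at all) is decided
# by the firewall tasks of the role, not by this file — confirm before relying on the default
vault_base_services:
  api:
    port: 8200
    src_ip: []
  cluster:
    port: 8201
    # You should set this to the IP / CIDR of your other servers
    src_ip: []
# Example
# vault_extra_services:
#   cluster:
#     src_ip:
#       - 10.127.0.10
#       - 10.145.99.60
vault_extra_services: {}
# Merge of the base and extra services: keys from vault_extra_services override the base ones
vault_services: "{{ vault_base_services | combine(vault_extra_services, recursive=True) }}"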
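# Configuration of the service (which will be converted to JSON)
# The configuration is split in a base conf, an extra conf and a host conf so you can override part of the config easily
vault_base_conf:
  # Name of the Vault cluster
  cluster_name: Vault Cluster
  # Log settings
  log_level: INFO
  log_format: standard
  # Plugin settings
  plugin_directory: "{{ vault_root_dir }}/plugins"
  # This means vault will expect plugins to be owned by root
  plugin_file_uid: 0
  # Is the UI enabled ?
  ui: true
  # TCP listeners
  listeners:
    # Address/port on which vault will bind for API requests.
    # 0.0.0.0 binds every interface; reachability is then governed by the firewall
    # rules derived from vault_services (see src_ip above)
    - address: "0.0.0.0:{{ vault_services.api.port }}"
      # Address/port on which vault will bind for inter-node communications
      cluster_address: "0.0.0.0:{{ vault_services.cluster.port }}"
      # Path of the certificate and key to use. The default is to use a self-signed certificate which will be generated
      # by ansible. Do not modify these paths when using Let's Encrypt cert, as they will be placed here
      # Only change if you want to manually control the certificate to use
      tls_cert_file: "{{ vault_root_dir }}/tls/vault.crt"
      tls_key_file: "{{ vault_root_dir }}/tls/vault.key"
      # List of IP addresses for which the X-Forwarded-For header will be trusted. List here your reverse proxy IP/CIDR
      # only: anything listed here is allowed to set the client IP vault sees, so keep it to proxies you control
      x_forwarded_for_authorized_addrs: []
      # If x_forwarded_for_authorized_addrs is set and a request does not have an X-Forwarded-For header, should it be rejected
      # Default is false which means you can reach vault both directly or through your reverse proxy
      x_forwarded_for_reject_not_present: false
      telemetry:
        # Allow unauthenticated access to /v1/sys/metrics.
        # Metrics are then readable by anyone who can reach the API port; restrict with src_ip
        # or at the reverse proxy if that is not acceptable
        unauthenticated_metrics_access: true
  # URL of the API to advertise
  api_addr: "https://{{ inventory_hostname }}:{{ vault_services.api.port }}"
  # URL of the inter-node communication endpoint to advertise
  cluster_addr: "https://{{ inventory_hostname }}:{{ vault_services.cluster.port }}"
  # When using integrated raft storage, mlock should be disabled
  disable_mlock: true
  storage:
    # Integrated raft storage
    raft:
      path: "{{ vault_root_dir }}/data"
      node_id: "{{ inventory_hostname }}"
      performance_multiplier: 1
      # retry_join:
      #   - leader_api_addr: https://vault-1.example.org:8200
      #     leader_ca_cert: /opt/vault/tls/ca-vault-1.crt
      #   - leader_api_addr: https://vault-2.example.org:8200
      #   - leader_api_addr: https://vault-3.example.org:8200
      retry_join: []
  # Service registration on consul
  # service_registration:
  #   address: http://localhost:8500
  #   service: vault
  #   token: XXXXX
  #   service_tags:
  #     - "traefik.enable=true"
  #     - "traefik.http.routers.http.entrypoints=https"
  #     - "traefik.http.routers.http.rule=Host(`vault.example.org`)"
  #   tls_ca_file: /opt/vault/tls/consul_ca.crt
  #   tls_cert_file: /opt/vault/tls/consul_cert.crt
  #   tls_key_file: /opt/vault/tls/consul_key.crt
  telemetry:
    prometheus_retention_time: 1h
    disable_hostname: true
    enable_hostname_label: true
# You can add additional parameters in vault_extra_conf (or vault_host_conf)
# they will be merged into the vault_base_conf before rendering
# Example (retry_join is a list, and leader_api_addr uses the API port, as in the example above)
# vault_extra_conf:
#   cluster_name: Vault Production
#   storage:
#     raft:
#       retry_join:
#         - leader_api_addr: https://vault1.example.org:8200
vault_extra_conf: {}
vault_host_conf: {}
# Merge all the conf: vault_host_conf overrides vault_extra_conf, which overrides vault_base_conf
vault_conf: "{{ vault_base_conf | combine(vault_extra_conf, recursive=True) | combine(vault_host_conf, recursive=True) }}"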
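# This can be used to spawn a consul-template service which will obtain and renew a client cert
# to reach the Nomad API, so the Nomad secret engine can be used securely
vault_base_secrets:
  # The vault API to query. Default is our own API
  vault_address: "{{ vault_conf.api_addr }}"
  # The vault token to use. XXXXXXX is a placeholder: set the real value in an
  # ansible-vault encrypted vars file (vault_extra_secrets / vault_host_secrets), never here
  vault_token: XXXXXXX
  nomad:
    enabled: false
    # The Nomad API address
    address: https://nomad.service.consul:4646
    # The Nomad management token vault will use to issue tokens for users (placeholder, see vault_token)
    token: XXXXXXX
    pki:
      # The path where the PKI used by Nomad is mounted. The PKI must be mounted and configured
      path: /pki/nomad
      # The role used to issue the certificate
      role: nomad-user
      # The TTL of the certificate issued for vault
      ttl: 72h
      # The common name of the certificate
      cn: vault
    secret:
      # The path where the Nomad secret engine is mounted
      # Note: the secret engine must be already mounted
      path: nomad
vault_extra_secrets: {}
vault_host_secrets: {}
# Merge all the secrets: vault_host_secrets overrides vault_extra_secrets, which overrides vault_base_secrets
vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"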