dani
/
ansible-roles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
ansible-roles/roles/consul/tasks/conf.yml

120 lines
4.0 KiB
YAML
Raw Blame History

---
# Ensure certificates exists. This is needed so first consul service starts doesn't fail
# when vault-agent hasn't populated the cert yet
- name: Generate self-signed certificate
import_tasks: ../includes/create_selfsigned_cert.yml
vars:
cert_path: "{{ consul_conf.tls.defaults.cert_file }}"
cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"
cert_key_mode: omit
when: consul_conf.tls.enabled
tags: consul
- name: Check if CA exists
stat: path={{ consul_conf.tls.defaults.ca_file }}
register: consul_ca_file
when: consul_conf.tls.enabled
tags: consul
- name: Copy cert as CA
copy: src={{ consul_conf.tls.defaults.cert_file }} dest={{ consul_conf.tls.defaults.ca_file }} remote_src=True
when: consul_conf.tls.enabled and not consul_ca_file.stat.exists
tags: consul
- name: Deploy consul configuration
block:
- name: Deploy consul configuration
template:
src: consul.hcl.j2
dest: "{{ consul_root_dir }}/etc/consul.hcl"
owner: root
group: "{{ consul_user }}"
mode: 0640
backup: True
register: consul_main_conf
notify: restart consul
- name: Deploy consul reloadable configuration
template:
src: reload.hcl.j2
dest: "{{ consul_root_dir }}/etc/reload.hcl"
owner: root
group: "{{ consul_user }}"
mode: 0640
backup: True
register: consul_reload_conf
notify: reload consul
- name: Validate configuration
command: consul validate {{ consul_root_dir }}/etc
changed_when: False
become_user: "{{ consul_user }}"
register: consul_conf_validation
rescue:
- block:
- name: Restore main configuration
copy:
src: "{{ consul_main_conf.backup_file }}"
dest: "{{ consul_root_dir }}/etc/consul.hcl"
remote_src: True
owner: root
group: "{{ consul_user }}"
mode: 0640
when: consul_main_conf.backup_file is defined
- name: Restore reloadable configuration
copy:
src: "{{ consul_reload_conf.backup_file }}"
dest: "{{ consul_root_dir }}/etc/reload.hcl"
remote_src: True
owner: root
group: "{{ consul_user }}"
mode: 0640
when: consul_reload_conf.backup_file is defined
tags: consul
- name: Fail if configuration validation failed
fail:
msg: "Failed to validate configuration: {{ consul_conf_validation.stdout }}"
when: consul_conf_validation.rc != 0
tags: consul
# Now we remove the backup config to prevent consul warning about invalid config files
- name: List backup conf
shell: ls -1 {{ consul_root_dir }}/etc/*.hcl.*
failed_when: False
changed_when: False
register: consul_backup_configs
tags: consul
- name: Remove backup configs
file: path={{ item }} state=absent
loop: "{{ consul_backup_configs.stdout_lines }}"
tags: consul
- name: Set ACL on the TLS dir
shell: |
setfacl -R -b -k {{ consul_root_dir }}/tls
chown -R :{{ consul_user }} {{ consul_root_dir }}/tls
chmod 770 {{ consul_root_dir }}/tls
chmod 640 {{ consul_root_dir }}/tls/*
setfacl -m u:{{ consul_user }}:rx {{ consul_root_dir }}/tls
setfacl -m d:u:{{ consul_user }}:r {{ consul_root_dir }}/tls
setfacl -m u:{{ consul_user }}:r {{ consul_root_dir }}/tls/*
{% if consul_admin_groups | length > 0 %}
setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
setfacl -m {% for group in consul_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls/*
{% endif %}
changed_when: False
failed_when: False # Do not fail if eg, the FS doesn't support ACL
tags: consul
- name: Deploy profile script
template: src=profile.sh.j2 dest=/etc/profile.d/consul.sh
tags: consul
Reference in New Issue View Git Blame Copy Permalink