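---
# Installs a pinned HashiCorp Vault release on the `security_servers` group,
# renders its config and systemd unit from templates, and starts the service.
#
# Security notes for reviewers of this play:
#   - The binary download is verified against HashiCorp's published SHA256SUMS
#     file, so a tampered or truncated archive fails the play rather than being
#     installed into /usr/local/bin.
#   - Listener/TLS settings live in vault.hcl.j2, which is not shown here. The
#     closing debug message assumes a plain-http listener on 8200; confirm the
#     template's listener block before relying on that URL.
- name: Install and Configure HashiCorp Vault
  hosts: security_servers
  become: true
  vars:
    vault_version: "1.15.2"
    # presumably consumed by vault.hcl.j2; no task in this play reads it — verify
    vault_datacenter: "dc1"
    # HashiCorp publishes `vault_<version>_SHA256SUMS` next to each release zip.
    # get_url looks up the entry for the downloaded filename in this file.
    vault_sha256sums_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_SHA256SUMS"

  tasks:
    - name: Create vault user
      user:
        name: vault
        system: true
        shell: /bin/false
        home: /opt/vault

    - name: Download Vault binary
      get_url:
        url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
        # NOTE(review): /tmp is shared and world-writable, so this path is
        # predictable to other local users; a per-run temp dir
        # (ansible.builtin.tempfile) would avoid that — left as-is here.
        dest: /tmp/vault.zip
        mode: '0644'
        # Fail the play if the zip's SHA-256 does not match the published sums.
        checksum: "sha256:{{ vault_sha256sums_url }}"

    - name: Install unzip
      apt:
        name: unzip
        state: present
        update_cache: true

    - name: Extract Vault binary
      unarchive:
        src: /tmp/vault.zip
        dest: /usr/local/bin/
        # remote_src: the archive is already on the managed host, not the controller.
        remote_src: true
        owner: root
        group: root
        mode: '0755'

    - name: Create Vault directories
      file:
        path: "{{ item }}"
        state: directory
        owner: vault
        group: vault
        # 0750: only the vault user/group can enter the config, data and log dirs.
        mode: '0750'
      loop:
        - /etc/vault.d
        - /opt/vault/data
        - /opt/vault/logs

    - name: Generate Vault configuration
      template:
        src: vault.hcl.j2
        dest: /etc/vault.d/vault.hcl
        owner: vault
        group: vault
        # 0640: config may carry listener/storage settings; keep it unreadable to others.
        mode: '0640'
      notify: restart vault

    - name: Create Vault systemd service
      template:
        src: vault.service.j2
        dest: /etc/systemd/system/vault.service
      notify:
        - reload systemd
        - restart vault

    - name: Start and enable Vault service
      service:
        name: vault
        state: started
        enabled: true

    - name: Wait for Vault to be ready
      wait_for:
        port: 8200
        host: 127.0.0.1
        # Give the freshly (re)started service a moment before polling the port.
        delay: 10

    - name: Display Vault status
      debug:
        msg: |
          Vault has been installed and started.
          Access Vault UI at: http://{{ ansible_default_ipv4.address }}:8200
          Initialize Vault with: vault operator init

  handlers:
    - name: reload systemd
      systemd:
        daemon_reload: true

    - name: restart vault
      service:
        name: vault
        state: restarted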