Vault security hardening and role isolation

2026-03-20 18:37:46 -02:30 · 2017-02-08 21:41:36 +00:00
parent f4ec2d18e5
commit 245e05ce61
78 changed files with 1408 additions and 706 deletions
--- a/roles/vault/tasks/shared/sync.yml
+++ b/roles/vault/tasks/shared/sync.yml
@@ -0,0 +1,47 @@
+---
+
+- name: "sync_file | Cat the file"
+  command: "cat {{ sync_file_path }}"
+  register: sync_file_cat
+  when: inventory_hostname == sync_file_srcs|first
+
+- name: "sync_file | Cat the key file"
+  command: "cat {{ sync_file_key_path }}"
+  register: sync_file_key_cat
+  when: sync_file_is_cert|d() and inventory_hostname == sync_file_srcs|first
+
+- name: "sync_file | Set facts for file contents"
+  set_fact:
+    sync_file_contents: "{{ hostvars[sync_file_srcs|first]['sync_file_cat']['stdout'] }}"
+
+- name: "sync_file | Set fact for key contents"
+  set_fact:
+    sync_file_key_contents: "{{ hostvars[sync_file_srcs|first]['sync_file_key_cat']['stdout'] }}"
+  when: sync_file_is_cert|d()
+
+- name: "sync_file | Ensure the directory exists"
+  file:
+    group: "{{ sync_file_group|d('root') }}"
+    mode: "{{ sync_file_dir_mode|default('0750') }}"
+    owner: "{{ sync_file_owner|d('root') }}"
+    path: "{{ sync_file_dir }}"
+    state: directory
+  when: inventory_hostname not in sync_file_srcs
+
+- name: "sync_file | Copy the file to hosts that don't have it"
+  copy:
+    content: "{{ sync_file_contents }}"
+    dest: "{{ sync_file_path }}"
+    group: "{{ sync_file_group|d('root') }}"
+    mode: "{{ sync_file_mode|default('0640') }}"
+    owner: "{{ sync_file_owner|d('root') }}"
+  when: inventory_hostname not in sync_file_srcs
+
+- name: "sync_file | Copy the key file to hosts that don't have it"
+  copy:
+    content: "{{ sync_file_key_contents }}"
+    dest: "{{ sync_file_key_path }}"
+    group: "{{ sync_file_group|d('root') }}"
+    mode: "{{ sync_file_mode|default('0640') }}"
+    owner: "{{ sync_file_owner|d('root') }}"
+  when: sync_file_is_cert|d() and inventory_hostname not in sync_file_srcs