# Deploy `Vault` server config:
template '/etc/vault.d/vault.hcl' do
  # Main Vault server configuration, rendered from the recipe template.
  # Host identity values are taken from node['vault']; the file is readable
  # by the vault user only.
  owner 'vault'
  group 'vault'
  mode '600'

  vault_attrs = node['vault']
  variables(
    HOSTNAME: vault_attrs['hostname'],
    IPADDR: vault_attrs['ipaddr'],
    IPS: vault_attrs['ips']
  )

  # A changed config is only picked up after a service restart.
  notifies :restart, 'service[vault]'
end
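encrypted_remote_file '/etc/vault.d/vault.env' do
  # Environment file for the vault service, decrypted from the recipe's
  # files/ tree with the password supplied via ITAMAE_PASSWORD. Kept
  # owner-only because an env file of this kind presumably carries secrets.
  owner 'vault'
  group 'vault'
  mode '600'
  source 'files/etc/vault.d/vault.env'
  # Fail at recipe load with a clear KeyError when ITAMAE_PASSWORD is unset,
  # instead of handing a nil password to the decryption step and failing
  # later with a less obvious error.
  password ENV.fetch('ITAMAE_PASSWORD')
  notifies :restart, 'service[vault]'
end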
directory '/etc/vault.d/policies' do
  # Directory for the Vault policy .hcl files installed by this recipe;
  # vault-owned, traversable by everyone (policies are not secrets here).
  mode '755'
  owner 'vault'
  group 'vault'
end
|
2022-03-13 12:34:14 +00:00
|
|
|
|
|
|
|
# Install each Vault policy file. No explicit `source` is given, so the
# content comes from Itamae's default files/ lookup for the path — verify
# against the recipe layout.
%w[consul-auto-config consul-connect-vault].each do |policy|
  remote_file "/etc/vault.d/policies/#{policy}.hcl" do
    mode '644'
    owner 'vault'
    group 'vault'
  end
end
|
2022-07-02 11:39:31 +00:00
|
|
|
|
|
|
|
remote_file '/etc/logrotate.d/vault' do
  # logrotate policy for Vault, root-owned like the rest of /etc/logrotate.d;
  # content comes from the recipe's files/ tree (default source lookup).
  mode '644'
  owner 'root'
  group 'root'
end
|
2024-07-15 12:39:00 +00:00
|
|
|
|
|
|
|
|
|
|
|
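# Open the two Vault ports in ufw (presumably the API and cluster listeners —
# confirm against vault.hcl). A rule is added only when `ufw status` does not
# already list the port, and the reload-or-enable resource runs afterwards.
# NOTE(review): the rule allows any source address; confirm whether these
# ports should be reachable only from known peers and restrict the rule
# accordingly.
%w(8200 8201).each do |port|
  execute "ufw allow #{port}" do
    user 'root'
    # LANG=C (uppercase; "c" is not a valid locale name) forces untranslated
    # output so the grep is stable, and -w stops 8200 from also matching a
    # rule such as 18200.
    not_if "LANG=C ufw status | grep -w #{port}"
    notifies :run, 'execute[ufw reload-or-enable]'
  end
end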
service 'vault' do
  # Enable at boot and start now; the config and env resources above notify
  # this service to restart when their content changes.
  action %i[enable start]
end