56 lines
1.0 KiB
Ruby
56 lines
1.0 KiB
Ruby
# Deploy `Vault` server config:
|
|
template '/etc/vault.d/vault.hcl' do
|
|
owner 'vault'
|
|
group 'vault'
|
|
mode '600'
|
|
|
|
variables(HOSTNAME: node['vault']['hostname'], IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips'])
|
|
|
|
notifies :restart, 'service[vault]'
|
|
end
|
|
|
|
encrypted_remote_file '/etc/vault.d/vault.env' do
|
|
owner 'vault'
|
|
group 'vault'
|
|
mode '600'
|
|
source 'files/etc/vault.d/vault.env'
|
|
password ENV['ITAMAE_PASSWORD']
|
|
|
|
notifies :restart, 'service[vault]'
|
|
end
|
|
|
|
directory '/etc/vault.d/policies' do
|
|
owner 'vault'
|
|
group 'vault'
|
|
mode '755'
|
|
end
|
|
|
|
%w( consul-auto-config consul-connect-vault ).each do |conf|
|
|
remote_file "/etc/vault.d/policies/#{conf}.hcl" do
|
|
owner 'vault'
|
|
group 'vault'
|
|
mode '644'
|
|
end
|
|
end
|
|
|
|
remote_file '/etc/logrotate.d/vault' do
|
|
owner 'root'
|
|
group 'root'
|
|
mode '644'
|
|
end
|
|
|
|
|
|
%w(8200 8201).each do |port|
|
|
execute "ufw allow #{port}" do
|
|
user 'root'
|
|
|
|
not_if "LANG=c ufw status | grep #{port}"
|
|
|
|
notifies :run, 'execute[ufw reload-or-enable]'
|
|
end
|
|
end
|
|
|
|
service 'vault' do
|
|
action [:enable, :start]
|
|
end
|