Added storage, reorganized dirs/files, updated systemd

2018-05-15 00:42:18 -04:00 · 2018-05-15 00:42:18 -04:00 · 71ff1ad1e2
commit 71ff1ad1e2
parent 00ed2f9337
3 changed files with 21 additions and 17 deletions
--- a/vault/files/config.hcl.jinja
+++ b/vault/files/config.hcl.jinja
@ -4,6 +4,12 @@ backend "s3" {
  bucket = "{{ vault.backend.bucket }}"
 }
 {% endif -%}
+{%- if vault.storage and vault.storage.type == "consul" %}
+storage "consul" {
+  address = "{{ vault.storage.address }}"
+  path = "{{ vault.storage.path }}"
+}
+{% endif -%}

 listener "{{ vault.listen_protocol }}" {
  address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
--- a/vault/files/vault_systemd.service.jinja
+++ b/vault/files/vault_systemd.service.jinja
@ -2,11 +2,17 @@
 [Unit]
 Description=vault server
 Requires=network-online.target
-After=network-online.target consul.service
+After=network-online.target{% if vault.storage and vault.storage.type == "consul" %} consul.service{% endif %}

 [Service]
 EnvironmentFile=-/etc/sysconfig/vault
-Restart=on-failure
-ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
 User={{ vault.user }}
 Group={{ vault.group }}
+ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %}-config="/etc/vault.d/config.hcl"{% endif %}
+ExecReload=/bin/kill -signal HUP $MAINPID
+ExecStop=/usr/local/bin/vault operator step-down
+Restart=on-failure
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+SecureBits=keep-caps
+NoNewPrivileges=yes
+KillSignal=SIGINT
--- a/vault/server.sls
+++ b/vault/server.sls
@ -16,29 +16,21 @@ generate self signed SSL certs:
      - file: /usr/local/bin/self-cert-gen.sh
 {% endif -%}

-/etc/vault:
+/etc/vault.d:
  file.directory:
    - user: root
    - group: root
    - mode: 755

-/etc/vault/config:
-  file.directory:
-    - user: root
-    - group: root
-    - mode: 755
-    - require:
-      - file: /etc/vault
-
-/etc/vault/config/server.hcl:
+/etc/vault.d/config.hcl:
  file.managed:
-    - source: salt://vault/files/server.hcl.jinja
+    - source: salt://vault/files/config.hcl.jinja
    - template: jinja
    - user: root
    - group: root
    - mode: 644
    - require:
-      - file: /etc/vault/config
+      - file: /etc/vault.d

 {%- if vault.service.type == 'systemd' %}
 /etc/systemd/system/vault.service:
@ -69,8 +61,8 @@ vault:
      {%- if vault.self_signed_cert.enabled %}
      - cmd: generate self signed SSL certs
      {% endif %}
-      - file: /etc/vault/config/server.hcl
+      - file: /etc/vault.d/config.hcl
      - cmd: install vault
    - onchanges:
      - cmd: install vault
-      - file: /etc/vault/config/server.hcl
+      - file: /etc/vault.d/config.hcl