From 71ff1ad1e23307aa2fd3b84a0472a3a86fa82f60 Mon Sep 17 00:00:00 2001
From: Eric Renfro
Date: Tue, 15 May 2018 00:42:18 -0400
Subject: [PATCH] Added storage, reorganized dirs/files, updated systemd

---
 .../{server.hcl.jinja => config.hcl.jinja} |  6 ++++++
 vault/files/vault_systemd.service.jinja   | 12 ++++++++---
 vault/server.sls                          | 20 ++++++-------------
 3 files changed, 21 insertions(+), 17 deletions(-)
 rename vault/files/{server.hcl.jinja => config.hcl.jinja} (82%)

diff --git a/vault/files/server.hcl.jinja b/vault/files/config.hcl.jinja
similarity index 82%
rename from vault/files/server.hcl.jinja
rename to vault/files/config.hcl.jinja
index 528f415..ff30c85 100644
--- a/vault/files/server.hcl.jinja
+++ b/vault/files/config.hcl.jinja
@@ -4,6 +4,12 @@ backend "s3" {
   bucket = "{{ vault.backend.bucket }}"
 }
 {% endif -%}
+{%- if vault.storage and vault.storage.type == "consul" %}
+storage "consul" {
+  address = "{{ vault.storage.address }}"
+  path = "{{ vault.storage.path }}"
+}
+{% endif -%}
 
 listener "{{ vault.listen_protocol }}" {
   address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
diff --git a/vault/files/vault_systemd.service.jinja b/vault/files/vault_systemd.service.jinja
index a6417b7..9ee2c15 100644
--- a/vault/files/vault_systemd.service.jinja
+++ b/vault/files/vault_systemd.service.jinja
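Review bot: The new `storage "consul"` stanza renders only `address` and `path`, so every other Consul connection setting falls back to Vault's defaults — plain `http` scheme and no ACL token — which leaves the storage traffic unauthenticated and unencrypted on any non-loopback address. Consider templating the optional `scheme`, `token` and `tls_ca_file` keys behind per-key `is defined` guards so TLS and ACLs can be enabled from pillar. The stanza is also rendered independently of the existing `backend "s3"` block above it, whose guard starts outside the hunk; if both `vault.backend` and `vault.storage` are set the file presumably ends up with two storage definitions, so the two conditions should be made mutually exclusive.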
@@ -2,11 +2,17 @@
 [Unit]
 Description=vault server
 Requires=network-online.target
-After=network-online.target consul.service
+After=network-online.target{% if vault.storage and vault.storage.type == "consul" %} consul.service{% endif %}
 
 [Service]
 EnvironmentFile=-/etc/sysconfig/vault
-Restart=on-failure
-ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
 User={{ vault.user }}
 Group={{ vault.group }}
+ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %}-config="/etc/vault.d/config.hcl"{% endif %}
+ExecReload=/bin/kill -signal HUP $MAINPID
+ExecStop=/usr/local/bin/vault operator step-down
+Restart=on-failure
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+SecureBits=keep-caps
+NoNewPrivileges=yes
+KillSignal=SIGINT
diff --git a/vault/server.sls b/vault/server.sls
index aa8dd54..02fdd5f 100644
--- a/vault/server.sls
+++ b/vault/server.sls
@@ -16,29 +16,21 @@ generate self signed SSL certs:
     - file: /usr/local/bin/self-cert-gen.sh
 {% endif -%}
 
-/etc/vault:
+/etc/vault.d:
   file.directory:
     - user: root
     - group: root
     - mode: 755
 
-/etc/vault/config:
-  file.directory:
-    - user: root
-    - group: root
-    - mode: 755
-    - require:
-      - file: /etc/vault
-
-/etc/vault/config/server.hcl:
+/etc/vault.d/config.hcl:
   file.managed:
-    - source: salt://vault/files/server.hcl.jinja
+    - source: salt://vault/files/config.hcl.jinja
     - template: jinja
     - user: root
     - group: root
     - mode: 644
     - require:
-      - file: /etc/vault/config
+      - file: /etc/vault.d
 
 {%- if vault.service.type == 'systemd' %}
 /etc/systemd/system/vault.service:
@@ -69,8 +61,8 @@ vault:
 {%- if vault.self_signed_cert.enabled %}
       - cmd: generate self signed SSL certs
 {% endif %}
-      - file: /etc/vault/config/server.hcl
+      - file: /etc/vault.d/config.hcl
       - cmd: install vault
     - onchanges:
       - cmd: install vault
-      - file: /etc/vault/config/server.hcl
+      - file: /etc/vault.d/config.hcl
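Review bot: `ExecReload=/bin/kill -signal HUP $MAINPID` uses a single-dash `-signal`, which neither the util-linux nor the procps `kill` accepts as an option spelling (they take `-s`/`--signal` or `-HUP`), so `systemctl reload vault` will fail; write `ExecReload=/bin/kill --signal HUP $MAINPID`. `ExecStop=/usr/local/bin/vault operator step-down` runs as `{{ vault.user }}` with no `VAULT_ADDR` or token in the unit itself, so unless `/etc/sysconfig/vault` supplies both it will exit non-zero and systemd falls through to `KillSignal=SIGINT` anyway; that expectation belongs in a comment next to `EnvironmentFile=`. Since the unit now keeps `CAP_IPC_LOCK` in the bounding set for mlock, the unprivileged user likely also needs `AmbientCapabilities=CAP_IPC_LOCK` (or a file capability on the binary), and `ProtectSystem=full`, `ProtectHome=read-only`, `PrivateTmp=yes` and `PrivateDevices=yes` would round out the sandboxing this commit starts.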
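Review bot: The move from `/etc/vault/config/server.hcl` to `/etc/vault.d/config.hcl` adds the new states but never removes the old tree, so hosts provisioned with the previous version keep a stale, world-readable `/etc/vault/config/server.hcl` alongside the live one; add a `/etc/vault:` state with `file.absent` so the old configuration is cleaned up. The kept `mode: 644` on `config.hcl` is worth revisiting now that the template can carry storage-backend settings: `- group: {{ vault.group }}` together with `- mode: 640` keeps it readable by the service user without exposing it to every local account. The same path rename appears in the `vault:` service hunk below.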