Added storage, reorganized dirs/files, updated systemd
This commit is contained in:
parent
00ed2f9337
commit
71ff1ad1e2
3 changed files with 21 additions and 17 deletions
|
@ -4,6 +4,12 @@ backend "s3" {
|
||||||
bucket = "{{ vault.backend.bucket }}"
|
bucket = "{{ vault.backend.bucket }}"
|
||||||
}
|
}
|
||||||
{% endif -%}
|
{% endif -%}
|
||||||
|
{%- if vault.storage and vault.storage.type == "consul" %}
|
||||||
|
storage "consul" {
|
||||||
|
address = "{{ vault.storage.address }}"
|
||||||
|
path = "{{ vault.storage.path }}"
|
||||||
|
}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
listener "{{ vault.listen_protocol }}" {
|
listener "{{ vault.listen_protocol }}" {
|
||||||
address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
|
address = "{{ vault.listen_address }}:{{ vault.listen_port }}"
|
|
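Review bot: The new `storage "consul"` stanza templates only `address` and `path`, so the Vault-to-Consul connection runs on the backend's defaults: plain `http` and no ACL token. For anything beyond a lab cluster a practitioner will want `scheme`, `token` and the `tls_ca_file`/`tls_cert_file`/`tls_key_file` keys settable from the same pillar, otherwise TLS and an ACL-scoped token can only be added by hand-editing the rendered file. Rendering them optionally keeps existing pillar data working; if a token is ever templated here, remember that the rendered config's file mode then matters. The `listener` block that begins at the end of this hunk continues outside it.
```jinja
storage "consul" {
  {# … unchanged: address / path … #}
  {%- if vault.storage.scheme is defined %}
  scheme = "{{ vault.storage.scheme }}"
  {%- endif %}
  {%- if vault.storage.token is defined %}
  token = "{{ vault.storage.token }}"
  {%- endif %}
  {%- if vault.storage.tls_ca_file is defined %}
  tls_ca_file = "{{ vault.storage.tls_ca_file }}"
  {%- endif %}
}
```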
@ -2,11 +2,17 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=vault server
|
Description=vault server
|
||||||
Requires=network-online.target
|
Requires=network-online.target
|
||||||
After=network-online.target consul.service
|
After=network-online.target{% if vault.storage and vault.storage.type == "consul" %} consul.service{% endif %}
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
EnvironmentFile=-/etc/sysconfig/vault
|
EnvironmentFile=-/etc/sysconfig/vault
|
||||||
Restart=on-failure
|
|
||||||
ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %} -config="/etc/vault/config/server.hcl"{% endif %}
|
|
||||||
User={{ vault.user }}
|
User={{ vault.user }}
|
||||||
Group={{ vault.group }}
|
Group={{ vault.group }}
|
||||||
|
ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %}-dev{% else %}-config="/etc/vault.d/config.hcl"{% endif %}
|
||||||
|
ExecReload=/bin/kill -signal HUP $MAINPID
|
||||||
|
ExecStop=/usr/local/bin/vault operator step-down
|
||||||
|
Restart=on-failure
|
||||||
|
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
|
||||||
|
SecureBits=keep-caps
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
KillSignal=SIGINT
|
||||||
|
|
|
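Review bot: `ExecReload=/bin/kill -signal HUP $MAINPID` uses a single-dash `-signal`, which is not the `--signal` long option; as far as I can tell both util-linux and procps `kill` parse it as a signal name and reject it as unknown, so `systemctl reload vault` fails and Vault never receives the SIGHUP that makes it re-read its config and reload listener TLS certificates. Change it to `ExecReload=/bin/kill --signal HUP $MAINPID` (or `/bin/kill -HUP $MAINPID`). Separately, the unit bounds capabilities to `CAP_SYSLOG CAP_IPC_LOCK` and runs as `{{ vault.user }}`, but nothing visible here grants CAP_IPC_LOCK to the process (no `AmbientCapabilities=CAP_IPC_LOCK`). Unless the `install vault` state sets file capabilities on the binary or the config sets `disable_mlock`, Vault's mlock of its memory (which keeps key material out of swap) fails at startup; worth confirming, and adding `AmbientCapabilities=CAP_IPC_LOCK` if it does not.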
@ -16,29 +16,21 @@ generate self signed SSL certs:
|
||||||
- file: /usr/local/bin/self-cert-gen.sh
|
- file: /usr/local/bin/self-cert-gen.sh
|
||||||
{% endif -%}
|
{% endif -%}
|
||||||
|
|
||||||
/etc/vault:
|
/etc/vault.d:
|
||||||
file.directory:
|
file.directory:
|
||||||
- user: root
|
- user: root
|
||||||
- group: root
|
- group: root
|
||||||
- mode: 755
|
- mode: 755
|
||||||
|
|
||||||
/etc/vault/config:
|
/etc/vault.d/config.hcl:
|
||||||
file.directory:
|
|
||||||
- user: root
|
|
||||||
- group: root
|
|
||||||
- mode: 755
|
|
||||||
- require:
|
|
||||||
- file: /etc/vault
|
|
||||||
|
|
||||||
/etc/vault/config/server.hcl:
|
|
||||||
file.managed:
|
file.managed:
|
||||||
- source: salt://vault/files/server.hcl.jinja
|
- source: salt://vault/files/config.hcl.jinja
|
||||||
- template: jinja
|
- template: jinja
|
||||||
- user: root
|
- user: root
|
||||||
- group: root
|
- group: root
|
||||||
- mode: 644
|
- mode: 644
|
||||||
- require:
|
- require:
|
||||||
- file: /etc/vault/config
|
- file: /etc/vault.d
|
||||||
|
|
||||||
{%- if vault.service.type == 'systemd' %}
|
{%- if vault.service.type == 'systemd' %}
|
||||||
/etc/systemd/system/vault.service:
|
/etc/systemd/system/vault.service:
|
||||||
|
@ -69,8 +61,8 @@ vault:
|
||||||
{%- if vault.self_signed_cert.enabled %}
|
{%- if vault.self_signed_cert.enabled %}
|
||||||
- cmd: generate self signed SSL certs
|
- cmd: generate self signed SSL certs
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- file: /etc/vault/config/server.hcl
|
- file: /etc/vault.d/config.hcl
|
||||||
- cmd: install vault
|
- cmd: install vault
|
||||||
- onchanges:
|
- onchanges:
|
||||||
- cmd: install vault
|
- cmd: install vault
|
||||||
- file: /etc/vault/config/server.hcl
|
- file: /etc/vault.d/config.hcl
|
||||||
|
|
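Review bot: `/etc/vault.d/config.hcl` is installed `root:root` with `mode: 644`, i.e. world-readable, while the service runs as `{{ vault.user }}`/`{{ vault.group }}`; the file is rendered from the template that holds the storage and backend settings (the consul `address`/`path` and s3 `bucket` are what this commit shows, and any storage token or credential added later lands in the same file), so every local account can read it. Using the service group with `640` keeps it readable by Vault alone, `- group: {{ vault.group }}` and `- mode: 640` (the directory can stay 755), assuming that group is declared earlier in this state file. The hunk also drops the `/etc/vault/config` and `server.hcl` states without a matching `file.absent`, so hosts that already had the old layout keep a stale, world-readable copy of the previous config at `/etc/vault/config/server.hcl`. The second hunk (the `vault:` service state) only retargets the require/onchanges entries to the new path and looks consistent with the rename.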