ansible-collections-commons

This is a collection of Ansible roles that perform common management tasks. The selection of roles is targeted at deploying the OSISM stack, but some of them may also be useful in other contexts.

The collection is published at https://galaxy.ansible.com/osism/commons.

For bugs or feature requests, please open an issue at https://github.com/osism/ansible-collection-commons/issues.

certificates

An Ansible role to install and update CA certificates.

Role Variables

certificates_ca
Default: []

A list of entries, each holding the file name of the certificate and the certificate itself.

certificates_ca.name

The file name under which the certificate is stored.

Example:

certificates_ca:
  - name: sample.crt
    certificate: |
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----

certificates_ca_path
Default: /usr/local/share/ca-certificates

The path where the certificates will be stored.

certificates_ca_package_name
Default: ca-certificates

The Debian package that must be installed to manage the CA certificates.

certificates_ca_update_command
Default: /usr/sbin/update-ca-certificates

Command for updating the certificates.
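As an added example (not taken from the collection's own documentation), the following playbook installs an internal root CA read from a file on the Ansible controller and then checks that the generated system bundle actually contains it. The role name osism.commons.certificates is assumed from the Galaxy namespace; the file name internal-root-ca.pem and the host group are constructed.

```yaml
# Added example, not part of the collection. Assumes the role is reachable
# as osism.commons.certificates and that files/internal-root-ca.pem exists
# on the controller (constructed name).
- name: Install an internal root CA and verify it is trusted
  hosts: all
  become: true
  vars:
    certificates_ca:
      # update-ca-certificates only picks up files ending in .crt
      - name: internal-root-ca.crt
        certificate: "{{ lookup('ansible.builtin.file', 'files/internal-root-ca.pem') }}"
  roles:
    - osism.commons.certificates
  post_tasks:
    - name: Verify the CA is part of the generated system bundle
      ansible.builtin.command:
        argv:
          - openssl
          - verify
          - -CAfile
          - /etc/ssl/certs/ca-certificates.crt
          - "{{ certificates_ca_path | default('/usr/local/share/ca-certificates') }}/internal-root-ca.crt"
      changed_when: false
```

The openssl verify step fails the play if update-ca-certificates did not include the file, for instance because the name lacks the .crt suffix, so a misnamed certificate does not pass silently.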

cleanup

An Ansible role that removes packages, services and timers that are no longer needed.

Role Variables

cleanup_packages_default
Default: lxc

Packages that are removed by default.

cleanup_packages_extra
Default: []

Additional packages you declare as no longer needed.

cleanup_packages
Default: cleanup_packages_default + cleanup_packages_extra + cleanup_packages_distribution

The complete list of packages to remove: the default list, the extra list and the distribution-specific list.

cleanup_services_default
Default: []

The services which are no longer needed per default.

cleanup_services_extra
Default: []

Additional services you declare as no longer needed.

cleanup_services
Default: cleanup_services_default + cleanup_services_extra + cleanup_services_distribution

The complete list of services to remove: the default list, the extra list and the distribution-specific list.

cleanup_cloudinit
Default: true

Whether cloud-init is removed. Leave the default of true to remove it; set it to false to keep it.

Distribution specific variables:

Debian:

cleanup_services_distribution
Default: []

Services from Debian which are not longer needed.

cleanup_packages_distribution
Default: [libvirt-bin, lxd, open-iscsi]

Debian packages which are no longer needed.

cleanup_cloudinit_package_name
Default: cloud-init

Name of the cloud-init package on Debian.

RedHat:

cleanup_services_distribution
Default: []

Services from RedHat which are no longer needed.

cleanup_packages_distribution
Default: [libvirt, iscsi-initiator-utils]

RedHat packages which are no longer needed.

cleanup_cloudinit_package_name
Default: cloud-init

Name of the cloud-init package on RedHat.

configfs

Configfs is a pseudo-filesystem for modifying kernel objects. This role mounts the filesystem so that you can interact with configfs.

Role Variables

No variables are needed here.

configuration

Install the configuration directory.

Generic Role Variables

operator_user
Default: dragon

The user that will own the configuration directory.

operator_group
Default: "{{ operator_user }}"

The group that will own the configuration directory.

configuration_type
Default: git

The source type for the configuration. Currently only git is supported.

configuration_directory
Default: /opt/configuration

The directory where the configuration will be stored.

Variables for configuration type git

configuration_git_package_name
Default: git

Name of the package to install for the git binary.

configuration_git_proxy
Default: ""

Set this variable if you need a proxy to reach your git server.

configuration_git_public_key
Default: ""

The public key of the keypair used to connect to the git server.

configuration_git_private_key
Default: ""

The private key of the keypair used to connect to the git server.

configuration_git_private_key_file
Default: ~/.ssh/id_rsa.configuration

The path where your keypair is stored.

configuration_git_version
Default: main

The branch name which should be used.

configuration_git_host
Default: github.com

The host from which the repository is fetched.

configuration_git_port
Default: 22

The port that is used for downloading the repository.

configuration_git_repository
Default: osism/ansible-collection-commons.git

The name of the repository to clone.

configuration_git_protocol
Default: ssh

The protocol used to fetch the repository.

configuration_git_username
Default: git

The username that is used for downloading the repository.

docker_compose

Ansible role for installing and configuring docker-compose and its components.

Role Variables

docker_compose_install_type
Default: package

Source of the docker-compose installation. Currently only 'package' is supported.

docker_compose_package_name
Default: docker-compose

The name of the docker-compose package to uninstall.

docker_compose_plugin_package_name
Default: docker-compose-plugin

The name of the docker-compose-plugin package to install.

docker_compose_service_user
Default: "{{ operator_user | default('dragon') }}"

The user the docker-compose service should run with.

docker_compose_service_group
Default: "{{ operator_group | default('dragon') }}"

The group the docker-compose service should run with.

facts

Install custom ansible facts.

Role Variables

fact_files

List of facts to install.

firewall

Ensures that UFW is installed as the firewall service.

Role Variables

ufw_servive_name
Default: ufw

hostname

Ansible role for setting up the hostname. It uses the short hostname provided by the Ansible inventory.

hosts

This role populates the /etc/hosts file with the hosts from the Ansible inventory. For each host, if hosts_enable is true, the IPv4 address of the hosts_interface is added to /etc/hosts.

Role Variables

hosts_enable
Default: true

Whether to include hosts by default.

hosts_interface

The IPv4 address assigned to this interface is placed in the hosts file.

hosts_group_name
Default: all

Only hosts that are members of this group are written to the hosts file.

hosts_use_dns_as_single_source_of_truth
Default: false

Set this parameter to true if DNS is to be the single source of truth. The hosts from hosts_group_name are then not written to the hosts file.

hosts_type
Default: block

valid values: [block, local, template] # TODO

hosts_file
Default: /etc/hosts

Path to the managed hosts file.

hosts_file_backup
Default: true

If this value is set to true, a backup of the file is created before any changes are made.

hosts_file_reset
Default: false

If the type block is used and this value is set to True the hosts file is always completely reset.

hosts_ignore
Default: []

A list of hosts that should not be included in the hosts file.

hosts_additional_entries
Default: {}

A dictionary with entries in the form FQDN: IP_ADDRESS which are added to the end of the hosts file.

ipmitool

Ansible role for installing ipmitool and its required kernel modules.

Role Variables

ipmitool_package_name
Default: ipmitool

Distribution package for ipmitool.

ipmitool_kernel_modules
Default: [ipmi_devintf, ipmi_si]

Required kernel modules for running ipmitool.

kernel_modules

Ansible role for installing kernel modules. The configured modules are loaded immediately via modprobe and added to /etc/modules so that they are loaded automatically at boot.

Role Variables

kernel_modules_default
Default: [ "bonding", "8021q" ]

Default list of kernel modules to install.

kernel_modules_extra
Default: []

List of extra modules to install.

kernel_modules
Default: kernel_modules_default + kernel_modules_extra

The complete list of modules to install.

known_hosts

This role adds the ssh hostkeys from hosts in the ansible inventory to a known_hosts file.

Role Variables

operator_user
Default: dragon

The user that will own the known_hosts file.

operator_group
Default: operator_user

The group that will own the known_hosts file.

known_hosts_group_name
Default: all

Add hosts from this group to known_hosts.

known_hosts_destination
Default: /home/{{ operator_user }}/.ssh

Destination where the known_hosts file is stored.

kompose

This Ansible role checks whether kompose is already installed; if not, it downloads it and verifies the checksum.

Role Variables

kompose_install_type
Default: url

The source from which kompose is downloaded.

kompose_version
Default: 1.22.0

Which version of kompose should be installed.

kompose_checksum
Default: 6203d67263886bbd455168f59309496d486fc3a6df330b7ba37823b283bd9ea5

The checksum that the downloaded file must match.

kompose_url
Default: "https://github.com/kubernetes/kompose/releases/download/v{{ kompose_version }}/kompose-linux-amd64"

URL for the download.

kubectl

This Ansible role installs kubectl.

Role Variables

kubectl_package_name
Default: kubectl

Name of the kubectl package.

kubectl_configure_repository
Default: true

Whether to configure the package repository.

kubectl_debian_repository_arch
Default: amd64

Repository architecture.

kubectl_debian_repository_key
Default: https://raw.githubusercontent.com/kubernetes/k8s.io/main/apt/doc/apt-key.gpg

URL of the repository GPG key.

kubectl_debian_repository
Default: "deb [ arch={{ kubectl_debian_repository_arch }} signed-by=/usr/share/keyrings/kubectl.gpg ] https://apt.kubernetes.io/ kubernetes-xenial main"

Repository URL.

lynis

This ansible role will install lynis.

Role Variables

lynis_package_name
Default: lynis

The package that should be installed.

lynis_configure_repository
Default: true

Whether to add the lynis_debian_repository to the apt configuration.

lynis_debian_repository_arch
Default: amd64

Repository architecture.

lynis_debian_repository_key
Default: https://packages.cisofy.com/keys/cisofy-software-public.key

URL of the repository GPG key that is added.

lynis_debian_repository
Default: "deb [ arch={{ lynis_debian_repository_arch }} ] https://packages.cisofy.com/community/lynis/deb/ stable main"

The apt repository line to add.

microcode

Ansible role for the installation of microcode.

Role Variables

microcode_packages_default
Default: [amd64-microcode, intel-microcode]

The packages that provide the microcode.

microcode_packages_extra
Default: []

Extra packages which you want to install.

microcode_packages
Default: microcode_packages_default + microcode_packages_extra

The complete list of packages to install.

motd

Sets the content of the Message of the Day (/etc/motd) and the prelogin message and identification (/etc/issue) file.

Role Variables

motd_content
Default: ""

Contents to be written to motd_path and issue_path.

Example:

motd_content: |
  ------------------------------------------------------------------------------
  * WARNING                                                                    *
  * You are accessing a secured system and your actions will be logged along   *
  * with identifying information. Disconnect immediately if you are not an     *
  * authorized user of this system.                                            *
  ------------------------------------------------------------------------------

motd_path
Default: /etc/motd

The full path to the motd file.

issue_path
Default: /etc/issue

The full path to the issue file.

network

Ansible role for managing and configuring the internal network types.

Role Variables

network_type
Default: interfaces

Which type of network you want to install. Possible values are interfaces and netplan.

network_manage_devices
Default: true

Whether all network devices are managed by this role.

Note

Attention! If true, all configuration not managed by this role is deleted.

network_allow_service_restart
Default: false

Whether the network service may be restarted.

Note

Attention! A restart is only triggered when the interfaces file itself has changed.

network_restart_method
Default: nothing

How should changed interfaces be treated? Options:

  • service - restart the network service for the interface

  • interface - down & up the interface

  • nothing - do nothing

  • any other value - undefined behavior

Configuration for type interfaces

List of all network interface configurations:

network_interfaces

For IPv6, add an additional entry with family inet6.

Example configuration:

- device: eth0
  # auto & allow are only used for the first device entry
  auto: true  # enable on boot (default)
  allow: []  # array of allow-[stanzas] eg. allow-hotplug

  family: inet  # network type eg. inet | inet6 (default)
  method: dhcp  # dhcp | static (default)
  # examples for method 'static'
  # description: 'a user description'
  # address: 192.168.1.11
  # network: 192.168.1.0
  # netmask: 255.255.255.0
  # broadcast: 192.168.1.255
  # gateway: 192.168.1.1

  # transport
  # mtu: 9000 # give a non-default mtu

  # ifmetric
  # metric: 10

  # optional dns settings
  # nameservers: ['9.9.9.9']
  # dns_search: "domain.net" # appended dns search string

  # optional additional subnets/ips
  # subnets: ['192.168.123.0/24', '192.168.124.11/32']

  bridge: {}  # optional bridge parameters
  #  ports:
  #  stp:
  #  fd:
  #  maxwait:
  #  waitport:

  bond: {}  # optional bonding parameters
  #  mode:
  #  miimon:
  #  master:
  #  slaves:
  #  lacp-rate:

  # optional vlan settings
  vlan: {}
  #  raw-device: 'eth0'

  # inline hook scripts
  pre-up: []  # pre-up script lines
  up: []  # up script lines
  post-up: []  # post-up script lines (alias for up)
  pre-down: []  # pre-down script lines (alias for down)
  down: []  # down script lines
  post-down: []  # post-down script lines

network_interfaces_path
Default: /etc/network/interfaces

Destination path where to store the interface configuration files.

network_interface_path
Default: /etc/network/interfaces.d

Source path from which the configuration files are taken.

network_interface_permissions
Default: 0644

File permissions for the network interface configuration files.

network_interface_restart_commands
Default: interface: "ifdown {{ item.item.0 }}; ifup {{ item.item.0 }}"

Commands for restarting the interface.

network_interface_required_packages
Default: [bridge-utils, ifenslave, ifmetric, ifupdown, vlan]

Packages required for the network type interfaces.

Configuration for type netplan

network_netplan_required_packages
Default: netplan.io

Package required for the network type netplan.

network_netplan_path
Default: /etc/netplan

Directory to store the configuration file.

network_netplan_file
Default: 01-osism.yaml

The configuration file for netplan.

network_netplan_permissions
Default: 0644

To set the file permissions for netplan configuration files.

network_netplan_remove_unmanaged_files
Default: true

Whether netplan configuration files that are not managed by this role are removed.

network_netplan_managed_files_defaults
Default: network_netplan_file

Name of the managed configuration file.

network_netplan_managed_files_extra
Default: []

If more than one configuration file is managed, declare the additional ones here.

network_netplan_managed_files
Default: network_netplan_managed_files_defaults + network_netplan_managed_files_extra

The complete list of managed configuration files.

network_version
Default: 2

The file 01-osism.yaml describes the network interfaces available on the system. The network version is required by the netplan declaration.

network_renderer
Default: networkd

The netplan renderer, i.e. the daemon that actually applies the network configuration.

network_bonds

Netplan-bond configuration. For more information please look at the netplan documentation.

network_bridges

Netplan-bridges configuration. For more information please look at the netplan documentation.

network_ethernets

Netplan-ethernet configuration. For more information please look at the netplan documentation.

network_tunnels

Netplan-tunnels configuration. For more information please look at the netplan documentation.

network_vlans

Netplan-vlans configuration. For more information please look at the netplan documentation.
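As an added illustration (not part of the collection's documentation), the following variables describe an LACP bond of two NICs with a tagged VLAN on top, written in netplan's own syntax. It assumes that network_ethernets, network_bonds and network_vlans are handed to netplan unchanged by the role; the interface names and the 192.0.2.0/24 documentation address range are constructed.

```yaml
# Added example, not from the collection. Assumes the role passes these
# dictionaries to netplan unchanged. Interface names and addresses are
# constructed (192.0.2.0/24 is a documentation range).
network_type: netplan
network_renderer: networkd

network_ethernets:
  eno1:
    dhcp4: false
  eno2:
    dhcp4: false

network_bonds:
  bond0:
    interfaces: [eno1, eno2]
    mtu: 9000
    parameters:
      mode: 802.3ad
      lacp-rate: fast
      mii-monitor-interval: 100
      transmit-hash-policy: layer3+4

network_vlans:
  vlan100:
    id: 100
    link: bond0
    mtu: 9000
    addresses:
      - 192.0.2.10/24
    routes:
      - to: 0.0.0.0/0
        via: 192.0.2.1
    nameservers:
      addresses: [9.9.9.9, 149.112.112.112]
```

With network_netplan_remove_unmanaged_files left at its default of true, only the file named in network_netplan_file survives in /etc/netplan, so a cloud-init generated configuration for eno1 or eno2 cannot compete with the bond.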

network_dispatcher_package_name
Default: networkd-dispatcher

The required package for the networkd-dispatcher.

network_dispatcher_service_name
Default: networkd-dispatcher

The service name from the dispatcher. This is needed to start the service.

network_dispatcher_scripts
Default: []

Scripts for networkd-dispatcher: where each script comes from (src) and the dispatcher hook directory it is installed to (dest).

Example:

- src: /opt/configuration/network/vxlan.sh
  dest: routable.d/vxlan.sh
- src: /opt/configuration/network/iptables.sh
  dest: routable.d/iptables.sh

network_dummy_interfaces

Dummy interfaces to create. This avoids errors for interfaces that Ansible does not recognize.

Example:

network_dummy_interfaces:
  - lo-bgp
  - lo-vxlan

network_dummy_interface_mtu
Default: 9000

Maximum Transmission Unit (MTU) of the dummy interfaces. Choose the MTU that fits your system.

operator

Ansible role to configure the operator user with all its dependencies.

Role Variables

operator_user
Default: dragon

The operator user name.

operator_user_id
Default: 45000

ID for the operator user.

operator_group
Default: dragon

The group for the operator user.

operator_group_id
Default: 45000

ID for the group.

operator_shell
Default: /bin/bash

The default shell for the operator.

operator_authorized_keys
Default: []

A list of ssh authorized keys to add.

operator_password

Encrypted password string to set for the operator user (optional).

Warning

Use "mkpasswd --method=sha-512" to generate an encrypted password. Do not set this variable to a clear-text password.

operator_sudo_nopasswd
Default: true

Whether the operator user can invoke sudo without a password.

operator_sudo_cmd_list
Default: ALL

Commands that the user can use with sudo.

operator_groups

Additional groups for the operator user. The default list of groups is distribution specific.
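The following playbook is an added example, not from the collection itself, showing how to feed operator_password with a SHA-512 crypt hash computed on the controller instead of a clear-text value, and how to require a password for sudo rather than the role default. It assumes the role is reachable as osism.commons.operator; the vaulted variable vault_operator_password and the key file files/operator.pub are constructed names.

```yaml
# Added example, not from the collection. Assumes the role is reachable as
# osism.commons.operator; vault_operator_password (kept in an ansible-vault
# encrypted vars file) and files/operator.pub are constructed names.
- name: Create the operator user with a hashed password
  hosts: all
  become: true
  vars:
    # Hash on the controller; the per-host seed gives a stable salt so the
    # task stays idempotent instead of rewriting the hash on every run.
    operator_password: >-
      {{ vault_operator_password
         | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}
    operator_authorized_keys:
      - "{{ lookup('ansible.builtin.file', 'files/operator.pub') }}"
    # Require the password for sudo instead of the role default (true)
    operator_sudo_nopasswd: false
  roles:
    - osism.commons.operator
```

Equivalently, generate the hash once with mkpasswd --method=sha-512 and store only the resulting string in the encrypted vars file; either way the clear-text password never reaches the inventory.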

packages

This ansible role installs a number of required packages.

Role Variables

upgrade_packages
Default: true

For updating the package cache.

required_packages_default
Default: [ethtool, jq, rsyslog]

Packages that are always installed.

required_packages_extra
Default: []

Extra packages which you want to install.

required_packages
Default: required_packages_default + required_packages_extra + required_packages_distribution

The complete list of packages to install.

Debian Variables

apt_cache_valid_time
Default: 3600

Update the apt cache if it is older than the cache_valid_time. This option is set in seconds.

required_packages_distribution
Default: [debsums, selinux-utils, ssh]

Required packages for Debian.

RedHat Variables

required_packages_distribution
Default: [libselinux-utils, openssh]

Required packages for RedHat.

podman

Ansible role to install podman.

Role Variables

podman_action
Default: deploy

Name of the task file to include.

Example: config.yml or deploy.yml

podman_package_name
Default: podman

The required package for podman.

proxy

This Ansible role sets up the proxies.

Role Variables

proxy_proxies
Default: {}

The proxies to configure, keyed by protocol.

Example:

proxy_proxies:
  http: http://proxy.tld:8080
  https: http://proxy.tld:8080
  ftp: http://proxy.tld:8080

proxy_no_proxy_default
Default: [127.0.0.1, localhost]

The addresses listed here are not configured via proxy.

proxy_no_proxy_extra
Default: []

Here you can list extra addresses which are not to be configured via proxy.

proxy_no_proxy
Default: proxy_no_proxy_default + proxy_no_proxy_extra

All addresses that should not be reached via the proxy.

proxy_package_manager
Default: true

Also set proxy for the package manager.

proxy_apt_conf_path
Default: /etc/apt/apt.conf.d/01proxy

Debian-specific path where the apt proxy configuration file is stored.

repository

Ansible role to configure the default repository sources.

Role Variables

repositories
Default: {}

A dict of name:repository pairs, these will be used as the list of package sources. The format of the repository values is distribution-specific.

If not set explicitly, some default repositories are configured. For Ubuntu, these are mirrors of the main, restricted, universe and multiverse repositories for each of the release, -backports, -security and -updates pockets.

repository_cache_valid_time
Default: 120

Only for Debian/Ubuntu:

Update the apt cache if it is older than the cache_valid_time. This option is set in seconds.

repository_key_files_directory
Default: ""

Only for Debian/Ubuntu:

Keys stored in this directory are added to APT as trusted keys.

repository_keys

Only for Debian/Ubuntu:

List of URLs from which to collect GPG keys that APT should trust.

repository_key_ids

Only for Debian/Ubuntu:

Dict of ID:keyserver pairs; each key ID is fetched from its keyserver and added to APT as a trusted key.

enable_phased_updates
Default: false

Only for Debian/Ubuntu:

Enable phased updates.

repository_apt_acquire_forceipv4
Default: false

Only for Debian/Ubuntu:

Force IPv4 transport for apt-get.

resolvconf

Ansible role for configuring the nameservers and related resolver settings.

Role Variables

resolvconf_nameserver_default
Default: [9.9.9.9, 149.112.112.112]

The default IP addresses of the nameservers used for the configuration.

resolvconf_nameserver_extra

Extra nameservers to configure.

resolvconf_nameserver

The whole list of nameservers you want to configure.

resolvconf_fallback_nameserver

Fallback nameservers, as a list of IPv4 and IPv6 addresses, used if no other DNS server information is known. If this option is not set, a compiled-in list is used instead.

This is the local domain.

resolvconf_minimum_number_of_nameservers
Default: 2

The minimum number of nameservers that must be configured.

resolvconf_cache
Default: true

Enables the resolver cache: responses are stored and reused for later requests, which improves performance because not every lookup results in a new network request.

resolvconf_cache_from_localhost
Default: false

Whether caching also applies to requests from localhost. During development you may need to keep this set to false; use this parameter to control it.

resolvconf_dns_over_tls
Default: false

If true, all DNS connections are encrypted with DNS-over-TLS. The configured DNS server must support DNS-over-TLS and present a valid certificate. Using DNS-over-TLS costs a little performance.

resolvconf_dnssec
Default: allow-downgrade

The default allow-downgrade does not enforce DNSSEC-validated responses; fallback to plain (insecure) DNS is allowed. To enforce DNSSEC set this variable to true. This only works on systems where DNSSEC is supported and costs a little performance.

resolvconf_read_etc_hosts
Default: true

If true, systemd-resolved is allowed to read /etc/hosts.

resolvconf_file
Default: /etc/resolv.conf

Path to the configuration file.

services

Ansible role for managing services.

Role Variables

services_warning_default
Default: nscd

Have a look at services_warning.

services_warning_extra

Have a look at services_warning.

services_warning

Services that should not be running. Running instances are reported in a debug message.

services_required_default
Default: cron

Have a look at services_required.

services_required_extra

Have a look at services_required.

services_required

The services declared in a list which should be managed.

sosreport

This Ansible role installs and configures sosreport. Sosreport collects information from the configured plugins.

Role Variables

sosreport_unarchive
Default: false

Whether the sosreport archive is extracted on the destination machine after it has been generated.

sosreport_tmpdir
Default: /tmp/sosreport

It is a temporary directory where the reports will be stored on the machine where the report is generated.

sosreport_required_packages
Default: sosreport

Required packages for sosreport.

sosreport_name

The name under which the report is stored; by default it includes the hostname and the date.

sosreport_archive_filename

The file name of the archived sosreport.

sosreport_archive_directory

The directory where the archived sosreports are stored.

sosreport_plugins
Default: [apt, auditd, block, devices, docker, dpkg, filesys, hardware, kernel, kvm, md, memory, networking, pci, process, processor, python, services, ssh, system, systemd, ubuntu, udev, usb, xfs]

The plugins from which sosreport collects the information you need.

operator_user
Default: dragon

The user as which sosreport runs and which owns the required directories.

operator_group
Default: operator_user

The group of the user as which sosreport runs and which owns the required directories.

sshconfig

Ansible role for configuring the ssh client so that the hosts can be reached via ssh.

Role Variables

operator_user
Default: dragon

The user who will own the configuration directory.

operator_group
Default: operator_user

The group that will own the configuration directory.

sshconfig_groupname
Default: all

The group of hosts that will be configured.

sshconfig_order
Default: 20

Priority of the ssh configuration file. The file is stored in the config.d directory, where other files may exist. They are read in alphabetical order, and this variable lets you control the order in which the file is evaluated.

sshconfig_port
Default: 22

The port on which the ssh-service will listen for connections.

sshconfig_private_key_file
Default: /opt/ansible/secrets/id_rsa.operator

The file in which the ssh key from the operator is stored.

sshconfig_user
Default: operator_user

User which should be used to establish the ssh connection.

state

This Ansible role writes facts into a state file.

Role Variables

state_name
Default: osism

The name which the state file will have.

state_section
Default: status

This declares the section in the file where the facts have to be added.

state_option
Default: deployed

The option that a fact must have before it is added to the file.

state_value
Default: false

The value that is given for checking a fact. # Fix me

sysctl

This role configures sysctl (kernel parameters). It can be used to tune the components of a system for better performance. Be aware that wrong settings can slow the system down as well.

Role Variables

sysctl_defaults

This section declares, as a list, the parameters for elasticsearch, rabbitmq and the node groups all or compute.

sysctl_extra

Here you can declare extra variables that you want to configure.

sysdig

Ansible role for installing and configuring sysdig. Sysdig is a system visibility tool with native support for containers.

Role Variables

sysdig_package_name
Default: sysdig

The package to install.

sysdig_kernel_module_name
Default: sysdig_probe

The kernel module name for configuring and enabling sysdig.

sysdig_configure_repository
Default: true

Whether to configure the sysdig package repository. Downloading packages via https requires the corresponding transport package to be installed first.

sysdig_debian_repository_arch
Default: amd64

The architecture of the system on which sysdig is installed.

sysdig_debian_repository_key
Default: https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public

URL of the repository GPG key.

sysdig_debian_repository
Default: deb [ arch={{ sysdig_debian_repository_arch }} ] https://download.sysdig.com/stable/deb stable-{{ sysdig_debian_repository_arch }}/

The apt repository line for sysdig on Debian-based distributions.

systohc

This ansible role will synchronize the hardware clock.

Role Variables

systohc
Default: true

When true, the system clock is synced to the hardware clock.

systohc_common

# Fix me

timezone

Ansible role for timezone configuration.

Role Variables

timezone_hwclock
Default: UTC

Whether the hardware clock is in UTC or in local timezone. Possible values are local and UTC.

timezone_name
Default: UTC

Name of the timezone for the system clock.

trivy

Ansible role for the trivy installation. Trivy is a scanner for vulnerabilities in container images, file systems, and git repositories, as well as for configuration issues and hard-coded secrets.

Role Variables

trivy_package_name
Default: trivy

Name of the package to install for trivy.

trivy_configure_repository
Default: true

Whether to configure the trivy package repository. Downloading packages via https requires the corresponding transport package to be installed first.

trivy_debian_repository_arch
Default: amd64

Architecture from the target system.

trivy_debian_repository_key
Default: https://aquasecurity.github.io/trivy-repo/deb/public.key

URL of the repository GPG key.

trivy_debian_repository
Default: deb [ arch={{ trivy_debian_repository_arch }} ] https://aquasecurity.github.io/trivy-repo/deb {{ ansible_distribution_release }} main

Name of the trivy debian repository.

vault_import

Ansible role for importing secrets into HashiCorp Vault.

Role Variables

vault_token
Default: ""

Token used to log in to vault.

vault_protocol
Default: http

The protocol which will be used to connect to vault.

vault_host
Default: vault

Hostname of the vault-server.

vault_port
Default: 8200

The port on which vault accepts connections.

vault_url
Default: {{ vault_protocol }}://{{ vault_host }}:{{  vault_port }}

Address of the vault server used for connections.

vault_secrets_path
Default: /opt/configuration/environments/secrets.yml

Path to the file containing the secrets that are imported into vault.

vault_init

This ansible role will configure policies inside the vault-server for the key-value-store (kv).

Role Variables

vault_token
Default: ""

Token used to log in to vault.

vault_protocol
Default: http

The protocol which will be used to connect to vault.

vault_host
Default: vault

Hostname of the vault-server.

vault_port
Default: 8200

The port on which vault accepts connections.

vault_url
Default: {{ vault_protocol }}://{{ vault_host }}:{{  vault_port }}

Address of the vault server used for connections.

vault_rules_read
Default:
  path "kv/*" {
    capabilities = ["read"]
  }

Vault read policy. Configures a policy that allows reads from the key-value store.

vault_rules_write
Default:
  path "kv/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
  }

Vault write policy. Configures a policy that allows every action on the key-value store.
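The playbook below is an added example, not from the collection, showing the role applied with a write policy narrowed to one prefix of the key-value store, TLS instead of the default http, and the token read from the controller environment rather than from the inventory. It assumes the role is reachable as osism.commons.vault_init; the host group manager and the kv/osism/* path are constructed.

```yaml
# Added example, not from the collection. Assumes the role is reachable as
# osism.commons.vault_init and that the token is exported as VAULT_TOKEN on
# the controller; the group "manager" and the kv/osism/* path are constructed.
- name: Configure vault policies with a narrowed write scope
  hosts: manager
  vars:
    # Taken from the environment so the token is never written to disk
    # alongside the inventory.
    vault_token: "{{ lookup('ansible.builtin.env', 'VAULT_TOKEN') }}"
    # Talk to vault over TLS instead of the role default (http).
    vault_protocol: https
    vault_port: 8200
    # Read policy: unchanged scope, list added so tools can enumerate keys.
    vault_rules_read: |
      path "kv/*" {
        capabilities = ["read", "list"]
      }
    # Write policy: only the osism prefix instead of the whole store.
    vault_rules_write: |
      path "kv/osism/*" {
        capabilities = ["create", "read", "update", "delete", "list"]
      }
  roles:
    - osism.commons.vault_init
```

The block scalars keep the HCL exactly as vault expects it; a missing "list" capability on the read policy is a common reason why a token that can read a secret still cannot see it in a listing.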

vault_seal

Ansible role to seal the vault-server.

Role Variables

vault_container_name
Default: manager_vault_1

The name of the vault-container.

vault_token
Default: ""

Token to login to vault.

Warning

This action will completely block any interaction with vault.

vault_unseal

Ansible role to unseal the vault-server.

Role Variables

vault_container_name
Default: manager_vault_1

The name of the vault-container.

The vault server is unsealed with Shamir's secret sharing. For the unsealing you will need at least three keys:

vault_unseal_key_1
vault_unseal_key_2
vault_unseal_key_3