This is a simple Ansible Role that complements jacobmammoliti/ansible-role-vault, and adds a couple of things:

- Creates a bash profile in `/etc/profile.d` to declare `VAULT_ADDR` pointing to the local host.
- Manages `/var/log/vault`
- Configures `logrotate` to rotate Vault's audit log
This Role uses geerlingguy.fluentd
Some of the variables use the same name as jacobmammoliti/ansible-role-vault for simplicity.
- Create `/etc/profile.d/vault_cluster.sh`
  - Default value: true
- Use `http` or `https` for the `VAULT_ADDR` URL in the bash profile
  - Default value: true
- OS user name
  - Default value: vault
- OS group name
  - Default value: vault
- Directory for the Vault audit logs
  - Default value: /var/log/
- Vault audit log file name
  - Default value: audit
- Vault audit log file extension
  - Default value: log
- Vault audit `logrotate` configuration
  - Default value: /etc/logrotate.d/vault.conf
- Vault audit log retention (in days)
  - Default value: 30
- Install Vault CA cert to the OS trust store
  - Default value: false
- If true, it will create a `systemd` unit file override exposing proxy settings as environment variables for the Vault service
  - Default value: false
- URL to use for the `http_proxy` environment variable
  - Default value: undefined
- URL to use for the `https_proxy` environment variable. If undefined/empty, it defaults to the value of `vault_proxy_https`
  - Default value: undefined
- Value to use for the `no_proxy` environment variable
  - Default value: undefined
The official way to do this manually is to run `systemctl edit myservice` (for this role, `systemctl edit vault`), which will create an override file for you or let you edit an existing one.
In normal installations this will create a directory `/etc/systemd/system/vault.service.d`, and inside that directory create a file whose name ends in `.conf` (typically `override.conf`); in this file you can add to or override any part of the unit shipped by the distribution.
For instance, in a file `/etc/systemd/system/vault.service.d/environment.conf`:

```ini
[Service]
Environment=http_proxy="https://proxy.example.com"
Environment=https_proxy="https://proxy.example.com"
Environment=no_proxy=".example.com"
```
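The following play is an added example of how the override above can be managed with Ansible; it is not part of this role. It writes the drop-in only when proxying is enabled, removes it otherwise, and lets `https_proxy` fall back to the http URL when it is undefined or empty. All variable names except `vault_proxy_https`, and the sample values, are assumptions.

```yaml
# Added example: a play that writes the drop-in described above. It is not
# part of this role. Variable names other than vault_proxy_https are assumed.
- name: Expose proxy settings to the Vault service via a systemd override
  hosts: vault_servers
  become: true
  vars:                                   # constructed sample values
    vault_proxy_enabled: true
    vault_proxy_http: "http://proxy.example.com:3128"
    vault_proxy_https: ""                 # empty: falls back to vault_proxy_http
    vault_proxy_no_proxy: "localhost,127.0.0.1,.example.com"
  tasks:
    - name: Create the drop-in directory for the Vault unit
      ansible.builtin.file:
        path: /etc/systemd/system/vault.service.d
        state: directory
        owner: root
        group: root
        mode: "0755"
      when: vault_proxy_enabled | bool

    - name: Write the environment override (lower-case variable names only)
      ansible.builtin.copy:
        dest: /etc/systemd/system/vault.service.d/environment.conf
        owner: root
        group: root
        mode: "0644"
        # no_proxy keeps loopback and the local domain off the proxy so the
        # node still reaches itself and its peers directly.
        content: |
          [Service]
          Environment=http_proxy="{{ vault_proxy_http }}"
          Environment=https_proxy="{{ vault_proxy_https | default(vault_proxy_http, true) }}"
          {% if vault_proxy_no_proxy | default('', true) | length > 0 %}
          Environment=no_proxy="{{ vault_proxy_no_proxy }}"
          {% endif %}
      when: vault_proxy_enabled | bool
      notify: reload systemd

    - name: Remove the override when proxying is disabled
      ansible.builtin.file:
        path: /etc/systemd/system/vault.service.d/environment.conf
        state: absent
      when: not (vault_proxy_enabled | bool)
      notify: reload systemd

  handlers:
    # daemon-reload picks up the unit change; the new environment takes effect
    # on the next restart of the Vault service.
    - name: reload systemd
      ansible.builtin.systemd:
        daemon_reload: true
```

Check the result on the host with `systemctl show vault -p Environment` after the service has been restarted.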
As discussed in this article, the environment variables for configuring proxies on Unix are more a convention than a standard.
There's a lot of "copy & paste" information on the internet, where people say things without quoting an actual source.
This Ansible Role uses the lower case versions of the environment variables, as these seem to be the "proper" ones.
Below, you can see a summary of how these variables work in common situations (shamelessly copied from the article above).
| | curl | wget | Ruby | Python | Go |
|---|---|---|---|---|---|
| http_proxy | Yes | Yes | Yes | Yes | |
| HTTP_PROXY | No | No | Yes (warning) | Yes (if REQUEST_METHOD not in env) | |
| https_proxy | Yes | Yes | Yes | Yes | |
| HTTPS_PROXY | Yes | No | Yes | Yes | |
| Case precedence | lowercase | lowercase only | lowercase | lowercase | |
`no_proxy`: comma- or space-separated list of hosts/domains to connect to directly.

| | curl | wget | Ruby | Python | Go |
|---|---|---|---|---|---|
| no_proxy | Yes | Yes | Yes | Yes | Yes |
| NO_PROXY | Yes | No | Yes | Yes | Yes |
| Case precedence | lowercase | lowercase only | lowercase | lowercase | Uppercase |
| Matches suffixes? | Yes | Yes | Yes | Yes | Yes |
| Strips leading `.`? | Yes | No | Yes | Yes | No |
| `*` matches all hosts? | Yes | No | No | Yes | Yes |
| Supports regexes? | No | No | No | No | No |
| Supports CIDR blocks? | No | No | Yes | No | Yes |
| Detects loopback IPs? | No | No | No | No | Yes |