This Ansible role performs a basic Vault installation, including filesystem structure and example configuration.

It can also bootstrap a minimal development or evaluation server or HA Consul-backed cluster in a Vagrant and VirtualBox based environment. See README_VAGRANT.md and the associated Vagrantfile for more details about the developer mode setup.

This role requires FreeBSD, or a Debian or RHEL based Linux distribution. It might work with other software versions, but does work with the following specific software and versions:

• Ansible: 2.4.2.0
• Vault: 0.9.1
• Debian: 8
• FreeBSD 11
• Ubuntu 16.04

Sorry, there is no planned support at the moment for Windows.

The role defines variables in defaults/main.yml:

• version to install
  • Can be overridden with VAULT_VERSION environment variable
• Default value: 0.9.1

• Set this to true when installing Vault Enterprise; this is not currently possible as a "remote only" install method
  • Can be overridden with VAULT_ENTERPRISE environment variable
• Default value: false

• package filename
• Default value: "vault_{{ vault_version }}_linux_amd64.zip"

• package filename
• Default value: "vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"

• Package download URL
• Default value: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"

• SHA summaries URL
• Default value: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"

• SHA summaries filename (included for convenience not for modification)
• Default value: "vault_{{ vault_version }}_SHA256SUMS"

• SHA summaries filename (included for convenience not for modification)
• Default value: "vault-enterprise_{{ vault_version }}_SHA256SUMS"

• Binary installation path
• Default value: /usr/local/bin

• Configuration file path
• Default value: /etc/vault.d

• Data path
• Default value: /var/vault

• Log path - (not yet implemented)
• Default value: /var/log/vault

• PID file location
• Default value: /var/run/vault

• Should this role manage the vault user?
• Default value: true

• OS user name
• Default value: vault

• OS group name
• Default value: bin

• Inventory group name
• Default value: vault_instances

• Cluster name label
• Default value: dc1

• Datacenter label
• Default value: dc1

• host:port value for connecting to Consul HA backend
• Default value: 127.0.0.1:8500

• Name of Vault's Consul K/V root path
• Default value: vault

• Name of the Vault service to register in Consul
• Default value: vault

• ACL token for accessing Consul
• Default value: none

• Log level
  • Supported values: trace, debug, info, warn, err
• Default value: info

• Log to syslog (not yet impemented)
• Default value: true

• Network interface
  • Can be overridden with VAULT_IFACE environment variable
• Default value: eth1

• Primary network interface address to use
• Default value: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"

• HA Client Redirect address
• Default value: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"

• TCP port number to on which to listen
• Default value: 8200

• Short node name
• Default value: "{{ inventory_hostname_short }}"

• Configures the maximum possible lease duration for tokens and secrets.
• Default value: 768h (32 days)

• Configures the default lease duration for tokens and secrets.
• Default value: 768h (32 days)

• Main configuration file name (full path)
• Default value: "{{ vault_config_path }}/vault_main.hcl"

• Backend template filename
• Default value: backend_consul.j2

• Address for intra-cluster communication
• Default value: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"

• Disable HA clustering
• Default value: false

• Path to TLS certificate and key
• Default value /etc/vault/tls

• Disable TLS
  • Can be overridden with VAULT_TLS_DISABLE environment variable
• Default value: 1

• Vault TLS certificate file path
• Default value: None

• Vault TLS certificate destination (full path)
• Default value: "{{ vault_tls_config_path }}/vault.crt" # /etc/pki/tls/certs/vault.crt

• Vault TLS key file path
• Default value: None

• Vault TLS key destination (full path)
• Default value: "{{ vault_tls_config_path }}/vault.key"

• Minimum acceptable TLS version
  • Can be overridden with VAULT_TLS_MIN_VERSION environment variable
• Default value: tls12

• Comma-separated list of supported ciphersuites
• Default value: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

• Prefer server's cipher suite over client cipher suite
  • Can be overridden with VAULT_TLS_PREFER_SERVER_CIPHER_SUITES environment variable
• Default value: false

The consul binary works on most Linux platforms and is not distribution specific. However, some distributions require installation of specific OS packages with different naming, so this role was built with support for popular Linux distributions and defines these variables to deal with the differences across distributions:

• Vault package filename
• Default value: {{ vault_version }}_linux_amd64.zip

• Vault package download URL
• Default value: {{ vault_zip_url }}

• List of OS packages to install
• Default value: list

• Vault package filename
• Default value: "{{ vault_version }}_linux_amd64.zip"

• Vault package download URL
• Default value: "{{ vault_zip_url }}"

• Vault download SHA256 summary
• Default value: SHA256 SUM

• List of OS packages to install
• Default value: list

• Vault package filename
• Default value: "{{ vault_version }}_linux_amd64.zip"

• Vault package download URL
• Default value: "{{ vault_zip_url }}"

• Vault package SHA256 summary
• Default value: SHA256 SUM

• List of OS packages to install
• Default value: list

• Vault package filename
• Default value: "{{ vault_version }}_linux_amd64.zip"

• Vault package download URL
• Default value: "{{ vault_zip_url }}"

• Vault package SHA256 summary
• Default value: SHA256 SUM

• List of OS packages to install
• Default value: list

NOTE: Read these before executing the role to avoid certain frequently encountered issues which are resolved by installing the correct dependencies.

Ansible requires GNU tar and this role performs some local use of the unarchive module, so ensure that your system has gtar installed.

The role depends on python-netaddr so:

pip install netaddr

on the Ansible control host prior to executing the role.

Basic installation is possible using the included site.yml playbook:

ansible-playbook -i hosts site.yml

You can also pass variables in using the --extra-vars option to the ansible-playbook command:

ansible-playbook -i hosts site.yml --extra-vars "vault_datacenter=maui"

Specify a template file with a different backend definition (see templates/backend_consul.j2):

ansible-playbook -i hosts site.yml --extra-vars "vault_backed=backend_file.j2"

You need to make sure that the template file backend_file.j2 is in the role directory for this to work.

See examples/README_VAGRANT.md for details on quick Vagrant deployments under VirtualBox for testing, etc.

The role can install Vault Enterprise based instances.

Place the Vault Enterprise zip archive into {{ role_path }}/files and set vault_enterprise: true or use the VAULT_ENTERPRISE="true" environment variable.

Aditionaly enable or disable the UI with the vault_enterprise_ui option (default true).

BSD

Brian Shumate

Special thanks to the folks listed in CONTRIBUTORS.md for their contributions to this project.