From 03ff0b74dd3466115db500d0f2139f9da108de2d Mon Sep 17 00:00:00 2001 From: Baptiste Date: Thu, 2 Jan 2025 18:30:35 +0100 Subject: [PATCH 1/4] justfile fix (nymous), add group, fix storage location, symlink --- justfile | 1 + roles/vault_agent/defaults/main.yml | 11 ++++++++++ roles/vault_agent/tasks/main.yml | 21 ++++++++++++++++++- .../templates/retrieving_cert.tmpl.j2 | 8 +++---- 4 files changed, 36 insertions(+), 5 deletions(-) diff --git a/justfile b/justfile index 162b3ea..4d6bdae 100644 --- a/justfile +++ b/justfile @@ -33,6 +33,7 @@ vault username: # Setup a virtualenv and install dependencies [group('tooling')] venv: + #!/usr/bin/env bash [[ -d .venv ]] || (python -m venv .venv --prompt rezoleo-ansible-playbooks && {{venv_bin}}/pip install -r requirements.txt) # Run ansible-lint diff --git a/roles/vault_agent/defaults/main.yml b/roles/vault_agent/defaults/main.yml index 372ef11..0d2220f 100644 --- a/roles/vault_agent/defaults/main.yml +++ b/roles/vault_agent/defaults/main.yml @@ -1,3 +1,14 @@ vault_agent_working_directory: /root/vault_agent_certificates vault_agent_vault_version: 1.18.2 + +vault_agent_certificate_directory: "/var/lib/vault_certificates" + +# vault_agent_service_reload_command: +# vault_agent_group_name: "vault-certs" +# vault_agent_users: +# - user1 +# - user2 +# - user3 +# vault_agent_links: +# - (privkey|chain|full-chain|cert): /path/to/symlink diff --git a/roles/vault_agent/tasks/main.yml b/roles/vault_agent/tasks/main.yml index d5eb9d3..f4f844f 100644 --- a/roles/vault_agent/tasks/main.yml +++ b/roles/vault_agent/tasks/main.yml 
@@ -89,13 +89,24 @@ owner: root group: root +- name: Create read-acces group + ansible.builtin.group: + name: "{{ vault_agent_group_name }}" + +- name: Add users to the created group + ansible.builtin.user: + name: "{{ item }}" + groups: "{{ vault_agent_group_name }}" + append: true + loop: "{{ vault_agent_users }}" + - name: Create directory for certificates ansible.builtin.file: state: directory dest: "{{ vault_agent_certificate_directory }}" mode: '0755' owner: root - group: root + group: "{{ vault_agent_group_name }}" - name: Start vault-agent-certificates service ansible.builtin.systemd: @@ -103,3 +114,11 @@ state: started enabled: true daemon_reload: true + +- name: Add symbolic links + ansible.builtin.file: + src: "{{ vault_agent_certificate_directory }}/{{ item.keys() | list | first }}.pem" # TODO: attention à / si déjà dans la variable + dest: "{{ item.values() | list | first }}" # Path in value + state: link + force: true + loop: "{{ vault_agent_links }}" diff --git a/roles/vault_agent/templates/retrieving_cert.tmpl.j2 b/roles/vault_agent/templates/retrieving_cert.tmpl.j2 index a2815de..0b17b53 100644 --- a/roles/vault_agent/templates/retrieving_cert.tmpl.j2 +++ b/roles/vault_agent/templates/retrieving_cert.tmpl.j2 
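Review bot: The certificate directory is still created with `mode: '0755'` in the `Create directory for certificates` task even though its group is now `{{ vault_agent_group_name }}`, so every local user can list the certificate file names; `mode: '0750'` keeps listing to root and group members, while the 0440 files the agent writes stay unreadable to others either way. The group task name carries a typo, `Create read-acces group` should be `Create read-access group`. It may also be worth passing `system: true` to `ansible.builtin.group` so the GID is allocated from the system range, if that is how other groups are created in this playbook.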
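Review bot: `force: true` on the `Add symbolic links` task replaces whatever already exists at each `dest`, including a regular file holding a certificate or key that another role still manages, without any warning; unless that clobbering is intended, drop `force: true` (the link is still created when the path is free) or precede the task with a `stat` that fails the play on an existing non-link. The link source is built as `{{ item.keys() | list | first }}.pem`, but the example in defaults lists `full-chain` while the template writes `fullchain.pem`, so that key would yield a dangling link; the example should read `fullchain`. Note that PATCH 3/4 removes this task again, so the point only matters if it is restored.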
@@ -1,8 +1,8 @@ {{with secret "secret/certificat-web"}} -{{ index .Data.data "privkey.pem" | writeToFile "<>/privkey.pem" "" "" "0400" }} -{{ index .Data.data "chain.pem" | writeToFile "<>/chain.pem" "" "" "0400" }} -{{ index .Data.data "cert.pem" | writeToFile "<>/cert.pem" "" "" "0400" }} -{{ index .Data.data "fullchain.pem" | writeToFile "<>/fullchain.pem" "" "" "0400" }} +{{ index .Data.data "privkey.pem" | writeToFile "<>/privkey.pem" "" "<>" "0440" }} +{{ index .Data.data "chain.pem" | writeToFile "<>/chain.pem" "" "<>" "0440" }} +{{ index .Data.data "cert.pem" | writeToFile "<>/cert.pem" "" "<>" "0440" }} +{{ index .Data.data "fullchain.pem" | writeToFile "<>/fullchain.pem" "" "<>" "0440" }} {{ index .Data.data "privkey.pem" }} {{ index .Data.data "chain.pem" }} {{ index .Data.data "cert.pem" }} From 4a1728431d2be12ddde1746021f3b119b73495d1 Mon Sep 17 00:00:00 2001 From: Baptiste Date: Thu, 2 Jan 2025 18:48:33 +0100 Subject: [PATCH 2/4] Check if symlink dirs exist --- roles/vault_agent/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/vault_agent/tasks/main.yml b/roles/vault_agent/tasks/main.yml index f4f844f..6713c11 100644 --- a/roles/vault_agent/tasks/main.yml +++ b/roles/vault_agent/tasks/main.yml @@ -115,6 +115,17 @@ enabled: true daemon_reload: true +- name: Create symlink directories + ansible.builtin.file: + state: directory + dest: "{{ vault_directory }}" + mode: '0755' + owner: root + group: "{{ vault_agent_group_name }}" + loop: "{{ vault_agent_links }}" + vars: + vault_directory: "{{ (item.values() | list | first).split('/')[:-1] | join('/') }}" # {{ path.split('/')[:-1] | join('/') }} + - name: Add symbolic links ansible.builtin.file: src: "{{ vault_agent_certificate_directory }}/{{ item.keys() | list | first }}.pem" # TODO: attention à / si déjà dans la variable From 8ab2438e6f5bdddeb4f1edd4b10c831b5c8ce475 Mon Sep 17 00:00:00 2001 
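Review bot: Relaxing the private key to `0440` with a group owner is the intended change, but the template still also echoes `{{ index .Data.data "privkey.pem" }}` into its own rendered output (the context lines after the `writeToFile` calls), so the key is written a second time to whatever `destination` the agent's template stanza names, with whatever `perms` that stanza sets, and neither is visible in this diff. If the rendered output is not actually consumed, remove those echo lines so the key exists only in the 0440 file; otherwise confirm that destination is `0400` and root-owned. The owner, group and directory arguments appear as `<>` on this page, presumably Jinja expressions lost in rendering, so they cannot be checked from here.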
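Review bot: The `Create symlink directories` task applies `mode: '0755'` and `group: "{{ vault_agent_group_name }}"` to the parent of every link path, so pointing a link into an existing directory (a service's private TLS directory, for instance) silently re-groups and widens that directory instead of only creating a missing one. Safer is to create it only when absent, `stat` the path first and skip the `file` task when it exists, and leave `group` and `mode` to whichever role owns that directory. The path arithmetic `split('/')[:-1] | join('/')` can be replaced with the built-in filter: `vault_directory: "{{ (item.values() | list | first) | dirname }}"`. PATCH 3/4 drops this task again, so this applies only if it is restored.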
From: Baptiste Date: Thu, 2 Jan 2025 23:33:09 +0100 Subject: [PATCH 3/4] Let other roles manage symlink and users in cert group --- roles/vault_agent/defaults/main.yml | 6 ------ roles/vault_agent/tasks/main.yml | 26 -------------------------- 2 files changed, 32 deletions(-) diff --git a/roles/vault_agent/defaults/main.yml b/roles/vault_agent/defaults/main.yml index 0d2220f..4f12301 100644 --- a/roles/vault_agent/defaults/main.yml +++ b/roles/vault_agent/defaults/main.yml @@ -6,9 +6,3 @@ vault_agent_certificate_directory: "/var/lib/vault_certificates" # vault_agent_service_reload_command: # vault_agent_group_name: "vault-certs" -# vault_agent_users: -# - user1 -# - user2 -# - user3 -# vault_agent_links: -# - (privkey|chain|full-chain|cert): /path/to/symlink diff --git a/roles/vault_agent/tasks/main.yml b/roles/vault_agent/tasks/main.yml index 6713c11..45f0346 100644 --- a/roles/vault_agent/tasks/main.yml +++ b/roles/vault_agent/tasks/main.yml @@ -93,13 +93,6 @@ ansible.builtin.group: name: "{{ vault_agent_group_name }}" -- name: Add users to the created group - ansible.builtin.user: - name: "{{ item }}" - groups: "{{ vault_agent_group_name }}" - append: true - loop: "{{ vault_agent_users }}" - - name: Create directory for certificates ansible.builtin.file: state: directory 
@@ -114,22 +107,3 @@ state: started enabled: true daemon_reload: true - -- name: Create symlink directories - ansible.builtin.file: - state: directory - dest: "{{ vault_directory }}" - mode: '0755' - owner: root - group: "{{ vault_agent_group_name }}" - loop: "{{ vault_agent_links }}" - vars: - vault_directory: "{{ (item.values() | list | first).split('/')[:-1] | join('/') }}" # {{ path.split('/')[:-1] | join('/') }} - -- name: Add symbolic links - ansible.builtin.file: - src: "{{ vault_agent_certificate_directory }}/{{ item.keys() | list | first }}.pem" # TODO: attention à / si déjà dans la variable - dest: "{{ item.values() | list | first }}" # Path in value - state: link - force: true - loop: "{{ vault_agent_links }}" From 47e271d8f7cab59e177bde51dd87177ef6fa1719 Mon Sep 17 00:00:00 2001 From: Baptiste Date: Thu, 2 Jan 2025 23:46:08 +0100 Subject: [PATCH 4/4] Add comments in defaults main file --- roles/vault_agent/defaults/main.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/roles/vault_agent/defaults/main.yml b/roles/vault_agent/defaults/main.yml index 4f12301..5dfe6f2 100644 --- a/roles/vault_agent/defaults/main.yml +++ b/roles/vault_agent/defaults/main.yml @@ -1,8 +1,17 @@ +# Location of approle files vault_agent_working_directory: /root/vault_agent_certificates +# Version of vault agent vault_agent_vault_version: 1.18.2 -vault_agent_certificate_directory: "/var/lib/vault_certificates" +# Location where the certificate will be stored +vault_agent_certificate_directory: "/var/lib/vault_agent_certificates" +# Name of the group that is allowed to read certificate +vault_agent_group_name: "vault-certs" + +# Command to execute after certificate update # vault_agent_service_reload_command: -# vault_agent_group_name: "vault-certs" +# - systemctl +# - restart +# - mon_super_service
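Review bot: The comment `# Name of the group that is allowed to read certificate` understates what membership grants, since the agent template writes `privkey.pem` as `0440` with this group; it should read `# Group granted read access to the certificate files, including the private key; membership is equivalent to holding the key`. The default directory also moves from `/var/lib/vault_certificates` to `/var/lib/vault_agent_certificates`; if any host was already provisioned with the earlier default, the old directory and its group-readable key are presumably left in place by this role, so a one-off cleanup task or a note in the defaults would be worth adding. `mon_super_service` in the `vault_agent_service_reload_command` example could become an English placeholder such as `my-service` to match the new English comments.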