Set up vault agent for homelab jail

ansible/artemis.yml

@@ -16,6 +16,7 @@
     - role: pkg
     - role: logging
     - role: dns
+    - role: vault
 
 - hosts: metrics1, paperless1, dns, code1, ci1
   become: true

ansible/group_vars/pis.yml

@@ -2,3 +2,4 @@ ansible_user: ubuntu
 root_group: root
 ansible_python_interpreter: /usr/bin/python3
 consul_mode: server
+vault_server_enabled: true

ansible/host_vars/homelab1.yml

@@ -1,2 +1,27 @@
 ---
 ansible_ssh_host: homelab1@artemis.homelab
+
+vault_agent_enabled: true
+vault_role_id: ef476b7b-6dbf-37f2-5a4d-12bb8f2531ca
+vault_agent_user: root
+vault_agent_group: wheel
+vault_agent_templates: |
+  {% raw %}
+  template {
+    contents = <<EOF
+  {{ with secret "database/creds/homelab" -}}
+  export TRIPS_DATABASE_URL=postgresql://{{ .Data.username }}:{{ .Data.password }}@db1.home.mattmoriarity.com/trips
+  export GO_LINKS_DATABASE_URL=postgresql://{{ .Data.username }}:{{ .Data.password }}@db1.home.mattmoriarity.com/go_links
+  {{ end -}}
+  export PAPERLESS_TOKEN={{ with secret "kv/paperless/client" }}{{ .Data.data.api_token }}{{ end }}
+  export TELEGRAM_TOKEN={{ with secret "kv/homebase-bot" }}{{ .Data.data.telegram_token }}{{ end }}
+  {{ with secret "kv/homelab" -}}
+  export GITHUB_TOKEN={{ .Data.data.github_token }}
+  export SECRET_KEY_BASE={{ .Data.data.secret_key_base }}
+  {{ end }}
+  EOF
+    destination = "/opt/.env.sh"
+    perms = "0600"
+    command = "/opt/start-homelab"
+  }
+  {% endraw %}

ansible/roles/consul-template/files/consul_template

@@ -1,2 +1,4 @@
 consul_template_enable="YES"
 consul_template_syslog_output_enable="YES"
+# :hackerman: injects the -r argument to /usr/sbin/daemon so consul-template gets restarted automatically if it dies
+consul_template_syslog_output_facility="daemon -r"

ansible/roles/homelab/files/deploy-homelab.sh

@@ -6,5 +6,5 @@ fi
 
 cd /opt/homelab
 tar xzvf /shared/homelab/homelab.tar.gz
-bin/homelab restart
+../start-homelab
 rm /shared/homelab/homelab.tar.gz

ansible/roles/homelab/files/start-homelab.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Load secrets into the environment
+. /opt/.env.sh
+
+cd /opt/homelab
+bin/homelab stop >/dev/null 2>&1 || echo "Homelab app not already running"
+
+while bin/homelab pid >/dev/null 2>&1; do
+        echo "Waiting for Homelab app to shutdown"
+        sleep 1
+done
+
+bin/homelab daemon

ansible/roles/homelab/tasks/main.yml

@@ -19,3 +19,11 @@
     mode: 0755
     owner: root
     group: wheel
+
+- name: Install start-homelab script
+  copy:
+    src: start-homelab.sh
+    dest: /opt/start-homelab
+    mode: 0755
+    owner: root
+    group: wheel

ansible/roles/vault/defaults/main.yml

@@ -1 +1,7 @@
+vault_server_enabled: false
 vault_version: 1.8.2
+
+vault_agent_enabled: false
+vault_agent_user: vault
+vault_agent_group: vault
+vault_agent_templates: ''

ansible/roles/vault/files/vault-agent.sh

@@ -0,0 +1,81 @@
+#!/bin/sh
+
+# PROVIDE: vault-agent
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# vault_agent_enable (bool):	Set it to YES to enable vault.
+#			Default is "NO".
+# vault_agent_user (user):	Set user to run vault.
+#			Default is "vault".
+# vault_agent_group (group):	Set group to run vault.
+#			Default is "vault".
+# vault_agent_config (file):	Set vault config file.
+#			Default is "/usr/local/etc/vault-agent.hcl".
+# vault_agent_syslog_output_enable (bool):	Set to enable syslog output.
+#					Default is "NO". See daemon(8).
+# vault_agent_syslog_output_priority (str):	Set syslog priority if syslog enabled.
+#					Default is "info". See daemon(8).
+# vault_agent_syslog_output_facility (str):	Set syslog facility if syslog enabled.
+#					Default is "daemon". See daemon(8).
+
+. /etc/rc.subr
+
+name=vault_agent
+rcvar=vault_agent_enable
+
+load_rc_config $name
+
+: ${vault_agent_enable:="NO"}
+: ${vault_agent_user:="vault"}
+: ${vault_agent_group:="vault"}
+: ${vault_agent_config:="/usr/local/etc/vault-agent.hcl"}
+
+DAEMON=$(/usr/sbin/daemon 2>&1 | grep -q syslog ; echo $?)
+if [ ${DAEMON} -eq 0 ]; then
+        : ${vault_agent_syslog_output_enable:="NO"}
+        : ${vault_agent_syslog_output_priority:="info"}
+        : ${vault_agent_syslog_output_facility:="daemon"}
+        if checkyesno vault_agent_syslog_output_enable; then
+                vault_agent_syslog_output_flags="-T ${name}"
+
+                if [ -n "${vault_agent_syslog_output_priority}" ]; then
+                        vault_agent_syslog_output_flags="${vault_agent_syslog_output_flags} -s ${vault_agent_syslog_output_priority}"
+                fi
+
+                if [ -n "${vault_agent_syslog_output_facility}" ]; then
+                        vault_agent_syslog_output_flags="${vault_agent_syslog_output_flags} -l ${vault_agent_syslog_output_facility}"
+                fi
+        fi
+else
+        vault_agent_syslog_output_enable="NO"
+        vault_agent_syslog_output_flags=""
+fi
+
+pidfile=/var/run/vault-agent.pid
+procname="/usr/local/bin/vault"
+command="/usr/sbin/daemon"
+command_args="-f -t ${name} ${vault_agent_syslog_output_flags} -p ${pidfile} -r /usr/bin/env ${vault_agent_env} ${procname} agent -config=${vault_agent_config}"
+
+extra_commands="reload monitor"
+monitor_cmd=vault_agent_monitor
+start_precmd=vault_agent_startprecmd
+required_files="$vault_agent_config"
+
+vault_agent_monitor()
+{
+	sig_reload=USR1
+	run_rc_command "reload"
+}
+
+vault_agent_startprecmd()
+{
+        if [ ! -e ${pidfile} ]; then
+                install -o ${vault_agent_user} -g ${vault_agent_group} /dev/null ${pidfile};
+        fi
+}
+
+run_rc_command "$1"

ansible/roles/vault/tasks/agent.yml

@@ -0,0 +1,52 @@
+- name: Install Vault
+  package:
+    name: vault
+    state: present
+
+- name: Install Vault RC script
+  copy:
+    src: vault-agent.sh
+    dest: /usr/local/etc/rc.d/vault-agent
+    mode: 0755
+    owner: root
+    group: wheel
+
+- name: Enable Vault agent
+  template:
+    src: rc.vault_agent.conf.j2
+    dest: /etc/rc.conf.d/vault_agent
+    mode: 0644
+    owner: root
+    group: wheel
+
+- name: Install Vault agent configuration
+  template:
+    src: vault-agent.hcl.j2
+    dest: /usr/local/etc/vault-agent.hcl
+    mode: 0644
+    owner: "{{ vault_agent_user }}"
+    group: "{{ vault_agent_group }}"
+
+- name: Write Vault role ID
+  template:
+    src: role_id.j2
+    dest: /usr/local/etc/vault_role_id
+    mode: 0644
+    owner: "{{ vault_agent_user }}"
+    group: "{{ vault_agent_group }}"
+
+- name: Set permissions for secret ID file
+  file:
+    state: touch
+    path: /usr/local/etc/vault_secret_id
+    mode: 0600
+    owner: "{{ vault_agent_user }}"
+    group: "{{ vault_agent_group }}"
+    modification_time: preserve
+    access_time: preserve
+
+- name: Ensure Vault agent is running and starts at boot
+  service:
+    name: vault-agent
+    enabled: true
+    state: started