Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,27 @@ | ||
--- | ||
ansible_ssh_host: homelab1@artemis.homelab | ||
|
||
vault_agent_enabled: true | ||
vault_role_id: ef476b7b-6dbf-37f2-5a4d-12bb8f2531ca | ||
vault_agent_user: root | ||
vault_agent_group: wheel | ||
vault_agent_templates: | | ||
{% raw %} | ||
template { | ||
contents = <<EOF | ||
{{ with secret "database/creds/homelab" -}} | ||
export TRIPS_DATABASE_URL=postgresql://{{ .Data.username }}:{{ .Data.password }}@db1.home.mattmoriarity.com/trips | ||
export GO_LINKS_DATABASE_URL=postgresql://{{ .Data.username }}:{{ .Data.password }}@db1.home.mattmoriarity.com/go_links | ||
{{ end -}} | ||
export PAPERLESS_TOKEN={{ with secret "kv/paperless/client" }}{{ .Data.data.api_token }}{{ end }} | ||
export TELEGRAM_TOKEN={{ with secret "kv/homebase-bot" }}{{ .Data.data.telegram_token }}{{ end }} | ||
{{ with secret "kv/homelab" -}} | ||
export GITHUB_TOKEN={{ .Data.data.github_token }} | ||
export SECRET_KEY_BASE={{ .Data.data.secret_key_base }} | ||
{{ end }} | ||
EOF | ||
destination = "/opt/.env.sh" | ||
perms = "0600" | ||
command = "/opt/start-homelab" | ||
} | ||
{% endraw %} |
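Review bot: The rendered /opt/.env.sh is sourced by a POSIX shell (the start-homelab script in this commit does `. /opt/.env.sh`), yet every `export` value in the template is unquoted and the database username and password are spliced raw into a URL, so a credential containing shell metacharacters or URL-reserved characters (`@`, `/`, `#`, `%`) would break sourcing or the connection string. The generated password format depends on the database role's password policy rather than on this template, so quote the values and URL-encode the embedded parts, e.g. `export TRIPS_DATABASE_URL='postgresql://{{ .Data.username | urlquery }}:{{ .Data.password | urlquery }}@db1.home.mattmoriarity.com/trips'` and `export PAPERLESS_TOKEN='{{ ... }}'` (single-quoting assumes the rendered values contain no `'`, which is worth confirming for the KV values). Separately, `vault_agent_user: root` means the agent, the rendered secret file and the `/opt/start-homelab` command all run as root; a dedicated service account would confine a compromise of the app to its own secrets.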
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,4 @@ | ||
consul_template_enable="YES" | ||
consul_template_syslog_output_enable="YES" | ||
# :hackerman: injects the -r argument to /usr/sbin/daemon so consul-template gets restarted automatically if it dies | ||
consul_template_syslog_output_facility="daemon -r" |
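Review bot: `consul_template_syslog_output_facility="daemon -r"` only works if the consul-template rc script (not in this commit) expands the facility variable unquoted, so that `-l daemon -r` is word-split into two daemon(8) arguments; the moment that script quotes the expansion the service fails to start with an invalid facility, and the trick also passes `-r` only while `consul_template_syslog_output_enable` is YES. The vault-agent rc script added in this same commit passes `-r` directly in `command_args`; doing the same for consul-template (a flags variable the rc script reads, or a small patch to the vendored rc script) is the robust form. At minimum the comment on the line above should state both dependencies, e.g. `# relies on the rc script expanding this variable unquoted and on syslog output being enabled`.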
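--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Load secrets into the environment
+. /opt/.env.sh
+
+cd /opt/homelab
+bin/homelab stop >/dev/null 2>&1 || echo "Homelab app not already running"
+
+while bin/homelab pid >/dev/null 2>&1; do
+echo "Waiting for Homelab app to shutdown"
+sleep 1
+done
+
+bin/homelab daemon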
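Review bot: `cd /opt/homelab` is unchecked and the script has no `set -e`, so if the directory is missing the relative `bin/homelab` calls run in whatever working directory the Vault agent launched the command from, and the only symptom is the misleading "Homelab app not already running" message. Change it to `cd /opt/homelab || exit 1` (or add `set -eu` after the shebang). The shutdown wait loop is also unbounded; a process that ignores `stop` keeps this template `command` running until whatever command timeout the agent applies, so a retry cap followed by a final hard stop would make the restart path predictable.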
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,7 @@ | ||
vault_server_enabled: false | ||
vault_version: 1.8.2 | ||
|
||
vault_agent_enabled: false | ||
vault_agent_user: vault | ||
vault_agent_group: vault | ||
vault_agent_templates: '' |
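--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+# PROVIDE: vault-agent
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# vault_agent_enable (bool): Set it to YES to enable vault.
+# Default is "NO".
+# vault_agent_user (user): Set user to run vault.
+# Default is "vault".
+# vault_agent_group (group): Set group to run vault.
+# Default is "vault".
+# vault_agent_config (file): Set vault config file.
+# Default is "/usr/local/etc/vault-agent.hcl".
+# vault_agent_syslog_output_enable (bool): Set to enable syslog output.
+# Default is "NO". See daemon(8).
+# vault_agent_syslog_output_priority (str): Set syslog priority if syslog enabled.
+# Default is "info". See daemon(8).
+# vault_agent_syslog_output_facility (str): Set syslog facility if syslog enabled.
+# Default is "daemon". See daemon(8).
+
+. /etc/rc.subr
+
+name=vault_agent
+rcvar=vault_agent_enable
+
+load_rc_config $name
+
+: ${vault_agent_enable:="NO"}
+: ${vault_agent_user:="vault"}
+: ${vault_agent_group:="vault"}
+: ${vault_agent_config:="/usr/local/etc/vault-agent.hcl"}
+
+DAEMON=$(/usr/sbin/daemon 2>&1 | grep -q syslog ; echo $?)
+if [ ${DAEMON} -eq 0 ]; then
+: ${vault_agent_syslog_output_enable:="NO"}
+: ${vault_agent_syslog_output_priority:="info"}
+: ${vault_agent_syslog_output_facility:="daemon"}
+if checkyesno vault_agent_syslog_output_enable; then
+vault_agent_syslog_output_flags="-T ${name}"
+
+if [ -n "${vault_agent_syslog_output_priority}" ]; then
+vault_agent_syslog_output_flags="${vault_agent_syslog_output_flags} -s ${vault_agent_syslog_output_priority}"
+fi
+
+if [ -n "${vault_agent_syslog_output_facility}" ]; then
+vault_agent_syslog_output_flags="${vault_agent_syslog_output_flags} -l ${vault_agent_syslog_output_facility}"
+fi
+fi
+else
+vault_agent_syslog_output_enable="NO"
+vault_agent_syslog_output_flags=""
+fi
+
+pidfile=/var/run/vault-agent.pid
+procname="/usr/local/bin/vault"
+command="/usr/sbin/daemon"
+command_args="-f -t ${name} ${vault_agent_syslog_output_flags} -p ${pidfile} -r /usr/bin/env ${vault_agent_env} ${procname} agent -config=${vault_agent_config}"
+
+extra_commands="reload monitor"
+monitor_cmd=vault_agent_monitor
+start_precmd=vault_agent_startprecmd
+required_files="$vault_agent_config"
+
+vault_agent_monitor()
+{
+sig_reload=USR1
+run_rc_command "reload"
+}
+
+vault_agent_startprecmd()
+{
+if [ ! -e ${pidfile} ]; then
+install -o ${vault_agent_user} -g ${vault_agent_group} /dev/null ${pidfile};
+fi
+}
+
+run_rc_command "$1"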
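Review bot: `command_args` interpolates `${vault_agent_env}` but that variable is neither defaulted in the `: ${...:=}` block nor described in the header comment, so the only way to learn that the agent's environment can be set from rc.conf is to read the daemon command line. Add `: ${vault_agent_env:=""}` next to the other defaults and a header entry such as `# vault_agent_env (str): Extra VAR=value pairs passed to env(1) before vault. Default is "".` Because it is expanded unquoted into the daemon(8) command line, each pair is word-split and values containing spaces cannot be passed this way, which that comment should state. The same unquoted expansion applies to `${vault_agent_config}` and `${pidfile}`; fine for the default paths, but a path with whitespace would break both the command line and the `install` in `vault_agent_startprecmd`.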
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
- name: Install Vault | ||
package: | ||
name: vault | ||
state: present | ||
|
||
- name: Install Vault RC script | ||
copy: | ||
src: vault-agent.sh | ||
dest: /usr/local/etc/rc.d/vault-agent | ||
mode: 0755 | ||
owner: root | ||
group: wheel | ||
|
||
- name: Enable Vault agent | ||
template: | ||
src: rc.vault_agent.conf.j2 | ||
dest: /etc/rc.conf.d/vault_agent | ||
mode: 0644 | ||
owner: root | ||
group: wheel | ||
|
||
- name: Install Vault agent configuration | ||
template: | ||
src: vault-agent.hcl.j2 | ||
dest: /usr/local/etc/vault-agent.hcl | ||
mode: 0644 | ||
owner: "{{ vault_agent_user }}" | ||
group: "{{ vault_agent_group }}" | ||
|
||
- name: Write Vault role ID | ||
template: | ||
src: role_id.j2 | ||
dest: /usr/local/etc/vault_role_id | ||
mode: 0644 | ||
owner: "{{ vault_agent_user }}" | ||
group: "{{ vault_agent_group }}" | ||
|
||
- name: Set permissions for secret ID file | ||
file: | ||
state: touch | ||
path: /usr/local/etc/vault_secret_id | ||
mode: 0600 | ||
owner: "{{ vault_agent_user }}" | ||
group: "{{ vault_agent_group }}" | ||
modification_time: preserve | ||
access_time: preserve | ||
|
||
- name: Ensure Vault agent is running and starts at boot | ||
service: | ||
name: vault-agent | ||
enabled: true | ||
state: started |
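Review bot: None of the copy/template tasks notifies a restart and the final service task only asserts `state: started`, so after the first run, changes to `/usr/local/etc/rc.d/vault-agent`, `/etc/rc.conf.d/vault_agent` or `/usr/local/etc/vault-agent.hcl` are written to disk but never applied to the running agent. Add `notify: Restart vault-agent` to those three tasks with a handler that runs `service: name=vault-agent state=restarted`. `state: touch` on `/usr/local/etc/vault_secret_id` also creates an empty file when the secret ID has not been provisioned out-of-band, so the agent starts and fails AppRole login at runtime instead of the play failing early; a `stat` task that fails when the file is missing or zero-size would surface that. `vault_role_id` is likewise written world-readable (`mode: 0644`); the role ID alone cannot log in, but there is no reader other than the agent user, so 0600 costs nothing.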