Torjus Håkestad
0700033c0a
Replace sops-nix secrets with OpenBao vault secrets across all hosts. Hardcode root password hash, add extractKey option to vault-secrets module, update Terraform with secrets/policies for all hosts, and create AppRole provisioning playbook. Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01 Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
79 lines
2.3 KiB
YAML
79 lines
2.3 KiB
YAML
---
|
|
# Provision OpenBao AppRole credentials to an existing host
|
|
# Usage: nix develop -c ansible-playbook playbooks/provision-approle.yml -e hostname=ha1
|
|
# Requires: BAO_ADDR and BAO_TOKEN environment variables set
|
|
|
|
- name: Fetch AppRole credentials from OpenBao
|
|
hosts: localhost
|
|
connection: local
|
|
gather_facts: false
|
|
|
|
vars:
|
|
vault_addr: "{{ lookup('env', 'BAO_ADDR') | default('https://vault01.home.2rjus.net:8200', true) }}"
|
|
domain: "home.2rjus.net"
|
|
|
|
tasks:
|
|
- name: Validate hostname is provided
|
|
ansible.builtin.fail:
|
|
msg: "hostname variable is required. Use: -e hostname=<name>"
|
|
when: hostname is not defined
|
|
|
|
- name: Get role-id for host
|
|
ansible.builtin.command:
|
|
cmd: "bao read -field=role_id auth/approle/role/{{ hostname }}/role-id"
|
|
environment:
|
|
BAO_ADDR: "{{ vault_addr }}"
|
|
BAO_SKIP_VERIFY: "1"
|
|
register: role_id_result
|
|
changed_when: false
|
|
|
|
- name: Generate secret-id for host
|
|
ansible.builtin.command:
|
|
cmd: "bao write -field=secret_id -f auth/approle/role/{{ hostname }}/secret-id"
|
|
environment:
|
|
BAO_ADDR: "{{ vault_addr }}"
|
|
BAO_SKIP_VERIFY: "1"
|
|
register: secret_id_result
|
|
changed_when: true
|
|
|
|
- name: Add target host to inventory
|
|
ansible.builtin.add_host:
|
|
name: "{{ hostname }}.{{ domain }}"
|
|
groups: vault_target
|
|
ansible_user: root
|
|
vault_role_id: "{{ role_id_result.stdout }}"
|
|
vault_secret_id: "{{ secret_id_result.stdout }}"
|
|
|
|
- name: Deploy AppRole credentials to host
|
|
hosts: vault_target
|
|
gather_facts: false
|
|
|
|
tasks:
|
|
- name: Create AppRole directory
|
|
ansible.builtin.file:
|
|
path: /var/lib/vault/approle
|
|
state: directory
|
|
mode: "0700"
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Write role-id
|
|
ansible.builtin.copy:
|
|
content: "{{ vault_role_id }}"
|
|
dest: /var/lib/vault/approle/role-id
|
|
mode: "0600"
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Write secret-id
|
|
ansible.builtin.copy:
|
|
content: "{{ vault_secret_id }}"
|
|
dest: /var/lib/vault/approle/secret-id
|
|
mode: "0600"
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Display success
|
|
ansible.builtin.debug:
|
|
msg: "AppRole credentials provisioned to {{ inventory_hostname }}"
|