


a25883a4e3 feat: manage openbao audit devices
- manage openbao audit devices in the configuration file
2025-11-20 19:48:37 +11:00
bdf29f4957 feat: add audit log for openbao
- openbao requires the audit log to be configured in the config file
2025-11-15 21:19:28 +11:00
2 changed files with 7 additions and 8 deletions


@ -4,6 +4,11 @@ profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault
profiles::vault::server::manage_storage_dir: true
profiles::vault::server::tls_disable: false
profiles::vault::server::audit_devices:
- file:
audit-file:
options:
file_path: /data/vault/audit.log
vault::package_name: openbao
vault::package_ensure: latest
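Review bot: `file_path: /data/vault/audit.log` places the audit log under `data_dir` (`/data/vault`), so if that directory is also the storage backend's root, audit-log growth competes with storage for the same volume, and an unwritable audit device blocks every request once it is the only enabled device (Vault's documented behavior, which OpenBao presumably inherits). The manifest previously defaulted the log to `/var/log/vault_audit.log`, so keeping it out of the data directory, e.g. `file_path: /var/log/openbao/audit.log`, on its own partition and under log rotation would be safer. The removed `file { $audit_log: ... mode => '0600' }` resource no longer pins ownership and permissions, so the device options should state them explicitly, e.g. `mode: "0600"`, rather than rely on the daemon's default. A second audit device (syslog or a second file) would also keep a single device failure from stalling the server.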


@ -15,7 +15,7 @@ class profiles::vault::server (
Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
Stdlib::Absolutepath $audit_log = '/var/log/vault_audit.log',
Optional[Array[Hash]] $audit_devices = undef,
){
# set a datacentre/cluster name
@ -66,6 +66,7 @@ class profiles::vault::server (
extra_config => {
cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
},
audit => $audit_devices,
listener => [
{
tcp => {
@ -86,13 +87,6 @@ class profiles::vault::server (
]
}
# ensure the vault audit log exists
file { $audit_log:
ensure => 'file',
owner => 'vault',
group => 'vault',
mode => '0600',
}
service { 'vault':
ensure => true,