debops.hashicorp default variables¶

Sections

APT package management
HashiCorp user account
OpenPGP key and keyserver
HashiCorp Application lists
HashiCorp application versions
Archive binary overrides
Base directory paths
HashiCorp application repositories
Consul Web UI configuration
Configuration for other Ansible roles

APT package management ¶

hashicorp__base_packages¶

List of APT packages required by the role to function.

hashicorp__base_packages: [ 'rsync', 'openssl', 'ca-certificates', 'unzip' ]

hashicorp__packages¶

List of additional APT packages to install on hosts managed by the role.

hashicorp__packages: []

hashicorp__dependent_packages¶

List of APT packages to install requested by other Ansible roles.

hashicorp__dependent_packages: []

HashiCorp user account ¶

hashicorp__user¶

Name of the system account which will perform signature and archive verification.

hashicorp__user: 'hashicorp'

hashicorp__group¶

Name of the primary system group of the HashiCorp account.

hashicorp__group: 'hashicorp'

hashicorp__home¶

Path to the home directory of the HashiCorp account.

hashicorp__home: '{{ (ansible_local.fhs.home | d("/var/local"))
                     + "/" + hashicorp__user }}'

hashicorp__comment¶

The GECOS string set for the HashiCorp account.

hashicorp__comment: 'HashiCorp Application Manager'

hashicorp__shell¶

The default shell of the HashiCorp account.

hashicorp__shell: '/usr/sbin/nologin'

OpenPGP key and keyserver ¶

See debops.hashicorp security considerations for details about how the role uses the HashiCorp company OpenPGP keys.

hashicorp__gpg_key_id¶

The OpenPGP key fingerprint of the HashiCorp company.

hashicorp__gpg_key_id: 'C874 011F 0AB4 0511 0D02 1055 3436 5D94 72D7 468F'

hashicorp__keyserver¶

URL of the OpenPGP keyserver used to obtain the HashiCorp OpenPGP key.

hashicorp__keyserver: '{{ ansible_local.keyring.keyserver|d("hkp://keyserver.ubuntu.com") }}'

HashiCorp Application lists ¶

hashicorp__applications¶

List of HashiCorp applications that should be installed on a given host. To find out what applications are supported, check the names of the keys in the hashicorp__default_version_map dictionary.

hashicorp__applications: []

hashicorp__dependent_applications¶

List of HashiCorp applications that are requested by other Ansible roles using dependent variables.

hashicorp__dependent_applications: []

HashiCorp application versions ¶

hashicorp__default_version_map¶

YAML dictionary which maps the HashiCorp application names to their versions. This is the main dictionary and shouldn't be modified by the user if possible.

hashicorp__default_version_map:
  'atlas-upload-cli':  '0.2.0'
  'consul':            '0.8.3'
  'consul-replicate':  '0.3.1'
  'consul-template':   '0.18.3'
  'docker-base':       '0.0.4'
  'docker-basetool':   '0.0.3'
  'envconsul':         '0.6.2'
  'nomad':             '0.5.6'
  'otto':              '0.2.0'
  'packer':            '1.0.0'
  'serf':              '0.8.1'
  'terraform':         '0.9.5'
  'vault':             '0.7.2'
  'vault-ssh-helper':  '0.1.3'

  # The applications below have incompatible release formats:
  #'vagrant':          '1.9.5'

hashicorp__version_map¶

An additional YAML dictionary which defines mapping between HashiCorp applications and their versions. This dictionary should be used to override the default version if necessary.

hashicorp__version_map: {}

hashicorp__combined_version_map¶

The YAML dictionary used by the role to lookup specific versions of HashiCorp applications to install.

hashicorp__combined_version_map: '{{ hashicorp__default_version_map
                                     | combine(hashicorp__version_map) }}'

Some of the HashiCorp applications use different location or name of binaries in their archives. This YAML dictionary is used to override the default binary name(s) to the correct ones when necessary. Paths are relative to the specific archive directory.

hashicorp__default_binary_map:
  'atlas-upload-cli': 'atlas-upload'
  'docker-base':      [ 'bin/dumb-init', 'bin/gosu' ]

hashicorp__binary_map¶

Custom YAML dictionary with binary name overrides. This variable can be used by the user when necessary.

hashicorp__binary_map: {}

hashicorp__combined_binary_map¶

The YAML dictionary variable used by the role to override paths to the specific archive binaries.

hashicorp__combined_binary_map: '{{ hashicorp__default_binary_map
                                    | combine(hashicorp__binary_map) }}'

Base directory paths ¶

hashicorp__src¶

Base path to the directory with HashiCorp binary archives, their hash signatures and OpenPGP signatures.

hashicorp__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
                    + "/" + hashicorp__user + "/" +
                     (hashicorp__base_url.split("://")|last | split("/") | first) }}'

hashicorp__lib¶

Base path to the directory where HashiCorp archives are unpacked after verification.

hashicorp__lib: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
                    + "/" + hashicorp__user }}'

hashicorp__bin¶

Base path to the directory where HashiCorp application binaries will be installed by the root account.

hashicorp__bin: '{{ ansible_local.fhs.bin | d("/usr/local/bin") }}'

HashiCorp application repositories ¶

hashicorp__base_url¶

The base URL of the HashiCorp webserver with application releases.

hashicorp__base_url: 'https://releases.hashicorp.com/'

hashicorp__platform¶

Name of the current OS platform in the format used by the HashiCorp application archive filenames.

hashicorp__platform: '{{ ansible_system | lower }}'

hashicorp__architecture¶

Key used to lookup current system architecture.

hashicorp__architecture: '{{ ansible_architecture }}'

hashicorp__architecture_map¶

YAML dictionary that maps the system architecture as used by Ansible to the architecture names used in the HashiCorp archive filenames.

hashicorp__architecture_map:
  'x86_64': 'amd64'
  'i386': '386'
  'armhf': 'arm'

hashicorp__tar_suffix¶

The filename suffix of the HashiCorp application archive.

hashicorp__tar_suffix: '{{ hashicorp__platform + "_"
                           + hashicorp__architecture_map[hashicorp__architecture]
                           + ".zip" }}'

hashicorp__hash_suffix¶

The filename suffix of the file which contains SHA256 hashes of the released files.

hashicorp__hash_suffix: 'SHA256SUMS'

hashicorp__sig_suffix¶

The filename suffix of the file which contains OpenPGP signature of the file with SHA256 hashes, signed by the HashiCorp OpenPGP key.

hashicorp__sig_suffix: '{{ hashicorp__hash_suffix + ".sig" }}'

Consul Web UI configuration ¶

hashicorp__consul_webui¶

Boolean variable which controls if the Consul Web UI should be installed alongside consul. By default the Web UI files are not installed to allow headless installation.

hashicorp__consul_webui: '{{ ansible_local.hashicorp.consul_webui|d(False) | bool }}'

hashicorp__consul_webui_suffix¶

The filename suffix of the Consul Web UI archive file.

hashicorp__consul_webui_suffix: 'web_ui.zip'

hashicorp__consul_webui_path¶

Absolute path where the Consul Web UI files should be installed.

hashicorp__consul_webui_path: '{{ ansible_local.nginx.www|d("/srv/www") + "/consul/sites/public" }}'

Configuration for other Ansible roles ¶

hashicorp__keyring__dependent_gpg_keys¶

Configuration for the debops.keyring Ansible role.

hashicorp__keyring__dependent_gpg_keys:

  - user: '{{ hashicorp__user }}'
    group: '{{ hashicorp__group }}'
    home: '{{ hashicorp__home }}'
    id: '{{ hashicorp__gpg_key_id }}'
    state: '{{ "present"
               if (hashicorp__applications or hashicorp__dependent_applications)
               else "absent" }}'

    # The old GPG key has been revoked
    # https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512
  - user: '{{ hashicorp__user }}'
    id: '91A6 E7F8 5D05 C656 30BE F189 5185 2D87 348F FC4C'
    state: 'absent'