debops.hashicorp default variables

APT package management

hashicorp__base_packages

List of APT packages required by the role to function.

hashicorp__base_packages: [ 'rsync', 'openssl', 'ca-certificates', 'unzip' ]
hashicorp__packages

List of additional APT packages to install on hosts managed by the role.

hashicorp__packages: []
hashicorp__dependent_packages

List of APT packages to install requested by other Ansible roles.

hashicorp__dependent_packages: []

HashiCorp user account

hashicorp__user

Name of the system account which will perform signature and archive verification.

hashicorp__user: 'hashicorp'
hashicorp__group

Name of the primary system group of the HashiCorp account.

hashicorp__group: 'hashicorp'
hashicorp__home

Path to the home directory of the HashiCorp account.

hashicorp__home: '{{ (ansible_local.fhs.home | d("/var/local"))
                     + "/" + hashicorp__user }}'
hashicorp__comment

The GECOS string set for the HashiCorp account.

hashicorp__comment: 'HashiCorp Application Manager'
hashicorp__shell

The default shell of the HashiCorp account.

hashicorp__shell: '/usr/sbin/nologin'

OpenPGP key and keyserver

See debops.hashicorp security considerations for details about how the role uses the HashiCorp company OpenPGP keys.

hashicorp__gpg_key_id

The OpenPGP key fingerprint of the HashiCorp company.

hashicorp__gpg_key_id: 'C874 011F 0AB4 0511 0D02 1055 3436 5D94 72D7 468F'
hashicorp__keyserver

URL of the OpenPGP keyserver used to obtain the HashiCorp OpenPGP key.

hashicorp__keyserver: '{{ ansible_local.keyring.keyserver|d("hkp://keyserver.ubuntu.com") }}'

HashiCorp Application lists

hashicorp__applications

List of HashiCorp applications that should be installed on a given host. To find out what applications are supported, check the names of the keys in the hashicorp__default_version_map dictionary.

hashicorp__applications: []
hashicorp__dependent_applications

List of HashiCorp applications that are requested by other Ansible roles using dependent variables.

hashicorp__dependent_applications: []

HashiCorp application versions

hashicorp__default_version_map

YAML dictionary which maps the HashiCorp application names to their versions. This is the main dictionary and shouldn't be modified by the user if possible.

hashicorp__default_version_map:
  'atlas-upload-cli':  '0.2.0'
  'consul':            '0.8.3'
  'consul-replicate':  '0.3.1'
  'consul-template':   '0.18.3'
  'docker-base':       '0.0.4'
  'docker-basetool':   '0.0.3'
  'envconsul':         '0.6.2'
  'nomad':             '0.5.6'
  'otto':              '0.2.0'
  'packer':            '1.0.0'
  'serf':              '0.8.1'
  'terraform':         '0.9.5'
  'vault':             '0.7.2'
  'vault-ssh-helper':  '0.1.3'

  # The applications below have incompatible release formats:
  #'vagrant':          '1.9.5'
hashicorp__version_map

An additional YAML dictionary which defines mapping between HashiCorp applications and their versions. This dictionary should be used to override the default version if necessary.

hashicorp__version_map: {}
hashicorp__combined_version_map

The YAML dictionary used by the role to lookup specific versions of HashiCorp applications to install.

hashicorp__combined_version_map: '{{ hashicorp__default_version_map
                                     | combine(hashicorp__version_map) }}'

Archive binary overrides

hashicorp__default_binary_map

Some of the HashiCorp applications use different location or name of binaries in their archives. This YAML dictionary is used to override the default binary name(s) to the correct ones when necessary. Paths are relative to the specific archive directory.

hashicorp__default_binary_map:
  'atlas-upload-cli': 'atlas-upload'
  'docker-base':      [ 'bin/dumb-init', 'bin/gosu' ]
hashicorp__binary_map

Custom YAML dictionary with binary name overrides. This variable can be used by the user when necessary.

hashicorp__binary_map: {}
hashicorp__combined_binary_map

The YAML dictionary variable used by the role to override paths to the specific archive binaries.

hashicorp__combined_binary_map: '{{ hashicorp__default_binary_map
                                    | combine(hashicorp__binary_map) }}'

Base directory paths

hashicorp__src

Base path to the directory with HashiCorp binary archives, their hash signatures and OpenPGP signatures.

hashicorp__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
                    + "/" + hashicorp__user + "/" +
                     (hashicorp__base_url.split("://")|last | split("/") | first) }}'
hashicorp__lib

Base path to the directory where HashiCorp archives are unpacked after verification.

hashicorp__lib: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
                    + "/" + hashicorp__user }}'
hashicorp__bin

Base path to the directory where HashiCorp application binaries will be installed by the root account.

hashicorp__bin: '{{ ansible_local.fhs.bin | d("/usr/local/bin") }}'

HashiCorp application repositories

hashicorp__base_url

The base URL of the HashiCorp webserver with application releases.

hashicorp__base_url: 'https://releases.hashicorp.com/'
hashicorp__platform

Name of the current OS platform in the format used by the HashiCorp application archive filenames.

hashicorp__platform: '{{ ansible_system | lower }}'
hashicorp__architecture

Key used to lookup current system architecture.

hashicorp__architecture: '{{ ansible_architecture }}'
hashicorp__architecture_map

YAML dictionary that maps the system architecture as used by Ansible to the architecture names used in the HashiCorp archive filenames.

hashicorp__architecture_map:
  'x86_64': 'amd64'
  'i386': '386'
  'armhf': 'arm'
hashicorp__tar_suffix

The filename suffix of the HashiCorp application archive.

hashicorp__tar_suffix: '{{ hashicorp__platform + "_"
                           + hashicorp__architecture_map[hashicorp__architecture]
                           + ".zip" }}'
hashicorp__hash_suffix

The filename suffix of the file which contains SHA256 hashes of the released files.

hashicorp__hash_suffix: 'SHA256SUMS'
hashicorp__sig_suffix

The filename suffix of the file which contains OpenPGP signature of the file with SHA256 hashes, signed by the HashiCorp OpenPGP key.

hashicorp__sig_suffix: '{{ hashicorp__hash_suffix + ".sig" }}'

Consul Web UI configuration

hashicorp__consul_webui

Boolean variable which controls if the Consul Web UI should be installed alongside consul. By default the Web UI files are not installed to allow headless installation.

hashicorp__consul_webui: '{{ ansible_local.hashicorp.consul_webui|d(False) | bool }}'
hashicorp__consul_webui_suffix

The filename suffix of the Consul Web UI archive file.

hashicorp__consul_webui_suffix: 'web_ui.zip'
hashicorp__consul_webui_path

Absolute path where the Consul Web UI files should be installed.

hashicorp__consul_webui_path: '{{ ansible_local.nginx.www|d("/srv/www") + "/consul/sites/public" }}'

Configuration for other Ansible roles

hashicorp__keyring__dependent_gpg_keys

Configuration for the debops.keyring Ansible role.

hashicorp__keyring__dependent_gpg_keys:

  - user: '{{ hashicorp__user }}'
    group: '{{ hashicorp__group }}'
    home: '{{ hashicorp__home }}'
    id: '{{ hashicorp__gpg_key_id }}'
    state: '{{ "present"
               if (hashicorp__applications or hashicorp__dependent_applications)
               else "absent" }}'

    # The old GPG key has been revoked
    # https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512
  - user: '{{ hashicorp__user }}'
    id: '91A6 E7F8 5D05 C656 30BE F189 5185 2D87 348F FC4C'
    state: 'absent'