feat: delete defaultly unused files to reduce attack surface

ansible-community · Dec 12, 2024 · 373141f · 373141f
1 parent f554c65
commit 373141f
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/tasks/install_hashi_repo.yml b/tasks/install_hashi_repo.yml
@@ -110,3 +110,19 @@
     group: root # Package default
   when: vault_harden_file_perms
 
+- name: Delete vault.env
+  become: true
+  ansible.builtin.file:
+    state: absent
+    path: /etc/vault.d/vault.env
+  when: vault_harden_file_perms
+
+- name: Delete default certs
+  become: true
+  ansible.builtin.file:
+    state: absent
+    path: /opt/vault/tls/{{ item }}
+  with_items:
+    - tls.crt
+    - tls.key
+  when: vault_tls_disable or vault_tls_copy_keys