4 files changed, 57 insertions, 12 deletions

diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index f6281101f..0fb45f37c 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -5,12 +5,13 @@ etcd_peer_port: 2380
 etcd_peers_group: etcd
 etcd_url_scheme: http
 etcd_peer_url_scheme: http
-etcd_ca_file: /etc/etcd/ca.crt
-etcd_cert_file: /etc/etcd/client.crt
-etcd_key_file: /etc/etcd/client.key
-etcd_peer_ca_file: /etc/etcd/ca.crt
-etcd_peer_cert_file: /etc/etcd/peer.crt
-etcd_peer_key_file: /etc/etcd/peer.key
+etcd_conf_dir: /etc/etcd
+etcd_ca_file: "{{ etcd_conf_dir }}/ca.crt"
+etcd_cert_file: "{{ etcd_conf_dir }}/server.crt"
+etcd_key_file: "{{ etcd_conf_dir }}/server.key"
+etcd_peer_ca_file: "{{ etcd_conf_dir }}/ca.crt"
+etcd_peer_cert_file: "{{ etcd_conf_dir }}/peer.crt"
+etcd_peer_key_file: "{{ etcd_conf_dir }}/peer.key"
 
 etcd_initial_cluster_state: new
 etcd_initial_cluster_token: etcd-cluster-1
@@ -21,6 +22,8 @@ etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostn
 etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_client_port }}"
 
 etcd_data_dir: /var/lib/etcd/
+
+os_firewall_use_firewalld: False
 os_firewall_allow:
 - service: etcd
   port: "{{etcd_client_port}}/tcp"
diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml
index f952f84be..82b1a62b8 100644
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -15,3 +15,5 @@ galaxy_info:
   categories:
   - cloud
   - system
+dependencies:
+- { role: os_firewall }
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 8ed803119..62e29324c 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -1,6 +1,38 @@
 ---
 - name: Install etcd
-  yum: pkg=etcd state=present disable_gpg_check=yes
+  yum: pkg=etcd state=present
+
+- name: Validate permissions on the config dir
+  file:
+    path: "{{ etcd_conf_dir }}"
+    state: directory
+    owner: etcd
+    group: etcd
+    mode: 0700
+
+- name: Validate permissions on certificate files
+  file:
+    path: "{{ item }}"
+    mode: 0600
+    group: etcd
+    owner: etcd
+  when: etcd_url_scheme == 'https'
+  with_items:
+  - "{{ etcd_ca_file }}"
+  - "{{ etcd_cert_file }}"
+  - "{{ etcd_key_file }}"
+
+- name: Validate permissions on peer certificate files
+  file:
+    path: "{{ item }}"
+    mode: 0600
+    group: etcd
+    owner: etcd
+  when: etcd_peer_url_scheme == 'https'
+  with_items:
+  - "{{ etcd_peer_ca_file }}"
+  - "{{ etcd_peer_cert_file }}"
+  - "{{ etcd_peer_key_file }}"
 
 - name: Write etcd global config file
   template:
@@ -14,3 +46,5 @@
     name: etcd
     state: started
     enabled: yes
+
+- pause: seconds=10
diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2
index 5723b5089..801be2c97 100644
--- a/roles/etcd/templates/etcd.conf.j2
+++ b/roles/etcd/templates/etcd.conf.j2
@@ -8,31 +8,37 @@
 {% endfor -%}
 {% endmacro -%}
 
+{% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
 ETCD_NAME={{ inventory_hostname }}
+ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
+{% else %}
+ETCD_NAME=default
+{% endif %}
 ETCD_DATA_DIR={{ etcd_data_dir }}
 #ETCD_SNAPSHOT_COUNTER="10000"
 #ETCD_HEARTBEAT_INTERVAL="100"
 #ETCD_ELECTION_TIMEOUT="1000"
-ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
 ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
 #ETCD_MAX_SNAPSHOTS="5"
 #ETCD_MAX_WALS="5"
 #ETCD_CORS=""
-#
+
+{% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
 #[cluster]
 ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
 ETCD_INITIAL_CLUSTER={{ initial_cluster() }}
 ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
 ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
-ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
 #ETCD_DISCOVERY=""
 #ETCD_DISCOVERY_SRV=""
 #ETCD_DISCOVERY_FALLBACK="proxy"
 #ETCD_DISCOVERY_PROXY=""
-#
+{% endif %}
+ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
+
 #[proxy]
 #ETCD_PROXY="off"
-#
+
 #[security]
 {% if etcd_url_scheme == 'https' -%}
 ETCD_CA_FILE={{ etcd_ca_file }}