commit 2006e74c66a8587b63500dca6e2e3ee2bf61afdc
parent 3a49aa2cffbd48236ccc7329ca32e01aa9f32ac3
Author: Andreas Gruhler <agruhl@gmx.ch>
Date: Sun, 21 Aug 2022 03:22:08 +0200
feat: auto-unsealing
Diffstat:
5 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/hashi-pi.json b/hashi-pi.json
@@ -22,13 +22,16 @@
"vault_arch": "arm64",
"vault_tls_ca_cert": "./tls/vault/ca/vault_ca.pem",
"vault_tls_ca_key": "./tls/vault/ca/vault_ca.key",
- "vault_tls_subj_alt_name": "IP:127.0.0.1"
+ "vault_tls_subj_alt_name": "IP:127.0.0.1",
+ "vault_transit_server": null,
+ "vault_transit_token": null
},
"sensitive-variables": [
"consul_encrypt",
"consul_tls_server_key",
"consul_tls_client_key",
- "consul_tls_cli_key"
+ "consul_tls_cli_key",
+ "vault_transit_token"
],
"builders": [{
"type": "arm",
@@ -148,7 +151,9 @@
"VAULT_ARCH={{ user `vault_arch` }}",
"VAULT_TLS_CA_CERT=/tmp/vault_ca.pem",
"VAULT_TLS_CA_KEY=/tmp/vault_ca.key",
- "VAULT_TLS_SUBJ_ALT_NAME={{ user `vault_tls_subj_alt_name` }}"
+ "VAULT_TLS_SUBJ_ALT_NAME={{ user `vault_tls_subj_alt_name` }}",
+ "VAULT_TRANSIT_SERVER={{ user `vault_transit_server` }}",
+ "VAULT_TRANSIT_TOKEN={{ user `vault_transit_token` }}"
]
}
]
diff --git a/hosts/pi0.json b/hosts/pi0.json
@@ -7,5 +7,7 @@
"consul_encrypt": "",
"consul_tls_ca": "./tls/consul/consul-agent-ca.pem",
"consul_tls_certs": "./tls/consul/certs/",
- "consul_retry_join": "\"pi0.lan\", \"pi1.lan\", \"pi2.lan\""
+ "consul_retry_join": "\"pi0.lan\", \"pi1.lan\", \"pi2.lan\"",
+ "vault_transit_server": "",
+ "vault_transit_token": ""
}
diff --git a/hosts/pi1.json b/hosts/pi1.json
@@ -7,5 +7,7 @@
"consul_encrypt": "",
"consul_tls_ca": "./tls/consul/consul-agent-ca.pem",
"consul_tls_certs": "./tls/consul/certs/",
- "consul_retry_join": "\"pi0.lan\", \"pi1.lan\", \"pi2.lan\""
+ "consul_retry_join": "\"pi0.lan\", \"pi1.lan\", \"pi2.lan\"",
+ "vault_transit_server": "",
+ "vault_transit_token": ""
}
diff --git a/hosts/pi2.json b/hosts/pi2.json
@@ -7,5 +7,7 @@
"consul_encrypt": "",
"consul_tls_ca": "./tls/consul/consul-agent-ca.pem",
"consul_tls_certs": "./tls/consul/certs/",
- "consul_retry_join": "\"pi0.lan\", \"pi1.lan\", \"pi2.lan\""
+ "consul_retry_join": "\"pi0.lan\", \"pi1.lan\", \"pi2.lan\"",
+ "vault_transit_server": "",
+ "vault_transit_token": ""
}
diff --git a/vault.sh b/vault.sh
@@ -99,6 +99,15 @@ storage "consul" {
tls_cert_file = "/opt/consul/tls/dc1-client-consul.pem"
tls_key_file = "/opt/consul/tls/dc1-client-consul-key.pem"
}
+
+seal "transit" {
+ address = "$VAULT_TRANSIT_SERVER"
+ token = "$VAULT_TRANSIT_TOKEN"
+ disable_renewal = "false"
+ key_name = "autounseal"
+ mount_path = "transit/"
+ tls_skip_verify = "true"
+}
EOF
chmod 640 /etc/vault.d/vault.hcl
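Review bot: `tls_skip_verify = "true"` in the new `seal "transit"` stanza disables certificate verification for the connection that carries the seal token and every wrap/unwrap of Vault's root key, so anyone on-path who can answer for `$VAULT_TRANSIT_SERVER` can collect the token and unwrap the barrier key. Pass the transit cluster's CA instead, e.g. plumb a `VAULT_TRANSIT_CA_CERT` through Packer like the existing `VAULT_TLS_CA_CERT` and replace that line with `tls_ca_cert = "$VAULT_TRANSIT_CA_CERT"`. The stanza is also emitted unconditionally while the host var files in this commit set both `vault_transit_server` and `vault_transit_token` to `""`; I would expect Vault to refuse to start with an empty `address`, so either gate the stanza on `[ -n "$VAULT_TRANSIT_SERVER" ]` or fail the script early when the variables are unset. The token ends up in clear in `/etc/vault.d/vault.hcl` (mode 640), so it should be a token scoped to a policy that permits only `update` on `transit/encrypt/autounseal` and `transit/decrypt/autounseal`, with the file's group restricted to the vault service account. The heredoc that produces this file starts before the hunk.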