hashipi

Raspberry Pi Test Cluster for HashiCorp Vault, Nomad and Consul

commit 81c6c9c9476a7c015b09ef2198e29895586fb2f2
parent c62fe4a76298087edef2df5f970e4d3c31a440c2
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Sun,  4 Jun 2023 12:47:49 +0200

feat: use HC distribution pkgs

Diffstat:
Mbootstrap.sh | 9++++++++-
Mconsul.sh | 42+-----------------------------------------
Mhashi-pi.json | 25++++++++-----------------
Dhashicorp.asc | 122-------------------------------------------------------------------------------
Mnomad.sh | 52+---------------------------------------------------
Mvault.sh | 66++++--------------------------------------------------------------
6 files changed, 22 insertions(+), 294 deletions(-)

diff --git a/bootstrap.sh b/bootstrap.sh
@@ -25,9 +25,16 @@ chmod +x /tmp/resizerootfs
 mv /tmp/resizerootfs /usr/sbin/
 systemctl enable resizerootfs.service
 
+# Add HashiCorp repository
+wget -O- https://apt.releases.hashicorp.com/gpg \
+ | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
+ | tee /etc/apt/sources.list.d/hashicorp.list
+
 # Install packages
 apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get install -y jq podman cloud-init
+DEBIAN_FRONTEND=noninteractive apt-get install -y jq podman cloud-init \
+ "consul=${CONSUL_VERSION}-1" "vault=${VAULT_VERSION}-1" "nomad=${NOMAD_VERSION}-1"
 
 # Configure insecure local registry
 cat << EOF > /etc/containers/registries.conf
diff --git a/consul.sh b/consul.sh
@@ -7,26 +7,8 @@ #
 set -o nounset
 set -o xtrace
 
-CONSUL_URL="https://releases.hashicorp.com/consul"
-
 cd "/home/${USERNAME}"
 
-# Download Consul binary and checksums
-curl -sS -O "${CONSUL_URL}/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_${CONSUL_ARCH}.zip"
-curl -sS -O "${CONSUL_URL}/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_SHA256SUMS"
-curl -sS -O "${CONSUL_URL}/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_SHA256SUMS.sig"
-
-# Verify signature and zip archive
-gpg --import "hashicorp.asc"
-gpg --verify "consul_${CONSUL_VERSION}_SHA256SUMS.sig" "consul_${CONSUL_VERSION}_SHA256SUMS"
-sha256sum -c "consul_${CONSUL_VERSION}_SHA256SUMS" --ignore-missing
-
-# Install binary
-unzip "consul_${CONSUL_VERSION}_linux_${CONSUL_ARCH}.zip"
-chown root: consul
-mv consul /usr/local/bin/
-consul --version
-
 # Move uploaded tls files
 mkdir -p /opt/consul/tls
 mv /tmp/tls/* /opt/consul/tls/
@@ -43,6 +25,7 @@ chmod 644 /opt/consul/tls/consul-agent-ca.pem
 
 # Create Consul config files
 mkdir -p /etc/consul.d
+rm -rf /etc/consul.d/*
 cat << EOF > /etc/consul.d/consul.hcl
 datacenter = "dc1"
 
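Review bot: The apt signing key is trusted exactly as downloaded: `wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o ...` dearmors whatever the server returns, so the pinned trust anchor that the deleted hashicorp.asc provided for the old release-archive path has no counterpart on the new apt path, and a misdirected or tampered download would silently become the trusted keyring. Write the key to a temporary file and compare its fingerprint with the value HashiCorp publishes before dearmoring, e.g. `gpg --show-keys --with-fingerprint /tmp/hashicorp.gpg | grep -q '<EXPECTED_FINGERPRINT>' || exit 1` (placeholder; take the fingerprint from HashiCorp's documentation, never from the download itself). The deleted hashicorp.asc is the key that verified the SHA256SUMS.sig files and is not necessarily the apt packaging key, so it should not be assumed reusable for this purpose. `sudo` appears only on this one command while the adjacent `tee /etc/apt/sources.list.d/hashicorp.list` and `apt-get install` write system paths without it, so it is either redundant (and breaks if sudo is absent from the image) or the neighbouring writes would fail anyway; drop it for consistency. The `-1` Debian revision hard-coded into `"consul=${CONSUL_VERSION}-1"` ties the build to a single repository revision and none of the three version variables is checked for being set, so an empty value produces a `consul=-1` pin; a `: "${CONSUL_VERSION:?}" "${VAULT_VERSION:?}" "${NOMAD_VERSION:?}"` guard before the install would fail with a clear message instead.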
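Review bot: `rm -rf /etc/consul.d/*` discards the package-shipped contents and the following `cat << EOF > /etc/consul.d/consul.hcl` recreates the file with the build's umask, and nothing in this hunk sets its mode or ownership; the file presumably carries the gossip key handed in through CONSUL_ENCRYPT (listed under sensitive-variables in hashi-pi.json), so it should not end up world-readable. Add `chown root:consul /etc/consul.d/consul.hcl && chmod 640 /etc/consul.d/consul.hcl` after the heredoc, mirroring the `chmod 640 /etc/vault.d/vault.hcl` that vault.sh already has, unless the part of consul.sh outside this hunk already does so. The same wipe is introduced in the nomad.sh and vault.sh hunks below; a one-line comment such as `# Drop the package defaults; every file below is regenerated by this script` at each would make the intent explicit to the next reader.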
@@ -103,29 +86,6 @@ tls {
 }
 EOF
 
-# Configure systemd service unit
-cat << EOF > /etc/systemd/system/consul.service
-[Unit]
-Description="HashiCorp Consul - A service mesh solution"
-Documentation=https://www.consul.io/
-Requires=network-online.target
-After=network-online.target
-ConditionFileNotEmpty=/etc/consul.d/consul.hcl
-
-[Service]
-Type=notify
-User=consul
-Group=consul
-ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/
-ExecReload=/usr/local/bin/consul reload
-KillMode=process
-Restart=on-failure
-LimitNOFILE=65536
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
 systemctl enable consul
 
 # Configure .bashrc
diff --git a/hashi-pi.json b/hashi-pi.json
@@ -8,23 +8,21 @@
 "flash_device_path": null,
 "img_size": "3G",
 "consul_version": "1.15.2",
- "consul_arch": "arm64",
 "consul_encrypt": null,
 "consul_tls_ca": null,
 "consul_tls_certs": null,
 "consul_retry_join": "\"HashiPi0\", \"HashiPi1\", \"HashiPi2\"",
 "nomad_version": "1.5.5",
- "nomad_arch": "arm64",
 "nomad_nfs_server": "",
 "nomad_nfs_mount": "",
 "nomad_nfs_target": "",
 "vault_version": "1.13.2",
- "vault_arch": "arm64",
 "vault_tls_ca_cert": "./tls/vault/ca/vault_ca.pem",
 "vault_tls_ca_key": "./tls/vault/ca/vault_ca.key",
 "vault_tls_subj_alt_name": "IP:127.0.0.1",
 "vault_transit_server": null,
- "vault_transit_token": null
+ "vault_transit_token": null,
+ "cilium_version": "1.13.2"
 },
 "sensitive-variables": [
 "consul_encrypt",
@@ -83,15 +81,13 @@
 "environment_vars": [
 "HOSTNAME={{ user `hostname` }}",
 "USERNAME={{ user `username` }}",
- "AUTHORIZED_KEYS={{ user `authorized_keys` }}"
+ "AUTHORIZED_KEYS={{ user `authorized_keys` }}",
+ "NOMAD_VERSION={{ user `nomad_version` }}",
+ "CONSUL_VERSION={{ user `consul_version` }}",
+ "VAULT_VERSION={{ user `vault_version` }}"
 ]
 },
 {
- "type": "file",
- "source": "hashicorp.asc",
- "destination": "/home/{{ user `username` }}/hashicorp.asc"
- },
- {
 "type": "shell",
 "inline": ["mkdir /tmp/tls"]
 },
@@ -111,8 +107,6 @@
 "remote_folder": "/home/{{ user `username` }}",
 "environment_vars": [
 "USERNAME={{ user `username` }}",
- "CONSUL_VERSION={{ user `consul_version` }}",
- "CONSUL_ARCH={{ user `consul_arch` }}",
 "CONSUL_ENCRYPT={{ user `consul_encrypt` }}",
 "CONSUL_RETRY_JOIN={{ user `consul_retry_join` }}"
 ]
@@ -123,11 +117,10 @@
 "remote_folder": "/home/{{ user `username` }}",
 "environment_vars": [
 "USERNAME={{ user `username` }}",
- "NOMAD_VERSION={{ user `nomad_version` }}",
- "NOMAD_ARCH={{ user `nomad_arch` }}",
 "NFS_SERVER={{ user `nomad_nfs_server` }}",
 "NFS_MOUNT={{ user `nomad_nfs_mount` }}",
- "NFS_MOUNT_TARGET={{ user `nomad_nfs_target` }}"
+ "NFS_MOUNT_TARGET={{ user `nomad_nfs_target` }}",
+ "CILIUM_VERSION={{ user `cilium_version` }}"
 ]
 },
 {
@@ -147,8 +140,6 @@
 "environment_vars": [
 "USERNAME={{ user `username` }}",
 "HOSTNAME={{ user `hostname` }}",
- "VAULT_VERSION={{ user `vault_version` }}",
- "VAULT_ARCH={{ user `vault_arch` }}",
 "VAULT_TLS_CA_CERT=/tmp/vault_ca.pem",
 "VAULT_TLS_CA_KEY=/tmp/vault_ca.key",
 "VAULT_TLS_SUBJ_ALT_NAME={{ user `vault_tls_subj_alt_name` }}",
diff --git a/hashicorp.asc b/hashicorp.asc
@@ -1,122 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBGB9+xkBEACabYZOWKmgZsHTdRDiyPJxhbuUiKX65GUWkyRMJKi/1dviVxOX -PG6hBPtF48IFnVgxKpIb7G6NjBousAV+CuLlv5yqFKpOZEGC6sBV+Gx8Vu1CICpl -Zm+HpQPcIzwBpN+Ar4l/exCG/f/MZq/oxGgH+TyRF3XcYDjG8dbJCpHO5nQ5Cy9h -QIp3/Bh09kET6lk+4QlofNgHKVT2epV8iK1cXlbQe2tZtfCUtxk+pxvU0UHXp+AB -0xc3/gIhjZp/dePmCOyQyGPJbp5bpO4UeAJ6frqhexmNlaw9Z897ltZmRLGq1p4a -RnWL8FPkBz9SCSKXS8uNyV5oMNVn4G1obCkc106iWuKBTibffYQzq5TG8FYVJKrh -RwWB6piacEB8hl20IIWSxIM3J9tT7CPSnk5RYYCTRHgA5OOrqZhC7JefudrP8n+M -pxkDgNORDu7GCfAuisrf7dXYjLsxG4tu22DBJJC0c/IpRpXDnOuJN1Q5e/3VUKKW -mypNumuQpP5lc1ZFG64TRzb1HR6oIdHfbrVQfdiQXpvdcFx+Fl57WuUraXRV6qfb -4ZmKHX1JEwM/7tu21QE4F1dz0jroLSricZxfaCTHHWNfvGJoZ30/MZUrpSC0IfB3 -iQutxbZrwIlTBt+fGLtm3vDtwMFNWM+Rb1lrOxEQd2eijdxhvBOHtlIcswARAQAB -tERIYXNoaUNvcnAgU2VjdXJpdHkgKGhhc2hpY29ycC5jb20vc2VjdXJpdHkpIDxz -ZWN1cml0eUBoYXNoaWNvcnAuY29tPokCVAQTAQoAPhYhBMh0AR8KtAURDQIQVTQ2 -XZRy10aPBQJgffsZAhsDBQkJZgGABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ -EDQ2XZRy10aPtpcP/0PhJKiHtC1zREpRTrjGizoyk4Sl2SXpBZYhkdrG++abo6zs -buaAG7kgWWChVXBo5E20L7dbstFK7OjVs7vAg/OLgO9dPD8n2M19rpqSbbvKYWvp -0NSgvFTT7lbyDhtPj0/bzpkZEhmvQaDWGBsbDdb2dBHGitCXhGMpdP0BuuPWEix+ -QnUMaPwU51q9GM2guL45Tgks9EKNnpDR6ZdCeWcqo1IDmklloidxT8aKL21UOb8t -cD+Bg8iPaAr73bW7Jh8TdcV6s6DBFub+xPJEB/0bVPmq3ZHs5B4NItroZ3r+h3ke -VDoSOSIZLl6JtVooOJ2la9ZuMqxchO3mrXLlXxVCo6cGcSuOmOdQSz4OhQE5zBxx -LuzA5ASIjASSeNZaRnffLIHmht17BPslgNPtm6ufyOk02P5XXwa69UCjA3RYrA2P -QNNC+OWZ8qQLnzGldqE4MnRNAxRxV6cFNzv14ooKf7+k686LdZrP/3fQu2p3k5rY -0xQUXKh1uwMUMtGR867ZBYaxYvwqDrg9XB7xi3N6aNyNQ+r7zI2lt65lzwG1v9hg -FG2AHrDlBkQi/t3wiTS3JOo/GCT8BjN0nJh0lGaRFtQv2cXOQGVRW8+V/9IpqEJ1 -qQreftdBFWxvH7VJq2mSOXUJyRsoUrjkUuIivaA9Ocdipk2CkP8bpuGz7ZF4uQIN -BGB9+xkBEACoklYsfvWRCjOwS8TOKBTfl8myuP9V9uBNbyHufzNETbhYeT33Cj0M -GCNd9GdoaknzBQLbQVSQogA+spqVvQPz1MND18GIdtmr0BXENiZE7SRvu76jNqLp -KxYALoK2Pc3yK0JGD30HcIIgx+lOofrVPA2dfVPTj1wXvm0rbSGA4Wd4Ng3d2AoR -G/wZDAQ7sdZi1A9hhfugTFZwfqR3XAYCk+PUeoFrkJ0O7wngaon+6x2GJVedVPOs 
-2x/XOR4l9ytFP3o+5ILhVnsK+ESVD9AQz2fhDEU6RhvzaqtHe+sQccR3oVLoGcat -ma5rbfzH0Fhj0JtkbP7WreQf9udYgXxVJKXLQFQgel34egEGG+NlbGSPG+qHOZtY -4uWdlDSvmo+1P95P4VG/EBteqyBbDDGDGiMs6lAMg2cULrwOsbxWjsWka8y2IN3z -1stlIJFvW2kggU+bKnQ+sNQnclq3wzCJjeDBfucR3a5WRojDtGoJP6Fc3luUtS7V -5TAdOx4dhaMFU9+01OoH8ZdTRiHZ1K7RFeAIslSyd4iA/xkhOhHq89F4ECQf3Bt4 -ZhGsXDTaA/VgHmf3AULbrC94O7HNqOvTWzwGiWHLfcxXQsr+ijIEQvh6rHKmJK8R -9NMHqc3L18eMO6bqrzEHW0Xoiu9W8Yj+WuB3IKdhclT3w0pO4Pj8gQARAQABiQI8 -BBgBCgAmFiEEyHQBHwq0BRENAhBVNDZdlHLXRo8FAmB9+xkCGwwFCQlmAYAACgkQ -NDZdlHLXRo9ZnA/7BmdpQLeTjEiXEJyW46efxlV1f6THn9U50GWcE9tebxCXgmQf -u+Uju4hreltx6GDi/zbVVV3HCa0yaJ4JVvA4LBULJVe3ym6tXXSYaOfMdkiK6P1v -JgfpBQ/b/mWB0yuWTUtWx18BQQwlNEQWcGe8n1lBbYsH9g7QkacRNb8tKUrUbWlQ -QsU8wuFgly22m+Va1nO2N5C/eE/ZEHyN15jEQ+QwgQgPrK2wThcOMyNMQX/VNEr1 -Y3bI2wHfZFjotmek3d7ZfP2VjyDudnmCPQ5xjezWpKbN1kvjO3as2yhcVKfnvQI5 -P5Frj19NgMIGAp7X6pF5Csr4FX/Vw316+AFJd9Ibhfud79HAylvFydpcYbvZpScl -7zgtgaXMCVtthe3GsG4gO7IdxxEBZ/Fm4NLnmbzCIWOsPMx/FxH06a539xFq/1E2 -1nYFjiKg8a5JFmYU/4mV9MQs4bP/3ip9byi10V+fEIfp5cEEmfNeVeW5E7J8PqG9 -t4rLJ8FR4yJgQUa2gs2SNYsjWQuwS/MJvAv4fDKlkQjQmYRAOp1SszAnyaplvri4 -ncmfDsf0r65/sd6S40g5lHH8LIbGxcOIN6kwthSTPWX89r42CbY8GzjTkaeejNKx -v1aCrO58wAtursO1DiXCvBY7+NdafMRnoHwBk50iPqrVkNA8fv+auRyB2/G5Ag0E -YH3+JQEQALivllTjMolxUW2OxrXb+a2Pt6vjCBsiJzrUj0Pa63U+lT9jldbCCfgP -wDpcDuO1O05Q8k1MoYZ6HddjWnqKG7S3eqkV5c3ct3amAXp513QDKZUfIDylOmhU -qvxjEgvGjdRjz6kECFGYr6Vnj/p6AwWv4/FBRFlrq7cnQgPynbIH4hrWvewp3Tqw -GVgqm5RRofuAugi8iZQVlAiQZJo88yaztAQ/7VsXBiHTn61ugQ8bKdAsr8w/ZZU5 -HScHLqRolcYg0cKN91c0EbJq9k1LUC//CakPB9mhi5+aUVUGusIM8ECShUEgSTCi -KQiJUPZ2CFbbPE9L5o9xoPCxjXoX+r7L/WyoCPTeoS3YRUMEnWKvc42Yxz3meRb+ -BmaqgbheNmzOah5nMwPupJYmHrjWPkX7oyyHxLSFw4dtoP2j6Z7GdRXKa2dUYdk2 -x3JYKocrDoPHh3Q0TAZujtpdjFi1BS8pbxYFb3hHmGSdvz7T7KcqP7ChC7k2RAKO -GiG7QQe4NX3sSMgweYpl4OwvQOn73t5CVWYp/gIBNZGsU3Pto8g27vHeWyH9mKr4 -cSepDhw+/X8FGRNdxNfpLKm7Vc0Sm9Sof8TRFrBTqX+vIQupYHRi5QQCuYaV6OVr -ITeegNK3So4m39d6ajCR9QxRbmjnx9UcnSYYDmIB6fpBuwT0ogNtABEBAAGJBHIE 
-GAEKACYCGwIWIQTIdAEfCrQFEQ0CEFU0Nl2UctdGjwUCYH4bgAUJAeFQ2wJAwXQg -BBkBCgAdFiEEs2y6kaLAcwxDX8KAsLRBCXaFtnYFAmB9/iUACgkQsLRBCXaFtnYX -BhAAlxejyFXoQwyGo9U+2g9N6LUb/tNtH29RHYxy4A3/ZUY7d/FMkArmh4+dfjf0 -p9MJz98Zkps20kaYP+2YzYmaizO6OA6RIddcEXQDRCPHmLts3097mJ/skx9qLAf6 -rh9J7jWeSqWO6VW6Mlx8j9m7sm3Ae1OsjOx/m7lGZOhY4UYfY627+Jf7WQ5103Qs -lgQ09es/vhTCx0g34SYEmMW15Tc3eCjQ21b1MeJD/V26npeakV8iCZ1kHZHawPq/ -aCCuYEcCeQOOteTWvl7HXaHMhHIx7jjOd8XX9V+UxsGz2WCIxX/j7EEEc7CAxwAN -nWp9jXeLfxYfjrUB7XQZsGCd4EHHzUyCf7iRJL7OJ3tz5Z+rOlNjSgci+ycHEccL -YeFAEV+Fz+sj7q4cFAferkr7imY1XEI0Ji5P8p/uRYw/n8uUf7LrLw5TzHmZsTSC -UaiL4llRzkDC6cVhYfqQWUXDd/r385OkE4oalNNE+n+txNRx92rpvXWZ5qFYfv7E -95fltvpXc0iOugPMzyof3lwo3Xi4WZKc1CC/jEviKTQhfn3WZukuF5lbz3V1PQfI -xFsYe9WYQmp25XGgezjXzp89C/OIcYsVB1KJAKihgbYdHyUN4fRCmOszmOUwEAKR -3k5j4X8V5bk08sA69NVXPn2ofxyk3YYOMYWW8ouObnXoS8QJEDQ2XZRy10aPMpsQ -AIbwX21erVqUDMPn1uONP6o4NBEq4MwG7d+fT85rc1U0RfeKBwjucAE/iStZDQoM -ZKWvGhFR+uoyg1LrXNKuSPB82unh2bpvj4zEnJsJadiwtShTKDsikhrfFEK3aCK8 -Zuhpiu3jxMFDhpFzlxsSwaCcGJqcdwGhWUx0ZAVD2X71UCFoOXPjF9fNnpy80YNp -flPjj2RnOZbJyBIM0sWIVMd8F44qkTASf8K5Qb47WFN5tSpePq7OCm7s8u+lYZGK -wR18K7VliundR+5a8XAOyUXOL5UsDaQCK4Lj4lRaeFXunXl3DJ4E+7BKzZhReJL6 -EugV5eaGonA52TWtFdB8p+79wPUeI3KcdPmQ9Ll5Zi/jBemY4bzasmgKzNeMtwWP -fk6WgrvBwptqohw71HDymGxFUnUP7XYYjic2sVKhv9AevMGycVgwWBiWroDCQ9Ja -btKfxHhI2p+g+rcywmBobWJbZsujTNjhtme+kNn1mhJsD3bKPjKQfAxaTskBLb0V -wgV21891TS1Dq9kdPLwoS4XNpYg2LLB4p9hmeG3fu9+OmqwY5oKXsHiWc43dei9Y -yxZ1AAUOIaIdPkq+YG/PhlGE4YcQZ4RPpltAr0HfGgZhmXWigbGS+66pUj+Ojysc -j0K5tCVxVu0fhhFpOlHv0LWaxCbnkgkQH9jfMEJkAWMOuQINBGCAXCYBEADW6RNr -ZVGNXvHVBqSiOWaxl1XOiEoiHPt50Aijt25yXbG+0kHIFSoR+1g6Lh20JTCChgfQ -kGGjzQvEuG1HTw07YhsvLc0pkjNMfu6gJqFox/ogc53mz69OxXauzUQ/TZ27GDVp -UBu+EhDKt1s3OtA6Bjz/csop/Um7gT0+ivHyvJ/jGdnPEZv8tNuSE/Uo+hn/Q9hg -8SbveZzo3C+U4KcabCESEFl8Gq6aRi9vAfa65oxD5jKaIz7cy+pwb0lizqlW7H9t -Qlr3dBfdIcdzgR55hTFC5/XrcwJ6/nHVH/xGskEasnfCQX8RYKMuy0UADJy72TkZ -bYaCx+XXIcVB8GTOmJVoAhrTSSVLAZspfCnjwnSxisDn3ZzsYrq3cV6sU8b+QlIX 
-7VAjurE+5cZiVlaxgCjyhKqlGgmonnReWOBacCgL/UvuwMmMp5TTLmiLXLT7uxeG -ojEyoCk4sMrqrU1jevHyGlDJH9Taux15GILDwnYFfAvPF9WCid4UZ4Ouwjcaxfys -3LxNiZIlUsXNKwS3mhiMRL4TRsbs4k4QE+LIMOsauIvcvm8/frydvQ/kUwIhVTH8 -0XGOH909bYtJvY3fudK7ShIwm7ZFTduBJUG473E/Fn3VkhTmBX6+PjOC50HR/Hyb -waRCzfDruMe3TAcE/tSP5CUOb9C7+P+hPzQcDwARAQABiQRyBBgBCgAmFiEEyHQB -Hwq0BRENAhBVNDZdlHLXRo8FAmCAXCYCGwIFCQlmAYACQAkQNDZdlHLXRo/BdCAE -GQEKAB0WIQQ3TsdbSFkTYEqDHMfIIMbVzSerhwUCYIBcJgAKCRDIIMbVzSerh0Xw -D/9ghnUsoNCu1OulcoJdHboMazJvDt/znttdQSnULBVElgM5zk0Uyv87zFBzuCyQ -JWL3bWesQ2uFx5fRWEPDEfWVdDrjpQGb1OCCQyz1QlNPV/1M1/xhKGS9EeXrL8Dw -F6KTGkRwn1yXiP4BGgfeFIQHmJcKXEZ9HkrpNb8mcexkROv4aIPAwn+IaE+NHVtt -IBnufMXLyfpkWJQtJa9elh9PMLlHHnuvnYLvuAoOkhuvs7fXDMpfFZ01C+QSv1dz -Hm52GSStERQzZ51w4c0rYDneYDniC/sQT1x3dP5Xf6wzO+EhRMabkvoTbMqPsTEP -xyWr2pNtTBYp7pfQjsHxhJpQF0xjGN9C39z7f3gJG8IJhnPeulUqEZjhRFyVZQ6/ -siUeq7vu4+dM/JQL+i7KKe7Lp9UMrG6NLMH+ltaoD3+lVm8fdTUxS5MNPoA/I8cK -1OWTJHkrp7V/XaY7mUtvQn5V1yET5b4bogz4nME6WLiFMd+7x73gB+YJ6MGYNuO8 -e/NFK67MfHbk1/AiPTAJ6s5uHRQIkZcBPG7y5PpfcHpIlwPYCDGYlTajZXblyKrw -BttVnYKvKsnlysv11glSg0DphGxQJbXzWpvBNyhMNH5dffcfvd3eXJAxnD81GD2z -ZAriMJ4Av2TfeqQ2nxd2ddn0jX4WVHtAvLXfCgLM2Gveho4jD/9sZ6PZz/rEeTvt -h88t50qPcBa4bb25X0B5FO3TeK2LL3VKLuEp5lgdcHVonrcdqZFobN1CgGJua8TW -SprIkh+8ATZ/FXQTi01NzLhHXT1IQzSpFaZw0gb2f5ruXwvTPpfXzQrs2omY+7s7 -fkCwGPesvpSXPKn9v8uhUwD7NGW/Dm+jUM+QtC/FqzX7+/Q+OuEPjClUh1cqopCZ -EvAI3HjnavGrYuU6DgQdjyGT/UDbuwbCXqHxHojVVkISGzCTGpmBcQYQqhcFRedJ -yJlu6PSXlA7+8Ajh52oiMJ3ez4xSssFgUQAyOB16432tm4erpGmCyakkoRmMUn3p -wx+QIppxRlsHznhcCQKR3tcblUqH3vq5i4/ZAihusMCa0YrShtxfdSb13oKX+pFr -aZXvxyZlCa5qoQQBV1sowmPL1N2j3dR9TVpdTyCFQSv4KeiExmowtLIjeCppRBEK -eeYHJnlfkyKXPhxTVVO6H+dU4nVu0ASQZ07KiQjbI+zTpPKFLPp3/0sPRJM57r1+ -aTS71iR7nZNZ1f8LZV2OvGE6fJVtgJ1J4Nu02K54uuIhU3tg1+7Xt+IqwRc9rbVr -pHH/hFCYBPW2D2dxB+k2pQlg5NI+TpsXj5Zun8kRw5RtVb+dLuiH/xmxArIee8Jq -ZF5q4h4I33PSGDdSvGXn9UMY5Isjpg== -=7pIB ------END PGP PUBLIC KEY BLOCK----- diff --git a/nomad.sh b/nomad.sh 
@@ -7,8 +7,6 @@ #
 set -o nounset
 set -o xtrace
 
-NOMAD_URL="https://releases.hashicorp.com/nomad"
-
 cd "/home/${USERNAME}"
 
 # Install podman driver for Nomad
@@ -19,33 +17,12 @@ unzip "nomad-driver-podman_${NOMAD_PODMAN_DRIVER_VERSION}_linux_arm64.zip"
 mkdir -p /opt/nomad/plugins/
 mv nomad-driver-podman /opt/nomad/plugins/
 
-# Download Nomad binary and checksums
-curl -sS -O "${NOMAD_URL}/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_linux_${NOMAD_ARCH}.zip"
-curl -sS -O "${NOMAD_URL}/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_SHA256SUMS"
-curl -sS -O "${NOMAD_URL}/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_SHA256SUMS.sig"
-
-# Verify signature and zip archive
-gpg --import "hashicorp.asc"
-gpg --verify "nomad_${NOMAD_VERSION}_SHA256SUMS.sig" "nomad_${NOMAD_VERSION}_SHA256SUMS"
-sha256sum -c "nomad_${NOMAD_VERSION}_SHA256SUMS" --ignore-missing
-
-# Extract binary
-unzip "nomad_${NOMAD_VERSION}_linux_${NOMAD_ARCH}.zip"
-
-# Fix ownership and install binary
-chown root: nomad
-chmod 0755 nomad
-mv nomad /usr/local/bin/
-
-# Check version
-nomad --version
-
 # Create Nomad data directory
 mkdir -p /opt/nomad
 
 # Create Nomads config files
 mkdir -p /etc/nomad.d
-chmod 700 /etc/nomad.d
+rm -rf /etc/nomad.d/*
 cat << EOF > /etc/nomad.d/nomad.hcl
 datacenter = "dc1"
 
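Review bot: Replacing `chmod 700 /etc/nomad.d` with `rm -rf /etc/nomad.d/*` drops the only access restriction on a directory that later receives `/etc/nomad.d/nomad.env` holding `VAULT_TOKEN=` (visible as context in the next hunk), so the token file's readability now depends on the package's directory mode and the build umask rather than on anything this script controls. Keep an explicit restriction, for instance `chmod 750 /etc/nomad.d` here and `chmod 640 /etc/nomad.d/nomad.env` right after that file is written, with both chowned to the account the packaged unit runs as; that account is not visible on this page, and the removed unit set no `User=`, which suggests root, in which case simply keeping `chmod 700` is enough. The script is a flat file that continues past this hunk, so the mode fix-up may belong where nomad.env is written rather than here.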
@@ -145,32 +122,6 @@ autopilot {
 }
 EOF
 
-# Configure systemd service unit
-cat << EOF > /etc/systemd/system/nomad.service
-[Unit]
-Description=Nomad
-Documentation=https://nomadproject.io/docs/
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-EnvironmentFile=/etc/nomad.d/nomad.env
-ExecReload=/bin/kill -HUP
-ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
-KillMode=process
-KillSignal=SIGINT
-LimitNOFILE=infinity
-LimitNPROC=infinity
-Restart=on-failure
-RestartSec=2
-StartLimitBurst=3
-StartLimitIntervalSec=10
-TasksMax=infinity
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
 # Add VAULT_TOKEN placeholder, replace w/ real token
 # https://www.nomadproject.io/docs/integrations/vault-integration
 echo "VAULT_TOKEN=changeme" > /etc/nomad.d/nomad.env
@@ -222,7 +173,6 @@ keyfile: /var/lib/cilium/consul-tls/dc1-server-consul-key.pem
 EOF
 
 # Run Cilium as privileged container on the node
-CILIUM_VERSION=1.13.2
 cat << EOF > /etc/systemd/system/cilium.service
 [Unit]
 Description=Cilium Agent
diff --git a/vault.sh b/vault.sh
@@ -7,33 +7,16 @@ #
 set -o nounset
 set -o xtrace
 
-VAULT_URL="https://releases.hashicorp.com/vault"
-
 cd "/home/${USERNAME}"
 
-# Download Vault binary and checksums
-curl -sS -O "${VAULT_URL}/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip"
-curl -sS -O "${VAULT_URL}/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS"
-curl -sS -O "${VAULT_URL}/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS.sig"
-
-# Verify signature and zip archive
-gpg --import "hashicorp.asc"
-gpg --verify "vault_${VAULT_VERSION}_SHA256SUMS.sig" "vault_${VAULT_VERSION}_SHA256SUMS"
-sha256sum -c "vault_${VAULT_VERSION}_SHA256SUMS" --ignore-missing
-
-# Install binary
-unzip "vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip"
-chown root: vault
-mv vault /usr/local/bin/
-vault --version
-
 # Create Vault config directories
+mkdir -p /etc/vault.d
+rm -rf /etc/vault.d/*
 mkdir -p /etc/vault.d/tls
+# The vault systemd service requires this env file, can be empty
+touch /etc/vault.d/vault.env
 cd /etc/vault.d/tls
 
-# Vault system user
-useradd --system --home /etc/vault.d --shell /bin/false vault
-
 # Specify CSR parameters for server key
 VAULT_TLS_SUBJ_ALT_NAME=${VAULT_TLS_SUBJ_ALT_NAME:+", $VAULT_TLS_SUBJ_ALT_NAME"}
 SERVER_CONFIG="
@@ -68,9 +51,6 @@ cat "$VAULT_TLS_CA_CERT" >> "${HOSTNAME}.pem"
 mv "$VAULT_TLS_CA_CERT" /usr/local/share/ca-certificates/
 update-ca-certificates
 
-# Allow usage of mlock syscall without root
-setcap cap_ipc_lock=+ep /usr/local/bin/vault
-
 cat << EOF > /etc/vault.d/vault.hcl
 ui = true
 
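Review bot: The first hunk now relies on the distribution package for the `vault` system user (the `useradd` is removed here) and for the mlock capability (`setcap` is removed in the next hunk), yet the server certificate and key generated under `/etc/vault.d/tls` by the rest of this root-run script are still created here, and nothing in view sets their ownership or mode for the service account. If the packaged unit runs as `vault` as the removed unit did (`User=vault` in the last hunk of this file), confirm that the server key is readable by that account and by nobody else, e.g. `chown -R root:vault /etc/vault.d/tls && chmod 750 /etc/vault.d/tls` after the key material is written, unless this already happens further down in vault.sh outside the hunk. A short comment on the new `rm -rf /etc/vault.d/*` line, such as `# Remove the package defaults; config, env file and TLS material are regenerated below`, would record why the packaged files are discarded before the directory is repopulated.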
@@ -117,44 +97,6 @@ EOF
 chmod 640 /etc/vault.d/vault.hcl
 
-# Configure systemd service unit
-cat << EOF > /etc/systemd/system/vault.service
-[Unit]
-Description="HashiCorp Vault - A tool for managing secrets"
-Documentation=https://www.vaultproject.io/docs/
-Requires=network-online.target
-After=network-online.target
-ConditionFileNotEmpty=/etc/vault.d/vault.hcl
-StartLimitIntervalSec=60
-StartLimitBurst=3
-
-[Service]
-Type=notify
-EnvironmentFile=-/etc/vault.d/vault.env
-User=vault
-Group=vault
-ProtectSystem=full
-ProtectHome=read-only
-PrivateTmp=yes
-PrivateDevices=yes
-SecureBits=keep-caps
-AmbientCapabilities=CAP_IPC_LOCK
-CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
-NoNewPrivileges=yes
-ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
-ExecReload=/bin/kill --signal HUP \$MAINPID
-KillMode=process
-KillSignal=SIGINT
-Restart=on-failure
-RestartSec=5
-TimeoutStopSec=30
-LimitNOFILE=65536
-LimitMEMLOCK=infinity
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
 systemctl enable vault
 
 # Configure .bashrc