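#!/usr/bin/env bash
#
# Packer shell provisioner for OpenBao on Raspberry Pi
# https://openbao.org/docs/install
#
# Required environment (supplied by the Packer provisioner):
#   USERNAME              login user whose ~/.bashrc receives the bao settings
#   HOSTNAME              raft node_id and name of the TLS cert/key symlinks
#   BAO_INTERFACE         interface whose address is advertised (api/cluster_addr)
#   VAULT_TRANSIT_SERVER  address of the transit seal (auto-unseal) server
#   VAULT_TRANSIT_TOKEN   token for the transit seal; written to openbao.env
#   NOMAD_SERVER          "true" enables the openbao service on this node

# set -o errexit
# set -o nounset
set -o xtrace

# Fail early on missing inputs. None of these are secrets, so they may show up
# in the xtrace output; the token is checked further down with tracing off.
: "${USERNAME:?USERNAME must be set}"
: "${HOSTNAME:?HOSTNAME must be set}"
: "${BAO_INTERFACE:?BAO_INTERFACE must be set}"
: "${VAULT_TRANSIT_SERVER:?VAULT_TRANSIT_SERVER must be set}"

cd "/home/${USERNAME}" || exit 1

# Create bao config directories, starting from a clean /etc/openbao
mkdir -p /etc/openbao
rm -rf /etc/openbao/*
mkdir -p /etc/openbao/tls

# The bao systemd service requires this env file, can be empty. It later holds
# the transit token, so restrict it right away instead of leaving the default
# world-readable mode from touch(1).
touch /etc/openbao/openbao.env
chmod 640 /etc/openbao/openbao.env

# Symlink self-signed certs of Openbao installer
ln -s /opt/openbao/tls/tls.key "/etc/openbao/tls/${HOSTNAME}.key"
ln -s /opt/openbao/tls/tls.crt "/etc/openbao/tls/${HOSTNAME}.pem"

# Server configuration. The heredoc delimiter is unquoted on purpose:
# $HOSTNAME, $BAO_INTERFACE and $VAULT_TRANSIT_SERVER are expanded at build
# time, while the \" sequences are written literally for the go-sockaddr
# templates inside the HCL strings.
# NOTE(review): tls_skip_verify = "true" disables certificate validation
# toward the transit server, so the unseal token is sent over an unverified
# TLS connection; pin the transit server's CA instead where possible.
cat << EOF > /etc/openbao/openbao.hcl
ui = true

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
  tls_key_file = "/etc/openbao/tls/$HOSTNAME.key"
  tls_disable_client_certs = true
}

# HA advertisement addresses
#
# https://openbao.org/docs/configuration/#high-availability-parameters
# https://openbao.org/docs/concepts/ha#client-redirection
#
# API_ADDR for client redirection (fallback, if request forwarding is
# disabled). Uses go-sockaddr template to fetch the actual ip for an interface
api_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"$BAO_INTERFACE\" | attr \"address\" }}:8200"
# CLUSTER_ADDR: Vault listens for server-to-server cluster requests
cluster_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"$BAO_INTERFACE\" | attr \"address\" }}:8201"

storage "raft" {
  path = "/opt/openbao/data"
  node_id = "$HOSTNAME"

  retry_join {
    leader_api_addr = "https://pi0:8200"
    leader_tls_servername = "vault.in0rdr.ch"
    leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
  }
  retry_join {
    leader_api_addr = "https://pi2:8200"
    leader_tls_servername = "vault.in0rdr.ch"
    leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
  }
  retry_join {
    leader_api_addr = "https://pi4:8200"
    leader_tls_servername = "vault.in0rdr.ch"
    leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
  }
  retry_join {
    leader_api_addr = "https://intel0:8200"
    leader_tls_servername = "vault.in0rdr.ch"
    leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
  }
}

seal "transit" {
  address = "$VAULT_TRANSIT_SERVER"
  disable_renewal = "false"
  key_name = "autounseal"
  mount_path = "transit/"
  tls_skip_verify = "true"
}
EOF
chmod 640 /etc/openbao/openbao.hcl

# Write the transit token for the systemd unit. Tracing is suspended for this
# step only: with `set -o xtrace` active, the expanded command (token
# included) would be printed into the Packer build log.
{ set +o xtrace; } 2>/dev/null
if [[ -z "${VAULT_TRANSIT_TOKEN:-}" ]]; then
  printf 'VAULT_TRANSIT_TOKEN must be set\n' >&2
  exit 1
fi
printf 'VAULT_TOKEN=%s\n' "$VAULT_TRANSIT_TOKEN" > /etc/openbao/openbao.env
set -o xtrace

# only enable openbao on the Nomad servers
if [[ "${NOMAD_SERVER:-}" == true ]]; then
  systemctl enable openbao
fi

# Configure .bashrc. VAULT_SKIP_VERIFY disables TLS verification for the CLI
# against the self-signed listener cert.
# NOTE(review): completion is registered for the command name "boa" — confirm
# this is an intended alias and not a typo for "bao".
cat << EOF >> "/home/${USERNAME}/.bashrc"

complete -C /usr/bin/bao boa
export VAULT_ADDR="https://$HOSTNAME:8200"
export VAULT_SKIP_VERIFY=true
EOF

# Change ownership for config directory. openbao.hcl and openbao.env are 640,
# so after this only the openbao user/group can read them.
chown -R openbao: /etc/openbao/

echo 0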