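#!/usr/bin/env bash
#
# Packer shell provisioner for OpenBao on Raspberry Pi
# https://openbao.org/docs/install
#
# Generates a per-host TLS key pair signed by a pre-staged CA, writes
# /etc/openbao/openbao.hcl and /etc/openbao/openbao.env, adds the CA to the
# system trust store and (on Nomad servers) enables the openbao unit.
#
# Required environment (supplied by the Packer template):
#   USERNAME              login user whose ~/.bashrc receives the bao helpers
#   HOSTNAME              CN / SAN of the server certificate and raft node_id
#   VAULT_TLS_CA_CERT     path to the CA certificate (moved into the trust store)
#   VAULT_TLS_CA_KEY      path to the CA private key (deleted after signing)
#   VAULT_TRANSIT_SERVER  address of the transit auto-unseal server
#   VAULT_TRANSIT_TOKEN   token for the transit seal (written to openbao.env)
#   NOMAD_SERVER          "true" enables the openbao unit
# Optional:
#   VAULT_TLS_SUBJ_ALT_NAME  extra subjectAltName entries, e.g. "DNS:vault.example"

# set -o errexit
# set -o nounset
set -o xtrace

readonly BAO_DIR=/etc/openbao
readonly BAO_TLS_DIR="${BAO_DIR}/tls"
readonly BAO_ENV_FILE="${BAO_DIR}/openbao.env"
readonly BAO_CONFIG_FILE="${BAO_DIR}/openbao.hcl"

cd "/home/${USERNAME}" || exit 1

# Create bao config directories, starting from a clean config tree
mkdir -p "${BAO_DIR}"
rm -rf -- "${BAO_DIR:?}"/*
mkdir -p "${BAO_TLS_DIR}"
# The bao systemd service requires this env file, can be empty. It later
# receives the transit token, so restrict its mode before anything is written
# (the redirect below truncates the file and keeps this mode).
touch "${BAO_ENV_FILE}"
chmod 640 "${BAO_ENV_FILE}"
cd "${BAO_TLS_DIR}" || exit 1

# Specify CSR parameters for server key.
# Extra SANs get a ", " prefix so they append cleanly to the DNS entry.
VAULT_TLS_SUBJ_ALT_NAME=${VAULT_TLS_SUBJ_ALT_NAME:+", $VAULT_TLS_SUBJ_ALT_NAME"}
SERVER_CONFIG="
[ req ]
commonName = $HOSTNAME
distinguished_name = dn
req_extensions = ext
[ dn ]
CN = Common Name
[ ext ]
subjectAltName = DNS:$HOSTNAME $VAULT_TLS_SUBJ_ALT_NAME
keyUsage=critical,digitalSignature,keyAgreement
"
# Create new private key and CSR. Abort on failure so a missing or stale key
# is never signed, installed or referenced from the config.
openssl req -config <(echo "$SERVER_CONFIG") -subj "/CN=${HOSTNAME}" \
  -extensions ext -out "${HOSTNAME}.csr" \
  -new -newkey rsa:2048 -nodes -keyout "${HOSTNAME}.key" || exit 1
# Sign the CSR with the staged CA. Abort on failure; otherwise the CA key
# would be deleted below and the image left without a usable certificate.
openssl x509 -extfile <(echo "$SERVER_CONFIG") -extensions ext -req \
  -in "${HOSTNAME}.csr" -CA "$VAULT_TLS_CA_CERT" -CAkey "$VAULT_TLS_CA_KEY" \
  -CAcreateserial -out "${HOSTNAME}.pem" -days 365 || exit 1
# Show fingerprint
openssl x509 -in "${HOSTNAME}.pem" -fingerprint -noout

# Cleanup CA key: it must not remain on the image
rm -f -- "$VAULT_TLS_CA_KEY"

# Change permissions for tls certs (only the key and cert created above exist
# here; the key stays readable by the openbao group only)
chmod 640 -- "${HOSTNAME}.key"
chmod 644 -- "${HOSTNAME}.pem"

# Concatenate CA and server certificate (chain served to clients and used as
# leader_ca_cert_file below)
cat "$VAULT_TLS_CA_CERT" >> "${HOSTNAME}.pem"

# Trust the CA
# NOTE(review): update-ca-certificates only picks up *.crt files from this
# directory — confirm VAULT_TLS_CA_CERT carries a .crt name in the template.
mv -- "$VAULT_TLS_CA_CERT" /usr/local/share/ca-certificates/
update-ca-certificates

# NOTE: the transit seal (tls_skip_verify) and the shell helpers below
# (VAULT_SKIP_VERIFY) disable TLS verification; kept as configured.
cat << EOF > "${BAO_CONFIG_FILE}"
ui = true

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
  tls_key_file = "/etc/openbao/tls/$HOSTNAME.key"
  tls_disable_client_certs = true
}

# HA advertisement addresses
#
# https://openbao.org/docs/configuration/#high-availability-parameters
# https://openbao.org/docs/concepts/ha#client-redirection
#
# API_ADDR for client redirection (fallback, if request forwarding is
# disabled). Uses go-sockaddr template to fetch the actual ip for an interface
api_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8200"
# CLUSTER_ADDR: Vault listens for server-to-server cluster requests
cluster_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8201"

storage "raft" {
  path = "/opt/openbao/data"
  node_id = "$HOSTNAME"

  retry_join {
    leader_api_addr = "https://pi0:8200"
    leader_tls_servername = "vault.in0rdr.ch"
    leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
  }
  retry_join {
    leader_api_addr = "https://pi2:8200"
    leader_tls_servername = "vault.in0rdr.ch"
    leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
  }
  retry_join {
    leader_api_addr = "https://pi4:8200"
    leader_tls_servername = "vault.in0rdr.ch"
    leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
  }
}

seal "transit" {
  address = "$VAULT_TRANSIT_SERVER"
  disable_renewal = "false"
  key_name = "autounseal"
  mount_path = "transit/"
  tls_skip_verify = "true"
}
EOF

# Write the transit token with tracing switched off so the secret does not
# end up in the provisioner log; the env file already has mode 640.
{ set +o xtrace; } 2>/dev/null
printf 'VAULT_TOKEN=%s\n' "$VAULT_TRANSIT_TOKEN" > "${BAO_ENV_FILE}"
set -o xtrace

chmod 640 "${BAO_CONFIG_FILE}"

# only enable openbao on the Nomad servers
if [[ "$NOMAD_SERVER" == true ]]; then
  systemctl enable openbao
fi

# Configure .bashrc
# NOTE(review): completion is registered for the command name "boa"; confirm
# this is intended rather than a typo for "bao".
cat << EOF >> "/home/${USERNAME}/.bashrc"

complete -C /usr/bin/bao boa
export VAULT_ADDR="https://$HOSTNAME:8200"
export VAULT_SKIP_VERIFY=true
EOF

# Change ownership for config directory
chown -R openbao: "${BAO_DIR}/"

echo 0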