hashipi

Raspberry Pi Test Cluster for HashiCorp Vault, Nomad and Consul
git clone https://git.in0rdr.ch/hashipi.git

openbao.sh (2642B)


      1 #!/usr/bin/env bash
      2 #
      3 # Packer shell provisioner for OpenBao on Raspberry Pi
      4 # https://openbao.org/docs/install
      5 
      6 # set -o errexit
      7 # set -o nounset
      8 set -o xtrace
      9 
     10 cd "/home/${USERNAME}"
     11 
     12 # Create bao config directories
     13 mkdir -p /etc/openbao
     14 rm -rf /etc/openbao/*
     15 mkdir -p /etc/openbao/tls
     16 # The bao systemd service requires this env file, can be empty
     17 touch /etc/openbao/openbao.env
     18 
     19 # Symlink self-signed certs of Openbao installer
     20 ln -s /opt/openbao/tls/tls.key "/etc/openbao/tls/$HOSTNAME.key"
     21 ln -s /opt/openbao/tls/tls.crt "/etc/openbao/tls/$HOSTNAME.pem"
     22 
     23 cat << EOF > /etc/openbao/openbao.hcl
     24 ui = true
     25 
     26 listener "tcp" {
     27   address       = "0.0.0.0:8200"
     28   tls_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
     29   tls_key_file  = "/etc/openbao/tls/$HOSTNAME.key"
     30   tls_disable_client_certs = true
     31 }
     32 
     33 # HA advertisement addresses
     34 #
     35 # https://openbao.org/docs/configuration/#high-availability-parameters
     36 # https://openbao.org/docs/concepts/ha#client-redirection
     37 #
     38 # API_ADDR for client redirection (fallback, if request forwarding is
     39 # disabled). Uses go-sockaddr template to fetch the actual ip for an interface
     40 api_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8200"
     41 # CLUSTER_ADDR: Vault listens for server-to-server cluster requests
     42 cluster_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8201"
     43 
     44 storage "raft" {
     45   path = "/opt/openbao/data"
     46   node_id = "$HOSTNAME"
     47 
     48   retry_join {
     49     leader_api_addr = "https://pi0:8200"
     50     leader_tls_servername = "vault.in0rdr.ch"
     51     leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
     52   } 
     53   retry_join {
     54     leader_api_addr = "https://pi2:8200"
     55     leader_tls_servername = "vault.in0rdr.ch"
     56     leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
     57   } 
     58   retry_join {
     59     leader_api_addr = "https://pi4:8200"
     60     leader_tls_servername = "vault.in0rdr.ch"
     61     leader_ca_cert_file = "/etc/openbao/tls/$HOSTNAME.pem"
     62   } 
     63 }
     64 
     65 seal "transit" {
     66   address = "$VAULT_TRANSIT_SERVER"
     67   disable_renewal = "false"
     68   key_name = "autounseal"
     69   mount_path = "transit/"
     70   tls_skip_verify = "true"
     71 }
     72 EOF
     73 
     74 echo "VAULT_TOKEN=$VAULT_TRANSIT_TOKEN" > /etc/openbao/openbao.env
     75 
     76 chmod 640 /etc/openbao/openbao.hcl
     77 
     78 # only enable openbao on the Nomad servers
     79 if [[ "$NOMAD_SERVER" = true ]]; then
     80  systemctl enable openbao
     81 fi
     82 
     83 # Configure .bashrc
     84 cat << EOF >> "/home/${USERNAME}/.bashrc"
     85 
     86 complete -C /usr/bin/bao boa
     87 export VAULT_ADDR="https://$HOSTNAME:8200"
     88 export VAULT_SKIP_VERIFY=true
     89 EOF
     90 
     91 # Change ownership for config directory 
     92 chown -R openbao: /etc/openbao/
     93 
     94 echo 0