vault.sh (3811B)
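#!/usr/bin/env bash
#
# Packer shell provisioner for HashiCorp Vault on Raspberry Pi
# https://learn.hashicorp.com/vault/operations/ops-deployment-guide
#
# Required environment (supplied by the Packer provisioner):
#   USERNAME                - login user whose ~/.bashrc gets the Vault CLI setup
#   HOSTNAME                - CN/SAN of the server certificate (set by bash)
#   VAULT_TLS_CA_CERT       - path to the CA certificate used to sign the server cert
#   VAULT_TLS_CA_KEY        - path to the CA private key (deleted after signing)
#   VAULT_TRANSIT_SERVER    - address of the Vault used for transit auto-unseal
#   VAULT_TRANSIT_TOKEN     - token written to /etc/vault.d/vault.env (secret)
# Optional:
#   VAULT_TLS_SUBJ_ALT_NAME - extra SAN entries, e.g. "DNS:vault.example"
#   NOMAD_CLIENT            - "false" for Nomad-server-only nodes

# set -o errexit
# set -o nounset
# xtrace is on for the whole provisioner; it is switched off around the one
# command that handles a secret so the token does not land in the build log.
set -o xtrace

# Fail early on missing inputs instead of provisioning into /home/ or signing
# with an empty CA path.
: "${USERNAME:?USERNAME must be set}"
: "${VAULT_TLS_CA_CERT:?VAULT_TLS_CA_CERT must be set}"
: "${VAULT_TLS_CA_KEY:?VAULT_TLS_CA_KEY must be set}"

cd "/home/${USERNAME}" || exit 1

# Create Vault config directories
mkdir -p /etc/vault.d
rm -rf /etc/vault.d/*
mkdir -p /etc/vault.d/tls
# The vault systemd service requires this env file, can be empty.
# It will later hold the transit token, so never let it be world-readable.
touch /etc/vault.d/vault.env
chmod 640 /etc/vault.d/vault.env
# errexit is off: an unchecked cd here would generate the key pair in the
# wrong directory, so this one must abort explicitly.
cd /etc/vault.d/tls || exit 1

# Specify CSR parameters for server key
VAULT_TLS_SUBJ_ALT_NAME=${VAULT_TLS_SUBJ_ALT_NAME:+", $VAULT_TLS_SUBJ_ALT_NAME"}
SERVER_CONFIG="
[ req ]
commonName = $HOSTNAME
distinguished_name = dn
req_extensions = ext
[ dn ]
CN = Common Name
[ ext ]
subjectAltName = DNS:$HOSTNAME $VAULT_TLS_SUBJ_ALT_NAME
keyUsage=critical,digitalSignature,keyAgreement
"
# Create new private key and CSR
openssl req -config <(printf '%s' "$SERVER_CONFIG") \
  -subj "/CN=${HOSTNAME}" -extensions ext -out "${HOSTNAME}.csr" \
  -new -newkey rsa:2048 -nodes -keyout "${HOSTNAME}.key" || exit 1
# Sign the CSR
openssl x509 -extfile <(printf '%s' "$SERVER_CONFIG") -extensions ext -req \
  -in "${HOSTNAME}.csr" -CA "$VAULT_TLS_CA_CERT" -CAkey "$VAULT_TLS_CA_KEY" \
  -CAcreateserial -out "${HOSTNAME}.pem" -days 365 || exit 1
# Show fingerprint
openssl x509 -in "${HOSTNAME}.pem" -fingerprint -noout

# Cleanup CA key: it must not remain on the image. ':?' guards against an
# empty path; '--' guards against a path that starts with '-'.
rm -f -- "${VAULT_TLS_CA_KEY:?}"

# Change permissions for tls certs (keys stay readable by the vault group only)
chmod 640 -- *.key
chmod 644 -- *.pem

# Concatenate CA and server certificate
cat "$VAULT_TLS_CA_CERT" >> "${HOSTNAME}.pem"

# Trust the CA. update-ca-certificates only picks up files under
# /usr/local/share/ca-certificates that end in .crt, so install the CA under
# that extension regardless of its original name.
ca_base=${VAULT_TLS_CA_CERT##*/}
mv -- "$VAULT_TLS_CA_CERT" "/usr/local/share/ca-certificates/${ca_base%.*}.crt" || exit 1
update-ca-certificates

cat << EOF > /etc/vault.d/vault.hcl
ui = true

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/$HOSTNAME.pem"
  tls_key_file = "/etc/vault.d/tls/$HOSTNAME.key"
  tls_disable_client_certs = true
}

# HA advertisement addresses
#
# https://www.vaultproject.io/docs/configuration#high-availability-parameters
# https://www.vaultproject.io/docs/concepts/ha#client-redirection
#
# This uses a go-sockaddr template to fetch the actual ip for an interface.
# This is the address registered in the Consul service. If this is not an ip
# here, requests to the Consul DNS will also not return an A record (only
# CNAME). This leads to problems with Haproxy server-template.
#
# API_ADDR for client redirection (fallback, if request forwarding is disabled)
api_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8200"
# CLUSTER_ADDR: Vault listens for server-to-server cluster requests
cluster_addr = "https://{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}:8201"

storage "consul" {
  address = "https://127.0.0.1:8501"
  path = "vault/"
  #token = "tbd"
  tls_ca_file = "/opt/consul/tls/consul-agent-ca.pem"
  tls_cert_file = "/opt/consul/tls/dc1-client-consul.pem"
  tls_key_file = "/opt/consul/tls/dc1-client-consul-key.pem"
$(if [[ "$NOMAD_CLIENT" = false ]]; then
    # This nodes TLS certificate cannot be updated by Nomad jobs,
    # because it serves as Nomad server exclusively. Don't expose
    # it to the load balancer by disabling Consul service discovery.
    # printf instead of 'echo -e': no stray carriage return in the HCL.
    printf '  disable_registration = true\n'
  fi)
}

seal "transit" {
  address = "$VAULT_TRANSIT_SERVER"
  disable_renewal = "false"
  key_name = "autounseal"
  mount_path = "transit/"
  # NOTE(review): the transit server's CA is installed above; consider
  # dropping tls_skip_verify once that trust path is confirmed to work.
  tls_skip_verify = "true"
}
EOF

# The transit token is a secret: suspend xtrace so it is not echoed into the
# Packer build log, and keep the env file group-readable only.
set +o xtrace
printf 'VAULT_TOKEN=%s\n' "$VAULT_TRANSIT_TOKEN" > /etc/vault.d/vault.env
set -o xtrace
chmod 640 /etc/vault.d/vault.env

chmod 640 /etc/vault.d/vault.hcl

systemctl enable vault

# Configure .bashrc
# NOTE(review): the CA is added to the system trust store above, so
# VAULT_SKIP_VERIFY=true should be unnecessary; it is kept for compatibility.
cat << EOF >> "/home/${USERNAME}/.bashrc"

complete -C /usr/bin/vault vault
export VAULT_ADDR="https://$HOSTNAME:8200"
export VAULT_SKIP_VERIFY=true
EOF

# Change ownership for config directory
chown -R vault: /etc/vault.d/

# With errexit off, the script's exit status is that of this last command,
# i.e. always 0; the critical steps above therefore exit explicitly on failure.
echo 0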