Basic Vault setup steps to test replication
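#!/usr/bin/env bash
# Basic Vault Enterprise single-node setup on Debian/Ubuntu, used to stand up
# test nodes for replication experiments.
#
# Steps: install packages from the HashiCorp apt repo, write the Raft/TLS
# server config, install a certbot deploy hook that copies the renewed cert
# and key into place, issue the certificate, init/unseal/login, force one
# renewal to exercise the hook, then wipe the Raft data so the node starts
# clean (the init state created above is discarded by that wipe, so the node
# comes back uninitialised).
#
# Run on the target host with root privileges: the apt steps use sudo, the
# rest write directly to /etc and /opt. The host's FQDN must be publicly
# resolvable and reachable on port 80 for the HTTP-01 challenge.
# key-shares/key-threshold of 1 is for test use only.
set -euo pipefail

host=$(hostname -s)
fqdn="${host}.voges.uk"
tls_dir=/opt/vault/tls
data_dir=/opt/vault/data
init_file="${HOME}/.vault-init.json"
keyring=/usr/share/keyrings/hashicorp-archive-keyring.gpg

# --- package repository and installs ---
sudo apt update && sudo apt install gpg jq certbot
wget -O- https://apt.releases.hashicorp.com/gpg \
  | gpg --dearmor \
  | sudo tee "${keyring}" >/dev/null
# Print the fingerprint so it can be compared with HashiCorp's published key
# before the repo is trusted.
gpg --no-default-keyring --keyring "${keyring}" --fingerprint
echo "deb [signed-by=${keyring}] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault-enterprise

# --- server configuration (unquoted heredoc: ${host}/${fqdn} expand now) ---
cat > /etc/vault.d/vault.hcl <<EOF
ui = true
storage "raft" {
  path = "${data_dir}"
  node_id = "${host}"
}
cluster_addr = "http://${fqdn}:8201"
api_addr = "https://${fqdn}:8200"
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "${tls_dir}/tls.crt"
  tls_key_file = "${tls_dir}/tls.key"
  tls_disable_client_certs = true
}
license_path = "/etc/vault.d/vault.hclic"
EOF

# --- certbot deploy hook: install the renewed cert/key and restart Vault ---
# Quoted delimiter: nothing expands here. certbot sets RENEWED_DOMAINS and
# RENEWED_LINEAGE in the hook's environment.
cat > /etc/letsencrypt/renewal-hooks/deploy/vault.sh <<'EOF'
#!/bin/bash
set -euo pipefail
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=${RENEWED_DOMAINS:-}"
echo "RENEWED_LINEAGE=${RENEWED_LINEAGE:-}"
if grep --quiet -F -- "$(hostname -s).voges.uk" <<< "${RENEWED_DOMAINS:-}"; then
  # install(1) applies the mode to the copy it creates, so the private key is
  # not left world-readable by the umask the way `cat >` would on first
  # creation. root:vault keeps it readable by the service (assumes the
  # package-created `vault` service group — confirm with `id vault`).
  install -m 0640 -o root -g vault -- "$RENEWED_LINEAGE/privkey.pem" /opt/vault/tls/tls.key
  install -m 0644 -o root -g vault -- "$RENEWED_LINEAGE/fullchain.pem" /opt/vault/tls/tls.crt
  systemctl restart vault
  echo "Vault certificate updated and Vault service restarted"
fi
EOF
chmod +x /etc/letsencrypt/renewal-hooks/deploy/vault.sh

# Issue the certificate; on success certbot runs the deploy hook above.
# The contact address in the original gist was obfuscated by the renderer,
# so it is taken from the environment here.
certbot certonly --standalone --preferred-challenges http -d "${fqdn}" --agree-tos \
  -m "${CERTBOT_EMAIL:?set CERTBOT_EMAIL to the Let's Encrypt contact address}" -n

# --- initialise, unseal and log in ---
export VAULT_ADDR="https://localhost:8200"
# "localhost" is not in the Let's Encrypt SAN (only ${fqdn} is), so TLS
# verification is skipped for this local session only; pointing VAULT_ADDR at
# the FQDN would make the skip unnecessary.
export VAULT_SKIP_VERIFY="1"
# The init output holds the unseal key and root token: create the file 0600
# (umask inside the subshell) and pass the secrets to the CLI over stdin so
# they do not appear in argv (visible in ps and shell history).
( umask 077; vault operator init -key-shares=1 -key-threshold=1 -format=json | tee "${init_file}" )
jq -r '.unseal_keys_hex[0]' "${init_file}" | vault operator unseal -
jq -r '.root_token' "${init_file}" | vault login -

# --- exercise the renewal hook, then reset Raft storage so the node starts clean ---
certbot renew --force-renewal
systemctl stop vault
# ${data_dir:?} aborts rather than expanding to "/*" if the variable is empty.
rm -rf -- "${data_dir:?}"/*
systemctl start vault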