Shell script to download, verify and set up HashiCorp Vault as a systemd service on a new Debian/Ubuntu machine
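#!/usr/bin/env bash
# Install HashiCorp Vault on a Debian/Ubuntu host: download a release zip,
# verify it against HashiCorp's GPG-signed SHA256SUMS, install the binary
# under /usr/local/bin and register a systemd unit that runs it as the
# "vault" service account.
#
# Usage: $0 [VAULT_VERSION] [VAULT_CONFIG_DIR]
#   VAULT_VERSION     release to install (default 1.4.3)
#   VAULT_CONFIG_DIR  directory that already contains vault.hcl (default /etc/vault.d)
# Must run as root (apt, useradd, writes under /etc and /usr/local).
#
# -e aborts on the first failing command. pipefail makes a pipeline fail when
# any stage fails, not just the last one — the SHA256SUMS check below is a
# `grep | sha256sum -c` pipeline. -u is intentionally left off: enabling it
# would require auditing every expansion in the script (including the systemd
# unit heredoc) for unset names first.
set -eo pipefail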
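#######################################
# Map a kernel machine name to the architecture label HashiCorp uses in its
# release file names (vault_<version>_linux_<label>.zip).
# Arguments:
#   $1 - machine name to map; defaults to the output of `uname -m`
# Outputs:
#   the label (arm, arm64, amd64 or 386) on stdout
# Returns:
#   0 for a known machine name, 1 (with a message on stderr) otherwise
#######################################
get_arch() {
  local machine label
  machine="${1:-$(uname -m)}"
  case "$machine" in
    # `uname -m` reports armv6l/armv7l on 32-bit ARM Linux; "armhf" is the
    # Debian package-architecture name and is kept so callers may pass it.
    armv6l|armv7l|armhf) label='arm' ;;
    aarch64|arm64)        label='arm64' ;;
    x86_64|amd64)         label='amd64' ;;
    # 32-bit x86 kernels report i386..i686, never the literal "x86".
    i386|i486|i586|i686|x86) label='386' ;;
    *)
      # Printed here because a caller using $(get_arch) runs this function in a
      # subshell and cannot see any variable it sets.
      printf 'get_arch: unsupported architecture: %s\n' "$machine" >&2
      return 1
      ;;
  esac
  printf '%s\n' "$label"
}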
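# --- Parameters -------------------------------------------------------------
# $1: Vault release to install; $2: directory that must already hold vault.hcl.
VAULT_VERSION=${1:-"1.4.3"}
# The version is spliced into the download URL and into file names in the
# scratch directory; reject anything that is empty or could escape a path
# component (the old "-z" check was unreachable because the default applies
# to an empty argument).
[[ "$VAULT_VERSION" =~ ^[A-Za-z0-9][A-Za-z0-9.+_-]*$ ]] \
  || { echo >&2 "ERROR: Invalid vault version: '$VAULT_VERSION'"; exit 1; }
# get_arch runs in a subshell here, so nothing it sets is visible; ask uname
# again for the diagnostic instead of relying on a variable from inside it.
ARCH=$(get_arch) || { echo >&2 "ERROR: Unsupported architecture: $(uname -m)"; exit 1; }
# Fingerprint (uppercase hex, no spaces) of the key that must have signed the
# release's SHA256SUMS. Overridable from the environment because HashiCorp
# rotates its release-signing key; confirm the current fingerprint at
# https://www.hashicorp.com/security before installing newer releases.
VAULT_GPGKEY="${VAULT_GPGKEY:-91A6E7F85D05C65630BEF18951852D87348FFC4C}"
VAULT_CONFIG_DIR=${2:-"/etc/vault.d"}
VAULT_CONFIG_FILE="${VAULT_CONFIG_DIR}/vault.hcl"
VAULT_SERVICE_FILE="/etc/systemd/system/vault.service"
VAULT_BIN_DIR="/usr/local/bin"
VAULT_USER="vault"
VAULT_GROUP="vault"
export DEBIAN_FRONTEND=noninteractive

# --- Preconditions ----------------------------------------------------------
[ "$(id -u)" -eq 0 ] || { echo >&2 "ERROR: this script must be run as root"; exit 1; }
[ -f "${VAULT_CONFIG_FILE}" ] || { echo >&2 "Error ${VAULT_CONFIG_FILE} does not exist!"; exit 1; }

# --- Packages and service account ------------------------------------------
# apt-get rather than apt: apt's CLI is documented as unstable for scripts.
apt-get update -q
# NOTE: a full package upgrade is a heavy side effect for an installer; it is
# kept because the original script did it, but consider removing it.
apt-get -q -y upgrade
apt-get install -q -y gnupg wget unzip
# Look the account up by exact name: a substring grep on /etc/passwd is also
# satisfied by any user whose name merely contains "vault". The group is
# created first so useradd does not fail on a pre-existing group of the same
# name. A service account gets no login shell and no home under /home.
getent group "$VAULT_GROUP" >/dev/null || groupadd --system "$VAULT_GROUP"
if ! getent passwd "$VAULT_USER" >/dev/null; then
  useradd --system --gid "$VAULT_GROUP" --home-dir "$VAULT_CONFIG_DIR" \
    --shell /bin/false "$VAULT_USER"
fi

# --- Work areas -------------------------------------------------------------
# An unpredictable scratch directory instead of a fixed /tmp/build (a fixed
# name in a world-writable directory can be pre-created or symlinked by any
# local user before this script deletes and recreates it), and a private
# GnuPG home so that the release key is the ONLY key gpg --verify can accept
# and root's real keyring is neither consulted nor deleted by this script.
BUILD_DIR=$(mktemp -d) || { echo >&2 "ERROR: mktemp failed"; exit 1; }
GNUPGHOME=$(mktemp -d) || { echo >&2 "ERROR: mktemp failed"; exit 1; }
export GNUPGHOME
cleanup() {
  # Stop the helper daemons that were started inside the private GNUPGHOME.
  gpgconf --kill dirmngr 2>/dev/null || true
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf -- "${BUILD_DIR:?}" "${GNUPGHOME:?}"
}
trap cleanup EXIT

# --- Release signing key ----------------------------------------------------
# Each keyserver is tried in turn. The fetch sits inside the `if` condition:
# a bare failing command would abort the whole script under set -e before the
# next server could be tried. The SKS pool is listed last: it has reportedly
# been decommissioned, so treat it as a best-effort fallback only.
found=''
for server in "hkp://keyserver.ubuntu.com:80" "hkp://pgp.mit.edu:80" "hkp://p80.pool.sks-keyservers.net:80"; do
  echo "Fetching GPG key $VAULT_GPGKEY from $server"
  if gpg --batch --keyserver "$server" --recv-keys "$VAULT_GPGKEY"; then
    found=yes
    break
  fi
done
test -z "$found" && { echo >&2 "error: failed to fetch GPG key $VAULT_GPGKEY"; exit 1; }

# --- Download and verify ----------------------------------------------------
echo "Downloading vault $VAULT_VERSION"
BASE_URL="https://releases.hashicorp.com/vault/${VAULT_VERSION}"
ZIP="vault_${VAULT_VERSION}_linux_${ARCH}.zip"
SUMS="vault_${VAULT_VERSION}_SHA256SUMS"
mkdir -p "$VAULT_BIN_DIR"
cd "$BUILD_DIR"
# --https-only refuses a plaintext redirect; the checksum file's integrity
# rests on the signature, but the zip name and version are only as trusted as
# the transport until the signature check below has passed.
wget -q --https-only "${BASE_URL}/${ZIP}"
wget -q --https-only "${BASE_URL}/${SUMS}"
wget -q --https-only "${BASE_URL}/${SUMS}.sig"
# A plain `gpg --verify` exits 0 for a valid signature from ANY key in the
# keyring. Capture gpg's machine-readable status output and require that the
# good signature (VALIDSIG) was made by the pinned fingerprint; a 40-hex-digit
# substring match is effectively exact. The output is captured rather than
# piped into grep -q so an early pipe close cannot turn into a SIGPIPE failure.
gpg_status=$(gpg --batch --status-fd 1 --verify "${SUMS}.sig" "$SUMS") \
  || { echo >&2 "ERROR: bad or missing signature on ${SUMS}"; exit 1; }
grep -q "^\[GNUPG:\] VALIDSIG .*${VAULT_GPGKEY}" <<<"$gpg_status" \
  || { echo >&2 "ERROR: ${SUMS} was not signed by key ${VAULT_GPGKEY}"; exit 1; }
# Only the line for our zip is fed to sha256sum; if the file lists no such
# line sha256sum -c fails on empty input, so a missing entry is not silent.
grep -F -- "${ZIP}" "$SUMS" | sha256sum -c

# --- Install ----------------------------------------------------------------
unzip -qo -d "$VAULT_BIN_DIR" "$ZIP"
chown root:root "${VAULT_BIN_DIR}/vault"
chmod 0755 "${VAULT_BIN_DIR}/vault"
# The unit runs as ${VAULT_USER}, which must be able to read the config (it
# commonly carries storage credentials), while nobody else should. Ownership
# is set non-recursively on purpose: ${VAULT_CONFIG_DIR} is caller-supplied.
# Any other files the config references (TLS material, etc.) must be readable
# by the ${VAULT_GROUP} group as well.
mkdir -p "${VAULT_CONFIG_DIR}"
chown "root:${VAULT_GROUP}" "${VAULT_CONFIG_DIR}" "${VAULT_CONFIG_FILE}"
chmod 0750 "${VAULT_CONFIG_DIR}"
chmod 0640 "${VAULT_CONFIG_FILE}"

# --- systemd unit -----------------------------------------------------------
echo "Creating Systemd config"
# The unit definition is kept as in the original script (it appears to mirror
# the unit HashiCorp publishes; re-check against current docs when bumping
# versions). The heredoc delimiter is unquoted so ${VAULT_*} expand here, and
# $MAINPID is escaped so it reaches systemd literally instead of being
# expanded — to nothing — by this shell, which would leave ExecReload with no
# PID to signal. Each directive is on its own line: a merged
# "ExecStart=... ExecReload=..." would pass the latter as arguments to vault.
cat >"$VAULT_SERVICE_FILE" <<EOF
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=${VAULT_CONFIG_FILE}
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
User=${VAULT_USER}
Group=${VAULT_GROUP}
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=${VAULT_BIN_DIR}/vault server -config=${VAULT_CONFIG_FILE}
ExecReload=/bin/kill --signal HUP \$MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target
EOF
chmod 0644 "$VAULT_SERVICE_FILE"
echo "Reloaded systemd with vault config"
systemctl daemon-reload
echo "Added systemd config on boot"
systemctl enable vault
echo "Started Vault via systemd"
systemctl start vault
echo "Cleaning up"
# Leave the scratch directory before the EXIT trap removes it together with
# the private keyring; root's own ~/.gnupg is untouched.
cd /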