
The purpose of this document is to provide considerations for the security, operational, and support tasks and conditions of a production-ready / mission-critical Vault deployment.
This is a living document; please feel free to suggest changes and have someone review and approve them. You might also want to see this doc from Julia that was done for pre-renewal health checking.
Infrastructure Security
Are servers provisioned via a build/codified pipeline?
Can staff login (SSH/Console/etc) to individual servers?
Is all traffic in/out of server encrypted?
Is the cluster subnet firewalled from other network resources?
If a server is destroyed/lost, are logs and events available post-mortem?
Is root token creation restricted? Monitored?
@mikegreen
mikegreen / gist:968a0b9f6f00943b4864fce5285ecd55
Created November 4, 2021 19:56
Read Vault PKI config and tune
$ vault secrets list --detailed
Path Plugin Accessor Default TTL Max TTL Force No Cache Replication Seal Wrap External Entropy Access Options Description UUID
---- ------ -------- ----------- ------- -------------- ----------- --------- ----------------------- ------- ----------- ----
cubbyhole/ cubbyhole cubbyhole_fcbf5e6d n/a n/a false local false false map[] per-token private secret storage 11a09df9-8ef6-bf26-2cc1-d4c6424c4780
database/ database database_c7158e73 system system fal
@mikegreen
mikegreen / custom-vault.py
Last active September 27, 2021 20:24
DataDog Vault Status Checker
# drafty custom-vault.py
# needs a corresponding /etc/datadog-agent/conf.d/custom-vault.yaml with `instances: [{}]` only
# see https://datadoghq.dev/integrations-core/base/api/#datadog_checks.base.checks.base.AgentCheck.count
# https://github.com/DataDog/integrations-core/tree/master/vault/datadog_checks/vault
import requests
# the following try/except block will make the custom check compatible with any Agent version
try:
# first, try to import the base class from new versions of the Agent...
# This should be run as root
# this creates a self-signed certificate with the IP addresses as IP SANS
# Todo - see if we want to roll this into https://github.com/hashicorp/linux-packaging/blob/master/products/vault/scripts/postinst
# dump interfaces to file to work with
ifconfig > ifconfig.txt
# Get number of IPs returned, excluding the ip6 loopback for now
grep "inet" ifconfig.txt | grep -v "::1" | awk -F' ' '{print $2}' | wc -l
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}
provider "aws" {
@mikegreen
mikegreen / docker-compose.yml
Last active February 24, 2021 15:47
Valheim docker
# started/using https://github.com/mbround18/valheim-docker
:/opt/docker-configs/valheim-server$ cat docker-compose.yml
version: "3"
services:
  valheim:
    image: mbround18/valheim:latest
    restart: unless-stopped
    ports:
      - 2456:2456/udp
### Keybase proof
I hereby claim:
* I am mikegreen on github.
* I am mikegreen13 (https://keybase.io/mikegreen13) on keybase.
* I have a public key ASCaP9tqP5U_C0bqZ3xj1G2koYY0uMvuxojlIMyEbQOI2wo
To claim this, I am signing this object:
@mikegreen
mikegreen / pol-check-ex.json
Created August 20, 2020 18:44
TFE Sentinel Policy Check Output sample
{
  "data": {
    "id": "polchk-K7hoj4fHrp17TZw9",
    "type": "policy-checks",
    "attributes": {
      "result": {
        "result": true,
        "passed": 2,
        "total-failed": 0,
        "hard-failed": 0,
@mikegreen
mikegreen / sendTempHumidStathat.py
Created July 6, 2020 18:27
Send dht22 temp and humidity to Stathat
import time
import adafruit_dht
import board
from datetime import datetime
from stathat import StatHat
stathat = StatHat()
stathatKey = "[email protected]"
@mikegreen
mikegreen / sendVoltsStathat.py
Created July 6, 2020 18:12
Send Arduino voltage sensor to Stathat
import RPi.GPIO as gpio
import smbus
import time
import sys
import struct
from datetime import datetime
from stathat import StatHat
stathat = StatHat()