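#!/usr/bin/env bash
# Provision a Vault Enterprise node: install the binary staged at /tmp/vault,
# create the vault service account, lay out /etc/vault.d and /var/lib/vault,
# and write the systemd unit plus a raft-backed vault.hcl.
# Required staged inputs: /tmp/vault (binary) and /tmp/vault.hclic (license).
# -x traces every command, with expanded values, to stderr. The values expanded
# by this script are not secrets, but keep that in mind before adding any.
set -euxo pipefail
# Per-node identity: raft node_id and the address the listener binds to.
export VAULT_NODE_ID="GIEGTIVLP18994C"
export VAULT_NODE_IP_ADDR="10.27.84.13"
echo "Installing Vault Enterprise"
# Fail early with a clear message instead of a bare cp/install error.
[[ -f /tmp/vault ]] || { echo "error: /tmp/vault not found" >&2; exit 1; }
# install (rather than cp) sets owner and mode explicitly, so the binary ends up
# root-owned and executable regardless of how it was staged in /tmp (cp would
# inherit the staged file's mode and, on overwrite, keep the old file's owner).
# The staged binary is trusted as-is; TODO(review): verify its checksum or
# signature against the vendor release before this step.
sudo install -o root -g root -m 0755 -- /tmp/vault /usr/bin/vault
echo "Adding Vault system users"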
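#######################################
# Create a system group and, if it does not exist yet, a matching locked
# system account (no home directory, no login shell).
# Arguments: $1 - account name, used for both the group and the user
# Outputs:   none (adduser output is discarded)
# Returns:   status of groupadd/adduser; the script runs under set -e
#######################################
create_ids() {
  local name=$1
  # --force makes groupadd idempotent when the group already exists.
  sudo /usr/sbin/groupadd --force --system "${name}"
  # getent is the portable lookup; skip creation when the user is present.
  if ! getent passwd "${name}" >/dev/null; then
    # NOTE(review): these are useradd-style options (--gid, --comment,
    # --no-create-home); the Debian/Ubuntu Perl adduser takes different flags,
    # so this assumes a distro where adduser is useradd — confirm the target.
    sudo /usr/sbin/adduser \
      --system \
      --gid "${name}" \
      --home "/srv/${name}" \
      --no-create-home \
      --comment "${name} account" \
      --shell /bin/false \
      "${name}" >/dev/null
  fi
}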
# Service account for the vault process.
create_ids "vault"
printf '%s\n' "Configuring HashiCorp directories"
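#######################################
# Create the config and data directory tree for a HashiCorp product and hand
# it to its service account.
# Arguments: $1 - product name, giving /etc/$1.d and /var/lib/$1
#            $2 - user/group that owns the tree; separate from $1 because
#                 e.g. consul-snapshot has no account of its own
# Returns:   status of the last sudo command
#######################################
directory_setup() {
  local product=$1
  local owner=$2
  # -m applies to each directory named here (not to -p intermediate parents):
  # config and data are group-accessible only.
  sudo mkdir -pm 0750 -- "/etc/${product}.d" "/var/lib/${product}" "/var/lib/${product}/data"
  # Key material goes under tls/: owner-only.
  sudo mkdir -pm 0700 -- "/etc/${product}.d/tls"
  sudo chown -R -- "${owner}:${owner}" "/etc/${product}.d" "/var/lib/${product}"
}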
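directory_setup vault vault
# Install the license file with an explicit owner and mode rather than letting
# cp inherit whatever mode the staged copy in /tmp had; 0640 vault:vault keeps
# it readable by the service account only, matching the 0750 directory policy.
[[ -f /tmp/vault.hclic ]] || { echo "error: /tmp/vault.hclic not found" >&2; exit 1; }
sudo install -o vault -g vault -m 0640 -- /tmp/vault.hclic /etc/vault.d/vault.hclic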
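echo "Copy systemd services"
# Unquoted heredoc: only \$MAINPID is escaped so systemd, not this shell,
# expands it. The original unit set ProtectSystem twice (true, then full);
# systemd keeps the last assignment, so only the effective value is kept.
# Capabilities= is an older directive that newer systemd versions ignore with
# a warning; AmbientCapabilities=/CapabilityBoundingSet= carry the setting
# there, which is why both forms are present.
sudo tee /etc/systemd/system/vault.service 1> /dev/null << EOF
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
[Service]
User=vault
Group=vault
LogLevel=info
# Sandboxing settings to improve the security of the host by restricting vault privileges and access
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
# Configure the capabilities of the vault process, particularly to lock memory.
# (support for multiple systemd versions)
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
# Limit the number of file descriptors to the configured value and prevent memory being swapped to disk
LimitNOFILE=65536
LimitMEMLOCK=infinity
# Prevent vault and any child process from gaining new privileges
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP \$MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitIntervalSec=60
StartLimitBurst=3
[Install]
WantedBy=multi-user.target
EOF
# Drop-in directory for local overrides so the unit file itself stays pristine.
# Note that nothing here runs systemctl daemon-reload/enable; presumably a
# later step does — confirm before relying on this script alone.
sudo mkdir -p /etc/systemd/system/vault.service.d
sudo touch /etc/systemd/system/vault.service.d/override.conf
sudo chmod 0664 /etc/systemd/system/vault.service
sudo chmod 0750 /etc/systemd/system/vault.service.d
sudo chmod 0640 /etc/systemd/system/vault.service.d/override.conf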
# Write the node configuration. Unquoted heredoc: ${VAULT_NODE_ID} and
# ${VAULT_NODE_IP_ADDR} are expanded by this shell; everything else is literal
# HCL. Peer addresses are hard-coded for a three-node cluster and include this
# node's own address (10.27.84.13) — presumably harmless for retry_join, verify.
# The raft path is /var/lib/vault itself; the data/ subdirectory created by
# directory_setup is not referenced here.
sudo tee /etc/vault.d/vault.hcl 1> /dev/null << EOF
ui = true
license_path = "/etc/vault.d/vault.hclic"
storage "raft" {
path = "/var/lib/vault"
node_id = "${VAULT_NODE_ID}"
retry_join = {
leader_api_addr = "http://10.27.84.13:8200"
}
retry_join = {
leader_api_addr = "http://10.27.84.14:8200"
}
retry_join = {
leader_api_addr = "http://10.27.84.15:8200"
}
}
#seal "pkcs11" {}
listener "tcp" {
address = "${VAULT_NODE_IP_ADDR}:8200"
# Temporarily disable for initial installation
tls_disable = true
}
api_addr = "http://${VAULT_NODE_IP_ADDR}:8200"
cluster_addr = "http://${VAULT_NODE_IP_ADDR}:8201"
EOF
# tee creates vault.hcl with root's umask (typically 0644); /etc/vault.d is
# 0750 from directory_setup, so other users cannot reach it, and the file holds
# no secrets. TODO(review): the listener is written with tls_disable = true and
# plain-http api_addr/cluster_addr for the initial install — re-enable TLS
# (cert/key under /etc/vault.d/tls) and switch these to https before exposing
# the node beyond the install window.
sudo chown -R vault:vault /etc/vault.d