Skip to content

Instantly share code, notes, and snippets.

View tbeyer567's full-sized avatar

Tim Beyer tbeyer567

  • Portland, OR
View GitHub Profile
@tbeyer567
tbeyer567 / eng-kv-policy.hcl
Created October 21, 2021 20:44
path "engineering/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
@tbeyer567
tbeyer567 / eng-kv-policy.hcl
Created October 21, 2021 20:46
path "engineering/*" {
capabilities = ["create", "read", "update", "delete", "list"
}
path "support/*" {
capabilities = ["deny"]
}
@tbeyer567
tbeyer567 / gist:2582fbeb92b54ce02f55f596dd016b06
Last active October 24, 2021 19:47
# Enable userpass auth method
resource "vault_auth_backend" "userpass" {
type = "userpass"
}
resource "vault_generic_endpoint" "admin" {
depends_on = [vault_auth_backend.userpass]
path = "auth/userpass/users/admin"
ignore_absent_fields = true
@tbeyer567
tbeyer567 / example site.yml
Created November 29, 2021 17:10
- hosts: all
become: true
remote_user:
roles:
- ansible-role-vault
@tbeyer567
tbeyer567 / ansible-systemd-overrides.txt
Created November 29, 2021 19:58
- name: Create systemd overrides directory
ansible.builtin.file:
path: /etc/systemd/system/vault.service.d
state: directory
owner: root
group: root
mode: '0755'
- name: Create systemd overrides file
ansible.builtin.copy:
@tbeyer567
tbeyer567 / gist:d671132ba3e32920a80d878138bfc3e8
Created January 10, 2022 21:24
/var/log/vault/audit.log {
rotate 30
daily
# Do not execute rotate if the log file is empty.
notifempty
missingok
compress
# Set compress on next rotate cycl to prevent entry loss when performing compression.
delaycompress
postrotate
@tbeyer567
tbeyer567 / vault logrotate
Created January 31, 2022 16:30
/var/log/vault/vault-audit.log {
rotate 30
daily
# Do not execute rotate if the log file is empty.
notifempty
missingok
compress
# Set compress on next rotate cycl to prevent entry loss when performing compression.
delaycompress
postrotate
@tbeyer567
tbeyer567 / systemd unit file
Created March 21, 2022 17:32
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty={{ vault_config_file }}
StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
@tbeyer567
tbeyer567 / vault.hcl
Created March 21, 2022 18:01
listener "tcp" {
address = "[::]:8200"
tls_cert_file = "/etc/vault.d/tls/cert.pem"
tls_key_file = "/etc/vault.d/tls/key.pem"
tls_require_and_verify_client_cert = false
tls_disable_client_certs = true
}
storage "raft" {
@tbeyer567
tbeyer567 / vault install script
Last active July 14, 2022 18:54
#!/usr/bin/env bash
set -euxo pipefail
export VAULT_NODE_ID="GIEGTIVLP18994C"
export VAULT_NODE_IP_ADDR="10.27.84.13"
echo "Installing Vault Enterpise"
sudo cp /tmp/vault /usr/bin/