From 7863d542754063c322323bce9e14d5fcdc36aa0b Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Tue, 6 Aug 2024 22:51:16 +1000
Subject: [PATCH] feat: auto-unseal vault every hour

- add cron job to run vault unsealing service hourly
---
 site/profiles/manifests/vault/unseal.pp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/site/profiles/manifests/vault/unseal.pp b/site/profiles/manifests/vault/unseal.pp
index cff32a1..e7fe809 100644
--- a/site/profiles/manifests/vault/unseal.pp
+++ b/site/profiles/manifests/vault/unseal.pp
@@ -34,4 +34,14 @@ class profiles::vault::unseal (
 require => File['/usr/local/bin/vault-unseal.sh'],
 subscribe => [Service['vault'],File['/etc/vault/unseal_keys']],
 }
+
+ # restart the vault-unseal service hourly to ensure vault is unsealled
+ cron { 'restart_vault_unseal':
+ ensure => 'present',
+ user => 'root',
+ command => '/bin/systemctl restart vault-unseal',
+ minute => fqdn_rand(60),
+ hour => '*',
+ require => Service['vault-unseal'],
+ }
 }
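Review bot: The new `cron { 'restart_vault_unseal': }` resource restarts the unseal service every hour with no off switch, so a deliberate `vault operator seal` during an incident would presumably be reversed within the hour using the keys in `/etc/vault/unseal_keys`. What `vault-unseal.sh` actually does is not visible in this hunk, so this should be confirmed against the script. I would make the job switchable with a class parameter such as `Boolean $hourly_unseal = true` and `ensure => $hourly_unseal ? { true => 'present', default => 'absent' },`; the class parameter list is outside the hunk. The comment above the resource should also state that sealing Vault by hand requires disabling this job first, and it is worth confirming that the key file is readable by root only, since its `file` resource is not shown here.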