feat: add vault server profile
- add vault module to puppetfile - define class to manage the install and config of vault - manage the datavol and raft storage - manage the unzip and other compression tools - define custom unseal script and service - add documentation on initial setup of vault
@@ -0,0 +1,37 @@
|
||||
# profiles::vault::unseal
|
||||
class profiles::vault::unseal (
|
||||
Array[String] $unseal_keys = lookup('vault::unseal_keys', Array[String], 'first', []),
|
||||
Variant[
|
||||
Stdlib::HTTPSUrl,
|
||||
Stdlib::HTTPUrl
|
||||
] $vault_address = 'http://127.0.0.1:8200',
|
||||
){
|
||||
|
||||
# deploy the unseal keys file
|
||||
file { '/etc/vault/unseal_keys':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
content => Sensitive(template('profiles/vault/unseal_keys.erb')),
|
||||
require => Class['vault'],
|
||||
}
|
||||
|
||||
# deploy the unseal script
|
||||
file { '/usr/local/bin/vault-unseal.sh':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0750',
|
||||
content => template('profiles/vault/vault_unseal.sh.erb'),
|
||||
}
|
||||
|
||||
# create systemd service unit
|
||||
systemd::unit_file { 'vault-unseal.service':
|
||||
content => template('profiles/vault/vault-unseal.service.erb'),
|
||||
active => true,
|
||||
enable => true,
|
||||
require => File['/usr/local/bin/vault-unseal.sh'],
|
||||
subscribe => Service['vault'],
|
||||
}
|
||||
}
|
||||
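Review bot: `$unseal_keys` is declared as a plain `Array[String]` in the class header, so the keys travel as an ordinary class parameter and can appear in the compiled catalog, the agent's cached catalog and PuppetDB; wrapping only the `content` of `/etc/vault/unseal_keys` in `Sensitive()` redacts the file diff, not the parameter. Consider `Sensitive[Array[String]] $unseal_keys = Sensitive(lookup('vault::unseal_keys', Array[String], 'first', [])),` and unwrapping the value inside `unseal_keys.erb` (the template is not shown on this page, so that part is assumed). Separately, `$vault_address` accepts any `Stdlib::HTTPUrl`, so an override pointing off the loopback default would carry the keys over cleartext HTTP; either restrict overrides to `Stdlib::HTTPSUrl` or document that plain HTTP is only acceptable for `127.0.0.1`. A header comment on the class should also state that keeping every unseal key on the Vault node itself reduces the seal to root-only file permissions on that host plus whoever can read the Hiera data.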