feat: add vault server profile

- add vault module to puppetfile
- define class to manage the install and config of vault
- manage the datavol and raft storage
- manage the unzip and other compression tools
- define custom unseal script and service
- add documentation on initial setup of vault
2024-02-13 22:48:23 +11:00
parent f8b30f335b
commit fe05c86463
12 changed files with 237 additions and 1 deletions
@@ -0,0 +1,3 @@
<% @unseal_keys.each do |key| -%>
<%= key %>
<% end -%>
@@ -0,0 +1,14 @@
[Unit]
Description=Unseal Vault Service
After=vault.service network.target
Requires=vault.service
PartOf=vault.service
[Service]
Type=oneshot
ExecStart=/usr/local/bin/vault-unseal.sh
RemainAfterExit=yes
User=root
[Install]
WantedBy=multi-user.target
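Review bot: `User=root` on the `[Service]` line is more privilege than the unit needs: the ExecStart script only reads the unseal-keys file and issues HTTP requests, so a dedicated non-root account that owns `/etc/vault/unseal_keys` would satisfy least privilege and keep a compromise of the script from yielding root. Since `/usr/local/bin/vault-unseal.sh` runs with `RemainAfterExit=yes` under `multi-user.target`, the script file and its parent directory should be root-owned and not group/world-writable; the Puppet `file` resource that installs it is outside this hunk, so I cannot confirm its mode here. Consider also adding `ProtectSystem=strict` and `PrivateTmp=yes` to the `[Service]` section, which cost nothing for a oneshot that only talks to the API.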
@@ -0,0 +1,23 @@
#!/bin/bash
# Script to unseal Vault
VAULT_ADDR='<%= @vault_address %>'
UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'
# Check if Vault is sealed
is_sealed=$(curl -s ${VAULT_ADDR}/v1/sys/seal-status | jq -r '.sealed')
if [ "$is_sealed" != "true" ]; then
echo "Vault is already unsealed."
exit 0
fi
# Retrieve unseal keys from plaintext file
unseal_keys=$(cat "$UNSEAL_KEYS_FILE")
# Loop through the unseal keys and use them to unseal Vault
for key in $unseal_keys; do
curl --request PUT --data '{"key": "'$key'"}' $VAULT_ADDR/v1/sys/unseal
done
echo "Vault has been unsealed."
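Review bot: The seal-status check on the `is_sealed=$(curl -s ...)` line treats a failed request as "already unsealed": without `--fail` or a status check, a connection error or non-JSON body leaves `is_sealed` empty, the `!= "true"` test passes, and the script exits 0 having done nothing while the service reports success. On the `curl --request PUT --data '{"key": "'$key'"}'` line each unseal key is placed on curl's argv, where it is briefly visible to any local user via the process table, and the JSON is string-built from the key; `$VAULT_ADDR` is also unquoted on both curl lines and `for key in $unseal_keys` relies on word-splitting. The rewrite below fails closed on the status query, builds the request body with `jq` and passes it to curl on stdin, and reads the key file line by line. The unseal keys themselves are still plaintext on disk (written by the `unseal_keys` ERB template earlier in this commit); the permissions of that file resource are not in this hunk and should be confirmed to be root-only.
```shell
#!/bin/bash
set -euo pipefail
VAULT_ADDR='<%= @vault_address %>'
UNSEAL_KEYS_FILE='/etc/vault/unseal_keys'

# Fail closed: a failed status request must not be mistaken for "unsealed".
is_sealed=$(curl -sS --fail "${VAULT_ADDR}/v1/sys/seal-status" | jq -r '.sealed') || {
  echo "could not query seal status at ${VAULT_ADDR}" >&2
  exit 1
}
# … unchanged: early exit when is_sealed != "true" …

# Keep keys off argv: build the body with jq and hand it to curl on stdin.
while IFS= read -r key || [ -n "$key" ]; do
  [ -n "$key" ] || continue
  jq -n --arg k "$key" '{key: $k}' \
    | curl -sS --fail --request PUT --data @- "${VAULT_ADDR}/v1/sys/unseal" >/dev/null
done < "$UNSEAL_KEYS_FILE"
echo "Vault has been unsealed."
```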