48 lines
1.4 KiB
Puppet
48 lines
1.4 KiB
Puppet
# profiles::vault::unseal
|
|
class profiles::vault::unseal (
|
|
Array[String] $unseal_keys = lookup('vault::unseal_keys', Array[String], 'first', []),
|
|
Variant[
|
|
Stdlib::HTTPSUrl,
|
|
Stdlib::HTTPUrl
|
|
] $vault_address = 'http://127.0.0.1:8200',
|
|
){
|
|
|
|
# deploy the unseal keys file
|
|
file { '/etc/vault/unseal_keys':
|
|
ensure => file,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
content => Sensitive(template('profiles/vault/unseal_keys.erb')),
|
|
require => Class['vault'],
|
|
}
|
|
|
|
# deploy the unseal script
|
|
file { '/usr/local/bin/vault-unseal.sh':
|
|
ensure => file,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0750',
|
|
content => template('profiles/vault/vault_unseal.sh.erb'),
|
|
}
|
|
|
|
# create systemd service unit
|
|
systemd::unit_file { 'vault-unseal.service':
|
|
content => template('profiles/vault/vault-unseal.service.erb'),
|
|
active => true,
|
|
enable => true,
|
|
require => File['/usr/local/bin/vault-unseal.sh'],
|
|
subscribe => [Service['vault'],File['/etc/vault/unseal_keys']],
|
|
}
|
|
|
|
# restart the vault-unseal service hourly to ensure vault is unsealled
|
|
cron { 'restart_vault_unseal':
|
|
ensure => 'present',
|
|
user => 'root',
|
|
command => '/bin/systemctl restart vault-unseal',
|
|
minute => fqdn_rand(60),
|
|
hour => '*',
|
|
require => Service['vault-unseal.service'],
|
|
}
|
|
}
|