diff --git a/bin/vault-clear b/bin/vault-clear
new file mode 100755
index 0000000..3880147
--- /dev/null
+++ b/bin/vault-clear
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -e
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
+
+rm -rf $REPO_ROOT/{config,data,log}
diff --git a/bin/vault-init b/bin/vault-init
new file mode 100755
index 0000000..1df0e2f
--- /dev/null
+++ b/bin/vault-init
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -e
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
+GPG_KEY_ID="slawek@koszewscy.waw.pl"
+GPG_PUB_KEY_FILE="$REPO_ROOT/slawek.key"
+
+if [[ ! -f "$GPG_PUB_KEY_FILE" ]]; then
+ gpg --export "$GPG_KEY_ID" > "$GPG_PUB_KEY_FILE"
+fi
+
+# Initialize the Vault and store the initialization output in a JSON file
+# The single unseal key and the root token will be PGP-encrypted using the provided GPG public key
+VAULT_ADDR='http://127.0.0.1:8200' vault operator init \
+ -key-shares=1 \
+ -key-threshold=1 \
+ -pgp-keys="$GPG_PUB_KEY_FILE" \
+ -root-token-pgp-key="$GPG_PUB_KEY_FILE" \
+ -format=json > $REPO_ROOT/config/vault-init.json
diff --git a/bin/vault-start b/bin/vault-start
new file mode 100755
index 0000000..ef02295
--- /dev/null
+++ b/bin/vault-start
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -e
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
+
+mkdir -p $REPO_ROOT/{config,data,log}
+sed -e "s|{{VAULT_DATA_DIR}}|$REPO_ROOT/data|g" \
+ -e "s|{{VAULT_LOG_DIR}}|$REPO_ROOT/log|g" \
+ $REPO_ROOT/vault.hcl > $REPO_ROOT/config/vault.hcl
+
+vault server -config=$REPO_ROOT/config/vault.hcl -log-file=$REPO_ROOT/log/vault.log
diff --git a/bin/vault-unseal b/bin/vault-unseal
new file mode 100755
index 0000000..bf85509
--- /dev/null
+++ b/bin/vault-unseal
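Review bot: `rm -rf $REPO_ROOT/{config,data,log}` on the last line of vault-clear leaves the path unquoted, so a checkout whose path contains whitespace word-splits into several `rm` operands, and nothing in the line itself refuses an empty variable (only the earlier `set -e` stands between a failed `cd` and `rm -rf /config`). Write it as `rm -rf -- "${REPO_ROOT:?}"/{config,data,log}`: `:?` aborts on an empty or unset value and `--` stops a path beginning with `-` being parsed as an option. Since `data` is the Vault storage backend and `config/vault-init.json` is where vault-init stores the PGP-encrypted unseal key and root token, a short `read -r -p` confirmation before the `rm` would be cheap insurance against running this script in the wrong checkout.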
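Review bot: The redirect `> $REPO_ROOT/config/vault-init.json` on the last line of vault-init is opened and truncated by the shell before `vault operator init` starts, so re-running the script against an already-initialized Vault (where init fails) empties the existing file, including the encrypted unseal key and root token it held, and `set -e` only stops the script after the damage is done. Adding `set -o noclobber` right after `set -e` makes the redirect itself fail while the file is still intact, and the target should be quoted: `-format=json > "$REPO_ROOT/config/vault-init.json"`. `GPG_KEY_ID` is a user-id string rather than a fingerprint, so `gpg --export` emits whichever keyring entry carries that e-mail; pinning the full fingerprint (`GPG_KEY_ID="<FULL-FINGERPRINT>"`) makes sure the init secrets are encrypted to the intended key. The `[[ ! -f ]]` guard also preserves a zero-byte `slawek.key` forever if the export matched nothing, because the redirect creates the file regardless of gpg's result; testing with `-s` instead retries the export in that case.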
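Review bot: In vault-start `$REPO_ROOT` is interpolated unescaped into the sed replacement text on both `-e` lines and left unquoted everywhere else, so a checkout path containing a space, `|` (the chosen delimiter) or `&` (sed's whole-match metacharacter in a replacement) either word-splits the command or silently writes a wrong data or log directory into `config/vault.hcl`. Quote every use (`"$REPO_ROOT/vault.hcl" > "$REPO_ROOT/config/vault.hcl"`, `-config="$REPO_ROOT/config/vault.hcl" -log-file="$REPO_ROOT/log/vault.log"`) and, since the path is under the script's control, either escape `&`, `|` and `\` before substitution or assert the path contains none of them. `mkdir -p` also creates `data`, which holds the storage backend, with the umask default; `chmod 700 "$REPO_ROOT/data"` after the mkdir keeps other local users out. vault.hcl itself is not part of this diff, so the listener and TLS settings it declares cannot be reviewed here.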
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -e
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
+
+UNSEAL_KEY_ENC=$(jq -r .unseal_keys_b64[0] $REPO_ROOT/config/vault-init.json)
+vault operator unseal $(echo "$UNSEAL_KEY_ENC" | base64 -d | gpg -qd)
+VAULT_ADDR='http://127.0.0.1:8200'
diff --git a/set-env b/set-env
new file mode 100644
index 0000000..4d511fb
--- /dev/null
+++ b/set-env
@@ -0,0 +1,10 @@
+# Check, if we have been sourced
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+ echo "This script must be sourced, not executed!" >&2
+ exit 1
+fi
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+export VAULT_ADDR='http://127.0.0.1:8200'
+export VAULT_TOKEN=$(jq -r .root_token config/vault-init.json | base64 -d | gpg -qd)
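Review bot: The bare `VAULT_ADDR='http://127.0.0.1:8200'` on the last line of vault-unseal is a plain assignment after the command it was presumably meant to prefix, so it has no effect and `vault operator unseal` on the line above talks to whatever address the CLI defaults to (https on 127.0.0.1:8200 unless the caller already exported VAULT_ADDR), which will not reach the http listener the other scripts assume. The decrypted unseal key is also handed over as a command-line argument through `$(...)`, where it is visible in `ps` output for the duration of the call, and it is unquoted, as are the jq filter `.unseal_keys_b64[0]` (a glob pattern to bash) and the JSON path. Exporting the address first and piping the decrypted key into the command keeps it off the argument list; the CLI prompts for the key when none is given — confirm the installed version accepts it on a piped stdin. Without `set -o pipefail` a gpg failure inside the substitution also goes unnoticed, because `set -e` does not see a failing command substitution used as an argument.
```shell
set -eo pipefail
# … unchanged: REPO_ROOT …
export VAULT_ADDR='http://127.0.0.1:8200'
jq -r '.unseal_keys_b64[0]' "$REPO_ROOT/config/vault-init.json" \
  | base64 -d \
  | gpg -qd \
  | vault operator unseal
```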
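Review bot: `REPO_ROOT` is computed on line 7 of set-env and then never used: the last line reads `config/vault-init.json` relative to the caller's working directory, so sourcing the file from anywhere but the repository root decrypts nothing and still exports an empty `VAULT_TOKEN`, because `export VAR=$(cmd)` returns the status of `export`, not of the pipeline. Assign first and export separately: `VAULT_TOKEN="$(jq -r .root_token "$REPO_ROOT/config/vault-init.json" | base64 -d | gpg -qd)" || return 1` followed by `export VAULT_TOKEN`. What is exported is the root token, which every child process of that shell inherits for the rest of the session; the header comment should say so, and using it only to mint a scoped token for day-to-day work would limit what a leaked environment exposes.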