

3 Commits

7 changed files with 73 additions and 0 deletions

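--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+config
+data
+log
+**/*.key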

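--- a/bin/vault-clear
+++ b/bin/vault-clear
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -e
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
+rm -rf $REPO_ROOT/{config,data,log}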
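Review bot: `rm -rf $REPO_ROOT/{config,data,log}` expands REPO_ROOT unquoted, so a checkout path containing whitespace or glob characters would split into unrelated arguments of a recursive delete; the same unquoted `$REPO_ROOT` appears in bin/vault-init (the redirect target), bin/vault-start (mkdir, sed and the vault server flags) and bin/vault-unseal (the jq argument). Quoting the variable and refusing an empty value keeps the brace expansion intact: `rm -rf -- "${REPO_ROOT:?}"/{config,data,log}`. Since config holds vault-init.json, the only copy of the PGP-encrypted unseal key and root token, this script makes the Vault data unrecoverable; a header comment stating that, e.g. `# Destroys the local Vault including config/vault-init.json (unseal key + root token)`, would be worth adding.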

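--- a/bin/vault-init
+++ b/bin/vault-init
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -e
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
+GPG_KEY_ID="slawek@koszewscy.waw.pl"
+GPG_PUB_KEY_FILE="$REPO_ROOT/slawek.key"
+if [[ ! -f "$GPG_PUB_KEY_FILE" ]]; then
+gpg --export "$GPG_KEY_ID" > "$GPG_PUB_KEY_FILE"
+fi
+# Initialize the Vault and store the initialization output in a JSON file
+# The single unseal key and the root token will be PGP-encrypted using the provided GPG public key
+VAULT_ADDR='http://127.0.0.1:8200' vault operator init \
+-key-shares=1 \
+-key-threshold=1 \
+-pgp-keys="$GPG_PUB_KEY_FILE" \
+-root-token-pgp-key="$GPG_PUB_KEY_FILE" \
+-format=json > $REPO_ROOT/config/vault-init.json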
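Review bot: The redirect `> $REPO_ROOT/config/vault-init.json` on the last line is opened by the shell before `vault operator init` runs, so re-running this script against an already-initialized Vault truncates the file — and with it the only copy of the PGP-encrypted unseal key and root token — before vault exits with its already-initialized error. Refuse to overwrite an existing file and quote the path: `INIT_FILE="$REPO_ROOT/config/vault-init.json"`, `[[ -e "$INIT_FILE" ]] && { echo "refusing to overwrite $INIT_FILE" >&2; exit 1; }`, then `-format=json > "$INIT_FILE"`. Separately, `gpg --export` may leave an empty slawek.key without a non-zero status when the key id is not in the keyring (verify for the gpg version in use), and the `-f` test then reuses that empty file on every later run; a `[[ -s "$GPG_PUB_KEY_FILE" ]] || exit 1` after the export would catch it.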

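--- a/bin/vault-start
+++ b/bin/vault-start
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -e
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
+mkdir -p $REPO_ROOT/{config,data,log}
+sed -e "s|{{VAULT_DATA_DIR}}|$REPO_ROOT/data|g" \
+-e "s|{{VAULT_LOG_DIR}}|$REPO_ROOT/log|g" \
+$REPO_ROOT/vault.hcl > $REPO_ROOT/config/vault.hcl
+vault server -config=$REPO_ROOT/config/vault.hcl -log-file=$REPO_ROOT/log/vault.log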
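Review bot: The two sed expressions interpolate `$REPO_ROOT` into the replacement text, where `&` and the `|` delimiter are special, so a checkout path containing either produces a corrupted config/vault.hcl, and the unquoted `$REPO_ROOT` in the sed operands and in the `vault server` line word-splits on whitespace. Quote the expansions, e.g. `vault server -config="$REPO_ROOT/config/vault.hcl" -log-file="$REPO_ROOT/log/vault.log"`, and quote the sed input and output paths the same way. Because config/vault.hcl is regenerated from vault.hcl on every start, a one-line comment above the sed call, `# config/vault.hcl is generated from vault.hcl on each start; edit the template, not the output`, would prevent hand edits from being silently discarded.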

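--- a/bin/vault-unseal
+++ b/bin/vault-unseal
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -e
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
+UNSEAL_KEY_ENC=$(jq -r .unseal_keys_b64[0] $REPO_ROOT/config/vault-init.json)
+vault operator unseal $(echo "$UNSEAL_KEY_ENC" | base64 -d | gpg -qd)
+VAULT_ADDR='http://127.0.0.1:8200'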
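Review bot: `VAULT_ADDR='http://127.0.0.1:8200'` on the last line is assigned after the `vault operator unseal` call and is not exported, so it has no effect on it; unless the caller has already exported VAULT_ADDR (for example by sourcing set-env), the CLI falls back to its default of https://127.0.0.1:8200, which will not reach the tls_disable listener declared in vault.hcl. Move it ahead of the call in the form bin/vault-init already uses: `VAULT_ADDR='http://127.0.0.1:8200' vault operator unseal ...`. Passing the decrypted unseal key as a positional argument also exposes it in the process list and in any `set -x` trace; `vault operator unseal` reads the key from stdin when no argument is given (verify for the installed version), so piping `gpg -qd` output straight into the command keeps it off the command line. The jq argument `$REPO_ROOT/config/vault-init.json` should be quoted as well.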

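--- a/set-env
+++ b/set-env
@@ -0,0 +1,10 @@
+# Check, if we have been sourced
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+echo "This script must be sourced, not executed!" >&2
+exit 1
+fi
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+export VAULT_ADDR='http://127.0.0.1:8200'
+export VAULT_TOKEN=$(jq -r .root_token config/vault-init.json | base64 -d | gpg -qd)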
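Review bot: `jq -r .root_token config/vault-init.json` on the last line resolves the path against the caller's working directory even though `REPO_ROOT` is computed two lines above for exactly that purpose, so sourcing the file from anywhere but the repository root fails; and because the pipeline sits inside `export VAR=$(...)`, its exit status is masked and VAULT_TOKEN is silently exported as an empty string when jq, base64 or gpg fails. Split the assignment from the export and use the computed root: `VAULT_TOKEN=$(jq -r .root_token "$REPO_ROOT/config/vault-init.json" | base64 -d | gpg -qd) || return 1`, then `export VAULT_TOKEN`. The decrypted root token then lives in the environment of the interactive shell and every process it starts; a header comment noting that, and that `unset VAULT_TOKEN` reverses it, would document the trade-off for whoever sources this.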

11
vault.hcl Normal file

@@ -0,0 +1,11 @@
ui = true
disable_mlock = true
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 1
}
storage "file" {
path = "{{VAULT_DATA_DIR}}"
}