slawek/vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: slawek:81059760667d8bd0ea96949744142984a557bc82
Branches Tags
slawek:main
..
compare: slawek:a033498d45869a00b40f74f2f162efb8a384d001
Branches Tags
slawek:main

3 Commits
8105976066 ... a033498d45

Author SHA1 Message Date
Slawomir Koszewski
a033498d45 Added vault init, destroy, start and unseal scritps. 2026-01-02 22:44:16 +01:00
Slawomir Koszewski
b116ebab61 Add .gitignore file to exclude configuration, data, log files, and key files 2026-01-02 22:43:37 +01:00
Slawomir Koszewski
decda15318 Add initial Vault configuration file 2026-01-02 22:43:29 +01:00
7 changed files with 73 additions and 0 deletions
Expand all files Collapse all files

4
.gitignore vendored Normal file
View File

@@ -0,0 +1,4 @@
config
data
log
**/*.key

7
bin/vault-clear Executable file
View File

@@ -0,0 +1,7 @@
#!/usr/bin/env bash
set -e
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
rm -rf $REPO_ROOT/{config,data,log}

20
bin/vault-init Executable file
View File

@@ -0,0 +1,20 @@
#!/usr/bin/env bash
set -e
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
GPG_KEY_ID="slawek@koszewscy.waw.pl"
GPG_PUB_KEY_FILE="$REPO_ROOT/slawek.key"
if [[ ! -f "$GPG_PUB_KEY_FILE" ]]; then
gpg --export "$GPG_KEY_ID" > "$GPG_PUB_KEY_FILE"
fi
# Initialize the Vault and store the initialization output in a JSON file
# The single unseal key and the root token will be PGP-encrypted using the provided GPG public key
VAULT_ADDR='http://127.0.0.1:8200' vault operator init \
-key-shares=1 \
-key-threshold=1 \
-pgp-keys="$GPG_PUB_KEY_FILE" \
-root-token-pgp-key="$GPG_PUB_KEY_FILE" \
-format=json > $REPO_ROOT/config/vault-init.json

12
bin/vault-start Executable file
View File

@@ -0,0 +1,12 @@
#!/usr/bin/env bash
set -e
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
mkdir -p $REPO_ROOT/{config,data,log}
sed -e "s|{{VAULT_DATA_DIR}}|$REPO_ROOT/data|g" \
-e "s|{{VAULT_LOG_DIR}}|$REPO_ROOT/log|g" \
$REPO_ROOT/vault.hcl > $REPO_ROOT/config/vault.hcl
vault server -config=$REPO_ROOT/config/vault.hcl -log-file=$REPO_ROOT/log/vault.log

9
bin/vault-unseal Executable file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/env bash
set -e
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
UNSEAL_KEY_ENC=$(jq -r .unseal_keys_b64[0] $REPO_ROOT/config/vault-init.json)
vault operator unseal $(echo "$UNSEAL_KEY_ENC" | base64 -d | gpg -qd)
VAULT_ADDR='http://127.0.0.1:8200'

10
set-env Normal file
View File

@@ -0,0 +1,10 @@
# Check, if we have been sourced
if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
echo "This script must be sourced, not executed!" >&2
exit 1
fi
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN=$(jq -r .root_token config/vault-init.json | base64 -d | gpg -qd)

11
vault.hcl Normal file
View File

@@ -0,0 +1,11 @@
ui = true
disable_mlock = true
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 1
}
storage "file" {
path = "{{VAULT_DATA_DIR}}"
}