-rw-r--r-- | ChangeLog | 3 | ||||
-rwxr-xr-x | accounts | 1 | ||||
-rwxr-xr-x | bin-security/vault-bin/BUILD | 1 | ||||
-rwxr-xr-x | bin-security/vault-bin/DEPENDS | 3 | ||||
-rwxr-xr-x | bin-security/vault-bin/DETAILS | 31 | ||||
-rwxr-xr-x | bin-security/vault-bin/FINAL | 4 | ||||
-rw-r--r-- | bin-security/vault-bin/HISTORY | 3 | ||||
-rwxr-xr-x | bin-security/vault-bin/INSTALL | 19 | ||||
-rwxr-xr-x | bin-security/vault-bin/PRE_BUILD | 4 | ||||
-rw-r--r-- | bin-security/vault-bin/files/vault.hcl | 18 | ||||
-rwxr-xr-x | bin-security/vault-bin/init.d/vault | 29 | ||||
-rw-r--r-- | bin-security/vault-bin/init.d/vault.conf | 3 | ||||
-rwxr-xr-x | groups | 1 |
13 files changed, 119 insertions, 1 deletions
@@ -2,7 +2,8 @@ * bin-net/consul-bin: new spell, service discovery and configuration tool * bin-utils/consul-template-bin: new spell, template rendering and notifications with Consul
- * accounts, groups: added account data for consul-bin and
+ * bin-security/vault-bin: new spell, tool for managing secrets
+ * accounts, groups: added account data for consul-bin, vault-bin and
 consul-template-bin spells
 2021-06-04 Treeve Jelbert <treeve@sourcemage.org>
@@ -7,3 +7,4 @@ ontopia:39:36
 tomcat7:40:35
 consul:217:217
 consul-template:218:218
+vault:219:219
diff --git a/bin-security/vault-bin/BUILD b/bin-security/vault-bin/BUILD
new file mode 100755
index 0000000..43597bb
--- /dev/null
+++ b/bin-security/vault-bin/BUILD
@@ -0,0 +1 @@
+create_account vault
diff --git a/bin-security/vault-bin/DEPENDS b/bin-security/vault-bin/DEPENDS
new file mode 100755
index 0000000..ec62c6d
--- /dev/null
+++ b/bin-security/vault-bin/DEPENDS
@@ -0,0 +1,3 @@
+depends unzip &&
+# for syslog logging
+depends util-linux
diff --git a/bin-security/vault-bin/DETAILS b/bin-security/vault-bin/DETAILS
new file mode 100755
index 0000000..b2fc01a
--- /dev/null
+++ b/bin-security/vault-bin/DETAILS
@@ -0,0 +1,31 @@
+ SPELL=vault-bin
+ SPELLX=${SPELL/-bin/}
+ VERSION=1.7.3
+if [[ "${SMGL_COMPAT_ARCHS[1]}" == "x86_64" || "${SMGL_COMPAT_ARCHS[1]}" == "em64t" ]]; then
+ ARCH=amd64
+ SOURCE_HASH=sha256:8453132a93b755c0a89dd4b2f1a99bd4af06f8167b81917f117080839031e03f:UPSTREAM_HASH
+else
+ ARCH=386
+ SOURCE_HASH=sha256:bc68f2e611097e08f1d6c045a787036383085b51b85073c8f0a78ae5dc5f8b0b:UPSTREAM_HASH
+fi
+ SOURCE=${SPELLX}_${VERSION}_linux_${ARCH}.zip
+ SOURCE_URL[0]=https://releases.hashicorp.com/${SPELLX}/${VERSION}/${SOURCE}
+SOURCE_DIRECTORY="${BUILD_DIRECTORY}/${SPELL}-${VERSION}"
+ GATHER_DOCS=off
+ WEB_SITE=https://www.vaultproject.io/
+ ENTERED=20210701
+ LICENSE[0]=MPL
+ SHORT="tool for managing secrets"
+cat << EOF
+Vault is a tool for securely accessing secrets. A secret is anything that you
+want to tightly control access to, such as API keys, passwords, certificates,
+and more. Vault provides a unified interface to any secret, while providing
+tight access control and recording a detailed audit log.
+
+A modern system requires access to a multitude of secrets: database credentials,
+API keys for external services, credentials for service-oriented architecture
+communication, etc. Understanding who is accessing what secrets is already very
+difficult and platform-specific. Adding on key rolling, secure storage, and
+detailed audit logs is almost impossible without a custom solution. This is
+where Vault steps in.
+EOF
diff --git a/bin-security/vault-bin/FINAL b/bin-security/vault-bin/FINAL
new file mode 100755
index 0000000..1571059
--- /dev/null
+++ b/bin-security/vault-bin/FINAL
@@ -0,0 +1,4 @@
+# binaries require /lib64
+if [ ! -d "${INSTALL_ROOT}/lib64" ]; then
+ ln -vsf "${TRACK_ROOT}/lib" "${INSTALL_ROOT}/lib64"
+fi
diff --git a/bin-security/vault-bin/HISTORY b/bin-security/vault-bin/HISTORY
new file mode 100644
index 0000000..9ed209f
--- /dev/null
+++ b/bin-security/vault-bin/HISTORY
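Review bot: The `if/else` in DETAILS maps every architecture other than x86_64/em64t to `ARCH=386`, so on an ARM or other non-x86 host the spell fetches the 32-bit x86 zip, the pinned i386 hash still matches it, and an unusable binary gets installed. Make the 32-bit case an explicit `elif` on whatever value the grimoire uses for i386 and have a final `else` fail the cast with a clear message, or add the upstream `arm`/`arm64` zips with their own hashes. Separately, both hashes carry the `:UPSTREAM_HASH` tag, which I read as "copied from the vendor's SHA256SUMS without independent verification"; for a secrets manager it is worth checking that SHA256SUMS file against HashiCorp's detached `SHA256SUMS.sig` and release-signing key before pinning, so the tag can be dropped and the pin actually vouches for the binary.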
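Review bot: FINAL creates a system-wide `${INSTALL_ROOT}/lib64 -> ${TRACK_ROOT}/lib` symlink as a side effect of this spell; as far as I know FINAL runs outside install tracking, so the link is not owned by the spell, survives dispel, and is shared with any other -bin spell doing the same. The comment `# binaries require /lib64` should say what actually requires it — presumably the ELF interpreter path `/lib64/ld-linux-x86-64.so.2` baked into the upstream build; confirm with `readelf -l` or `ldd` on the unzipped `vault`, and if the binary turns out to be statically linked, drop FINAL entirely. Also note the guard `[ ! -d ... ]` is true for a dangling `/lib64` symlink, in which case `ln -sf` silently replaces whatever it pointed at, which is fine but worth a word in the comment.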
@@ -0,0 +1,3 @@
+2021-07-01 Vlad Glagolev <stealth@sourcemage.org>
+ * DETAILS, DEPENDS, {PRE_,}BUILD, INSTALL, init.d, files: created
+ spell, version 1.7.3
diff --git a/bin-security/vault-bin/INSTALL b/bin-security/vault-bin/INSTALL
new file mode 100755
index 0000000..e2499a3
--- /dev/null
+++ b/bin-security/vault-bin/INSTALL
@@ -0,0 +1,19 @@
+# /usr/bin is handled by smgl-fhs
+install -vm 755 vault "${INSTALL_ROOT}/usr/bin" &&
+
+local config_dir="${INSTALL_ROOT}/etc/${SPELLX}.d" &&
+local data_dir="${INSTALL_ROOT}/var/lib/${SPELLX}" &&
+
+if [ ! -d "${config_dir}" ]; then
+ install -vm 750 -o root -g vault -d "${config_dir}"
+fi &&
+
+if [ ! -d "${data_dir}" ]; then
+ install -vm 750 -o vault -g vault -d "${data_dir}"
+fi &&
+
+install_config_file "${SPELL_DIRECTORY}/files/vault.hcl" \
+ "${config_dir}/vault.hcl" &&
+
+chown root:vault "${config_dir}/vault.hcl" &&
+chmod 0640 "${config_dir}/vault.hcl"
diff --git a/bin-security/vault-bin/PRE_BUILD b/bin-security/vault-bin/PRE_BUILD
new file mode 100755
index 0000000..5416781
--- /dev/null
+++ b/bin-security/vault-bin/PRE_BUILD
@@ -0,0 +1,4 @@
+mk_source_dir "${SOURCE_DIRECTORY}" &&
+cd "${SOURCE_DIRECTORY}" &&
+
+unpack_file ''
diff --git a/bin-security/vault-bin/files/vault.hcl b/bin-security/vault-bin/files/vault.hcl
new file mode 100644
index 0000000..20227b8
--- /dev/null
+++ b/bin-security/vault-bin/files/vault.hcl
@@ -0,0 +1,18 @@
+api_addr = "http://127.0.0.1:8200"
+cluster_addr = "http://127.0.0.1:8201"
+#cluster_name = "vault"
+disable_mlock = "true"
+log_level = "Info"
+plugin_directory = "/var/lib/vault/plugins/"
+ui = "true"
+
+listener "tcp" {
+ address = "127.0.0.1:8200"
+ cluster_address = "127.0.0.1:8201"
+ tls_disable = "true"
+}
+
+storage "raft" {
+ path = "/var/lib/vault/storage/"
+ #node_id = "hostname"
+}
diff --git a/bin-security/vault-bin/init.d/vault b/bin-security/vault-bin/init.d/vault
new file mode 100755
index 0000000..a974806
--- /dev/null
+++ b/bin-security/vault-bin/init.d/vault
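Review bot: INSTALL creates `/var/lib/vault` but not the two subdirectories the shipped vault.hcl points at, `plugins/` for `plugin_directory` and `storage/` for the raft `path`; I believe Vault creates the raft path itself on first start, but I am not sure whether a missing plugin directory is rejected at startup or only when a plugin is registered, so it is safer to create it here. Prefer root ownership with group read for the service account, `install -vm 750 -o root -g vault -d "${data_dir}/plugins"`, so a compromised vault process cannot write into the directory it loads plugins from — Vault only needs to read them. The 0640 root:vault config file and the 0750 vault:vault data directory are the right least-privilege choices and should stay as they are.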
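Review bot: The listener sets `tls_disable = "true"` and `api_addr`/`cluster_addr` use plain `http://`, which is only acceptable because `address` is bound to 127.0.0.1; change that one field to a real interface and every token and secret crosses the network in cleartext, with Vault emitting nothing stronger than a startup warning. Since this is the shipped default, put the constraint next to the setting: `# TLS is off ONLY because this listener is loopback-only. Before binding any other address, set tls_cert_file/tls_key_file, tls_disable = "false", and switch api_addr to https.` `disable_mlock = "true"` is HashiCorp's recommendation for integrated (raft) storage, which this file uses, and it matches the service running unprivileged under `su` in the init script, so it is correct — a one-line comment saying so would stop an admin from "hardening" it back and breaking raft. `ui = "true"` serves the web UI on the same listener and inherits the same loopback-only caveat.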
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+. /etc/sysconfig/vault
+
+PROGRAM=/usr/bin/vault
+ARGS="server -config=/etc/vault.d $VAULT_ARGS"
+RUNLEVEL=3
+NEEDS="+network"
+
+start() {
+ echo "Starting $NAME..."
+
+ TIMEOUT=3
+
+ su vault -s /bin/sh -c "set -o pipefail; $PROGRAM $ARGS 2>&1 | logger -ip daemon.info -t vault" &
+ ppid=$!
+
+ sleep $TIMEOUT && pgrep -P $ppid > /dev/null || wait $ppid
+
+ evaluate_retval
+}
+
+stop() {
+ echo "Stopping $NAME..."
+
+ killproc "vault server" SIGINT
+}
+
+. /etc/init.d/smgl_init
diff --git a/bin-security/vault-bin/init.d/vault.conf b/bin-security/vault-bin/init.d/vault.conf
new file mode 100644
index 0000000..6a3b9fd
--- /dev/null
+++ b/bin-security/vault-bin/init.d/vault.conf
@@ -0,0 +1,3 @@
+# For the arguments and description see ``vault server --help''
+
+VAULT_ARGS=""
@@ -4,3 +4,4 @@ tomcat:35:
 ontopia:36:
 consul:217:
 consul-template:218:
+vault:219:
|
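Review bot: In `start()` the `$ARGS` string (and with it `$VAULT_ARGS` from the sysconfig file) is spliced into the text handed to `su ... -c "..."`, so the inner `/bin/sh` re-parses it: words are split and globbed a second time and any `;`, `$(`, or quote in /etc/sysconfig/vault runs as shell instead of reaching `vault server` as an argument. The file is root-owned, so this is a foot-gun rather than an injection, but it also makes it impossible to pass an argument containing spaces. Pass the command as positional parameters so the inner shell never re-parses them (util-linux and shadow `su` forward trailing arguments to the shell): `su vault -s /bin/sh -c 'set -o pipefail; "$0" "$@" 2>&1 | logger -ip daemon.info -t vault' "$PROGRAM" server -config=/etc/vault.d $VAULT_ARGS &`. Two smaller points: `set -o pipefail` inside `/bin/sh -c` assumes /bin/sh is bash (I believe it is on Source Mage, but it fails with "Illegal option" on dash), and the `sleep $TIMEOUT && pgrep -P` probe only reports failures that happen in the first three seconds, so a later startup error is visible only in syslog while the init script still reports success.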