-rw-r--r--ChangeLog3
-rwxr-xr-xaccounts1
-rwxr-xr-xbin-security/vault-bin/BUILD1
-rwxr-xr-xbin-security/vault-bin/DEPENDS3
-rwxr-xr-xbin-security/vault-bin/DETAILS31
-rwxr-xr-xbin-security/vault-bin/FINAL4
-rw-r--r--bin-security/vault-bin/HISTORY3
-rwxr-xr-xbin-security/vault-bin/INSTALL19
-rwxr-xr-xbin-security/vault-bin/PRE_BUILD4
-rw-r--r--bin-security/vault-bin/files/vault.hcl18
-rwxr-xr-xbin-security/vault-bin/init.d/vault29
-rw-r--r--bin-security/vault-bin/init.d/vault.conf3
-rwxr-xr-xgroups1
13 files changed, 119 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index e8072ae..86a5d49 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,7 +2,8 @@
* bin-net/consul-bin: new spell, service discovery and configuration tool
* bin-utils/consul-template-bin: new spell, template rendering and
notifications with Consul
- * accounts, groups: added account data for consul-bin and
+ * bin-security/vault-bin: new spell, tool for managing secrets
+ * accounts, groups: added account data for consul-bin, vault-bin and
consul-template-bin spells
2021-06-04 Treeve Jelbert <treeve@sourcemage.org>
diff --git a/accounts b/accounts
index c013d98..63f1bbd 100755
--- a/accounts
+++ b/accounts
@@ -7,3 +7,4 @@ ontopia:39:36
tomcat7:40:35
consul:217:217
consul-template:218:218
+vault:219:219
diff --git a/bin-security/vault-bin/BUILD b/bin-security/vault-bin/BUILD
new file mode 100755
index 0000000..43597bb
--- /dev/null
+++ b/bin-security/vault-bin/BUILD
@@ -0,0 +1 @@
+create_account vault
diff --git a/bin-security/vault-bin/DEPENDS b/bin-security/vault-bin/DEPENDS
new file mode 100755
index 0000000..ec62c6d
--- /dev/null
+++ b/bin-security/vault-bin/DEPENDS
@@ -0,0 +1,3 @@
+depends unzip &&
+# for syslog logging
+depends util-linux
diff --git a/bin-security/vault-bin/DETAILS b/bin-security/vault-bin/DETAILS
new file mode 100755
index 0000000..b2fc01a
--- /dev/null
+++ b/bin-security/vault-bin/DETAILS
@@ -0,0 +1,31 @@
+ SPELL=vault-bin
+ SPELLX=${SPELL/-bin/}
+ VERSION=1.7.3
+if [[ "${SMGL_COMPAT_ARCHS[1]}" == "x86_64" || "${SMGL_COMPAT_ARCHS[1]}" == "em64t" ]]; then
+ ARCH=amd64
+ SOURCE_HASH=sha256:8453132a93b755c0a89dd4b2f1a99bd4af06f8167b81917f117080839031e03f:UPSTREAM_HASH
+else
+ ARCH=386
+ SOURCE_HASH=sha256:bc68f2e611097e08f1d6c045a787036383085b51b85073c8f0a78ae5dc5f8b0b:UPSTREAM_HASH
+fi
+ SOURCE=${SPELLX}_${VERSION}_linux_${ARCH}.zip
+ SOURCE_URL[0]=https://releases.hashicorp.com/${SPELLX}/${VERSION}/${SOURCE}
+SOURCE_DIRECTORY="${BUILD_DIRECTORY}/${SPELL}-${VERSION}"
+ GATHER_DOCS=off
+ WEB_SITE=https://www.vaultproject.io/
+ ENTERED=20210701
+ LICENSE[0]=MPL
+ SHORT="tool for managing secrets"
+cat << EOF
+Vault is a tool for securely accessing secrets. A secret is anything that you
+want to tightly control access to, such as API keys, passwords, certificates,
+and more. Vault provides a unified interface to any secret, while providing
+tight access control and recording a detailed audit log.
+
+A modern system requires access to a multitude of secrets: database credentials,
+API keys for external services, credentials for service-oriented architecture
+communication, etc. Understanding who is accessing what secrets is already very
+difficult and platform-specific. Adding on key rolling, secure storage, and
+detailed audit logs is almost impossible without a custom solution. This is
+where Vault steps in.
+EOF
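Review bot: The arch switch at L67–L73 falls through to `ARCH=386` for every target that is not x86_64/em64t, so a non-x86 host (arm, aarch64) would silently fetch the 32-bit x86 zip and fail only when the binary is executed. A guard that stops early would be clearer: `else ARCH=386 ... fi` could become an explicit branch for the i386-class values of `SMGL_COMPAT_ARCHS[1]` with a final `*)`-style fallback that errors out, or at least a comment stating that only x86 builds are published here. The two pinned SHA-256 values are tagged `:UPSTREAM_HASH`; if I read that suffix correctly it means they were copied from upstream rather than computed locally, so a comment naming the source and how it was checked, e.g. `# from vault_1.7.3_SHA256SUMS, verified against the .sig with HashiCorp's release key`, would let the next bumper repeat the same check.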
diff --git a/bin-security/vault-bin/FINAL b/bin-security/vault-bin/FINAL
new file mode 100755
index 0000000..1571059
--- /dev/null
+++ b/bin-security/vault-bin/FINAL
@@ -0,0 +1,4 @@
+# binaries require /lib64
+if [ ! -d "${INSTALL_ROOT}/lib64" ]; then
+ ln -vsf "${TRACK_ROOT}/lib" "${INSTALL_ROOT}/lib64"
+fi
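Review bot: The `/lib64` symlink at L103 is created system-wide whenever the directory is missing, regardless of which zip DETAILS selected, and the comment does not say which binary needs it or why. If the need is the amd64 dynamic-loader path (presumably `/lib64/ld-linux-x86-64.so.2`, but I can't confirm from here), then the 386 build creates the link for nothing, and a persistent top-level symlink is worth calling out because it outlives the spell. Assuming `ARCH` from DETAILS is still in scope in FINAL, I would narrow the guard to `if [[ "${ARCH}" == "amd64" && ! -d "${INSTALL_ROOT}/lib64" ]]; then` and expand the comment to `# amd64 release binary is dynamically linked against /lib64/... — verify on next version bump`.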
diff --git a/bin-security/vault-bin/HISTORY b/bin-security/vault-bin/HISTORY
new file mode 100644
index 0000000..9ed209f
--- /dev/null
+++ b/bin-security/vault-bin/HISTORY
@@ -0,0 +1,3 @@
+2021-07-01 Vlad Glagolev <stealth@sourcemage.org>
+ * DETAILS, DEPENDS, {PRE_,}BUILD, INSTALL, init.d, files: created
+ spell, version 1.7.3
diff --git a/bin-security/vault-bin/INSTALL b/bin-security/vault-bin/INSTALL
new file mode 100755
index 0000000..e2499a3
--- /dev/null
+++ b/bin-security/vault-bin/INSTALL
@@ -0,0 +1,19 @@
+# /usr/bin is handled by smgl-fhs
+install -vm 755 vault "${INSTALL_ROOT}/usr/bin" &&
+
+local config_dir="${INSTALL_ROOT}/etc/${SPELLX}.d" &&
+local data_dir="${INSTALL_ROOT}/var/lib/${SPELLX}" &&
+
+if [ ! -d "${config_dir}" ]; then
+ install -vm 750 -o root -g vault -d "${config_dir}"
+fi &&
+
+if [ ! -d "${data_dir}" ]; then
+ install -vm 750 -o vault -g vault -d "${data_dir}"
+fi &&
+
+install_config_file "${SPELL_DIRECTORY}/files/vault.hcl" \
+ "${config_dir}/vault.hcl" &&
+
+chown root:vault "${config_dir}/vault.hcl" &&
+chmod 0640 "${config_dir}/vault.hcl"
diff --git a/bin-security/vault-bin/PRE_BUILD b/bin-security/vault-bin/PRE_BUILD
new file mode 100755
index 0000000..5416781
--- /dev/null
+++ b/bin-security/vault-bin/PRE_BUILD
@@ -0,0 +1,4 @@
+mk_source_dir "${SOURCE_DIRECTORY}" &&
+cd "${SOURCE_DIRECTORY}" &&
+
+unpack_file ''
diff --git a/bin-security/vault-bin/files/vault.hcl b/bin-security/vault-bin/files/vault.hcl
new file mode 100644
index 0000000..20227b8
--- /dev/null
+++ b/bin-security/vault-bin/files/vault.hcl
@@ -0,0 +1,18 @@
+api_addr = "http://127.0.0.1:8200"
+cluster_addr = "http://127.0.0.1:8201"
+#cluster_name = "vault"
+disable_mlock = "true"
+log_level = "Info"
+plugin_directory = "/var/lib/vault/plugins/"
+ui = "true"
+
+listener "tcp" {
+ address = "127.0.0.1:8200"
+ cluster_address = "127.0.0.1:8201"
+ tls_disable = "true"
+}
+
+storage "raft" {
+ path = "/var/lib/vault/storage/"
+ #node_id = "hostname"
+}
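Review bot: `tls_disable = "true"` at L166 and `disable_mlock = "true"` at L158 are the two security-relevant defaults in this config and neither carries a comment explaining the trade-off. The listener, `api_addr` and `cluster_addr` are all bound to 127.0.0.1, so the plaintext HTTP API is only reachable by local processes, but anyone who later widens `address` inherits a TLS-less Vault, and every token local clients send is in the clear on loopback. `disable_mlock` means Vault's in-memory secrets may be paged to swap; since the init script runs the server as the unprivileged `vault` user without `CAP_IPC_LOCK`, enabling mlock would also need a `setcap cap_ipc_lock=+ep` on the binary, so the choice deserves stating. I would add `# loopback only: set tls_cert_file/tls_key_file and tls_disable = false before binding a non-loopback address` above the listener block, and `# mlock disabled: process runs unprivileged; disable swap on the host (upstream's usual advice for raft storage — verify against current docs)` above L158.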
diff --git a/bin-security/vault-bin/init.d/vault b/bin-security/vault-bin/init.d/vault
new file mode 100755
index 0000000..a974806
--- /dev/null
+++ b/bin-security/vault-bin/init.d/vault
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+. /etc/sysconfig/vault
+
+PROGRAM=/usr/bin/vault
+ARGS="server -config=/etc/vault.d $VAULT_ARGS"
+RUNLEVEL=3
+NEEDS="+network"
+
+start() {
+ echo "Starting $NAME..."
+
+ TIMEOUT=3
+
+ su vault -s /bin/sh -c "set -o pipefail; $PROGRAM $ARGS 2>&1 | logger -ip daemon.info -t vault" &
+ ppid=$!
+
+ sleep $TIMEOUT && pgrep -P $ppid > /dev/null || wait $ppid
+
+ evaluate_retval
+}
+
+stop() {
+ echo "Stopping $NAME..."
+
+ killproc "vault server" SIGINT
+}
+
+. /etc/init.d/smgl_init
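Review bot: At L193 the whole command line, including `$VAULT_ARGS` sourced from /etc/sysconfig/vault, is expanded into the string handed to `sh -c`, so the inner shell re-parses it and any quotes, `$`, `;` or `|` in VAULT_ARGS are interpreted a second time. That file is root-owned configuration rather than an untrusted boundary, but it is still brittle; passing the program and arguments as positional parameters avoids the double evaluation: `su vault -s /bin/sh -c 'set -o pipefail; "$0" "$@" 2>&1 | logger -ip daemon.info -t vault' "$PROGRAM" $ARGS &`. The `set -o pipefail` inside that inner shell also presumes /bin/sh is bash or ksh (older dash rejects it and the service would never start), which is probably true on this distribution but worth a comment. Finally `. /etc/sysconfig/vault` at L181 is unguarded; `[ -r /etc/sysconfig/vault ] && . /etc/sysconfig/vault` would keep the script usable if the conf file is removed.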
diff --git a/bin-security/vault-bin/init.d/vault.conf b/bin-security/vault-bin/init.d/vault.conf
new file mode 100644
index 0000000..6a3b9fd
--- /dev/null
+++ b/bin-security/vault-bin/init.d/vault.conf
@@ -0,0 +1,3 @@
+# For the arguments and description see ``vault server --help''
+
+VAULT_ARGS=""
diff --git a/groups b/groups
index acb0e4b..6874ef3 100755
--- a/groups
+++ b/groups
@@ -4,3 +4,4 @@ tomcat:35:
ontopia:36:
consul:217:
consul-template:218:
+vault:219: