From 7e2b2d7c216aeefe17f9e7bcf15ccb4b0e87bb54 Mon Sep 17 00:00:00 2001
From: Vlad Glagolev
Date: Fri, 2 Jul 2021 05:44:35 +0000
Subject: vault-bin: new spell, tool for managing secrets

---
 ChangeLog | 3 ++-
 accounts | 1 +
 bin-security/vault-bin/BUILD | 1 +
 bin-security/vault-bin/DEPENDS | 3 +++
 bin-security/vault-bin/DETAILS | 31 +++++++++++++++++++++++++++++++
 bin-security/vault-bin/FINAL | 4 ++++
 bin-security/vault-bin/HISTORY | 3 +++
 bin-security/vault-bin/INSTALL | 19 +++++++++++++++++++
 bin-security/vault-bin/PRE_BUILD | 4 ++++
 bin-security/vault-bin/files/vault.hcl | 18 ++++++++++++++++++
 bin-security/vault-bin/init.d/vault | 29 +++++++++++++++++++++++++++++
 bin-security/vault-bin/init.d/vault.conf | 3 +++
 groups | 1 +
 13 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100755 bin-security/vault-bin/BUILD
 create mode 100755 bin-security/vault-bin/DEPENDS
 create mode 100755 bin-security/vault-bin/DETAILS
 create mode 100755 bin-security/vault-bin/FINAL
 create mode 100644 bin-security/vault-bin/HISTORY
 create mode 100755 bin-security/vault-bin/INSTALL
 create mode 100755 bin-security/vault-bin/PRE_BUILD
 create mode 100644 bin-security/vault-bin/files/vault.hcl
 create mode 100755 bin-security/vault-bin/init.d/vault
 create mode 100644 bin-security/vault-bin/init.d/vault.conf

diff --git a/ChangeLog b/ChangeLog
index e8072ae..86a5d49 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,7 +2,8 @@
 * bin-net/consul-bin: new spell, service discovery and configuration tool
 * bin-utils/consul-template-bin: new spell, template rendering and
 notifications with Consul
- * accounts, groups: added account data for consul-bin and
+ * bin-security/vault-bin: new spell, tool for managing secrets
+ * accounts, groups: added account data for consul-bin, vault-bin and
 consul-template-bin spells
 
 2021-06-04 Treeve Jelbert
diff --git a/accounts b/accounts
index c013d98..63f1bbd 100755
--- a/accounts
+++ b/accounts
@@ -7,3 +7,4 @@ ontopia:39:36
 tomcat7:40:35
 consul:217:217
 consul-template:218:218
+vault:219:219
diff --git a/bin-security/vault-bin/BUILD b/bin-security/vault-bin/BUILD
new file mode 100755
index 0000000..43597bb
--- /dev/null
+++ b/bin-security/vault-bin/BUILD
@@ -0,0 +1 @@
+create_account vault
diff --git a/bin-security/vault-bin/DEPENDS b/bin-security/vault-bin/DEPENDS
new file mode 100755
index 0000000..ec62c6d
--- /dev/null
+++ b/bin-security/vault-bin/DEPENDS
@@ -0,0 +1,3 @@
+depends unzip &&
+# for syslog logging
+depends util-linux
diff --git a/bin-security/vault-bin/DETAILS b/bin-security/vault-bin/DETAILS
new file mode 100755
index 0000000..b2fc01a
--- /dev/null
+++ b/bin-security/vault-bin/DETAILS
@@ -0,0 +1,31 @@
+ SPELL=vault-bin
+ SPELLX=${SPELL/-bin/}
+ VERSION=1.7.3
+if [[ "${SMGL_COMPAT_ARCHS[1]}" == "x86_64" || "${SMGL_COMPAT_ARCHS[1]}" == "em64t" ]]; then
+ ARCH=amd64
+ SOURCE_HASH=sha256:8453132a93b755c0a89dd4b2f1a99bd4af06f8167b81917f117080839031e03f:UPSTREAM_HASH
+else
+ ARCH=386
+ SOURCE_HASH=sha256:bc68f2e611097e08f1d6c045a787036383085b51b85073c8f0a78ae5dc5f8b0b:UPSTREAM_HASH
+fi
+ SOURCE=${SPELLX}_${VERSION}_linux_${ARCH}.zip
+ SOURCE_URL[0]=https://releases.hashicorp.com/${SPELLX}/${VERSION}/${SOURCE}
+SOURCE_DIRECTORY="${BUILD_DIRECTORY}/${SPELL}-${VERSION}"
+ GATHER_DOCS=off
+ WEB_SITE=https://www.vaultproject.io/
+ ENTERED=20210701
+ LICENSE[0]=MPL
+ SHORT="tool for managing secrets"
+cat << EOF
+Vault is a tool for securely accessing secrets. A secret is anything that you
+want to tightly control access to, such as API keys, passwords, certificates,
+and more. Vault provides a unified interface to any secret, while providing
+tight access control and recording a detailed audit log.
+
+A modern system requires access to a multitude of secrets: database credentials,
+API keys for external services, credentials for service-oriented architecture
+communication, etc. Understanding who is accessing what secrets is already very
+difficult and platform-specific. Adding on key rolling, secure storage, and
+detailed audit logs is almost impossible without a custom solution. This is
+where Vault steps in.
+EOF
diff --git a/bin-security/vault-bin/FINAL b/bin-security/vault-bin/FINAL
new file mode 100755
index 0000000..1571059
--- /dev/null
+++ b/bin-security/vault-bin/FINAL
@@ -0,0 +1,4 @@
+# binaries require /lib64
+if [ ! -d "${INSTALL_ROOT}/lib64" ]; then
+ ln -vsf "${TRACK_ROOT}/lib" "${INSTALL_ROOT}/lib64"
+fi
diff --git a/bin-security/vault-bin/HISTORY b/bin-security/vault-bin/HISTORY
new file mode 100644
index 0000000..9ed209f
--- /dev/null
+++ b/bin-security/vault-bin/HISTORY
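Review bot: The `else` branch of the arch test in DETAILS assigns `ARCH=386` for every value of `SMGL_COMPAT_ARCHS[1]` other than x86_64/em64t, so on a non-x86 host the spell would download and install an i386 zip whose pinned hash still matches, and the failure would only surface when the binary runs. Make the 32-bit case an explicit test for the x86 value and let any other architecture fail in DETAILS with a clear message rather than fall through. The `:UPSTREAM_HASH` suffix on both `SOURCE_HASH` values records that the sha256 was copied from upstream's published SHA256SUMS rather than verified independently; HashiCorp ships a detached GPG signature for that file, so checking it once against the HashiCorp release key and noting that in HISTORY would make the pin a provenance check rather than only a transport check.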
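Review bot: FINAL links `${INSTALL_ROOT}/lib64` to `${TRACK_ROOT}/lib` when the directory is missing, which is a system-wide change made outside sorcery's file tracking and therefore not reverted on dispel; the one-line comment should say so, e.g. `# binaries require /lib64 (presumably the dynamic loader path); this symlink is untracked and remains after dispel`. On the 386 path selected in DETAILS the link is presumably unnecessary, so either guard it with the same arch test or state in the comment that it is harmless there. If `${INSTALL_ROOT}/lib64` already exists as a dangling symlink, `-d` is false and `ln -sf` silently replaces it, which is the intended outcome but worth a word in the same comment.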
@@ -0,0 +1,3 @@
+2021-07-01 Vlad Glagolev
+ * DETAILS, DEPENDS, {PRE_,}BUILD, INSTALL, init.d, files: created
+ spell, version 1.7.3
diff --git a/bin-security/vault-bin/INSTALL b/bin-security/vault-bin/INSTALL
new file mode 100755
index 0000000..e2499a3
--- /dev/null
+++ b/bin-security/vault-bin/INSTALL
@@ -0,0 +1,19 @@
+# /usr/bin is handled by smgl-fhs
+install -vm 755 vault "${INSTALL_ROOT}/usr/bin" &&
+
+local config_dir="${INSTALL_ROOT}/etc/${SPELLX}.d" &&
+local data_dir="${INSTALL_ROOT}/var/lib/${SPELLX}" &&
+
+if [ ! -d "${config_dir}" ]; then
+ install -vm 750 -o root -g vault -d "${config_dir}"
+fi &&
+
+if [ ! -d "${data_dir}" ]; then
+ install -vm 750 -o vault -g vault -d "${data_dir}"
+fi &&
+
+install_config_file "${SPELL_DIRECTORY}/files/vault.hcl" \
+ "${config_dir}/vault.hcl" &&
+
+chown root:vault "${config_dir}/vault.hcl" &&
+chmod 0640 "${config_dir}/vault.hcl"
diff --git a/bin-security/vault-bin/PRE_BUILD b/bin-security/vault-bin/PRE_BUILD
new file mode 100755
index 0000000..5416781
--- /dev/null
+++ b/bin-security/vault-bin/PRE_BUILD
@@ -0,0 +1,4 @@
+mk_source_dir "${SOURCE_DIRECTORY}" &&
+cd "${SOURCE_DIRECTORY}" &&
+
+unpack_file ''
diff --git a/bin-security/vault-bin/files/vault.hcl b/bin-security/vault-bin/files/vault.hcl
new file mode 100644
index 0000000..20227b8
--- /dev/null
+++ b/bin-security/vault-bin/files/vault.hcl
@@ -0,0 +1,18 @@
+api_addr = "http://127.0.0.1:8200"
+cluster_addr = "http://127.0.0.1:8201"
+#cluster_name = "vault"
+disable_mlock = "true"
+log_level = "Info"
+plugin_directory = "/var/lib/vault/plugins/"
+ui = "true"
+
+listener "tcp" {
+ address = "127.0.0.1:8200"
+ cluster_address = "127.0.0.1:8201"
+ tls_disable = "true"
+}
+
+storage "raft" {
+ path = "/var/lib/vault/storage/"
+ #node_id = "hostname"
+}
diff --git a/bin-security/vault-bin/init.d/vault b/bin-security/vault-bin/init.d/vault
new file mode 100755
index 0000000..a974806
--- /dev/null
+++ b/bin-security/vault-bin/init.d/vault
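Review bot: INSTALL creates `${data_dir}` as vault:vault 750 but nothing creates the `plugins` subdirectory that files/vault.hcl names in `plugin_directory`, and because the parent is writable by the service account, the vault process can itself populate the directory Vault treats as its trusted plugin root. If only root is meant to place plugins there, add after the data_dir block `if [ ! -d "${data_dir}/plugins" ]; then install -vm 750 -o root -g vault -d "${data_dir}/plugins"; fi &&`. The raft `path` under the same directory is presumably created by Vault on first start; if it is not, it needs the same `install -d` as a vault-owned directory.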
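Review bot: The tcp listener in files/vault.hcl sets `tls_disable = "true"`, which is only acceptable because `address` and `cluster_address` are bound to 127.0.0.1, and the file does not say that; a later edit to a routable address would send tokens and secrets in cleartext. Add above the listener block `# TLS is off because this listener is loopback-only; bind elsewhere only with tls_cert_file/tls_key_file set`, and note that `api_addr`/`cluster_addr` use http:// and would need the same change. `disable_mlock = "true"` is consistent with running under an unprivileged account and with the raft storage backend, but a one-line comment stating why it is set would stop a reader from flagging it as a hardening regression.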
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+. /etc/sysconfig/vault
+
+PROGRAM=/usr/bin/vault
+ARGS="server -config=/etc/vault.d $VAULT_ARGS"
+RUNLEVEL=3
+NEEDS="+network"
+
+start() {
+ echo "Starting $NAME..."
+
+ TIMEOUT=3
+
+ su vault -s /bin/sh -c "set -o pipefail; $PROGRAM $ARGS 2>&1 | logger -ip daemon.info -t vault" &
+ ppid=$!
+
+ sleep $TIMEOUT && pgrep -P $ppid > /dev/null || wait $ppid
+
+ evaluate_retval
+}
+
+stop() {
+ echo "Stopping $NAME..."
+
+ killproc "vault server" SIGINT
+}
+
+. /etc/init.d/smgl_init
diff --git a/bin-security/vault-bin/init.d/vault.conf b/bin-security/vault-bin/init.d/vault.conf
new file mode 100644
index 0000000..6a3b9fd
--- /dev/null
+++ b/bin-security/vault-bin/init.d/vault.conf
@@ -0,0 +1,3 @@
+# For the arguments and description see ``vault server --help''
+
+VAULT_ARGS=""
diff --git a/groups b/groups
index acb0e4b..6874ef3 100755
--- a/groups
+++ b/groups
@@ -4,3 +4,4 @@ tomcat:35:
 ontopia:36:
 consul:217:
 consul-template:218:
+vault:219:
-- 
cgit v1.2.3
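Review bot: `set -o pipefail` inside the `su vault -s /bin/sh -c "..."` string in start() is not a POSIX option; if /bin/sh on the target is not bash the inner shell exits before exec'ing vault, and `evaluate_retval` then reports a failure with no hint why. The script is already `#!/bin/bash`, so pin the same interpreter for the child: `su vault -s /bin/bash -c "set -o pipefail; $PROGRAM $ARGS 2>&1 | logger -ip daemon.info -t vault" &`. `$ARGS` is deliberately unquoted so that `VAULT_ARGS` word-splits, but because it is embedded in a command string the inner shell re-parses it, so a value containing spaces or quotes does not survive; init.d/vault.conf should say that. `$NAME` is not assigned in this file and is presumably provided by /etc/init.d/smgl_init; the readiness check `sleep $TIMEOUT && pgrep -P $ppid ... || wait $ppid` treats any surviving child of su as success, which is a heuristic worth a comment.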