From 7b0e2094c68397679e200a86fa142a87b01aee5e Mon Sep 17 00:00:00 2001
From: Christian Rebischke
Date: Sun, 3 Dec 2017 00:43:53 +0000
Subject: [PATCH] added vault package
---
 PKGBUILD | 42 ++++++++++++++++++++++++++++++++++++++++++
 vault.hcl | 19 +++++++++++++++++++
 vault.install | 29 +++++++++++++++++++++++++++++
 vault.service | 22 ++++++++++++++++++++++
 4 files changed, 112 insertions(+)
 create mode 100644 PKGBUILD
 create mode 100644 vault.hcl
 create mode 100644 vault.install
 create mode 100644 vault.service
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 0000000..986a10d
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,42 @@
+# Maintainer : Christian Rebischke
+pkgname='vault'
+pkgdesc='A tool for managing secrets'
+pkgver='0.9.0'
+pkgrel='2'
+url='https://vaultproject.io/'
+license=('MPL')
+arch=('x86_64')
+makedepends=('go-pie' 'git')
+depends=('glibc')
+install='vault.install'
+backup=('etc/vault.hcl')
+_vault_commit='bdac1854478538052ba5b7ec9a9ec688d35a3335'
+source=("git+https://github.com/hashicorp/vault#commit=${_vault_commit}"
+ 'vault.service'
+ 'vault.hcl')
+sha512sums=('SKIP'
+ '1e67fe594198e42faf81eeb78eaa9904d832a04580c82cd5639b983bab850a01f33f4b43de43b4e3403ee7820236ab49c8b91a26981c47b9a2c6938b4c0b6be3'
+ '46106cc76151eef2dd5e4b2caa6a96aae4d6ce1ecbf977dcc8667a3f6c829cbea95133622adafcb15cdfaa066ecc94c73c983e7613ee2f6573694981569729fe')
+
+prepare () {
+ export GOPATH="${srcdir}"
+ export PATH="$PATH:$GOPATH/bin"
+ mkdir -p src/github.com/hashicorp/
+ mv ${pkgname} src/github.com/hashicorp/
+}
+
+build () {
+ cd src/github.com/hashicorp/${pkgname}
+ go build -o vault-binary
+}
+
+package () {
+ cd src/github.com/hashicorp/${pkgname}
+ install -Dm755 vault-binary "${pkgdir}/usr/bin/vault"
+ install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+ install -Dm644 "${srcdir}/vault.hcl" "${pkgdir}/etc/vault.hcl"
+ install -Dm644 "${srcdir}/vault.service" "${pkgdir}/usr/lib/systemd/system/vault.service"
+ for file in README.md CHANGELOG.md ; do
+ install -Dm644 "${file}" "${pkgdir}/usr/share/doc/${pkgname}/${file}"
+ done
+}
diff --git a/vault.hcl b/vault.hcl
new file mode 100644
index 0000000..a612cf1
--- /dev/null
+++ b/vault.hcl
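Review bot: `mv ${pkgname} src/github.com/hashicorp/` in prepare() and the two `cd src/github.com/hashicorp/${pkgname}` lines in build() and package() expand `${pkgname}` unquoted, unlike the quoted `install` calls further down; it is a fixed literal today, but `mv -- "${pkgname}" src/github.com/hashicorp/` and `cd "src/github.com/hashicorp/${pkgname}"` keep the file consistent and shellcheck-clean. `sha512sums=('SKIP')` for the git source is acceptable only because `#commit=${_vault_commit}` pins an immutable object, so a comment above `_vault_commit=` stating which upstream tag that commit corresponds to (presumably v0.9.0, matching `pkgver`) would let a reviewer verify the pin on every version bump rather than trusting the hash blindly.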
@@ -0,0 +1,19 @@
+/*
+ * Vault configuration. See: https://vaultproject.io/docs/config/
+ */
+
+backend "file" {
+ path = "/var/lib/vault"
+}
+
+listener "tcp" {
+ /*
+ * By default Vault listens on localhost only.
+ * Make sure to enable TLS support otherwise.
+ *
+ * Note that VAULT_ADDR=http://127.0.0.1:8200 must
+ * be set in the environment in order for the client
+ * to work because it uses HTTPS by default.
+ */
+ tls_disable = 1
+}
diff --git a/vault.install b/vault.install
new file mode 100644
index 0000000..b7c6c28
--- /dev/null
+++ b/vault.install
@@ -0,0 +1,29 @@
+# vim: ft=sh ts=4 sw=4 et
+
+post_install () {
+ getent passwd vault > /dev/null || useradd \
+ -s /bin/nologin -c 'Vault daemon' -d /var/lib/vault -M -r -U vault
+ if [[ ! -d /var/lib/vault ]] ; then
+ mkdir /var/lib/vault
+ chown vault:vault /var/lib/vault
+ fi
+ setcap cap_ipc_lock=+ep /usr/bin/vault
+}
+
+post_upgrade () {
+ if [[ -d /var/lib/vault ]] ; then
+ local badperms=false
+ while read -r path ; do
+ if [[ $(stat --format=%U:%G "${path}") != vault:vault ]]
+ then
+ badperms=true
+ break
+ fi
+ done < <( find /var/lib/vault )
+ if ${badperms} ; then
+ echo 'Bad permissions detected in /var/lib/vault, fixing...'
+ chown -R vault:vault /var/lib/vault
+ fi
+ fi
+ post_install
+}
diff --git a/vault.service b/vault.service
new file mode 100644
index 0000000..cc884e1
--- /dev/null
+++ b/vault.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Vault server
+Requires=basic.target network.target
+After=basic.target network.target
+
+[Service]
+User=vault
+Group=vault
+PrivateTmp=yes
+ProtectSystem=full
+ProtectHome=read-only
+CapabilityBoundingSet=CAP_IPC_LOCK
+Environment=GOMAXPROCS=2
+ExecStart=/bin/vault server -config=/etc/vault/vault.hcl
+KillSignal=SIGINT
+TimeoutStopSec=30s
+Restart=on-failure
+StartLimitInterval=60s
+StartLimitBurst=3
+
+[Install]
+WantedBy=multi-user.target
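Review bot: The `listener "tcp"` block sets `tls_disable = 1` but gives no `address`, so the comment's "By default Vault listens on localhost only" rests entirely on the upstream default rather than on anything in the shipped file; adding `address = "127.0.0.1:8200"` directly above `tls_disable = 1` makes the scope of the plaintext listener explicit in the config that `backup=('etc/vault.hcl')` preserves across upgrades. The sentence "Make sure to enable TLS support otherwise." would be clearer as "Configure tls_cert_file/tls_key_file and remove tls_disable before binding to any non-loopback address.", since the operator has to change this setting, not merely add one.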
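Review bot: `mkdir /var/lib/vault` in post_install creates the file-backend directory with the process umask (typically 0755) and only afterwards `chown`s it, so the storage directory stays world-traversable and readable by every local user; `install -d -m 0700 -o vault -g vault /var/lib/vault` replaces both lines and sets owner and mode in one step. The post_upgrade check compares only `%U:%G`, so it would never repair such a mode either — a `chmod 0700 /var/lib/vault` next to the `chown -R vault:vault /var/lib/vault` covers the top-level directory on upgrade. The `while read -r path` loop over unterminated `find /var/lib/vault` output can be collapsed to `if [[ -n $(find /var/lib/vault \( ! -user vault -o ! -group vault \) -print -quit) ]]; then`, which avoids spawning `stat` per entry and is safe for names containing newlines; the message `'Bad permissions detected ...'` should then say "ownership", which is what is actually checked.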
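Review bot: `ExecStart=/bin/vault server -config=/etc/vault/vault.hcl` points at `/etc/vault/vault.hcl`, but package() in PKGBUILD installs the config to `${pkgdir}/etc/vault.hcl` (and `backup=('etc/vault.hcl')` names the same path), so the unit as shipped cannot find its configuration and will fail on first start; the line should read `ExecStart=/usr/bin/vault server -config=/etc/vault.hcl`, which also matches the `install -Dm755 vault-binary "${pkgdir}/usr/bin/vault"` path instead of relying on Arch's `/bin` symlink. `CapabilityBoundingSet=CAP_IPC_LOCK` only bounds what the service may hold; the actual grant for mlock comes from `setcap cap_ipc_lock=+ep /usr/bin/vault` in vault.install, so a comment above that line such as `# CAP_IPC_LOCK is granted by the file capability set in vault.install; NoNewPrivileges= would drop it` records the dependency before someone tightens the unit further. `StartLimitInterval=`/`StartLimitBurst=` under [Service] are the legacy spellings; on current systemd they belong in [Unit] as `StartLimitIntervalSec=`/`StartLimitBurst=`, though the old names were presumably still accepted when this was written.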