debian: add open-vault config files
All the ancillary configuration files around maintainer scripts, systemd, sysusers, and user overrides
parent
2ffa95fb7e
commit
1c47ea6618
|
@ -0,0 +1,14 @@
|
|||
# Any additional options to pass to 'vault server'
|
||||
#
|
||||
# For more, see: `vault server --help`
|
||||
VAULT_FLAGS=
|
||||
|
||||
# Consider setting these, if you're in a containerized
|
||||
# environment.
|
||||
#
|
||||
# Go does not handle cgroup based limits well, for either
|
||||
# CPU or MEM.
|
||||
#
|
||||
# For more, see: https://pkg.go.dev/runtime
|
||||
#GOMAXPROCS=
|
||||
#GOMEMLIMIT=
|
|
@ -0,0 +1 @@
|
|||
etc/vault.d
|
|
@ -0,0 +1 @@
|
|||
lib/systemd/system/vault.service lib/systemd/system/open-vault.service
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
setcap cap_ipc_lock=+ep /usr/bin/vault
|
||||
|
||||
exit 0
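Review bot: `setcap cap_ipc_lock=+ep /usr/bin/vault` is redundant for the service and widens exposure: the unit already grants the same capability through `AmbientCapabilities=CAP_IPC_LOCK`, which survives exec even under `NoNewPrivileges=yes`, whereas a file capability applies to every invocation of the binary by any local user, and CAP_IPC_LOCK bypasses RLIMIT_MEMLOCK, so an ad-hoc `vault server -dev` run by an unprivileged user can pin unbounded memory. The call also creates a hard runtime requirement on `setcap` from libcap2-bin; with `set -e` a missing binary aborts package configuration, so either declare that dependency in debian/control (not visible in this commit) or drop the line and rely on the unit's ambient capability. If it is kept, note that the unit starts `/bin/vault` while this line targets `/usr/bin/vault`; the two coincide only on merged-/usr systems, so pick one canonical path, preferably `/usr/bin/vault` in both places.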
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,39 @@
|
|||
[Unit]
|
||||
Description=A tool for managing secrets
|
||||
Documentation=https://developer.hashicorp.com/vault/docs/v1.14.x
|
||||
StartLimitIntervalSec=60
|
||||
StartLimitBurst=10
|
||||
After=network.target network-online.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
User=vault
|
||||
Group=vault
|
||||
EnvironmentFile=/etc/default/vault
|
||||
ExecStart=/bin/vault server ${VAULT_FLAGS} -config=/etc/vault.d/
|
||||
ExecReload=/bin/kill --signal HUP $MAINPID
|
||||
KillMode=process
|
||||
KillSignal=SIGINT
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
TimeoutStopSec=30
|
||||
|
||||
# Service files / dirs
|
||||
RuntimeDirectory=vault
|
||||
StateDirectory=vault
|
||||
ConfigurationDirectory=vault.d
|
||||
|
||||
# Service limits, hardening
|
||||
LimitNOFILE=65536
|
||||
LimitMEMLOCK=infinity
|
||||
ProtectSystem=full
|
||||
ProtectHome=read-only
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
SecureBits=keep-caps
|
||||
AmbientCapabilities=CAP_IPC_LOCK
|
||||
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
|
||||
NoNewPrivileges=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
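Review bot: `After=network-online.target` on its own does not pull that target in; without a matching `Wants=network-online.target` in `[Unit]` the service may start before addresses are configured and a listener bound to a specific interface address will fail and burn through the StartLimit budget. `ExecStart=/bin/vault` also disagrees with the `/usr/bin/vault` path the postinst applies `setcap` to — equivalent on merged-/usr, but the unit should name the canonical `/usr/bin/vault` (and `/usr/bin/kill`). The hardening block can be tightened for a Go daemon that needs only CAP_IPC_LOCK: `CAP_SYSLOG` is for reading the kernel ring buffer and is not needed for journal/stdout logging, `ProtectSystem=strict` still leaves the declared `StateDirectory`/`RuntimeDirectory` writable, and the storage data under `/var/lib/vault` would be safer with `StateDirectoryMode=0700`. Suggested changes below are hedged: `AF_NETLINK` is included because Go's net package enumerates interfaces over netlink, and a file audit device writing outside `/var/lib/vault` would need a matching `ReadWritePaths=`, so verify against a real deployment before shipping.
```ini
[Unit]
# … unchanged: Description, Documentation, StartLimit* …
Wants=network-online.target
After=network.target network-online.target

[Service]
# … unchanged: Type, User, Group, EnvironmentFile …
ExecStart=/usr/bin/vault server ${VAULT_FLAGS} -config=/etc/vault.d/
ExecReload=/usr/bin/kill --signal HUP $MAINPID
# … unchanged: KillMode … ConfigurationDirectory …
# Storage backend data lives here; keep it private to the service user.
StateDirectoryMode=0700

# Service limits, hardening
# … unchanged: LimitNOFILE, LimitMEMLOCK, PrivateTmp, PrivateDevices …
# strict: only StateDirectory/RuntimeDirectory (and ReadWritePaths=) stay writable.
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
# AF_NETLINK: Go's net package lists interfaces via netlink (go-sockaddr templates).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# … unchanged: SecureBits, AmbientCapabilities …
# CAP_SYSLOG dropped: only mlock() needs a capability here.
CapabilityBoundingSet=CAP_IPC_LOCK
# … unchanged: NoNewPrivileges …
```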
|
|
@ -0,0 +1 @@
|
|||
u vault 972 - /var/lib/vault
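Review bot: The `u vault 972 - /var/lib/vault` line hard-codes UID/GID 972, which lies in the 100–999 range Debian allocates dynamically; a host that already has a system account at 972, or a pre-existing `vault` user from the upstream package with a different ID, leaves `systemd-sysusers` either failing or producing an account whose ownership no longer matches what the unit's `StateDirectory=vault` creates on first start. Unless 972 is a registered static allocation in base-passwd (not shown here, and unlikely for a fork), let sysusers choose the ID: `u vault - - /var/lib/vault`. A `u` line does not create the home directory itself; `/var/lib/vault` comes into existence only via `StateDirectory=` in vault.service, which is fine but worth recording in the file as `# home is created by StateDirectory=vault in vault.service; sysusers only registers the account`.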
|