debian: add open-vault config files
All the ancillary configuration files around maintainer scripts, systemd, sysusers, and user overrides
This commit is contained in:
parent
2ffa95fb7e
commit
1c47ea6618
@ -0,0 +1,14 @@
# Any additional options to pass to 'vault server'
#
# For more, see: `vault server --help`
VAULT_FLAGS=
# Consider setting these, if you're in a containerized
# environment.
#
# Go does not handle cgroup based limits well, for either
# CPU or MEM.
#
# For more, see: https://pkg.go.dev/runtime
#GOMAXPROCS=
#GOMEMLIMIT=
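Review bot: The header comment should say that anything placed in `VAULT_FLAGS` becomes part of the server's command line, which is readable by every local user via ps or /proc, so listener addresses and log levels are fine here but tokens, keys or other secret values belong in the HCL configuration under /etc/vault.d (the unit in this commit passes the variable straight into ExecStart). A one-line addition such as `# Note: these flags appear in the process command line; never put secrets here.` above `VAULT_FLAGS=` would cover it.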
@ -0,0 +1 @@
etc/vault.d
@ -0,0 +1 @@
lib/systemd/system/vault.service lib/systemd/system/open-vault.service
@ -0,0 +1,9 @@
#!/bin/bash
set -e
#DEBHELPER#
setcap cap_ipc_lock=+ep /usr/bin/vault
exit 0
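Review bot: `setcap cap_ipc_lock=+ep /usr/bin/vault` attaches CAP_IPC_LOCK to the binary for every local user who runs the vault CLI, while the unit file in this commit already supplies that capability to the service through `AmbientCapabilities=CAP_IPC_LOCK` together with `LimitMEMLOCK=infinity`, so the file capability is only needed if non-service invocations are expected to mlock. If that is intended, say so in a comment above the line; if not, drop it and let the unit be the sole grant. Either way, because of `set -e`, a setcap failure (filesystems or containers without xattr support) turns into a failed package configure, so consider `setcap cap_ipc_lock=+ep /usr/bin/vault || echo 'warning: could not set cap_ipc_lock on /usr/bin/vault' >&2` so the package still installs and the operator sees why mlock may be unavailable.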
@ -0,0 +1,7 @@
#!/bin/bash
set -e
#DEBHELPER#
exit 0
@ -0,0 +1,7 @@
#!/bin/bash
set -e
#DEBHELPER#
exit 0
@ -0,0 +1,7 @@
#!/bin/bash
set -e
#DEBHELPER#
exit 0
@ -0,0 +1,39 @@
[Unit]
Description=A tool for managing secrets
Documentation=https://developer.hashicorp.com/vault/docs/v1.14.x
StartLimitIntervalSec=60
StartLimitBurst=10
After=network.target network-online.target
[Service]
Type=notify
User=vault
Group=vault
EnvironmentFile=/etc/default/vault
ExecStart=/bin/vault server ${VAULT_FLAGS} -config=/etc/vault.d/
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
# Service files / dirs
RuntimeDirectory=vault
StateDirectory=vault
ConfigurationDirectory=vault.d
# Service limits, hardening
LimitNOFILE=65536
LimitMEMLOCK=infinity
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
[Install]
WantedBy=multi-user.target
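Review bot: `ExecStart=/bin/vault server ${VAULT_FLAGS} -config=/etc/vault.d/` expands the braced `${VAULT_FLAGS}` as exactly one argument (systemd.service(5)), so with the shipped default `VAULT_FLAGS=` the server receives an empty-string positional argument, and a value such as `-log-level=debug -dev` would arrive as one word rather than two options; the unbraced form, `ExecStart=/bin/vault server $VAULT_FLAGS -config=/etc/vault.d/`, word-splits and contributes zero arguments when the variable is empty. The binary path also disagrees with the postinst in this commit, which applies setcap to /usr/bin/vault; using /usr/bin/vault here as well keeps the file capability and the service pointing at the same file on installs without merged /usr. As a hardening follow-up, `ProtectSystem=full` could likely become `strict`, since the service's writable locations are already declared with RuntimeDirectory= and StateDirectory=, provided the shipped configuration writes nothing else (audit log paths, for instance) — worth testing rather than assuming.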
@ -0,0 +1 @@
u vault 972 - /var/lib/vault
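Review bot: `u vault 972 - /var/lib/vault` pins the account to UID/GID 972, which on Debian falls inside the dynamically allocated 100–999 system range rather than a statically reserved id, so on a host where 972 is already in use systemd-sysusers will, depending on version, either refuse the entry or allocate a different id anyway — in neither case does the pinned number give the stability it suggests, and in the first case the unit's `User=vault` cannot resolve. Unless the id must match across hosts (shared storage), let the allocator choose and fill in the GECOS field: `u vault - "Vault secrets server" /var/lib/vault`. Note that sysusers does not create the home directory itself; here that is covered by `StateDirectory=vault` in the unit.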