Initial vault agent configuration

.claude/settings.local.json

@@ -0,0 +1,8 @@
+{
+  "enabledMcpjsonServers": [
+    "context7",
+    "sequential-thinking",
+    "playwright",
+    "cloudflare"
+  ]
+}

.mcp.json

@@ -0,0 +1 @@
+/home/kaffa/.mcp.json

agent.hcl

@@ -0,0 +1,31 @@
+pid_file = "/home/kaffa/vault/pidfile"
+
+vault {
+  address = "https://vault.anvil.it.com"
+}
+
+auto_auth {
+  method "approle" {
+    config = {
+      role_id_file_path = "/home/kaffa/vault/config/role-id"
+      secret_id_file_path = "/home/kaffa/vault/config/secret-id"
+      remove_secret_id_file_after_reading = false
+    }
+  }
+
+  sink "file" {
+    config = {
+      path = "/home/kaffa/vault/vault-token"
+      mode = 0644
+    }
+  }
+}
+
+cache {
+  use_auto_auth_token = true
+}
+
+listener "tcp" {
+  address = "127.0.0.1:8007"
+  tls_disable = true
+}

config/role-id

@@ -0,0 +1 @@
+157548e1-5dd3-7cdc-2da4-5c9fdd92d39e

config/secret-id

@@ -0,0 +1 @@
+2f56852f-f5b1-3fbc-44c0-6517b2e081a0

start-agent.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Start Vault Agent for system authentication
+vault agent -config=/home/kaffa/vault/agent.hcl

system-admin-policy.hcl

@@ -0,0 +1,18 @@
+# Policy for system with broader access
+path "secret/data/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/metadata/*" {
+  capabilities = ["list"]
+}
+
+# Allow token renewal
+path "auth/token/renew-self" {
+  capabilities = ["update"]
+}
+
+# Allow token lookup
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}

system-app-policy.hcl

@@ -0,0 +1,18 @@
+# Policy for system application
+path "secret/data/app/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/metadata/app/*" {
+  capabilities = ["list"]
+}
+
+# Allow token renewal
+path "auth/token/renew-self" {
+  capabilities = ["update"]
+}
+
+# Allow token lookup
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}

vault-agent-simple.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Vault Agent
+Documentation=https://vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault/agent.hcl
+
+[Service]
+Type=exec
+User=kaffa
+Group=kaffa
+Environment=VAULT_SKIP_VERIFY=true
+Environment=HOME=/var/lib/vault
+ExecStart=/usr/bin/vault agent -config=/etc/vault/agent.hcl
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target

vault-agent.service

@@ -0,0 +1,34 @@
+[Unit]
+Description=Vault Agent
+Documentation=https://vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault/agent.hcl
+
+[Service]
+Type=notify
+User=kaffa
+Group=kaffa
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+Environment=VAULT_SKIP_VERIFY=true
+Environment=HOME=/var/lib/vault
+ExecStart=/usr/bin/vault agent -config=/etc/vault/agent.hcl
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=60s
+StartLimitBurst=3
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target

vault-env.fish

@@ -0,0 +1,31 @@
+# Vault environment configuration for fish shell
+
+# Vault server address
+set -gx VAULT_ADDR "https://vault.anvil.it.com"
+
+# Use token from systemd service
+set -gx VAULT_TOKEN (cat /var/lib/vault/vault-token 2>/dev/null; or echo "")
+
+# Skip TLS verification if needed
+set -gx VAULT_SKIP_VERIFY true
+
+# Vault functions
+function vault-status
+    echo "Vault Address: $VAULT_ADDR"
+    set token_ttl (vault token lookup -format=json 2>/dev/null | jq -r '.data.ttl // "Invalid/Expired"')
+    echo "Token Status: $token_ttl"
+    if systemctl is-active vault-agent >/dev/null
+        echo "Agent Status: Running"
+    else
+        echo "Agent Status: Not Running"
+    end
+end
+
+function vault-refresh-token
+    set -gx VAULT_TOKEN (cat /var/lib/vault/vault-token 2>/dev/null; or echo "")
+    echo "Token refreshed from agent"
+end
+
+# Aliases
+alias vs='vault-status'
+alias vr='vault-refresh-token'

vault-env.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+# Vault environment configuration for bash/zsh
+
+# Vault server address
+export VAULT_ADDR="https://vault.anvil.it.com"
+
+# Use token from systemd service
+export VAULT_TOKEN=$(cat /var/lib/vault/vault-token 2>/dev/null || echo "")
+
+# Skip TLS verification if needed
+export VAULT_SKIP_VERIFY=true
+
+# Vault functions
+vault-status() {
+    echo "Vault Address: $VAULT_ADDR"
+    echo "Token Status: $(vault token lookup -format=json 2>/dev/null | jq -r '.data.ttl // "Invalid/Expired"')"
+    systemctl is-active vault-agent >/dev/null && echo "Agent Status: Running" || echo "Agent Status: Not Running"
+}
+
+vault-refresh-token() {
+    export VAULT_TOKEN=$(cat /var/lib/vault/vault-token 2>/dev/null || echo "")
+    echo "Token refreshed from agent"
+}
+
+alias vs='vault-status'
+alias vr='vault-refresh-token'

vault-token

@@ -0,0 +1 @@
+hvs.CAESIKu3VyY8HD8tZ1Po4vj_Lf5CwSeMIdUpJ-TcFUpMWJ53Gh4KHGh2cy43Q1Q2bmJOOGI0N3R6UG1RQkpodGpuaUY