commit 8cb0384c54d945b0ce84d3dec40b5bd37a06d71b
Author: kaffa
Date: Thu Sep 11 17:08:03 2025 +0900
Initial vault agent configuration
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
new file mode 100644
index 0000000..698069e
--- /dev/null
+++ b/.claude/settings.local.json
@@ -0,0 +1,8 @@
+{
+ "enabledMcpjsonServers": [
+ "context7",
+ "sequential-thinking",
+ "playwright",
+ "cloudflare"
+ ]
+}
\ No newline at end of file
diff --git a/.mcp.json b/.mcp.json
new file mode 120000
index 0000000..4004a49
--- /dev/null
+++ b/.mcp.json
@@ -0,0 +1 @@
+/home/kaffa/.mcp.json
\ No newline at end of file
diff --git a/agent.hcl b/agent.hcl
new file mode 100644
index 0000000..cdcd2a4
--- /dev/null
+++ b/agent.hcl
@@ -0,0 +1,31 @@
+pid_file = "/home/kaffa/vault/pidfile"
+
+vault {
+ address = "https://vault.anvil.it.com"
+}
+
+auto_auth {
+ method "approle" {
+ config = {
+ role_id_file_path = "/home/kaffa/vault/config/role-id"
+ secret_id_file_path = "/home/kaffa/vault/config/secret-id"
+ remove_secret_id_file_after_reading = false
+ }
+ }
+
+ sink "file" {
+ config = {
+ path = "/home/kaffa/vault/vault-token"
+ mode = 0644
+ }
+ }
+}
+
+cache {
+ use_auto_auth_token = true
+}
+
+listener "tcp" {
+ address = "127.0.0.1:8007"
+ tls_disable = true
+}
\ No newline at end of file
diff --git a/config/role-id b/config/role-id
new file mode 100644
index 0000000..01c2687
--- /dev/null
+++ b/config/role-id
@@ -0,0 +1 @@
+157548e1-5dd3-7cdc-2da4-5c9fdd92d39e
\ No newline at end of file
diff --git a/config/secret-id b/config/secret-id
new file mode 100644
index 0000000..d36f83c
--- /dev/null
+++ b/config/secret-id
@@ -0,0 +1 @@
+2f56852f-f5b1-3fbc-44c0-6517b2e081a0
\ No newline at end of file
diff --git a/start-agent.sh b/start-agent.sh
new file mode 100755
index 0000000..bcc14c7
--- /dev/null
+++ b/start-agent.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Start Vault Agent for system authentication
+vault agent -config=/home/kaffa/vault/agent.hcl
\ No newline at end of file
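Review bot: The `sink "file"` block in agent.hcl writes the agent's Vault token with `mode = 0644`, so every local account on the host can read it; `mode = 0600` restricts the token to the user the agent runs as. The `listener "tcp"` on 127.0.0.1:8007 with `tls_disable = true`, combined with `use_auto_auth_token = true` in `cache`, means any local process that can connect to that port can make Vault requests that carry the auto-auth token, which should at least be stated as intended in the file, e.g. `# local proxy: requests on 8007 without a token are sent with the agent token`. `remove_secret_id_file_after_reading = false` also keeps the secret-id on disk for the life of the host; if nothing re-provisions it for re-authentication that may be required, but then the file's permissions should be as tight as the token sink's.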
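Review bot: config/secret-id commits the AppRole secret-id (and config/role-id the role-id) into the repository, and the vault-token hunk at the end of this page commits a live `hvs.` token as well; once these are in git history they have to be treated as exposed, so the secret-id should be regenerated, the token revoked, and all three files removed from tracking rather than just deleted in a later commit. agent.hcl's `secret_id_file_path` and the sink `path` expect these files on the host at runtime, which is exactly why they should be delivered out of band at deploy time (response-wrapped secret-id, or written by the provisioning step) and never checked in. Adding `config/role-id`, `config/secret-id` and `vault-token` to a `.gitignore` in the same commit prevents a repeat.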
diff --git a/system-admin-policy.hcl b/system-admin-policy.hcl
new file mode 100644
index 0000000..3967f65
--- /dev/null
+++ b/system-admin-policy.hcl
@@ -0,0 +1,18 @@
+# Policy for system with broader access
+path "secret/data/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/metadata/*" {
+ capabilities = ["list"]
+}
+
+# Allow token renewal
+path "auth/token/renew-self" {
+ capabilities = ["update"]
+}
+
+# Allow token lookup
+path "auth/token/lookup-self" {
+ capabilities = ["read"]
+}
\ No newline at end of file
diff --git a/system-app-policy.hcl b/system-app-policy.hcl
new file mode 100644
index 0000000..1823a37
--- /dev/null
+++ b/system-app-policy.hcl
@@ -0,0 +1,18 @@
+# Policy for system application
+path "secret/data/app/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "secret/metadata/app/*" {
+ capabilities = ["list"]
+}
+
+# Allow token renewal
+path "auth/token/renew-self" {
+ capabilities = ["update"]
+}
+
+# Allow token lookup
+path "auth/token/lookup-self" {
+ capabilities = ["read"]
+}
\ No newline at end of file
diff --git a/vault-agent-simple.service b/vault-agent-simple.service
new file mode 100644
index 0000000..babe395
--- /dev/null
+++ b/vault-agent-simple.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Vault Agent
+Documentation=https://vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault/agent.hcl
+
+[Service]
+Type=exec
+User=kaffa
+Group=kaffa
+Environment=VAULT_SKIP_VERIFY=true
+Environment=HOME=/var/lib/vault
+ExecStart=/usr/bin/vault agent -config=/etc/vault/agent.hcl
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/vault-agent.service b/vault-agent.service
new file mode 100644
index 0000000..bd95f42
--- /dev/null
+++ b/vault-agent.service
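Review bot: system-admin-policy.hcl grants `create`, `update` and `delete` over the entire `secret/data/*` mount, while system-app-policy.hcl in the next hunk is scoped to `secret/data/app/*`, and the header `# Policy for system with broader access` does not say which role or token is meant to carry the broader policy or why the app scope is insufficient. If it ends up attached to the same AppRole the agent logs in with, the unauthenticated 127.0.0.1:8007 listener in agent.hcl would expose that mount-wide scope to every local process, so the binding matters. Suggest stating the intended consumer in the header, e.g. `# Bound to: <role name placeholder> — needed because: <reason placeholder>`, so the scope can be reviewed against an actual need.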
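Review bot: `Environment=VAULT_SKIP_VERIFY=true` in vault-agent-simple.service disables certificate verification for the connection to the `https://` address the agent authenticates against, so the AppRole login and every secret the agent fetches are only as protected as the DNS path to vault.anvil.it.com. The same line appears in vault-agent.service in the next hunk, and the `export VAULT_SKIP_VERIFY=true` in vault-env.sh and `set -gx VAULT_SKIP_VERIFY true` in vault-env.fish carry it into interactive shells. If the server uses a private CA, trust that CA instead and drop the skip-verify line in all four files, e.g. `Environment=VAULT_CACERT=/etc/vault/ca.pem` (path is a placeholder). Both unit files also share `Description=Vault Agent` and the same ExecStart; if the simple unit is kept as a fallback, a comment saying when it is meant to be used instead of the hardened one would help the next maintainer.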
@@ -0,0 +1,34 @@
+[Unit]
+Description=Vault Agent
+Documentation=https://vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault/agent.hcl
+
+[Service]
+Type=notify
+User=kaffa
+Group=kaffa
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+Environment=VAULT_SKIP_VERIFY=true
+Environment=HOME=/var/lib/vault
+ExecStart=/usr/bin/vault agent -config=/etc/vault/agent.hcl
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=60s
+StartLimitBurst=3
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/vault-env.fish b/vault-env.fish
new file mode 100644
index 0000000..4fb6bfb
--- /dev/null
+++ b/vault-env.fish
@@ -0,0 +1,31 @@
+# Vault environment configuration for fish shell
+
+# Vault server address
+set -gx VAULT_ADDR "https://vault.anvil.it.com"
+
+# Use token from systemd service
+set -gx VAULT_TOKEN (cat /var/lib/vault/vault-token 2>/dev/null; or echo "")
+
+# Skip TLS verification if needed
+set -gx VAULT_SKIP_VERIFY true
+
+# Vault functions
+function vault-status
+ echo "Vault Address: $VAULT_ADDR"
+ set token_ttl (vault token lookup -format=json 2>/dev/null | jq -r '.data.ttl // "Invalid/Expired"')
+ echo "Token Status: $token_ttl"
+ if systemctl is-active vault-agent >/dev/null
+ echo "Agent Status: Running"
+ else
+ echo "Agent Status: Not Running"
+ end
+end
+
+function vault-refresh-token
+ set -gx VAULT_TOKEN (cat /var/lib/vault/vault-token 2>/dev/null; or echo "")
+ echo "Token refreshed from agent"
+end
+
+# Aliases
+alias vs='vault-status'
+alias vr='vault-refresh-token'
\ No newline at end of file
diff --git a/vault-env.sh b/vault-env.sh
new file mode 100644
index 0000000..c484c31
--- /dev/null
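Review bot: vault-agent.service sets `ProtectHome=yes` and `HOME=/var/lib/vault`, and the shell helpers on this page read /var/lib/vault/vault-token, but the committed agent.hcl places its pid file, role-id, secret-id and token sink under /home/kaffa/vault/; if that is the config deployed as /etc/vault/agent.hcl, the sandbox would block the sink write and the helpers would read a file that is never produced. The unit loads /etc/vault/agent.hcl, which may be a separate copy with different paths — if so, the repository should say which one is authoritative. If the /var/lib/vault layout is the intent, aligning agent.hcl, e.g. `path = "/var/lib/vault/vault-token"` and `pid_file = "/var/lib/vault/pidfile"`, keeps the hardening directives effective instead of forcing someone to relax `ProtectHome` later.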
+++ b/vault-env.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Vault environment configuration for bash/zsh
+
+# Vault server address
+export VAULT_ADDR="https://vault.anvil.it.com"
+
+# Use token from systemd service
+export VAULT_TOKEN=$(cat /var/lib/vault/vault-token 2>/dev/null || echo "")
+
+# Skip TLS verification if needed
+export VAULT_SKIP_VERIFY=true
+
+# Vault functions
+vault-status() {
+ echo "Vault Address: $VAULT_ADDR"
+ echo "Token Status: $(vault token lookup -format=json 2>/dev/null | jq -r '.data.ttl // "Invalid/Expired"')"
+ systemctl is-active vault-agent >/dev/null && echo "Agent Status: Running" || echo "Agent Status: Not Running"
+}
+
+vault-refresh-token() {
+ export VAULT_TOKEN=$(cat /var/lib/vault/vault-token 2>/dev/null || echo "")
+ echo "Token refreshed from agent"
+}
+
+alias vs='vault-status'
+alias vr='vault-refresh-token'
\ No newline at end of file
diff --git a/vault-token b/vault-token
new file mode 100644
index 0000000..1a37962
--- /dev/null
+++ b/vault-token
@@ -0,0 +1 @@
+hvs.CAESIKu3VyY8HD8tZ1Po4vj_Lf5CwSeMIdUpJ-TcFUpMWJ53Gh4KHGh2cy43Q1Q2bmJOOGI0N3R6UG1RQkpodGpuaUY
\ No newline at end of file
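Review bot: vault-env.sh carries a `#!/bin/bash` shebang, yet its exports, functions and aliases only take effect when the file is sourced, so executing it does nothing visible; a header such as `# Usage: source /path/to/vault-env.sh — do not execute` would prevent that confusion, and the `export VAULT_TOKEN=$(...)` form hides `cat`'s exit status (ShellCheck SC2155), though the `|| echo ""` makes it harmless here. Exporting the token into the shell environment also hands it to every child process started from that shell; since agent.hcl on this page already declares a listener on 127.0.0.1:8007 with `use_auto_auth_token = true`, the CLI could instead be pointed at the agent with `export VAULT_AGENT_ADDR=http://127.0.0.1:8007` and `VAULT_TOKEN` left unset, provided that listener is the one actually deployed. The `&& echo … || echo …` on the `systemctl is-active` line is used as if/else; an explicit `if` avoids printing "Not Running" when only the first `echo` fails.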