Alex Henning Johannessen ahjohannessen

@kawsark
kawsark / vault-agent-pki
Last active December 20, 2023 12:50
Vault Agent with PKI certificate rendering
### Configure variables
These variables will be used for this snippet. Please substitute accordingly.
```bash
export RootCAName="root_ca"
export InterCAName="inter_ca"
export CommonName="hashidemos.io"
export InterCommonName="inter.hashidemos.io"
export Root_CA_ttl="730h"
export Inter_CA_ttl="350h"
export Cert_ttl="8h"
@xirkus
xirkus / yubikey+gpupgp+ssh_howto.md
Last active March 10, 2024 13:17
Security Adventures 1. How to get yubikey+gpg+ssh+GitHub working on macOS

I've spent the day trying to get this setup working with GitHub and given the number of gotchas I encountered, it seemed like a good idea to document how I finally got this working with as few hacks as possible. There's a lot of documentation out there (some of it old and misleading) and committing here for posterity will help me remember this when I inevitably need to do this again.

Rationale

Passwords are simply not enough these days. Regardless of the company, breaches (and the associated Personally Identifiable Information harvested) are a matter of not if, but when. There are a number of things you can do to protect yourself, but being on the tin-foil-hat side of paranoia means there are a few Commandments that I adhere to (and recommend for other folks)[Insert link to Fight Club Rules for the Secure Internet].

That being said, if you use 2-factor authentication and have committed to using a hardware token such as the Yubikey, then you're already ahead of the curve. The problem is that wh

@mikegreen
mikegreen / vault_raft_bu_restore_example.sh
Last active February 16, 2021 15:25
Vault raft snapshot backup and restore quick demo
# 2020-06-23
# this shows creating a Vault instance running integrated storage/raft,
# then adding a KV and taking a snapshot
# then kill the raft DB files to simulate a storage failure
# repeat new Vault instance, restore snapshot, unseal and auth with orig keys
# and read some data to show how backup/restore works
# not meant to be a live script to run!
# this uses the vault_config.hcl from https://gist.github.com/mikegreen/c2df5eea2283f0dbc5f3a5d3650536fd

Create Root CA (Done once)

Create Root Key

Attention: this is the key used to sign the certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096
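The warning above is the whole point of a root key, so here is an added example (written for this page, not part of the gist) that shows it concretely with openssl: a root CA, a leaf it signs, a leaf signed by a second "rogue" CA, and `openssl verify` against the real root. Whatever is signed with rootCA.key verifies, including a name you never intended to issue; a certificate from any other key does not. Directory layout, common names and the ROOT_KEY_PASS variable are placeholders, and the key is encrypted with -aes256 rather than the gist's -des3, since 3DES is deprecated.

```shell
#!/usr/bin/env bash
# Added example, not the gist's own code: a root CA, a leaf it issues, a leaf
# issued by a second "rogue" CA, and openssl verify against the real root.
# Directory layout, common names and the passphrase variable are placeholders.
set -eu

# Passphrase protecting the root key at rest (placeholder; a real CA keeps the
# key offline or in an HSM). -aes256 is used instead of the gist's legacy -des3.
ROOT_KEY_PASS="${ROOT_KEY_PASS:-change-me-demo-passphrase}"

# Root key and self-signed root certificate in $1 with subject CN $2.
# umask 077 makes the key mode 0600 from the moment it is written.
make_root_ca() {
  dir="$1"; cn="${2:-Demo Root CA}"
  mkdir -p "$dir"
  (umask 077 && openssl genrsa -aes256 -passout "pass:$ROOT_KEY_PASS" \
      -out "$dir/rootCA.key" 4096 2>/dev/null)
  openssl req -x509 -new -key "$dir/rootCA.key" -passin "pass:$ROOT_KEY_PASS" \
      -sha256 -days 3650 -subj "/CN=$cn" -out "$dir/rootCA.crt" 2>/dev/null
}

# Leaf key + CSR for common name $2, signed by the CA in $1 -> $1/$2.crt.
issue_leaf_cert() {
  dir="$1"; cn="$2"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$cn.key" \
      -out "$dir/$cn.csr" -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/rootCA.crt" \
      -CAkey "$dir/rootCA.key" -passin "pass:$ROOT_KEY_PASS" -CAcreateserial \
      -days 30 -sha256 -out "$dir/$cn.crt" 2>/dev/null
}

# Prints OK when certificate $2 chains to the root certificate $1, else FAIL.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Succeeds when the root key in $1 is stored encrypted (PEM header says ENCRYPTED).
root_key_is_encrypted() { grep -q ENCRYPTED "$1/rootCA.key"; }

# The trust boundary is the key: anything signed with rootCA.key verifies,
# whatever name it carries; a cert from any other key does not.
demo() {
  work="$1"
  make_root_ca "$work/ca"
  make_root_ca "$work/rogue" "Rogue Root CA"
  issue_leaf_cert "$work/ca"    app.example.test
  issue_leaf_cert "$work/ca"    evil.example.test   # same key: also trusted
  issue_leaf_cert "$work/rogue" app.example.test    # other key: rejected
  echo "legit: $(verify_against "$work/ca/rootCA.crt" "$work/ca/app.example.test.crt")"
  echo "evil : $(verify_against "$work/ca/rootCA.crt" "$work/ca/evil.example.test.crt")"
  echo "rogue: $(verify_against "$work/ca/rootCA.crt" "$work/rogue/app.example.test.crt")"
}

if [ "${1:-}" = "--demo" ]; then
  demo "$(mktemp -d)"
fi
```

Run with `--demo` to see the three verdicts; the "evil" line is the one the warning is about, since the root never checks what name it is asked to sign.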
@johnynek
johnynek / sortmerge.scala
Last active October 14, 2022 10:32
merge sorted streams with fs2
import fs2.{Chunk, Stream, Pull}
import cats.collections.Heap
import cats.implicits._
object SortMerge {
def sortMerge[F[_], A: Ordering](streams: List[Stream[F, A]]): Stream[F, A] = {
implicit val ord: cats.Order[Stream.StepLeg[F, A]] =
new cats.Order[Stream.StepLeg[F, A]] {
val ordA = implicitly[Ordering[A]]
job "minio" {
datacenters = ["dc1"]
type = "service"
group "minio1" {
ephemeral_disk {
size = 10000
sticky = true
migrate = false
}
@tPl0ch
tPl0ch / Main.sc
Last active February 15, 2022 18:16
Message-Driven Finite-State-Transducer Domain-Driven-Design Aggregate
import cats.instances.either._
import Transducer.run
import UserRegistration._
object Main extends App {
private val commands = List(GDPRDeletion, StartRegistration, StartRegistration, ConfirmAccount, GDPRDeletion)
run(userRegistration)(commands).foreach(println)
// OUTPUT
@kawsark
kawsark / example-vault-admin-policy.hcl
Last active March 4, 2024 11:01
An example Vault admin policy with capability to manage leases
# Allow managing leases
path "sys/leases/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# Manage auth methods broadly across Vault
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
@SystemFw
SystemFw / groupBy.scala
Created July 9, 2018 10:32
fs2 `groupBy/partitions`
// Grows with the number of distinct `K`
def partitions[F[_], A, K](selector: A => F[K])(implicit F: Effect[F], ec: ExecutionContext) : Pipe[F, A, (K, Stream[F, A])] = in =>
Stream.eval(async.refOf[F, Map[K, Queue[F, Option[A]]]](Map.empty)).flatMap { st =>
val cleanup = {
import alleycats.std.all._
st.get.flatMap(_.traverse_(_.enqueue1(None)))
}
(in ++ Stream.eval_(cleanup)).evalMap { el =>
(selector(el), st.get).mapN { (key, queues) =>
@greenbrian
greenbrian / vault-token-role-via-api.sh
Last active January 23, 2024 15:10
HashiCorp Vault Token Role overview
# start vault in dev mode
VAULT_UI=true vault server -dev -dev-root-token-id="password"
# write some secrets for our example usage
curl --request POST \
--silent \
--header "X-Vault-Token: password" \
--header "Content-Type: application/json" \
--data '{ "options": { "cas": 0 }, "data": { "username": "administrator", "password": "hunter2" } }' \
http://127.0.0.1:8200/v1/secret/data/dev | jq '.'