Last active
August 21, 2020 13:51
-
-
Save devops-rob/513c1ce9ec9c236be2ca6c5e99017e37 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| declare -a packages=("wget" "setroubleshoot-server" "selinux-policy-devel" "unzip" "openssl" "openssl-devel") | |
| function packagereqchecker { | |
| for app in "${packages[@]}"; | |
| do | |
| echo $app | |
| if yum list installed $app 2>&1 > /dev/null; | |
| then | |
| echo "$app is already installed" | |
| else | |
| yum install $app -y > /dev/null | |
| fi | |
| done | |
| } | |
| function vault_install { | |
| if vault; then | |
| echo "Vault is already installed" | |
| else | |
| VAULT_VERSION="1.5.0" | |
| wget -O vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip | |
| unzip vault.zip | |
| chown root:root vault | |
| mv vault /usr/local/bin/ | |
| vault -autocomplete-install | |
| complete -C /usr/local/bin/vault vault | |
| sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault | |
| fi | |
| } | |
| function vault_user { | |
| if id "vault" > /dev/null 2>&1; then | |
| echo "vault user already exists" | |
| else | |
| sudo useradd --system --home /etc/vault.d --shell /bin/false vault | |
| fi | |
| } | |
| function vault_systemd_config { | |
| if [ -f /etc/systemd/system/vault.service ]; then | |
| echo "vault service is already configured" | |
| else | |
| sudo touch sudo /etc/systemd/system/vault.service | |
| sudo cat > /etc/systemd/system/vault.service <<EOF | |
| [Unit] | |
| Description="HashiCorp Vault - A tool for managing secrets" | |
| Documentation=https://www.vaultproject.io/docs/ | |
| Requires=network-online.target | |
| After=network-online.target | |
| ConditionFileNotEmpty=/etc/vault.d/vault.hcl | |
| [Service] | |
| User=vault | |
| Group=vault | |
| ProtectSystem=full | |
| ProtectHome=read-only | |
| PrivateTmp=yes | |
| PrivateDevices=yes | |
| SecureBits=keep-caps | |
| AmbientCapabilities=CAP_IPC_LOCK | |
| Capabilities=CAP_IPC_LOCK+ep | |
| CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK | |
| NoNewPrivileges=yes | |
| ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl | |
| ExecReload=/bin/kill --signal HUP $MAINPID | |
| KillMode=process | |
| KillSignal=SIGINT | |
| Restart=on-failure | |
| RestartSec=5 | |
| TimeoutStopSec=30 | |
| StartLimitIntervalSec=60 | |
| StartLimitBurst=3 | |
| LimitNOFILE=65536 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| systemctl daemon-reload | |
| fi | |
| } | |
| function vault_config { | |
| sudo mkdir -p /etc/vault.d/tls | |
| sudo touch /etc/vault.d/vault.hcl | |
| sudo chown -R vault:vault /etc/vault.d | |
| sudo chmod 644 /etc/vault.d/vault.hcl | |
| } | |
| function consul_systemd_config { | |
| if [ -f /etc/systemd/system/consul.service ]; then | |
| echo "consul service is already configured" | |
| else | |
| sudo touch sudo /etc/systemd/system/consul.service | |
| sudo cat > /etc/systemd/system/consul.service <<EOF | |
| [Unit] | |
| Description=Consul client agent | |
| Requires=network-online.target | |
| After=network-online.target | |
| [Service] | |
| User=consul | |
| Group=consul | |
| PIDFile=/var/run/consul | |
| PermissionsStartOnly=true | |
| ExecStartPre=-/bin/mkdir -p /opt/consul | |
| ExecStartPre=-/bin/chown -R consul:consul /opt/consul | |
| ExecStartPre=-/bin/mkdir -p /var/run/consul | |
| ExecStartPre=/bin/chown -R consul:consul /var/run/consul | |
| ExecStart=/usr/local/bin/consul agent -config-file=/etc/consul.d/consul.hcl -pid-file=/var/run/consul/consul.pid | |
| ExecReload=/bin/kill -HUP $MAINPID | |
| KillMode=process | |
| KillSignal=SIGTERM | |
| Restart=on-failure | |
| RestartSec=42s | |
| LimitNOFILE=65536 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| fi | |
| systemctl daemon-reload | |
| } | |
| function consul_user { | |
| if id "consul" > /dev/null 2>&1; then | |
| echo "consul user already exists" | |
| else | |
| sudo mkdir -p /etc/consul.d/tls | |
| sudo touch /etc/consul.d/consul.hcl | |
| sudo chown -R consul:consul /etc/consul.d | |
| sudo chmod 644 /etc/consul.d/vault.hcl | |
| sudo useradd --system --home /etc/consul.d --shell /bin/false consul | |
| fi | |
| if [ ! -d /opt/consul ]; then | |
| sudo mkdir -p /opt/consul | |
| sudo chown -R consul:consul /opt/consul | |
| sudo chmod -R 644 /opt/consul | |
| fi | |
| } | |
| function consul_agent_installer { | |
| if consul; then | |
| echo "consul is already installed" | |
| else | |
| CONSUL_VERSION="1.6.0" | |
| wget -O consul.zip https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_amd64.zip | |
| unzip consul.zip | |
| chown root:root consul | |
| mv consul /usr/local/bin/ | |
| consul -autocomplete-install | |
| complete -C /usr/local/bin/consul consul | |
| fi | |
| } | |
| packagereqchecker | |
| vault_install | |
| vault_config | |
| vault_user | |
| vault_systemd_config | |
| consul_agent_installer | |
| consul_systemd_config | |
| consul_user |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment