
@dictvm
Last active December 14, 2017 15:07
# Consul agent configuration in client mode ("server": false). The entry has
# the shape of a cloud-init write_files item; ${region} and
# ${consul_encrypt_key} look like template placeholders filled in before the
# document reaches the instance (presumably Terraform; confirm).
# NOTE(review): "encrypt" carries the gossip encryption key. This entry sets
# neither `permissions` nor `owner`, so the file gets the writer's default
# mode (0644 in cloud-init; confirm for the version in use) and is readable by
# every local account. Tightening it needs an owner or group that already
# exists when the file is written and that the consul service user can read
# as. The key is also embedded in the rendered user-data itself.
- path: '/etc/consul.d/consul.json'
  content: |
    {
      "acl_datacenter":"${region}",
      "datacenter": "${region}",
      "log_level": "INFO",
      "server": false,
      "leave_on_terminate": true,
      "encrypt":"${consul_encrypt_key}",
      "data_dir":"/var/lib/consul",
      "telemetry": {
        "statsd_address": "127.0.0.1:9125"
      }
    }
# Consul TLS settings: outgoing connections and incoming RPC are verified
# against CA.crt; incoming HTTPS API connections are not ("verify_incoming":
# false).
# NOTE(review): "verify_server_hostname" is not set in this file. With only
# "verify_outgoing", any certificate signed by this CA is accepted as a
# server; confirm whether the option is enabled in another file under
# /etc/consul.d and whether the server certificates carry the required name.
# NOTE(review): CA.crt, Consul.crt and Consul.key are referenced but not
# written by this document; check the private key's mode where it is
# provisioned.
- path: '/etc/consul.d/tls.json'
  content: |
    {
      "ca_file": "/etc/consul.d/CA.crt",
      "cert_file": "/etc/consul.d/Consul.crt",
      "key_file": "/etc/consul.d/Consul.key",
      "verify_incoming": false,
      "verify_incoming_rpc": true,
      "verify_outgoing": true
    }
# Login-shell profile snippet that points the Vault CLI at the TLS-disabled
# listener on port 8300 defined in /etc/vault.d/config.hcl. Tokens and secrets
# sent to this address travel unencrypted, so that listener should be
# reachable over loopback only.
- path: '/etc/profile.d/vault.sh'
  content: |
    #!/bin/bash
    export VAULT_ADDR='http://127.0.0.1:8300'
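# Vault server configuration: Consul storage through the local agent, a TLS
# listener on 8200 (cluster traffic on 8201) and a second, TLS-disabled
# listener on 8300 for the local CLI.
# The plaintext listener is bound to 127.0.0.1 instead of 0.0.0.0: its own
# comment and VAULT_ADDR in /etc/profile.d/vault.sh both describe local-only
# access, and a tls_disable listener on every interface would expose tokens
# and secrets in cleartext to any host that can reach port 8300.
# NOTE(review): disable_mlock = "true" lets Vault's memory be swapped to disk,
# although vault.service is set up to grant CAP_IPC_LOCK. Confirm whether mlock
# can be enabled on the target image, or that swap is disabled or encrypted.
# NOTE(review): redirect_addr names a "consul." host; it is the address Vault
# advertises to clients for redirects, so confirm it resolves to Vault.
- path: /etc/vault.d/config.hcl
  content: |
    storage "consul" {
      address = "localhost:8500" # local agent
      redirect_addr = "https://consul.whatever.cloud:443"
      path = "vault"
    }
    listener "tcp" {
      address = "0.0.0.0:8200"
      cluster_address = "0.0.0.0:8201"
      tls_cert_file = "/etc/vault.d/Vault.crt"
      tls_key_file = "/etc/vault.d/Vault.key"
    }
    listener "tcp" {
      address = "127.0.0.1:8300" # local vault cli/api access
      tls_disable = 1
    }
    telemetry {
      statsd_address = "127.0.0.1:9125"
      disable_hostname = true
    }
    disable_mlock = "true"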
# systemd unit that runs Vault as the unprivileged vault user with a sandbox
# (PrivateDevices, PrivateTmp, ProtectSystem, ProtectHome, NoNewPrivileges)
# and a bounding set limited to CAP_SYSLOG and CAP_IPC_LOCK.
# After= orders the unit behind consul-agent.service but does not pull it in;
# there is no Requires= or Wants= on the Consul agent.
# NOTE(review): newer systemd releases dropped the Capabilities= directive in
# favour of AmbientCapabilities=; confirm which one the target image honours.
# /etc/vault.d/config.hcl sets disable_mlock = "true", so CAP_IPC_LOCK is not
# exercised as configured.
- path: '/etc/systemd/system/vault.service'
  content: |
    [Unit]
    Description=Vault service
    Requires=network-online.target
    After=network-online.target consul-agent.service
    [Service]
    User=vault
    Group=vault
    PrivateDevices=yes
    PrivateTmp=yes
    ProtectSystem=full
    ProtectHome=read-only
    SecureBits=keep-caps
    Capabilities=CAP_IPC_LOCK+ep
    CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
    NoNewPrivileges=yes
    ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/config.hcl
    KillSignal=SIGINT
    TimeoutStopSec=30s
    Restart=on-failure
    StartLimitInterval=60s
    StartLimitBurst=3
    [Install]
    WantedBy=multi-user.target
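# systemd unit for the Consul client agent. The configuration directory is
# validated before start, and the agent joins the cluster through cloud
# auto-join on AWS instances tagged App=consul.
# After= now names network-online.target, matching the Requires= line and
# vault.service: Requires= alone pulls the target in without ordering the
# unit behind it.
# NOTE(review): unlike vault.service this unit sets no sandboxing options
# (PrivateTmp, ProtectSystem, NoNewPrivileges); consider adding them once
# they are verified against the agent's data_dir and config paths.
# NOTE(review): with retry-join by tag, an instance able to carry the
# App=consul tag becomes a join target; gossip encryption and TLS in
# /etc/consul.d are what gate membership.
- path: /etc/systemd/system/consul-agent.service
  content: |
    [Unit]
    Description=Consul service discovery agent
    Requires=network-online.target
    After=network-online.target
    [Service]
    User=consul
    Group=consul
    Restart=on-failure
    Environment=GOMAXPROCS=2
    ExecStartPre=/usr/local/bin/consul validate /etc/consul.d
    ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d -retry-join 'provider=aws tag_key=App tag_value=consul'
    ExecReload=/bin/kill -s HUP $MAINPID
    KillSignal=SIGINT
    TimeoutStopSec=5
    [Install]
    WantedBy=multi-user.target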