jessequinn/Vault.md

## Vault.md

      
    Raw
  

              Vault.md
            
          
    Vault server setup

Personal guide for installing and setting up a Vault server.

Install and update required dependencies.

#!/bin/bash

sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get install -y wget
sudo apt-get install -y unzip
sudo apt-get install -y postgresql postgresql-contrib
sudo apt-get install -y nginx

# Certbot
sudo apt-get install -y software-properties-common
sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get -y update
sudo apt-get install -y python-certbot-nginx 

Fetch vault and install Vault

#!/bin/bash

cd
wget https://releases.hashicorp.com/vault/0.8.1/vault_0.8.1_linux_amd64.zip
unzip vault_*.zip
rm vault_*.zip
sudo chmod +x ./vault
sudo mv vault /usr/local/bin/vault

echo "export VAULT_ADDR=http://127.0.0.1:8200" >> /home/ubuntu/.profile
echo "export VAULT_ADDR=http://127.0.0.1:8200" >> /root/.profile

Edit /etc/postgresql/9.5/main/pg_hba.conf to allow password authentication
Restart postgresql sudo service postgresql restart
Create user and db in postgresql

CREATE DATABASE secrets;
CREATE USER vault WITH PASSWORD 'password';
GRANT ALL PRIVILEGES ON DATABASE secrets TO vault;

Sign in using previous credentials

psql -d secrets -U vault -W

Create vault table

CREATE TABLE vault_kv_store (
  parent_path TEXT COLLATE "C" NOT NULL,
  path        TEXT COLLATE "C",
  key         TEXT COLLATE "C",
  value       BYTEA,
  CONSTRAINT pkey PRIMARY KEY (path, key)
);

CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

Add vault config file /home/ubuntu/config.hcl

storage "postgresql" {
  connection_url = "postgres://vault:password@localhost:5432/secrets"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = "true"
}


Test configuration using sudo vault -config config.hcl


Create systemd unit at /etc/systemd/system/vault.service


[Unit]
Description=Unit that keeps vault server up and running

[Service]
Environment= VAULT_ADDR=http://127.0.0.1:8200
WorkingDirectory=/home/ubuntu
ExecStart=/usr/local/bin/vault server -config /home/ubuntu/config.hcl
Restart=always

[Install]
WantedBy=multi-user.target


Start vault daemon with sudo service vault start & sudo service vault status
Init vault server and store keys securely source ~/.profile & vault init
Remove NGINX default websites with sudo rm /etc/nginx/sites-*/default
Add vault NGINX website at /etc/nginx/sites-available/vault

upstream vault {
    server 127.0.0.1:8200;
    keepalive 64;
}

server {
    listen 80;
    listen [::]:80;

    server_name example.com;

    location / {
        try_files $uri @proxy_to_app;
    }

    location @proxy_to_app {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass   http://vault;
    }
}


Create site symbolic link with sudo ln -s /etc/nginx/sites-available/vault /etc/nginx/sites-enabled/vault
Restart NGINX with sudo service nginx restart
Execute Lets Encrypt's certbot with sudo certbot --nginx
Test your server endpoint by going to http://example.com/v1/sys, should be redirected to HTTPS and see vault response.
List available Firewall application with UFW sudo ufw app list
Allow SSH connection sudo ufw allow OpenSSH
Allow NGINX to handle HTTP connections sudo ufw allow 'Nginx HTTP'
Allow NGINX to handle HTTPS connections sudo ufw allow 'Nginx HTTPS'
Enable Firewall rules with sudo ufw enable
Check firewall status with sudo ufw status
Reboot server
Profit 😎!