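#!/usr/bin/env bash
#
# install-vault.sh — install HashiCorp Vault for the detected distribution,
# write a default single-node raft configuration, start the server and
# (optionally) initialise it, saving the unseal keys / root token to a file.
#
# Usage:    bash install-vault.sh          (interactive: prompts on the terminal)
# Requires: sudo privilege (package installation), curl, timeout.
#
# The original script declared #!/bin/sh but relied on bash-only features
# ([[ ]], &>, <<<, read -p, =~); the shebang now matches the code.
set -euo pipefail

cat <<'EOF'
_ _ _ _ _ _ _
(_)_ __ ___| |_ __ _| | | __ ____ _ _ _| | |_ ___| |__
| | '_ \/ __| __/ _` | | |____\ \ / / _` | | | | | __| / __| '_ \
| | | | \__ \ || (_| | | |_____\ V / (_| | |_| | | |_ _\__ \ | | | |
|_|_| |_|___/\__\__,_|_|_| \_/ \__,_|\__,_|_|\__(_)___/_| |_|
EOF

# ---- Script Configuration ----------------------------------------------------
# Parent directory of HashiCorp Vault (where sealed / encrypted data is stored
# on disk). config.hcl uses a path relative to this directory, so the server
# must be started from here — main() cd's into it before anything else.
PARENT_DIR=~/hashicorp/
SECRET_SHARES=5
SECRET_THRESHOLD=3

readonly VAULT_ADDR_LOCAL="http://127.0.0.1:8200"
readonly SECRET_FILE="./.vault_secret.json"
readonly RULE="============================================================="

#######################################
# Print the horizontal rule used around banner-style messages.
#######################################
rule() { printf '%s\n' "$RULE"; }

#######################################
# is_positive_int VALUE
# Returns 0 if VALUE is a non-empty string of digits greater than zero.
# Replaces the original `[ $input -eq $input 2>/dev/null ]` trick, which also
# accepted 0 and negative numbers; both are rejected by Vault at init time.
#######################################
is_positive_int() {
  [[ "$1" =~ ^[0-9]+$ ]] && (( $1 > 0 ))
}

#######################################
# prompt_int PROMPT DEFAULT
# Read a value from the terminal; print DEFAULT when the input is empty or
# not a positive integer, otherwise print the input. Result on stdout.
#######################################
prompt_int() {
  local prompt=$1 default=$2 input
  read -r -p "$prompt" input
  input=${input:-$default}
  if is_positive_int "$input"; then
    printf '%s\n' "$input"
  else
    printf '%s\n' "$default"
  fi
}

#######################################
# detect_os
# Print the ID= value from /etc/*release (e.g. ubuntu, centos, amzn) with the
# surrounding quotes removed. Prints an empty line if nothing matches.
#######################################
detect_os() {
  local id
  # -h drops the "filename:" prefix grep adds when several files match;
  # `|| true` keeps a no-match from tripping set -e / pipefail.
  id=$(grep -hE '^ID=' /etc/*release 2>/dev/null | head -n1 | cut -d= -f2 || true)
  id=${id%\"}
  id=${id#\"}
  printf '%s\n' "$id"
}

#######################################
# install_vault
# Add the HashiCorp package repository for the detected distribution and
# install the vault package.
# Returns: 0 if `vault` is on PATH afterwards, 1 otherwise.
#######################################
install_vault() {
  local os
  os=$(detect_os)
  case "$os" in
    *amzn*)
      rule; echo "Detected OS: Amazon Linux"; rule
      sudo yum install -y yum-utils
      sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
      sudo yum -y install vault
      ;;
    *ubuntu*)
      rule; echo "Detected OS: Ubuntu"; rule
      # apt-key is deprecated (absent on recent releases) and adds the key to
      # the global apt trust store. Keep the HashiCorp key in its own keyring
      # and scope it to this one source with signed-by.
      curl -fsSL https://apt.releases.hashicorp.com/gpg \
        | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
      echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
        | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null
      sudo apt-get update && sudo apt-get install -y vault
      ;;
    *centos*|*rhel*)
      # Both use the RHEL repository; only the label differs.
      rule
      if [[ "$os" == *centos* ]]; then echo "Detected OS: CentOS"; else echo "Detected OS: RedHat"; fi
      rule
      sudo yum install -y yum-utils
      sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
      sudo yum -y install vault
      ;;
    *fedora*)
      rule; echo "Detected OS: Fedora"; rule
      sudo dnf install -y dnf-plugins-core
      sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/fedora/hashicorp.repo
      sudo dnf -y install vault
      ;;
    *)
      rule
      echo "Please navigate to Hashicorp website and"
      echo "download the appropriate binary."
      rule
      ;;
  esac

  if command -v vault >/dev/null 2>&1; then
    echo "SUCCESS ::: Installed Hashicorp Vault"
    return 0
  fi
  echo "ERROR ::: Failed to install" >&2
  return 1
}

#######################################
# write_config
# Write a minimal single-node raft configuration to ./config.hcl and print it.
#
# tls_disable = 1 means every API call — including the root token returned by
# /v1/sys/init — travels in plaintext. The listener is therefore bound to
# loopback only. The original bound 0.0.0.0, which exposed an unencrypted
# Vault API and UI to every host that could reach port 8200. To serve remote
# clients, configure tls_cert_file / tls_key_file and widen the address
# deliberately.
#######################################
write_config() {
  cat > config.hcl <<'EOF'
ui = true
disable_mlock = true
storage "raft" {
  path    = "./vault/data"
  node_id = "node1"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
EOF
  rule; echo "config.hcl"; rule
  cat config.hcl
  rule
}

#######################################
# start_server
# Launch `vault server` in the background and wait (up to ~10 s) for the API
# to answer. The original wrapped the server in $(...) and discarded its
# output; here output goes to ./vault.log so a failed start can be diagnosed.
# The server keeps running after this script exits.
# Returns: 0 once /v1/sys/seal-status responds, 1 on timeout.
#######################################
start_server() {
  local _i
  vault server -config=config.hcl >vault.log 2>&1 &
  for _i in {1..20}; do
    # seal-status answers even before initialisation, so it is a safe probe.
    if curl -fs -o /dev/null "$VAULT_ADDR_LOCAL/v1/sys/seal-status"; then
      return 0
    fi
    sleep 0.5
  done
  echo "ERROR ::: Vault did not become reachable at $VAULT_ADDR_LOCAL (see vault.log)" >&2
  return 1
}

#######################################
# init_vault
# POST the chosen shares/threshold to /v1/sys/init and save the response
# (unseal key shares + initial root token) to SECRET_FILE.
# Globals: SECRET_SHARES, SECRET_THRESHOLD (read; validated positive ints)
#
# The file is created under umask 077 (in a subshell, so the script's umask is
# untouched), so it is owner-readable only from the moment it exists. The
# response is no longer echoed to the terminal: it would otherwise persist in
# scrollback, terminal loggers and screen recordings. Read SECRET_FILE instead.
# Returns: 0 on success; 1 (and removes the partial file) if the request fails,
# e.g. because Vault is already initialised.
#######################################
init_vault() {
  local payload
  payload=$(printf '{"secret_shares":%d,"secret_threshold":%d}' \
    "$SECRET_SHARES" "$SECRET_THRESHOLD")
  if ( umask 077 && curl -fsS --request POST --data "$payload" \
         "$VAULT_ADDR_LOCAL/v1/sys/init" > "$SECRET_FILE" ); then
    rule
    echo "WARN ::: Vault Secret saved in $SECRET_FILE"
    echo "WARN ::: KEEP THIS SECURE!"
    rule
    return 0
  fi
  echo "ERROR ::: Vault initialisation failed (see curl error above)" >&2
  rm -f -- "$SECRET_FILE"
  return 1
}

#######################################
# main
# Interactive driver: sudo check, prompts, install, config, run, init.
# Globals: PARENT_DIR (read), SECRET_SHARES / SECRET_THRESHOLD (written)
#######################################
main() {
  local cont

  # `timeout 2` keeps a password prompt from blocking the script, as before.
  if ! timeout 2 sudo id >/dev/null 2>&1; then
    echo "ERROR ::: This script requires the user to have sudo privilege." >&2
    return 1
  fi
  echo "SUCCESS ::: User has sudo privilege... Continuing..."
  printf '\n\n'

  mkdir -p -- "$PARENT_DIR"
  cd -- "$PARENT_DIR" || { echo "ERROR ::: cannot cd to $PARENT_DIR" >&2; return 1; }
  mkdir -p vault/data

  SECRET_SHARES=$(prompt_int "Number of secret shares [default: 5]: " "$SECRET_SHARES")
  SECRET_THRESHOLD=$(prompt_int "Number of secret threshold [default: 3]: " "$SECRET_THRESHOLD")
  printf '\n\n'
  if (( SECRET_THRESHOLD > SECRET_SHARES )); then
    echo "WARN ::: SECRET_SHARES is less than SECRET_THRESHOLD"
    echo "WARN ::: Setting default values for SECRET_SHARES (5) and SECRET_THRESHOLD (3)"
    SECRET_SHARES=5
    SECRET_THRESHOLD=3
  fi

  echo "WARN :::Attempting to install Hashicorp Vault..."
  if command -v vault >/dev/null 2>&1; then
    echo "WARN ::: Hashicorp Vault is already installed..."
    echo "WARN ::: Skipping..."
  else
    # As in the original, a failed install does not abort: the user may
    # install the binary by hand and still wants the config written.
    install_vault || true
  fi
  printf '\n\n'

  read -r -p "Create default Hashicorp Vault config (y/n)? " cont
  if [[ "$cont" == "y" ]]; then
    write_config
  fi
  printf '\n\n'

  if [[ ! -f ./config.hcl ]]; then
    echo "ERROR ::: Requires vault config (config.hcl) to run vault..." >&2
    return 1
  fi

  read -r -p "Run Vault (y/n)? " cont
  [[ "$cont" == "y" ]] || return 0
  start_server || return 1

  read -r -p "Initialize Vault (y/n)? " cont
  [[ "$cont" == "y" ]] || return 0

  if [[ -f "$SECRET_FILE" ]]; then
    printf '\n\n'
    echo "File already exists: .vault_secret.json"
    echo "WARN: This will overwrite the existing file!"
    read -r -p "Are you sure you want to continue (y/n)? " cont
    [[ "$cont" == "y" ]] || return 0
  fi
  init_vault
}

main "$@"
# end region }}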