gist:deb794ea759cb8bc1370ffd4a3aec3bb
The purpose of this document is to set out the security, operational and support considerations for a production-ready / mission-critical Vault deployment.
This is a living document; please feel free to suggest changes and have someone review and approve them. You might also want to see the doc from Julia that was done for pre-renewal health checking.
Infrastructure Security
Are servers provisioned via a build/codified pipeline?
Can staff login (SSH/Console/etc) to individual servers?
Is all traffic in/out of server encrypted?
Is the cluster subnet firewalled from other network resources?
If a server is destroyed/lost, are logs and events available post-mortem?
Is root token creation restricted? Monitored?
gist:968a0b9f6f00943b4864fce5285ecd55
$ vault secrets list --detailed
Path Plugin Accessor Default TTL Max TTL Force No Cache Replication Seal Wrap External Entropy Access Options Description UUID
---- ------ -------- ----------- ------- -------------- ----------- --------- ----------------------- ------- ----------- ----
cubbyhole/ cubbyhole cubbyhole_fcbf5e6d n/a n/a false local false false map[] per-token private secret storage 11a09df9-8ef6-bf26-2cc1-d4c6424c4780
database/ database database_c7158e73 system system fal
mikegreen / custom-vault.py
Last active Sep 27, 2021
DataDog Vault Status Checker
# drafty custom-vault.py
# needs a corresponding /etc/datadog-agent/conf.d/custom-vault.yaml with `instances: [{}]` only
# see https://datadoghq.dev/integrations-core/base/api/#datadog_checks.base.checks.base.AgentCheck.count
# https://github.com/DataDog/integrations-core/tree/master/vault/datadog_checks/vault
import requests

# the following try/except block will make the custom check compatible with any Agent version
try:
    # first, try to import the base class from new versions of the Agent...
    from datadog_checks.base import AgentCheck
except ImportError:
    # ...and fall back to the legacy import path shipped with older Agent versions
    from checks import AgentCheck
openssl-with-ips.sh
# This should be run as root
# this creates a self-signed certificate with the host's IP addresses as IP SANs
# Todo - see if we want to roll this into https://github.com/hashicorp/linux-packaging/blob/master/products/vault/scripts/postinst
# dump interfaces to file to work with
ifconfig > ifconfig.txt
# Get number of IPs returned, excluding the ip6 loopback for now
grep "inet" ifconfig.txt | grep -v "::1" | awk -F' ' '{print $2}' | wc -l
ecs-container-definition-ex.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

provider "aws" {
docker-compose.yml
# started/using https://github.com/mbround18/valheim-docker
:/opt/docker-configs/valheim-server$ cat docker-compose.yml
version: "3"
services:
  valheim:
    image: mbround18/valheim:latest
    restart: unless-stopped
    ports:
      - 2456:2456/udp
gist:441a70c5e79f29db65b70a0f4a982c6c
### Keybase proof
I hereby claim:
* I am mikegreen on github.
* I am mikegreen13 (https://keybase.io/mikegreen13) on keybase.
* I have a public key ASCaP9tqP5U_C0bqZ3xj1G2koYY0uMvuxojlIMyEbQOI2wo
To claim this, I am signing this object:
mikegreen / pol-check-ex.json
Created Aug 20, 2020
TFE Sentinel Policy Check Output sample
{
  "data": {
    "id": "polchk-K7hoj4fHrp17TZw9",
    "type": "policy-checks",
    "attributes": {
      "result": {
        "result": true,
        "passed": 2,
        "total-failed": 0,
        "hard-failed": 0,
mikegreen / sendTempHumidStathat.py
Created Jul 6, 2020
Send dht22 temp and humidity to Stathat
import time
import adafruit_dht
import board
from datetime import datetime
from stathat import StatHat
stathat = StatHat()
stathatKey = "foo@foo.com"
mikegreen / sendVoltsStathat.py
Created Jul 6, 2020
Send Arduino voltage sensor readings to Stathat
import RPi.GPIO as gpio
import smbus
import time
import sys
import struct
from datetime import datetime
from stathat import StatHat
stathat = StatHat()