Vagrantfiles for setting up Vault and etcd
# -*- mode: ruby -*-
# vi: set ft=ruby :
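# Installs the Go toolchain into /usr/local/go.
# NOTE: this script is defined but never handed to a provisioner below; it is
# kept for reference. The tarball is downloaded over HTTPS but not checked
# against a published digest (none is recorded here).
# Quoted delimiter: Ruby performs no interpolation/escape processing, so the
# shell text below is passed through byte-for-byte.
$install_go = <<~'SCRIPT'
  set -euo pipefail
  sudo apt-get update -y
  GO_VERSION=1.12.7
  GO_TARBALL=go${GO_VERSION}.linux-amd64.tar.gz
  cd /tmp
  wget -q https://dl.google.com/go/${GO_TARBALL}
  # TODO: verify the archive before extracting it, e.g.
  #   echo "<EXPECTED_SHA256_FROM_GOLANG_DOWNLOAD_PAGE>  ${GO_TARBALL}" | sha256sum -c -
  # Extract straight into /usr/local (creates /usr/local/go) instead of
  # unpacking into the working directory and moving it; remove a stale
  # install first so a re-run does not fail on the move.
  sudo rm -rf /usr/local/go
  sudo tar -C /usr/local -xzf ${GO_TARBALL}
  rm -f ${GO_TARBALL}
  mkdir -p "$HOME/go/bin"
  # 'export' only affects this provisioning shell; persist the environment
  # for login shells via profile.d as well.
  sudo tee /etc/profile.d/go.sh >/dev/null <<'EOF'
  export GOROOT=/usr/local/go
  export GOPATH=$HOME/go
  export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
  EOF
  export GOROOT=/usr/local/go
  export GOPATH=$HOME/go
  export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
SCRIPT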
# For easy setup: http://play.etcd.io/install
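# Installs a single-member etcd cluster ("s1") as a systemd service.
# This etcd is the storage backend the Vault box points at, so its data
# directory and network exposure determine how well Vault's data is protected.
# Quoted delimiter: Ruby performs no interpolation/escape processing, so the
# backslash line continuations below reach the unit file intact (systemd joins
# backslash-terminated lines).
$install_etcd = <<~'SCRIPT'
  set -euo pipefail
  #
  # Install ETCD
  #
  ETCD_VER=v3.3.8
  # choose either URL
  GOOGLE_URL=https://storage.googleapis.com/etcd
  GITHUB_URL=https://github.com/coreos/etcd/releases/download
  DOWNLOAD_URL=${GOOGLE_URL}
  TARBALL=/tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
  rm -f ${TARBALL}
  rm -rf /tmp/test-etcd && mkdir -p /tmp/test-etcd
  # -f makes curl fail on an HTTP error instead of saving an error page as the tarball.
  curl -fsSL ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o ${TARBALL}
  # TODO: the release archive is installed without integrity verification.
  # Record the digest from the release page and enable this check:
  #   echo "<EXPECTED_SHA256_FROM_RELEASE_PAGE>  ${TARBALL}" | sha256sum -c -
  tar xzf ${TARBALL} -C /tmp/test-etcd --strip-components=1
  sudo cp /tmp/test-etcd/etcd* /usr/local/bin
  /usr/local/bin/etcd --version
  ETCDCTL_API=3 /usr/local/bin/etcdctl version
  #
  # Setup first ETCD server
  #
  # The data directory lives under /var/lib rather than /tmp: /tmp is cleared
  # on reboot, which would silently discard everything Vault has stored.
  # make sure etcd process has write access to this directory (the unit below
  # has no User=, so etcd runs as root and creates it itself)
  # remove this directory if the cluster is new; keep if restarting etcd
  # sudo rm -rf /var/lib/etcd/s1
  # Listen/advertise URLs use 0.0.0.0 and plain HTTP: the client and peer
  # ports are reachable from the whole private network without TLS or
  # authentication. Advertised URLs are normally the member's reachable
  # address (192.168.99.3 here); the Vault config uses sync = "false", so it
  # does not rely on them.
  # Quoted delimiter: nothing in the unit file should be expanded by this shell.
  cat > /tmp/s1.service <<'EOF'
  [Unit]
  Description=etcd
  Documentation=https://github.com/coreos/etcd
  Conflicts=etcd.service
  Conflicts=etcd2.service
  [Service]
  Type=notify
  Restart=always
  RestartSec=5s
  LimitNOFILE=40000
  TimeoutStartSec=0
  ExecStart=/usr/local/bin/etcd --name s1 \
  --data-dir /var/lib/etcd/s1 \
  --listen-client-urls http://0.0.0.0:2379 \
  --advertise-client-urls http://0.0.0.0:2379 \
  --listen-peer-urls http://0.0.0.0:2380 \
  --initial-advertise-peer-urls http://0.0.0.0:2380 \
  --initial-cluster s1=http://0.0.0.0:2380 \
  --initial-cluster-token tkn \
  --initial-cluster-state new
  [Install]
  WantedBy=multi-user.target
  EOF
  sudo mv /tmp/s1.service /etc/systemd/system/s1.service
  #
  # Enable and run all ETCD servers
  #
  sudo systemctl daemon-reload
  sudo systemctl enable s1.service
  sudo systemctl start s1.service
SCRIPT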
# etcd guest: Ubuntu 16.04 on the host-only network as 192.168.99.3,
# provisioned with the etcd install script defined above.
Vagrant.configure("2") do |cfg|
  cfg.vm.box = "ubuntu/xenial64"
  cfg.vm.hostname = "etcd-box"
  cfg.vm.network "private_network", ip: "192.168.99.3"
  cfg.vm.provision "shell", inline: $install_etcd
end
# -*- mode: ruby -*-
# vi: set ft=ruby :
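# Installs Vault ${VAULT_VERSION} as a systemd service backed by the etcd box.
# Lab configuration: the listener has TLS disabled and the etcd connection is
# plain HTTP, so tokens and secrets cross the private network unencrypted.
# Quoted delimiter: Ruby performs no interpolation/escape processing, so the
# shell text below is passed through byte-for-byte.
$install_vault = <<~'SCRIPT'
  set -euo pipefail
  # Download and install
  VAULT_VERSION="1.2.2"
  RELEASE_URL=https://releases.hashicorp.com/vault/${VAULT_VERSION}
  ARCHIVE=vault_${VAULT_VERSION}_linux_amd64.zip
  SUMS=vault_${VAULT_VERSION}_SHA256SUMS
  cd /usr/local/bin
  # --fail makes curl error on an HTTP error instead of saving an error page.
  curl --silent --fail --remote-name ${RELEASE_URL}/${ARCHIVE}
  curl --silent --fail --remote-name ${RELEASE_URL}/${SUMS}
  curl --silent --fail --remote-name ${RELEASE_URL}/${SUMS}.sig
  # Verify the archive against the published checksum list before unpacking
  # (the checksum file was previously downloaded but never checked). The
  # SUMS file lists every platform, so only the matching line is fed in.
  grep " ${ARCHIVE}$" ${SUMS} | sha256sum -c -
  # TODO: also verify ${SUMS}.sig with HashiCorp's release signing key
  # (gpg --verify); the key is not provisioned on this box, so signature
  # verification is left out here.
  # -o: overwrite the binary on re-provisioning instead of prompting.
  unzip -o ${ARCHIVE} vault
  rm -f ${ARCHIVE} ${SUMS} ${SUMS}.sig
  sudo chown root:root vault
  # Enable mlock support
  sudo setcap cap_ipc_lock=+ep "$(readlink -f "$(which vault)")"
  # Create user Vault (skipped when it already exists so a re-run does not fail)
  id vault >/dev/null 2>&1 || sudo useradd --system --home /etc/vault.d --shell /bin/false vault
  cd ~
  vault version
  # Quoted delimiter so $MAINPID reaches the unit file literally instead of
  # being expanded (to nothing) by this shell.
  cat > /etc/systemd/system/vault.service <<'EOF'
  [Unit]
  Description="HashiCorp Vault - A tool for managing secrets"
  Documentation=https://www.vaultproject.io/docs/
  Requires=network-online.target
  After=network-online.target
  ConditionFileNotEmpty=/etc/vault.d/vault.hcl
  StartLimitIntervalSec=60
  StartLimitBurst=3
  [Service]
  User=vault
  Group=vault
  ProtectSystem=full
  ProtectHome=read-only
  PrivateTmp=yes
  PrivateDevices=yes
  SecureBits=keep-caps
  AmbientCapabilities=CAP_IPC_LOCK
  Capabilities=CAP_IPC_LOCK+ep
  CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
  NoNewPrivileges=yes
  ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
  ExecReload=/bin/kill --signal HUP $MAINPID
  KillMode=process
  KillSignal=SIGINT
  Restart=on-failure
  RestartSec=5
  TimeoutStopSec=30
  StartLimitInterval=60
  StartLimitIntervalSec=60
  StartLimitBurst=3
  LimitNOFILE=65536
  LimitMEMLOCK=infinity
  [Install]
  WantedBy=multi-user.target
  EOF
  # Vault config dir
  # Only affects this provisioning shell; interactive sessions must set it again.
  export VAULT_ADDR='http://0.0.0.0:8200'
  sudo mkdir -p /etc/vault.d
  cat > /etc/vault.d/vault.hcl <<'EOF'
  storage "etcd" {
    # List all ETCD servers
    # address = "http://192.168.99.3:2379,http://192.168.99.3:22379,http://192.168.99.3:32379"
    address = "http://192.168.99.3:2379"
    etcd_api = "v3"
    ha_enabled = "true"
    # Set to false if there is only one ETCD server or ETCD servers is behind proxy-server
    sync = "false"
  }
  listener "tcp" {
    address = "0.0.0.0:8200"
    # Lab only: a plaintext listener on every interface.
    tls_disable = "true"
  }
  api_addr = "http://192.168.99.2:8200"
  EOF
  sudo systemctl enable vault
  sudo systemctl start vault
SCRIPT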
# Vault guest: Ubuntu 16.04 on the host-only network as 192.168.99.2.
# unzip is installed first because the Vault install script unpacks a zip.
Vagrant.configure("2") do |cfg|
  cfg.vm.box = "ubuntu/xenial64"
  cfg.vm.hostname = "vault-box"
  cfg.vm.network "private_network", ip: "192.168.99.2"
  cfg.vm.provision "shell", inline: <<~SHELL
    sudo apt-get update
    sudo apt-get install unzip -y
  SHELL
  cfg.vm.provision "shell", inline: $install_vault
end