Last active
August 17, 2023 08:51
-
-
Save yunano/66caf8c5ed993bb2f4e3 to your computer and use it in GitHub Desktop.
/etc/systemd/system/vault.service
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Unit] | |
Description=vault server | |
Requires=network-online.target | |
After=network-online.target consul.service | |
[Service] | |
EnvironmentFile=-/etc/sysconfig/vault | |
Restart=on-failure | |
ExecStart=/usr/local/sbin/vault server $OPTIONS -config=/etc/vault.d | |
ExecStartPost=/bin/bash -c "for key in $KEYS; do /usr/local/sbin/vault unseal $CERT $key; done" | |
[Install] | |
WantedBy=multi-user.target |
Also, this file would not safely stop vault on shutdown.
This would be much safer...
ExecStop=/full/path/to/vault step-down
this has moved upstream
https://learn.hashicorp.com/vault/operations/ops-deployment-guide
Or you could use the official service file, provided by hashicorp: https://raw.githubusercontent.com/hashicorp/vault/v1.12.0/.release/linux/package/usr/lib/systemd/system/vault.service
vim /etc/systemd/system/multi-user.target.wants/vault.service
Environment="VAULT_ADDR=https://vlt-uat-app-02.intranet.ilanni.com:8200"
ExecStartPost=/usr/bin/vault operator unseal 2rMyAS1PzBtuGTc/ArxCnb6xdB
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Your unseal keys should never be variables in your environment. Unsealing is meant to be the one and only manual process. What you are doing is extremely unsafe. You may know this already, but just in case, the details are here: hashicorp/vault#72
https://www.vaultproject.io/docs/concepts/seal.html