vault-service

Description

Create a user named 'vault' (if necessary), download the Vault binary into '/usr/local/bin', create a systemd service unit ('vault'), and enable and/or start it if so specified.

If 'vault_config' is set, its content is written to '/etc/vault.d/vault.hcl' (owned by 'vault', mode 0660); the unit only starts once that file is non-empty.

Variables

Name          Type     Default  Description
arch          string   --       The architecture of the host system.
dest          string   --       The (absolute) path to the parent folder of the downloaded executable file.
enabled       boolean  --       Whether to enable the service.
platform      string   --       The platform of the host system.
started       boolean  --       Whether to start the service.
vault_config  dict     --       The vault configuration.
version       string   1.2.1    The version of Vault to install.

Code

doc:
  short_help: Install Hashicorp Vault and run as service.
  help: |
    Create a user named 'vault' (if necessary), download the Vault binary into '/usr/local/bin' and create a
    systemd service unit ('vault') and enable/start it if so specified.

    If 'vault_config' is set, the content of the variable will be stored into '/etc/vault.d/vault.hcl'.

args:
  _import:
  - vault-installed
  - systemd-service-unit
  vault:
    doc:
      short_help: The vault configuration.
    type: dict
    empty: false
    required: false
    keyschema:
      type: string
  vault_config:
    doc:
      short_help: The vault configuration.
    type: dict
    empty: false
    required: false
    keyschema:
      type: string
frecklets:
- user-exists:
    name: vault
    group: vault
    system_user: true
- vault-installed:
    version: '{{:: version ::}}'
    dest: '{{:: dest ::}}'
    platform: '{{:: platform ::}}'
    arch: '{{:: arch ::}}'
    owner: root
    group: root
- config-values-in-file:
    frecklet::skip: '{{ vault_config | true_if_empty }}'
    path: /etc/vault.d/vault.hcl
    owner: vault
    group: vault
    mode: '0660'
    config: '{{:: vault_config ::}}'
- systemd-service-unit:
    name: vault
    unit_description: Hashicorp Vault - a tool for managing secrets
    unit_documentation:
    - https://www.vaultproject.io/docs
    unit_requires:
    - network-online.target
    unit_after:
    - network-online.target
    unit_condition:
    - condition_type: FileNotEmpty
      condition: /etc/vault.d/vault.hcl
    unit_start_limit_interval_sec: 60
    unit_start_limit_burst: 3
    service_user: vault
    service_group: vault
    service_protect_system: full
    service_protect_home: read-only
    service_private_tmp: true
    service_private_devices: true
    service_secure_bits:
    - keep-caps
    service_ambient_capabilities:
    - CAP_IPC_LOCK
    service_capability_bounding_set:
    - CAP_SYSLOG
    - CAP_IPC_LOCK
    service_no_new_privileges: true
    service_exec_start: /usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
    service_exec_reload: /bin/kill --signal HUP $MAINPID
    service_kill_mode: process
    service_kill_signal: SIGINT
    service_restart: on-failure
    service_restart_sec: 5
    service_timeout_stop_sec: 30
    service_limit:
    - limit_type: NOFILE
      limit: 65536
    install_wanted_by:
    - multi-user.target
    enabled: '{{:: enabled ::}}'
    started: '{{:: started ::}}'
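
The 'systemd-service-unit' step above is where the security posture of the deployment is decided: the process drops to the unprivileged 'vault' user, keeps only CAP_IPC_LOCK (so Vault can mlock its memory and keep secrets out of swap) and CAP_SYSLOG in its bounding set, forbids privilege escalation with NoNewPrivileges, and gets a read-only view of the system. The following is an added example, not code from freckles or pyckles: it transcribes the step's parameters, renders them into systemd directives using an assumed naming convention (prefix gives the section, the rest is camel-cased into the directive name), and audits the result against a hardening baseline so that a weakened variant of the unit is caught before it is deployed.

```python
from typing import Any, Dict, List, Tuple

# Parameters of the frecklet's systemd-service-unit step (transcribed from the
# page; 'name', 'enabled' and 'started' are not directives and are left out).
VAULT_UNIT_PARAMS: Dict[str, Any] = {
    "unit_description": "Hashicorp Vault - a tool for managing secrets",
    "unit_documentation": ["https://www.vaultproject.io/docs"],
    "unit_requires": ["network-online.target"],
    "unit_after": ["network-online.target"],
    "unit_condition": [{"condition_type": "FileNotEmpty", "condition": "/etc/vault.d/vault.hcl"}],
    "unit_start_limit_interval_sec": 60,
    "unit_start_limit_burst": 3,
    "service_user": "vault",
    "service_group": "vault",
    "service_protect_system": "full",
    "service_protect_home": "read-only",
    "service_private_tmp": True,
    "service_private_devices": True,
    "service_secure_bits": ["keep-caps"],
    "service_ambient_capabilities": ["CAP_IPC_LOCK"],
    "service_capability_bounding_set": ["CAP_SYSLOG", "CAP_IPC_LOCK"],
    "service_no_new_privileges": True,
    "service_exec_start": "/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl",
    "service_exec_reload": "/bin/kill --signal HUP $MAINPID",
    "service_kill_mode": "process",
    "service_kill_signal": "SIGINT",
    "service_restart": "on-failure",
    "service_restart_sec": 5,
    "service_timeout_stop_sec": 30,
    "service_limit": [{"limit_type": "NOFILE", "limit": 65536}],
    "install_wanted_by": ["multi-user.target"],
}

# Capabilities the Vault process legitimately needs: mlock (secrets stay out of
# swap) and syslog. Anything beyond these is reported by the audit.
ALLOWED_CAPS = {"CAP_IPC_LOCK", "CAP_SYSLOG"}


def _directive(key: str) -> Tuple[str, str]:
    """Assumed mapping: 'service_no_new_privileges' -> ('Service', 'NoNewPrivileges')."""
    prefix, _, rest = key.partition("_")
    return prefix.capitalize(), "".join(p.capitalize() for p in rest.split("_"))


def render_unit(params: Dict[str, Any]) -> Dict[str, Dict[str, str]]:
    """Turn frecklet parameters into {section: {directive: value}}."""
    unit: Dict[str, Dict[str, str]] = {"Unit": {}, "Service": {}, "Install": {}}
    for key, value in params.items():
        if key == "unit_condition":          # -> ConditionFileNotEmpty=/path
            for cond in value:
                unit["Unit"]["Condition" + cond["condition_type"]] = cond["condition"]
            continue
        if key == "service_limit":           # -> LimitNOFILE=65536
            for lim in value:
                unit["Service"]["Limit" + lim["limit_type"]] = str(lim["limit"])
            continue
        section, directive = _directive(key)
        if isinstance(value, bool):
            value = "yes" if value else "no"
        elif isinstance(value, list):        # systemd list directives are space separated
            value = " ".join(str(v) for v in value)
        unit[section][directive] = str(value)
    return unit


def unit_to_text(unit: Dict[str, Dict[str, str]]) -> str:
    """Serialise the rendered unit in systemd's INI-style syntax."""
    lines: List[str] = []
    for section in ("Unit", "Service", "Install"):
        lines.append(f"[{section}]")
        lines.extend(f"{k}={v}" for k, v in unit[section].items())
        lines.append("")
    return "\n".join(lines)


def audit_hardening(unit: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings against a least-privilege baseline; empty means it passes."""
    svc = unit["Service"]
    findings: List[str] = []
    if svc.get("User", "root") == "root":
        findings.append("service runs as root")
    if svc.get("NoNewPrivileges") != "yes":
        findings.append("NoNewPrivileges is not enabled")
    bounding = set(svc.get("CapabilityBoundingSet", "").split())
    extra = sorted(bounding - ALLOWED_CAPS)
    if extra:
        findings.append("CapabilityBoundingSet wider than needed: " + " ".join(extra))
    ambient = set(svc.get("AmbientCapabilities", "").split())
    if not ambient <= bounding:
        findings.append("AmbientCapabilities not covered by CapabilityBoundingSet")
    if svc.get("ProtectSystem") not in ("full", "strict"):
        findings.append("ProtectSystem should be full or strict")
    if svc.get("ProtectHome") not in ("yes", "read-only", "tmpfs"):
        findings.append("ProtectHome should restrict home directories")
    for directive in ("PrivateTmp", "PrivateDevices"):
        if svc.get(directive) != "yes":
            findings.append(f"{directive} is not enabled")
    return findings


if __name__ == "__main__":
    rendered = render_unit(VAULT_UNIT_PARAMS)
    print(unit_to_text(rendered))
    print("findings:", audit_hardening(rendered) or "none")
```

The frecklet's own parameters produce no findings; passing a copy with 'service_user' set to root or extra capabilities added to 'service_capability_bounding_set' produces one finding per weakened directive. The 'keep-caps' secure bit matters for this design: without it the CAP_IPC_LOCK ambient capability would be dropped when systemd switches the process from root to the 'vault' user, and mlock would fail.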

frecklecute vault-service --help

Usage: frecklecute vault-service [OPTIONS]

  Create a user named 'vault' (if necessary), download the Vault binary into
  '/usr/local/bin' and create a systemd service unit ('vault') and
  enable/start it if so specified.

  If 'vault_config' is set, the content of the variable will be stored into
  '/etc/vault.d/vault.hcl'.

Options:
  --arch ARCH                  The architecture of the host system.
  --dest DEST                  The (absolute) path to the parent folder of the
                               downloaded executable file.
  --enabled / --no-enabled     Whether to enable the service.
  --platform PLATFORM          The platform of the host system.
  --started / --no-started     Whether to start the service.
  --vault-config VAULT_CONFIG  The vault configuration.
  --version VERSION            The version of Vault to install.
  --help                       Show this message and exit.

# -*- coding: utf-8 -*-


#
# module path: pycklets.vault_service.VaultService
#


from dataclasses import dataclass
from pyckles import AutoPycklet
from typing import *    # noqa

@dataclass
class VaultService(AutoPycklet):
    """Create a user named 'vault' (if necessary), download the Vault binary into '/usr/local/bin' and create a
     systemd service unit ('vault') and enable/start it if so specified.

     If 'vault_config' is set, the content of the variable will be stored into '/etc/vault.d/vault.hcl'.

       Args:
         arch: The architecture of the host system.
         dest: The (absolute) path to the parent folder of the downloaded executable file.
         enabled: Whether to enable the service.
         platform: The platform of the host system.
         started: Whether to start the service.
         vault_config: The vault configuration.
         version: The version of Vault to install.

    """

    FRECKLET_ID = "vault-service"

    arch: Optional[str] = None
    dest: Optional[str] = None
    enabled: Optional[bool] = None
    platform: Optional[str] = None
    started: Optional[bool] = None
    vault_config: Optional[Dict[str, Any]] = None
    version: str = "1.2.1"  # default declared by the frecklet


    def __post_init__(self):
        super(VaultService, self).__init__(var_names=["arch", "dest", "enabled", "platform", "started", "vault_config", "version"])


frecklet_class = VaultService

# -*- coding: utf-8 -*-


#
# module path: pycklets.vault_service.VaultService
#


from pyckles import AutoPycklet

class VaultService(AutoPycklet):
    """Create a user named 'vault' (if necessary), download the Vault binary into '/usr/local/bin' and create a
     systemd service unit ('vault') and enable/start it if so specified.

     If 'vault_config' is set, the content of the variable will be stored into '/etc/vault.d/vault.hcl'.

       Args:
         arch: The architecture of the host system.
         dest: The (absolute) path to the parent folder of the downloaded executable file.
         enabled: Whether to enable the service.
         platform: The platform of the host system.
         started: Whether to start the service.
         vault_config: The vault configuration.
         version: The version of Vault to install.

    """

    FRECKLET_ID = "vault-service"

    def __init__(self, arch=None, dest=None, enabled=None, platform=None, started=None, vault_config=None, version="1.2.1"):

        super(VaultService, self).__init__(var_names=["arch", "dest", "enabled", "platform", "started", "vault_config", "version"])
        self._arch = arch
        self._dest = dest
        self._enabled = enabled
        self._platform = platform
        self._started = started
        self._vault_config = vault_config
        self._version = version

    @property
    def arch(self):
        return self._arch

    @arch.setter
    def arch(self, arch):
        self._arch = arch

    @property
    def dest(self):
        return self._dest

    @dest.setter
    def dest(self, dest):
        self._dest = dest

    @property
    def enabled(self):
        return self._enabled

    @enabled.setter
    def enabled(self, enabled):
        self._enabled = enabled

    @property
    def platform(self):
        return self._platform

    @platform.setter
    def platform(self, platform):
        self._platform = platform

    @property
    def started(self):
        return self._started

    @started.setter
    def started(self, started):
        self._started = started

    @property
    def vault_config(self):
        return self._vault_config

    @vault_config.setter
    def vault_config(self, vault_config):
        self._vault_config = vault_config

    @property
    def version(self):
        return self._version

    @version.setter
    def version(self, version):
        self._version = version



frecklet_class = VaultService