Vault on OpenBSD
How to install and run HashiCorp Vault on OpenBSD.
In addition to [this blog entry](https://blog.stoege.net/categories/vault/), here are some instructions for OpenBSD.
Requirements
- VM with OpenBSD 7.2 (or older …) and root/doas permission
- A domain, or at least an FQDN, pointing to your VM
- HTTP/HTTPS allowed from the Internet (for certificate generation)
- Nginx installed (`pkg_add nginx`)
Source
https://developer.hashicorp.com/vault/docs/get-started/developer-qs
Install Vault
All the steps must be run as root (or with doas).
```sh
pkg_add vault
```
Vault Config
Back up the previous config first. The listener binds to 127.0.0.1 only, with TLS disabled, because nginx (below) terminates TLS in front of it; port 8200 must therefore never be reachable on a public interface.
```sh
cp /etc/vault/vault.hcl /etc/vault/vault.hcl-$(date "+%s")
cat << 'EOF' > /etc/vault/vault.hcl
storage "file" {
  path = "/var/vault/storage/"
}
ui = "true"
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
api_addr          = "http://127.0.0.1:8200"
max_lease_ttl     = "10h"
default_lease_ttl = "10h"
disable_mlock     = "true"
EOF
```
Reverse Proxy with Nginx
```sh
cat << 'EOF' > /etc/nginx/sites/vault.your.domain.de.conf
#
# HTTP Server vault.your.domain.de
#
server {
  listen 80;
  listen [::]:80;
  server_name vault.your.domain.de;
  access_log /var/log/nginx-nossl/vault.your.domain.de.log main;
  error_log  /var/log/nginx-nossl/vault.your.domain.de-error.log;
  location /.well-known/acme-challenge/ {
    rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
    root /acme;
  }
  location / {
    return 301 https://$host$request_uri;
  }
}
EOF
```
SSL Cert
You need a valid DNS record pointing to your server.
```sh
cat << 'EOF' >> /etc/acme-client.conf
domain vault.your.domain.de {
  domain key "/etc/ssl/private/vault.your.domain.de.key"
  domain full chain certificate "/etc/ssl/vault.your.domain.de.fullchain.pem"
  sign with letsencrypt
}
EOF
```
Restart nginx
```sh
rcctl restart nginx
```
Get SSL Cert
```sh
acme-client -D vault.your.domain.de
```
Enable HTTPS on Nginx (the server name and certificate paths must match the domain used above, otherwise nginx fails to find the key and certificate acme-client just created)
```sh
cat << 'EOF' >> /etc/nginx/sites/vault.your.domain.de.conf
#
# HTTPS Server vault.your.domain.de
#
server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name vault.your.domain.de;
  access_log /var/log/nginx/vault.your.domain.de.log main;
  error_log  /var/log/nginx/vault.your.domain.de-error.log;
  ssl_certificate_key /etc/ssl/private/vault.your.domain.de.key;
  ssl_certificate     /etc/ssl/vault.your.domain.de.fullchain.pem;
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
  location / {
    proxy_pass http://127.0.0.1:8200;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
  }
}
EOF
```
Restart nginx
```sh
rcctl restart nginx
```
Enable and Start Vault
```sh
rcctl enable vault
rcctl start vault
```
Open the website in a browser, get the root key and create the unseal keys.
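The same initialisation from the command line, as an added example that is not part of the original post. It assumes the `vault` CLI installed by `pkg_add vault` and the loopback listener (`http://127.0.0.1:8200`) from the vault.hcl above; the file name under /root is a constructed choice.

```sh
#!/bin/sh
# Added example, not from the original post: initialise and unseal the
# freshly started Vault from the shell instead of the web UI. Assumes the
# stock `vault` CLI and the loopback listener from vault.hcl (api_addr).
set -eu

export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# extract_unseal_keys: read the human-readable `vault operator init`
# output on stdin and print the "Unseal Key N:" values, one per line.
extract_unseal_keys() {
    awk '/^Unseal Key [0-9]+:/ { print $4 }'
}

# extract_root_token: print the value of the "Initial Root Token:" line.
extract_root_token() {
    awk '/^Initial Root Token:/ { print $4 }'
}

# unseal_with FILE N: feed the first N keys from FILE to the running Vault.
# With a threshold of 3, three of the five shares are enough.
unseal_with() {
    head -n "$2" "$1" | while read -r key; do
        vault operator unseal "$key" >/dev/null
    done
}

# init_and_unseal: run once after `rcctl start vault`. Keys and the root
# token land in a root-only file (constructed path); move them to offline
# storage afterwards and delete the file.
init_and_unseal() {
    umask 077
    out="/root/vault-init.$(date +%s).txt"
    vault operator init -key-shares=5 -key-threshold=3 > "$out"
    extract_unseal_keys < "$out" > "$out.keys"
    unseal_with "$out.keys" 3
    vault status
    echo "unseal keys and initial root token saved in $out"
}

# Usage: sh vault-init.sh run
if [ "${1:-}" = "run" ]; then
    init_and_unseal
fi
```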