openbsd-ports/security/vault/pkg
ajacoutot c4096e6659 Stop using the daemon class in @newuser.
If we need to make an exception we can do it and properly document the
reason but by default we should just use the default login class.
rc.d uses daemon or the login class provided in login.conf.d so this has
no impact there.

discussed with sthen@, tb@ and robert@

praying that my grep/sed skills did not break anything and still
believing in portbump :-)
2022-11-08 11:16:56 +00:00

+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------

Default Vault locations
=======================
	configuration:	${SYSCONFDIR}/vault/vault.hcl
	logs:		/var/log/vault/
	plugins:	${LOCALSTATEDIR}/vault/plugins/
	storage:	${LOCALSTATEDIR}/vault/storage/

Default configuration
=====================

Default storage engine
----------------------
The port uses the integrated Raft storage backend. For more information, see:
https://www.vaultproject.io/docs/concepts/integrated-storage

disable_mlock option
--------------------
Without this option, "vault operator init" will SIGSEGV.
The purpose of mlock is to keep plaintext secrets from being written to swap.
Since OpenBSD encrypts swap by default, that leak is already prevented, so
setting disable_mlock=true is considered harmless.

Initializing Vault
==================
Check the following ${SYSCONFDIR}/vault/vault.hcl configuration options:
	api_addr
	cluster_addr
	cluster_name
	listener address
	listener cluster_address
	storage node_id

and set them to the real cluster/node addresses and names used for cluster
and client communication.

Enable and start Vault server:
	# rcctl enable vault && rcctl start vault

Set environment variable appropriately:
	$ export VAULT_ADDR="http://localhost:8200"

Initialize Vault:
	$ vault operator init

Unseal Vault:
	$ vault operator unseal
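The configuration review that precedes "vault operator init" can be scripted. The script below is an added example, not part of the port's README or of Vault itself: it extracts the options listed above from a vault.hcl with sed, reports any that are unset or still point at a loopback address, and verifies that disable_mlock is true. It assumes the simple "key = value" layout shown in the constructed sample configs (the key names are Vault's real parameters; the paths, addresses and node ids in the samples are made up for the example).

```shell
#!/bin/sh
# Added example, not part of the port's README: a POSIX sh audit of the
# vault.hcl settings to review before running "vault operator init".
# Only sed, head and shell built-ins are used, so it runs on a stock
# OpenBSD install. Both configs below are constructed samples.

# hcl_value FILE KEY: print the first value assigned to KEY in FILE, with
# surrounding double quotes removed. Assumes the "key = value" form and no
# trailing comment after an unquoted value.
hcl_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" |
        head -n 1
}

# check_vault_hcl FILE: return 0 if every address/name the README lists is
# set and not a loopback placeholder, and disable_mlock is true; otherwise
# print one line per problem and return 1.
check_vault_hcl() {
    cfg=$1
    rc=0
    for key in api_addr cluster_addr cluster_name address cluster_address node_id; do
        val=$(hcl_value "$cfg" "$key")
        case "$val" in
            "") echo "$key: not set"; rc=1 ;;
            *127.0.0.1*|*localhost*)
                echo "$key: still a loopback placeholder ($val)"; rc=1 ;;
        esac
    done
    # On OpenBSD "vault operator init" segfaults with mlock enabled, and swap
    # is encrypted anyway, so the README expects disable_mlock = true.
    if [ "$(hcl_value "$cfg" disable_mlock)" != "true" ]; then
        echo "disable_mlock: must be true on OpenBSD"; rc=1
    fi
    return $rc
}

# Constructed sample 1: a config whose addresses still point at loopback.
VAULT_HCL_DEFAULT=$(mktemp)
cat > "$VAULT_HCL_DEFAULT" <<'EOF'
api_addr      = "http://127.0.0.1:8200"
cluster_addr  = "https://127.0.0.1:8201"
cluster_name  = "vault"
disable_mlock = true
listener "tcp" {
  address         = "127.0.0.1:8200"
  cluster_address = "127.0.0.1:8201"
}
storage "raft" {
  path    = "/var/vault/storage"   # assumed LOCALSTATEDIR=/var for the sample
  node_id = "node1"
}
EOF

# Constructed sample 2: the same config with a TEST-NET node address and a
# descriptive node id, i.e. what the README asks you to set before init.
VAULT_HCL_READY=$(mktemp)
sed 's#127\.0\.0\.1#192.0.2.11#g; s#"node1"#"vault-1"#' "$VAULT_HCL_DEFAULT" > "$VAULT_HCL_READY"

if check_vault_hcl "$VAULT_HCL_DEFAULT"; then
    echo "sample 1: ready for vault operator init"
else
    echo "sample 1: NOT ready for vault operator init"
fi
check_vault_hcl "$VAULT_HCL_READY" && echo "sample 2: ready for vault operator init"
```

Run it against the real file with `check_vault_hcl /etc/vault/vault.hcl` once the functions are sourced; a non-zero exit means at least one of the listed options still needs editing before the rcctl/init steps above.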

For more information on Vault server deployment, see:
https://learn.hashicorp.com/vault/getting-started/deploy

Note that the Vault server supports PGP, GPG and Keybase for unseal keys;
for more information, see:
https://www.vaultproject.io/docs/concepts/pgp-gpg-keybase.html

Auditing Vault operations
-------------------------
To enable writing audit logs to /var/log/vault/, run:
	$ vault audit enable file file_path=/var/log/vault/audit.log mode=0640

Logging
-------
Vault server uses logger(1) to log to syslogd(8) with daemon.info facility/level
and tag "vault". If you want to use a separate file for Vault server logs, add
the following lines to the top of ${SYSCONFDIR}/syslog.conf:
	!!vault
	*.*						/var/log/vault/vault.log
	!*

Create the log file:
	# install -Do _vault -g _vault -m 0640 /dev/null /var/log/vault/vault.log

and restart syslogd(8):
	# rcctl reload syslogd

For log rotation, adjust/add the following lines to /etc/newsyslog.conf:
	/var/log/vault/audit.log _vault:_vault  640  7     *    $D23  Z "rcctl reload vault"
	/var/log/vault/vault.log _vault:_vault  640  7     *    $D23  Z