Adding existing vault code

This commit is contained in:
vandomej 2025-09-27 19:13:52 -07:00
commit 517af2d402
8 changed files with 312 additions and 0 deletions

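--- a/README.md
+++ b/README.md
+# Setup
+`brew install minikube`
+```bash
+minikube start --driver=podman --container-runtime=cri-o
+```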

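--- a/hc_vault/.gitignore
+++ b/hc_vault/.gitignore
+# Ignore the directory where Vault stores its data
+vault_data/
+# Ignore all pem, crt, and key files
+*.pem
+*.crt
+*.key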
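Review bot: These patterns only apply beneath `hc_vault/`, but the Tailscale certificate and private key are placed in `./ssl-certs` at the repository root (per `hc_vault/README.md` and the `./ssl-certs:/etc/ssl` mount in the compose file), so `tailscale-key.key` is not ignored and can be committed by accident. Add a root-level `.gitignore` containing `ssl-certs/` (or repeat `*.key`, `*.crt`, `*.pem` there), or move this file up one level so it covers both directories.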

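--- a/hc_vault/README.md
+++ b/hc_vault/README.md
+# Setup
+Make sure you have `podman` and `podman-compose` installed.
+```bash
+brew install podman podman-compose
+```
+Make sure the needed directories exists:
+```bash
+mkdir -p ./hc_vault/vault_data
+mkdir -p ./hc_vault/certs
+mkdir -p ./ssl-certs
+```
+Generate tailscale certs and place them in ssl-certs folder
+```bash
+tailscale cert <machine-name>.<network-name>
+cp ~/Library/Containers/io.tailscale.ipn.macos/Data/<network-name>* ./
+```
+Then rename them to:
+- tailscale-cert.crt
+- tailscale-key.key
+Then generate a self-signed root CA and use it to sign the Vault server cert:
+```bash
+brew install mkcert nss
+mkcert -install
+mkcert -key-file ./hc_vaut/certs/vault.key -cert-file ./hc_cault/certs/vault.crt \
+"*.faun-snapper.ts.net" \
+"faun-snapper.ts.net" \
+127.0.0.1 \
+"localhost" \
+"::1" \
+"vault"
+# Copy Root CA cert as well
+cp "$(mkcert -CAROOT)/rootCA.pem" ./hc_vault/certs/rootCA.pem
+```
+Then just run
+```bash
+podman-compose up -d
+```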


@ -0,0 +1,53 @@
version: '3.8'
services:
vault:
build: ./hc_vault
image: tepichord/vault:latest
hostname: vault
command: server
cap_add:
- IPC_LOCK
security_opt:
- label=disable
privileged: true
volumes:
- ./hc_vault/config:/vault/config:z
- ./hc_vault/certs:/opt/vault/certs:z
- ./hc_vault/vault_data:/opt/vault/data:z # Host directory (easy to backup)
environment:
- VAULT_ADDR=https://127.0.0.1:8200
- VAULT_API_ADDR=https://0.0.0.0:8200
- VAULT_CACERT=/opt/vault/certs/rootCA.pem
ports:
- "8200:8200" # Only for direct access if needed
restart: unless-stopped
healthcheck:
test: ["CMD", "vault", "status", "-format=json"]
interval: 5m
timeout: 10s
retries: 3
nginx:
image: nginx:alpine
hostname: nginx
volumes:
- ./nginx/conf:/etc/nginx:z
- ./ssl-certs:/etc/ssl:z
- ./hc_vault/certs:/etc/vault-certs:z # For trusting Vault's cert
ports:
- "8443:443"
- "8080:80" # Optional: redirect HTTP to HTTPS
depends_on:
- vault
restart: unless-stopped
healthcheck:
test: ["CMD", "nginx", "-t"]
interval: 5m
timeout: 10s
retries: 3
networks:
default:
name: vault-network
driver: bridge
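Review bot: `privileged: true` on the `vault` service gives the container unrestricted access to the host and nothing else in this commit needs it: the only capability Vault asks for is `IPC_LOCK`, which is already granted via `cap_add`, and the server config sets `disable_mlock = true` anyway. Drop `privileged: true`; if mlock is re-enabled later, `cap_add: [IPC_LOCK]` is sufficient. The `"8200:8200"` mapping also publishes Vault on every host interface, bypassing the nginx front end this commit sets up; `"127.0.0.1:8200:8200"` keeps the "direct access if needed" path local to the host. The `./hc_vault/certs` bind mount expects `vault.crt`/`vault.key` there, but the mkcert command in `hc_vault/README.md` writes to `./hc_vaut/certs` and `./hc_cault/certs`, so those README paths need correcting to `./hc_vault/certs` for this mount to work.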

125
hc_vault/example.yaml Normal file

@ -0,0 +1,125 @@
# Save the output of this file and use kubectl create -f to import
# it into Kubernetes.
#
# Created with podman-5.6.1
# NOTE: The namespace sharing for a pod has been modified by the user and is not the same as the
# default settings for kubernetes. This can lead to unexpected behavior when running the generated
# kube yaml in a kubernetes cluster.
---
apiVersion: v1
kind: Service
metadata:
creationTimestamp: "2025-09-22T02:26:07Z"
labels:
app: podhcvault
name: podhcvault
spec:
ports:
- name: "8200"
nodePort: 32706
port: 8200
targetPort: 8200
- name: "80"
nodePort: 30266
port: 80
targetPort: 80
- name: "443"
nodePort: 32536
port: 443
targetPort: 443
selector:
app: podhcvault
type: NodePort
---
apiVersion: v1
kind: Pod
metadata:
annotations:
bind-mount-options: /Users/tepichord/hc_vault/nginx/conf:z
io.kubernetes.cri-o.SandboxID/hcvaultnginx1: 9953963847a9ec2c093caca148c53d760368fb3dd9acbd5992d5deafd5d73e8d
io.kubernetes.cri-o.SandboxID/hcvaultvault1: 9953963847a9ec2c093caca148c53d760368fb3dd9acbd5992d5deafd5d73e8d
creationTimestamp: "2025-09-22T02:26:07Z"
labels:
app: podhcvault
name: podhcvault
spec:
containers:
- args:
- server
env:
- name: VAULT_CACERT
value: /opt/vault/certs/rootCA.pem
- name: VAULT_ADDR
value: https://127.0.0.1:8200
- name: VAULT_API_ADDR
value: https://0.0.0.0:8200
- name: HOSTNAME
value: vault
image: localhost/tepichord/vault:latest
name: hcvaultvault1
ports:
- containerPort: 8200
securityContext:
privileged: true
procMount: Unmasked
seLinuxOptions:
type: spc_t
volumeMounts:
- mountPath: /vault/config
name: users-tepichord-hc-vault-hc-vault-config-host-0
- mountPath: /opt/vault/certs
name: users-tepichord-hc-vault-hc-vault-certs-host-1
- mountPath: /opt/vault/data
name: users-tepichord-hc-vault-hc-vault-vault-data-host-2
- mountPath: /vault/logs
name: 2dd2aea4dfe15af0880037ebad6ed68dac260d980411abc9b0b171a57c110d71-pvc
- mountPath: /vault/file
name: 4d7764e1aa42ba3d48ef865a321b85883dcdaaacf863d1c0eab041c2d50f96c6-pvc
- args:
- nginx
- -g
- daemon off;
env:
- name: HOSTNAME
value: nginx
image: docker.io/library/nginx:alpine
name: hcvaultnginx1
ports:
- containerPort: 80
- containerPort: 443
volumeMounts:
- mountPath: /etc/ssl
name: users-tepichord-hc-vault-ssl-certs-host-0
- mountPath: /etc/vault-certs
name: users-tepichord-hc-vault-hc-vault-certs-host-1
- mountPath: /etc/nginx
name: users-tepichord-hc-vault-nginx-conf-host-2
hostname: vault
volumes:
- hostPath:
path: /Users/tepichord/hc_vault/hc_vault/vault_data
type: Directory
name: users-tepichord-hc-vault-hc-vault-vault-data-host-2
- name: 2dd2aea4dfe15af0880037ebad6ed68dac260d980411abc9b0b171a57c110d71-pvc
persistentVolumeClaim:
claimName: 2dd2aea4dfe15af0880037ebad6ed68dac260d980411abc9b0b171a57c110d71
- name: 4d7764e1aa42ba3d48ef865a321b85883dcdaaacf863d1c0eab041c2d50f96c6-pvc
persistentVolumeClaim:
claimName: 4d7764e1aa42ba3d48ef865a321b85883dcdaaacf863d1c0eab041c2d50f96c6
- hostPath:
path: /Users/tepichord/hc_vault/ssl-certs
type: Directory
name: users-tepichord-hc-vault-ssl-certs-host-0
- hostPath:
path: /Users/tepichord/hc_vault/nginx/conf
type: Directory
name: users-tepichord-hc-vault-nginx-conf-host-2
- hostPath:
path: /Users/tepichord/hc_vault/hc_vault/config
type: Directory
name: users-tepichord-hc-vault-hc-vault-config-host-0
- hostPath:
path: /Users/tepichord/hc_vault/hc_vault/certs
type: Directory
name: users-tepichord-hc-vault-hc-vault-certs-host-1
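Review bot: The exported pod spec carries host-specific and over-privileged settings that should not be applied as-is to a cluster: `privileged: true`, `procMount: Unmasked` and `seLinuxOptions.type: spc_t` under the `hcvaultvault1` container's `securityContext`, plus `hostPath` volumes rooted at `/Users/tepichord/...` with `type: Directory`, which fail scheduling on any node without that path. If this file is meant as a reusable example, replace the absolute host paths with a labelled placeholder such as `/<host-path>/hc_vault/...`, replace the three privilege settings with `capabilities: {add: [IPC_LOCK]}` (or nothing, since the server config sets `disable_mlock = true`), and remove the `io.kubernetes.cri-o.SandboxID/*` annotations and `creationTimestamp` values, which are leftovers from the podman export. A one-line header note saying the file was generated by podman's kube export and is illustrative only would make that clearer than the current namespace-sharing warning alone.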


@ -0,0 +1,6 @@
FROM hashicorp/vault:latest
# VOLUME data
RUN mkdir -p /opt/vault/data
RUN chown -R vault:vault /opt/vault/data
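Review bot: `FROM hashicorp/vault:latest` is unpinned, so each rebuild can pull a different Vault release (and the compose file republishes the result as `tepichord/vault:latest`), which makes the deployment non-reproducible and hard to audit. Pin an explicit version, ideally with a digest, e.g. `FROM hashicorp/vault:<version>@sha256:<digest>` using the values from the release you validated. The two `RUN` lines can be merged into `RUN mkdir -p /opt/vault/data && chown -R vault:vault /opt/vault/data` to avoid an extra layer, and the stale `# VOLUME data` comment should either become a real `VOLUME /opt/vault/data` or be removed.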


@ -0,0 +1,22 @@
ui = true
api_addr = "https://0.0.0.0:8200"
default_lease_ttl = "2304h"
max_lease_ttl = "2304h"
disable_mlock = true
storage "file" {
path = "/opt/vault/data"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/opt/vault/certs/vault.crt"
tls_key_file = "/opt/vault/certs/vault.key"
tls_client_ca_file = "/opt/vault/certs/rootCA.pem"
}
user_lockout "all" {
lockout_threshold = 25
lockout_duration = "60m"
lockout_counter_reset = "60m"
}
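Review bot: `disable_mlock = true` combined with the `file` storage backend means Vault's in-memory secrets can be swapped to disk; Vault's configuration docs recommend disabling mlock only for integrated (raft) storage and keeping it enabled for other backends. The compose file already grants `IPC_LOCK` to this container, so `disable_mlock = false` should work without further changes. `api_addr = "https://0.0.0.0:8200"` is the address Vault advertises to clients (for example in redirects), and an unspecified address is not one a client can connect to; it should presumably be the URL clients actually reach Vault at, e.g. `api_addr = "https://vault:8200"` for the nginx upstream. `tls_client_ca_file` is set but nothing requires a client certificate (`tls_require_and_verify_client_cert` is unset), so add a comment stating what it is for (presumably the `cert` auth method) or drop it.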


@ -0,0 +1,40 @@
# nginx/conf/nginx.conf
events {
worker_connections 1024;
}
http {
server {
listen 443 ssl;
server_name macbook-pro.tailscale-name.ts.net;
ssl_certificate /etc/ssl/tailscale-cert.crt;
ssl_certificate_key /etc/ssl/tailscale-key.key;
location / {
# FIXED: Use container hostname instead of localhost
proxy_pass https://vault:8200;
# Trust Vault's self-signed certificate
proxy_ssl_certificate /etc/vault-certs/vault.crt;
proxy_ssl_certificate_key /etc/vault-certs/vault.key;
proxy_ssl_verify off; # Since you're using mkcert cert
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Important for WebSocket connections (Vault UI)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Optional: HTTP to HTTPS redirect
server {
listen 80;
server_name macbook-pro.tailscale-name.ts.net;
return 301 https://$server_name$request_uri;
}
}
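Review bot: `proxy_ssl_verify off;` in the `location /` block means nginx never checks the certificate Vault presents, so the comment "Trust Vault's self-signed certificate" does not describe what these lines do, and the two `proxy_ssl_certificate*` directives present Vault's own server key as a client certificate, which is the only reason that private key has to be mounted into the nginx container at all. The mkcert root CA is already mounted at `/etc/vault-certs/rootCA.pem` (compose mount `./hc_vault/certs:/etc/vault-certs`) and the Vault cert carries `vault` as a SAN per `hc_vault/README.md`, so replace the three lines with `proxy_ssl_trusted_certificate /etc/vault-certs/rootCA.pem;` and `proxy_ssl_verify on;`. WebSocket upgrades also need `proxy_http_version 1.1;` next to the `Upgrade`/`Connection` headers, since they are ineffective on the default HTTP/1.0 upstream protocol. The `listen 80` redirect targets `https://$server_name$request_uri` with no port, which will not reach this proxy when it is published as `8443:443` as in the compose file.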