Replaces .env files across all KiteStacks apps. Vault runs as a Docker container bound to 127.0.0.1:8200 with file storage backend. - apps/vault/: compose file + vault.hcl config (TLS disabled, localhost only) - scripts/vault-env.sh: fetches secret from Vault KV and injects as env vars before running docker compose (drops the .env pattern entirely) - scripts/vault-init.sh: one-time init — GPG-encrypts unseal keys to ~/.vault-keys.gpg, creates kitestacks policy + limited app token - scripts/vault-unseal.sh: post-restart unseal via GPG-decrypted key - docs/vault-setup.md: full setup guide including secret migration steps Usage: vault-env.sh kitestacks/authentik -- docker compose up -d Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
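#!/usr/bin/env bash
# vault-unseal.sh — unseal Vault after a container restart
#
# Decrypts the GPG-encrypted keys file written by vault-init.sh and feeds the
# unseal key shares to Vault, one at a time, until Vault reports sealed=false.
# Add to startup: after `docker compose up`, call this script.
#
# Environment:
#   VAULT_ADDR  Vault API address (default: http://127.0.0.1:8200)
#   HOME        the keys file is read from ${HOME}/.vault-keys.gpg
#
# Exit status: 0 when Vault is (or becomes) unsealed, 1 on any failure.
#
# NOTE: do not run this script under `set -x`; the xtrace log would contain
# the decrypted key shares.

set -euo pipefail

VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
KEYS_FILE="${HOME}/.vault-keys.gpg"
readonly KEYS_FILE

export VAULT_ADDR

#######################################
# Print a diagnostic to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# `vault status` encodes the seal state in its exit code
# (0 = unsealed, 2 = sealed, anything else = error such as an unreachable
# server). Relying on the exit code instead of grepping the human-readable
# table keeps the check stable across Vault releases and lets an unreachable
# Vault fail loudly instead of falling through to a doomed unseal attempt.
status_rc=0
vault status >/dev/null 2>&1 || status_rc=$?
case "${status_rc}" in
  0)
    echo "Vault is already unsealed."
    exit 0
    ;;
  2)
    ;;  # sealed — continue below
  *)
    die "cannot reach Vault at ${VAULT_ADDR} (vault status exit ${status_rc})"
    ;;
esac

[[ -f "${KEYS_FILE}" ]] || die "${KEYS_FILE} not found — run vault-init.sh first"

echo "Decrypting unseal key ..."
# Decrypt in a pipeline so the plaintext never touches disk. gpg's stderr is
# left visible (only its informational chatter is silenced with --quiet) so a
# failed decryption is not a mystery. Every share in unseal_keys_b64 is kept,
# one per line, so a file produced with a key threshold above 1 still works;
# with a single share this is identical to the original behaviour.
unseal_keys=()
mapfile -t unseal_keys < <(
  gpg --quiet --decrypt "${KEYS_FILE}" \
    | python3 -c 'import json,sys; print("\n".join(json.load(sys.stdin)["unseal_keys_b64"]))'
)
# mapfile does not see the pipeline's exit status, so an empty result is the
# failure signal (decryption failed or the file holds no shares).
(( ${#unseal_keys[@]} > 0 )) \
  || die "could not decrypt ${KEYS_FILE} or it contains no unseal keys"

echo "Unsealing Vault at ${VAULT_ADDR} ..."
seal_state="sealed"
for unseal_key in "${unseal_keys[@]}"; do
  # Feed the share on stdin (vault prompts for it when no KEY argument is
  # given) rather than as an argument, so it never shows up in `ps`,
  # /proc/*/cmdline or shell history. -format=json gives a parseable
  # "sealed" field back instead of the progress table.
  seal_state=$(printf '%s\n' "${unseal_key}" \
    | vault operator unseal -format=json \
    | python3 -c 'import json,sys; print("sealed" if json.load(sys.stdin)["sealed"] else "unsealed")') \
    || die "vault operator unseal failed"
  if [[ "${seal_state}" == "unsealed" ]]; then
    break
  fi
done
# Drop the shares from the shell's memory as soon as they are no longer needed.
unset unseal_key unseal_keys

[[ "${seal_state}" == "unsealed" ]] \
  || die "Vault is still sealed after submitting all key shares in ${KEYS_FILE}"
echo "Vault unsealed."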