depot/ops/vault/create-server.sh

#!/usr/bin/env nix-shell
#!nix-shell -p vault -p jq -i bash

set -euo pipefail

readonly server_name=${1}

export VAULT_ADDR=https://vault.int.lukegb.com/

echo Checking login credentials...
vault token lookup >/dev/null || vault login -method=oidc role=admin

echo Grabbing approle accessor...
APPROLE_ACCESSOR="$(vault auth list -format=json | jq -r '.["approle/"].accessor')"
echo -ne "\t${APPROLE_ACCESSOR}\n"

echo Creating new approle...
vault write auth/approle/role/${server_name} \
	secret_id_num_uses=0 \
	secret_id_ttl="" \
	token_ttl=20m \
	token_max_ttl=30m \
	token_policies="default,server" \
	token_max_uses=0

echo Setting role-id...
vault write auth/approle/role/${server_name}/role-id role_id=${server_name}

echo Creating new secret...
SECRET_ID="$(vault write -f -format=json auth/approle/role/${server_name}/secret-id | jq -r '.data.secret_id')"
echo -ne "\t$SECRET_ID\n"

echo Creating entity...
ENTITY_ID="$(vault write -format=json identity/entity \
	name="${server_name}" \
	policies="server" \
	metadata="server=${server_name}" | jq -r '.data.id')"
echo -ne "\t$ENTITY_ID\n"

echo Creating entity alias...
vault write identity/entity-alias \
	name="${server_name}" \
	canonical_id="${ENTITY_ID}" \
	mount_accessor="${APPROLE_ACCESSOR}"
ops/nixos: add some vault-agent setup 2022-01-23 23:38:40 +00:00			`#!/usr/bin/env nix-shell`
			`#!nix-shell -p vault -p jq -i bash`

			`set -euo pipefail`

			`readonly server_name=${1}`

			`export VAULT_ADDR=https://vault.int.lukegb.com/`

			`echo Checking login credentials...`
			`vault token lookup >/dev/null \|\| vault login -method=oidc role=admin`

			`echo Grabbing approle accessor...`
			`APPROLE_ACCESSOR="$(vault auth list -format=json \| jq -r '.["approle/"].accessor')"`
			`echo -ne "\t${APPROLE_ACCESSOR}\n"`

			`echo Creating new approle...`
			`vault write auth/approle/role/${server_name} \`
			`secret_id_num_uses=0 \`
			`secret_id_ttl="" \`
			`token_ttl=20m \`
			`token_max_ttl=30m \`
			`token_policies="default,server" \`
			`token_max_uses=0`

			`echo Setting role-id...`
			`vault write auth/approle/role/${server_name}/role-id role_id=${server_name}`

			`echo Creating new secret...`
			`SECRET_ID="$(vault write -f -format=json auth/approle/role/${server_name}/secret-id \| jq -r '.data.secret_id')"`
			`echo -ne "\t$SECRET_ID\n"`

			`echo Creating entity...`
			`ENTITY_ID="$(vault write -format=json identity/entity \`
			`name="${server_name}" \`
			`policies="server" \`
			`metadata="server=${server_name}" \| jq -r '.data.id')"`
			`echo -ne "\t$ENTITY_ID\n"`

			`echo Creating entity alias...`
			`vault write identity/entity-alias \`
			`name="${server_name}" \`
			`canonical_id="${ENTITY_ID}" \`
			`mount_accessor="${APPROLE_ACCESSOR}"`