From 0b2319e75e280e0d0fac052e579c3c2b43bd98ef Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Sun, 18 Jul 2021 21:15:49 -0400
Subject: [PATCH] Add bare-metal install instructions

Add instructions for a bare-metal install (like on a raspberry pi) for use with transit-keys and break-glass scenarios.
---
 README.md | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 117 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index ba2a417..0a52af5 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,115 @@ brew install hashicorp/tap/vault brew install jq ``` +## Install (bare metal) + +1. [Download Vault](https://www.vaultproject.io/downloads) + +2. Create a vault user + + ```bash + useradd --system --home /etc/vault.d --shell /bin/false vault + ``` + +2. Create a config file + + ```bash + mkdir -p /etc/vault.d + touch /etc/vault.d/vault.hcl + chmod 640 /etc/vault.d/vault.hcl + chown --recursive vault:vault /etc/vault.d + ``` + +3. Add the following + + ```hcl + storage "file" { + path = "/vault/data" + } + + listener "tcp" { + address = "0.0.0.0:8200" + tls_disable = 0 + tls_cert_file = "/etc/ssl/certs/pi-vault.pem" + tls_key_file = "/etc/vault.d/pi-vault.key" + } + + ui = true + ``` + +4. Add your CA (if you have one) to /etc/ssl/certs and run `update-ca-certificates` + +5. Create a vault storage location + + ```bash + mkdir -p /vault/data + chown --recursive vault:vault /vault/data/ + ``` + +6. Allow vault to use mlock syscall to prevent memory from being swapped + + ```bash + setcap cap_ipc_lock=+ep /usr/local/bin/vault + ``` + +7. Create a systemd process + + ```bash + touch /etc/systemd/system/vault.service + ``` + +8. 
Add the following + + ```conf + [Unit] + Description="HashiCorp Vault - A tool for managing secrets" + Documentation=https://www.vaultproject.io/docs/ + Requires=network-online.target + After=network-online.target + ConditionFileNotEmpty=/etc/vault.d/vault.hcl + StartLimitIntervalSec=60 + StartLimitBurst=3 + + [Service] + User=vault + Group=vault + ProtectSystem=full + ProtectHome=read-only + PrivateTmp=yes + PrivateDevices=yes + SecureBits=keep-caps + AmbientCapabilities=CAP_IPC_LOCK + Capabilities=CAP_IPC_LOCK+ep + CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK + NoNewPrivileges=yes + ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl + ExecReload=/bin/kill --signal HUP $MAINPID + KillMode=process + KillSignal=SIGINT + Restart=on-failure + RestartSec=5 + TimeoutStopSec=30 + StartLimitInterval=60 + StartLimitIntervalSec=60 + StartLimitBurst=3 + LimitNOFILE=65536 + LimitMEMLOCK=infinity + + [Install] + WantedBy=multi-user.target + EOF + ``` + +9. Start the service with `systemctl start vault` +10. Run `vault operator init` on the server to generate keys +11. Unseal the vault +12. Add the following backup job to /etc/crontab + + ```crontab + 0 0 * * * root tar czvf /vault/backups/$(date +\%y-\%m-\%d-\%H-\%M)-pivault.tar.gz /vault/data + 0 0 * * * root find /vault/backups/* -mtime +7 -exec rm {} + + ``` + ## Install (Standalone) ```bash @@ -582,11 +691,12 @@ Add signing role vault write ssh-client-signer/roles/ducoterra -<<"EOH" { "allow_user_certificates": true, - "allowed_users": "*", + "allowed_users": "ducoterra", "allowed_extensions": "permit-pty,permit-port-forwarding", "default_extensions": [ { "permit-pty": "" } ], + "algorithm_signer": "rsa-sha2-512", "key_type": "ca", "default_user": "ducoterra", "ttl": "30m0s" 
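Review bot: No step gives the TLS private key named in `tls_key_file` an owner or mode: the `chown --recursive vault:vault /etc/vault.d` in the config step runs before any key is placed there and `chmod 640` touches only `vault.hcl`, so I would add a step such as `install -o vault -g vault -m 0600 pi-vault.key /etc/vault.d/pi-vault.key`. The crontab entries write to `/vault/backups`, which nothing above creates; creating it with `mkdir -m 0700 /vault/backups` keeps the archives of `/vault/data` away from other local accounts, and because both entries fire at `0 0 * * *` the prune can run alongside the `tar`. In the unit file, the closing `EOF` line is heredoc residue (step 7 only runs `touch`) and is not unit syntax, and `Capabilities=` was removed from systemd and is ignored there while `AmbientCapabilities=CAP_IPC_LOCK` already covers it, so both lines can go.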
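Review bot: `"ttl": "30m0s"` in this role (and in the `pi` and `rancher` roles in the hunks at -598 and -614) sets the default certificate lifetime, not a ceiling; as I understand the SSH secrets engine, a caller may request a longer `ttl` at signing time up to the role's `max_ttl`, which falls back to the mount or system maximum when unset. Adding `"max_ttl": "30m0s"` beside `"ttl"` would hold these user certificates to the intended 30 minutes, which fits the tightening this commit already does by pinning `allowed_users` to one login per role. The JSON body and its closing `EOH` continue outside the hunk.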
@@ -598,11 +708,12 @@ EOH vault write ssh-client-signer/roles/pi -<<"EOH" { "allow_user_certificates": true, - "allowed_users": "*", + "allowed_users": "pi", "allowed_extensions": "permit-pty,permit-port-forwarding", "default_extensions": [ { "permit-pty": "" } ], + "algorithm_signer": "rsa-sha2-512", "key_type": "ca", "default_user": "pi", "ttl": "30m0s" @@ -614,11 +725,12 @@ EOH vault write ssh-client-signer/roles/rancher -<<"EOH" { "allow_user_certificates": true, - "allowed_users": "*", + "allowed_users": "rancher", "allowed_extensions": "permit-pty,permit-port-forwarding", "default_extensions": [ { "permit-pty": "" } ], + "algorithm_signer": "rsa-sha2-512", "key_type": "ca", "default_user": "rancher", "ttl": "30m0s" @@ -629,7 +741,7 @@ EOH Sign a key ```bash -export SSHUSER=pi; vault write -field=signed_key ssh-client-signer/sign/$SSHUSER public_key=@$HOME/.ssh/test_rsa.pub > ~/.ssh/test_rsa-cert.pub +export SSHUSER=pi; vault write -field=signed_key ssh-client-signer/sign/$SSHUSER public_key=@$HOME/.ssh/id_rsa.pub > ~/.ssh/id_rsa-cert.pub ``` SSH using the signed key @@ -638,7 +750,7 @@ SSH using the signed key # If you saved the signed pub as key_name"-cert.pub" then you don't need to specify the signed-cert.pub part. ssh -i signed-cert.pub -i ~/.ssh/test_rsa client -# or without the cert (using default client) +# without the cert (using default client) ssh -i ~/.ssh/test_rsa client ```
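Review bot: The sign command now reads `~/.ssh/id_rsa.pub` and writes `~/.ssh/id_rsa-cert.pub`, but the SSH examples in the last hunk still pass `-i ~/.ssh/test_rsa`, so the certificate saved next to `id_rsa` is never the one `ssh` pairs with that key. I would change both examples to `ssh -i ~/.ssh/id_rsa client`. The rewritten comment `# without the cert (using default client)` also reads as if no certificate is used, while the comment above it says the `-cert.pub` file is found without being named; `# or let ssh find id_rsa-cert.pub on its own` says what the command does. In the sign command, quoting the expansions (`"ssh-client-signer/sign/$SSHUSER"`, `public_key=@"$HOME/.ssh/id_rsa.pub"`) keeps it working when the home path contains spaces.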