diff --git a/app-admin/vault/Manifest b/app-admin/vault/Manifest
new file mode 100644
index 00000000..d2338de6
--- /dev/null
+++ b/app-admin/vault/Manifest
@@ -0,0 +1 @@
+DIST vault-1.17.6.tar.gz 33676185 BLAKE2B 55ba11bb74f7fe8511dc8402687a4c59ecf9dafa072df29ba1c84a2073940262381ea887b672110b54288147ac7720ecdf6ebeb52c63dab00a945dfc78543ba3 SHA512 ae1f2504885674f2a3cca4758aaf4f5b8244bba24d840093c8e4596d8c713ac0e63ae8d75cc6424d30e5d70a2f8953615eb35de245f0ad817e50e7494f0169f1
diff --git a/app-admin/vault/files/localhost.json.example b/app-admin/vault/files/localhost.json.example
new file mode 100644
index 00000000..02c377e4
--- /dev/null
+++ b/app-admin/vault/files/localhost.json.example
@@ -0,0 +1,9 @@
+backend "consul" {
+ address = "127.0.0.1:8500"
+ path = "vault"
+}
+
+listener "tcp" {
+ address = "127.0.0.1:8200"
+ tls_disable = 1
+}
diff --git a/app-admin/vault/files/vault.confd b/app-admin/vault/files/vault.confd
new file mode 100644
index 00000000..6263ff00
--- /dev/null
+++ b/app-admin/vault/files/vault.confd
@@ -0,0 +1,7 @@
+# you can change the init script behavior by setting those parameters
+# - group (default: vault)
+# - pidfile (default: /run/vault/vault.pid)
+# - user (default: vault)
+
+# extra arguments for the consul agent
+command_args="-config=/etc/vault.d"
diff --git a/app-admin/vault/files/vault.initd b/app-admin/vault/files/vault.initd
new file mode 100644
index 00000000..e4bd3e7c
--- /dev/null
+++ b/app-admin/vault/files/vault.initd
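Review bot: The `tls_disable = 1` line in the listener stanza carries no explanation, and the only thing that keeps it defensible is the `127.0.0.1:8200` bind on the line above; anyone who copies this into a real `/etc/vault.d/*.hcl` and widens the address ends up with a plaintext API. I would add `# plaintext is acceptable only because the listener is bound to loopback; use tls_cert_file/tls_key_file for any other address` above the listener block. The content is HCL rather than JSON despite the `.json.example` name, and `backend` is, as far as I recall, the legacy spelling of the `storage` stanza in current Vault — both worth confirming against the 1.17 configuration docs.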
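Review bot: The trailing comment `# extra arguments for the consul agent` names the wrong daemon; this file feeds `command_args` to the vault init script, so it should read `# extra arguments for the vault server`. The header also documents `pidfile` as defaulting to `/run/vault/vault.pid`, while the init script in this commit sets `pidfile=${pidfile:-"/run/${RC_SVCNAME}.pid"}`, i.e. `/run/vault.pid`, and `rc_ulimit` (default `-n 65536`) is overridable here too but is not listed. I would change the comment to `# - pidfile (default: /run/vault.pid)` and add `# - rc_ulimit (default: -n 65536)`.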
@@ -0,0 +1,20 @@
+#!/sbin/openrc-run
+# Copyright 2015-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+description="vault server"
+group=${group:-${RC_SVCNAME}}
+pidfile=${pidfile:-"/run/${RC_SVCNAME}.pid"}
+rc_ulimit=${rc_ulimit-"-n 65536"}
+user=${user:-${RC_SVCNAME}}
+
+command="/usr/bin/${RC_SVCNAME}"
+command_args="server ${command_args}"
+command_background="true"
+start_stop_daemon_args="--user ${user} --group ${group} \
+ --stdout /var/log/${RC_SVCNAME}/${RC_SVCNAME}.log \
+ --stderr /var/log/${RC_SVCNAME}/${RC_SVCNAME}.log"
+
+depend() {
+ need net
+}
diff --git a/app-admin/vault/files/vault.logrotated b/app-admin/vault/files/vault.logrotated
new file mode 100644
index 00000000..66b827b9
--- /dev/null
+++ b/app-admin/vault/files/vault.logrotated
@@ -0,0 +1,7 @@
+/var/log/vault/vault.log {
+ missingok
+ size 5M
+ rotate 3
+ compress
+ copytruncate
+}
diff --git a/app-admin/vault/files/vault.service b/app-admin/vault/files/vault.service
new file mode 100644
index 00000000..939d8caf
--- /dev/null
+++ b/app-admin/vault/files/vault.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=vault server
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+Environment=VAULT_SERVER_OPTS="-config=/etc/vault.d"
+User=vault
+Group=vault
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+Capabilities=CAP_IPC_LOCK+ep
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/bin/vault server $VAULT_SERVER_OPTS
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitIntervalSec=60
+StartLimitBurst=3
+LimitNOFILE=65536
+
+[Install]
+WantedBy=default.target
diff --git a/app-admin/vault/metadata.xml b/app-admin/vault/metadata.xml
new file mode 100644
index 00000000..8bbd7586
--- /dev/null
+++ b/app-admin/vault/metadata.xml
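Review bot: The script silently depends on `cap_ipc_lock` being present on `/usr/bin/vault` for mlock to succeed; the ebuild in this commit sets it through `FILECAPS`, which as I recall the fcaps eclass applies only when its USE flag is enabled, and unlike the systemd unit there is no `AmbientCapabilities` equivalent here to fall back on. I would add above `command=`: `# mlock needs cap_ipc_lock on ${command} (set by the ebuild's FILECAPS); without it, set disable_mlock in the config`. The `--stdout`/`--stderr` redirection likewise presumes `/var/log/${RC_SVCNAME}` exists and is writable by `${user}`, which the ebuild's `keepdir`/`fowners` provide; a one-line comment would keep that coupling visible to the next editor.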
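Review bot: `Capabilities=CAP_IPC_LOCK+ep` in the [Service] section is, as far as I recall, a directive that current systemd no longer accepts (it was superseded by `AmbientCapabilities=`, which the preceding line already sets), so it most likely only yields an "unknown lvalue" warning at load time; `systemd-analyze verify` on the installed unit would settle it, and if confirmed the line should go, and `SecureBits=keep-caps` becomes redundant with it. `StartLimitIntervalSec=` and `StartLimitBurst=` are [Unit]-section settings on current systemd; under [Service] they may be honoured only through a compatibility alias or ignored, so verify rather than assume. The remaining hardening (`ProtectSystem=full`, `PrivateDevices=yes`, `NoNewPrivileges=yes`, the bounding set limited to `CAP_SYSLOG CAP_IPC_LOCK`) is sound and worth keeping as is.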
@@ -0,0 +1,7 @@
+
+
+
+
+ ops@adjust.com
+
+
diff --git a/app-admin/vault/vault-1.17.6.ebuild b/app-admin/vault/vault-1.17.6.ebuild
new file mode 100644
index 00000000..7ce04c32
--- /dev/null
+++ b/app-admin/vault/vault-1.17.6.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit fcaps go-module systemd
+
+DESCRIPTION="A tool for managing secrets"
+HOMEPAGE="https://vaultproject.io/"
+
+SRC_URI="https://github.com/hashicorp/vault/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BUSL-1.1 MPL-2.0"
+LICENSE+=" Apache-2.0 BSD BSD-2 CC-BY-SA-4.0 ISC MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~riscv"
+IUSE=""
+
+BDEPEND="
+ dev-go/gox
+ dev-go/enumer
+ app-arch/zip
+ >=dev-lang/go-1.21"
+
+COMMON_DEPEND="
+ acct-group/vault
+ acct-user/vault"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+
+FILECAPS=(
+ -m 755 'cap_ipc_lock=+ep' usr/bin/${PN}
+)
+
+RESTRICT="test"
+
+src_prepare() {
+ default
+ # Avoid the need to have a git checkout
+ sed -e 's:^\(GIT_COMMIT=\).*:\1:' \
+ -e 's:^\(GIT_DIRTY=\).*:\1:' \
+ -e s:\'\${GIT_COMMIT}\${GIT_DIRTY}\':: \
+ -e "s|^BUILD_DATE=.*|BUILD_DATE=$(date +%Y-%m-%dT%H:%M:%SZ)|" \
+ -i scripts/build.sh || die
+ sed -e "/hooks/d" \
+ -e 's|^\([[:space:]]*\)goimports .*)|\1true|' \
+ -e "s/gofumpt/gofmt/g" \
+ -i Makefile || die
+ if [[ -d "${WORKDIR}/http/web_ui" ]]; then
+ rm -rf "${S}/http/web_ui" || die
+ mv "${WORKDIR}/http/web_ui" "${S}/http/web_ui" ||
+ die "mv failed"
+ else
+ mkdir -p "${S}/http/web_ui" || die
+ touch "${S}/http/web_ui/no_web_ui" || die
+ fi
+}
+
+src_compile() {
+ mkdir "${T}"/bin || die
+ GOPATH="${T}" \
+ XC_ARCH=$(go env GOARCH) \
+ XC_OS=$(go env GOOS) \
+ XC_OSARCH=$(go env GOOS)/$(go env GOARCH) \
+ emake bin
+}
+
+src_install() {
+ dobin bin/${PN}
+ dodoc CHANGELOG.md CONTRIBUTING.md README.md
+ insinto /etc/${PN}.d
+ doins "${FILESDIR}/"*.json.example
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}/${PN}.logrotated" "${PN}"
+ newinitd "${FILESDIR}/${PN}.initd" "${PN}"
+ newconfd "${FILESDIR}/${PN}.confd" "${PN}"
+ systemd_dounit "${FILESDIR}/${PN}.service"
+ keepdir /var/log/${PN}
+ fowners ${PN}:${PN} /var/log/${PN}
+}
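Review bot: In `src_prepare` the `if [[ -d "${WORKDIR}/http/web_ui" ]]` branch appears unreachable as written: `SRC_URI` fetches only the source tarball, so nothing unpacks into `${WORKDIR}/http/web_ui` and every build takes the `else` branch that creates the `no_web_ui` stub; either drop the dead branch or add a comment saying why it is kept (a future web-UI tarball, presumably). The `BUILD_DATE=$(date ...)` substitution bakes the build wall-clock time into the binary, which defeats reproducible builds and supply-chain verification of the artefact; honouring `SOURCE_DATE_EPOCH` when set keeps the output stable: `-e "s|^BUILD_DATE=.*|BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y-%m-%dT%H:%M:%SZ)|" \`. `RESTRICT="test"` deserves a one-line comment giving the reason, and `IUSE=""` is a no-op that can be removed.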