disinto/nomad/vault.hcl

# =============================================================================
# nomad/vault.hcl — Single-node Vault configuration (dev-persisted seal)
#
# Part of the Nomad+Vault migration (S0.3, issue #823). Deployed to
# /etc/vault.d/vault.hcl on the factory dev box.
#
# Seal model: the single unseal key lives on disk at /etc/vault.d/unseal.key
# (0400 root) and is read by systemd ExecStartPost on every boot. This is
# the factory-dev-box-acceptable tradeoff — seal-key theft equals vault
# theft, but we avoid running a second Vault to auto-unseal the first.
#
# This is a factory dev-box baseline — TLS, HA, Raft storage, and audit
# devices are deliberately absent. Storage is the `file` backend (single
# node only). Listener is localhost-only, so no external TLS is needed.
# =============================================================================

# File storage backend — single-node only, no HA, no raft. State lives in
# /var/lib/vault/data which is created (root:root 0700) by
# lib/init/nomad/systemd-vault.sh before the unit starts.
storage "file" {
  path = "/var/lib/vault/data"
}

# Localhost-only listener. TLS is disabled because all callers are on the
# same box — flipping this to tls_disable=false is an audit-worthy change
# paired with cert provisioning.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true
}

# mlock prevents Vault's in-memory secrets from being swapped to disk. We
# keep it enabled; the systemd unit grants CAP_IPC_LOCK so mlock() succeeds.
disable_mlock = false

# Advertised API address — used by Vault clients on this host. Matches
# the listener above.
api_addr = "http://127.0.0.1:8200"

# UI on by default — same bind as listener, no TLS (localhost only).
ui = true
fix: [nomad-step-0] S0.3 — install vault + systemd auto-unseal + vault-init.sh (dev-persisted seal) (#823) Adds the Vault half of the factory-dev-box bringup, landed but not started (per the install-but-don't-start pattern used for nomad in #822): - lib/init/nomad/install.sh — now also installs vault from the shared HashiCorp apt repo. VAULT_VERSION pinned (1.18.5). Fast-path skips apt entirely when both binaries are at their pins; partial upgrades only touch the package that drifted. - nomad/vault.hcl — single-node config: file storage backend at /var/lib/vault/data, localhost listener on :8200, ui on, mlock kept on. No TLS / HA / audit yet; those land in later steps. - lib/init/nomad/systemd-vault.sh — writes /etc/systemd/system/vault.service (Type=notify, ExecStartPost auto-unseals from /etc/vault.d/unseal.key, CAP_IPC_LOCK granted for mlock), deploys nomad/vault.hcl to /etc/vault.d/, creates /var/lib/vault/data (0700 root), enables the unit without starting it. Idempotent via content-compare. - lib/init/nomad/vault-init.sh — first-run init: spawns a temporary `vault server` if not already reachable, runs operator-init with key-shares=1/threshold=1, persists unseal.key + root.token (0400 root), unseals once in-process, shuts down the temp server. Re-run detects initialized + unseal.key present → no-op. Initialized but key missing is a hard failure (can't recover). lib/hvault.sh already defaults VAULT_TOKEN to /etc/vault.d/root.token when the env var is absent, so no change needed there. Seal model: the single unseal key lives on disk; seal-key theft equals vault theft. Factory-dev-box-acceptable tradeoff — avoids running a second Vault to auto-unseal the first. Blocks S0.4 (#824). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-16 06:29:55 +00:00			`# =============================================================================`
			`# nomad/vault.hcl — Single-node Vault configuration (dev-persisted seal)`
			`#`
			`# Part of the Nomad+Vault migration (S0.3, issue #823). Deployed to`
			`# /etc/vault.d/vault.hcl on the factory dev box.`
			`#`
			`# Seal model: the single unseal key lives on disk at /etc/vault.d/unseal.key`
			`# (0400 root) and is read by systemd ExecStartPost on every boot. This is`
			`# the factory-dev-box-acceptable tradeoff — seal-key theft equals vault`
			`# theft, but we avoid running a second Vault to auto-unseal the first.`
			`#`
			`# This is a factory dev-box baseline — TLS, HA, Raft storage, and audit`
			# devices are deliberately absent. Storage is the `file` backend (single
			`# node only). Listener is localhost-only, so no external TLS is needed.`
			`# =============================================================================`

			`# File storage backend — single-node only, no HA, no raft. State lives in`
			`# /var/lib/vault/data which is created (root:root 0700) by`
			`# lib/init/nomad/systemd-vault.sh before the unit starts.`
			`storage "file" {`
			`path = "/var/lib/vault/data"`
			`}`

			`# Localhost-only listener. TLS is disabled because all callers are on the`
			`# same box — flipping this to tls_disable=false is an audit-worthy change`
			`# paired with cert provisioning.`
			`listener "tcp" {`
			`address = "127.0.0.1:8200"`
			`tls_disable = true`
			`}`

			`# mlock prevents Vault's in-memory secrets from being swapped to disk. We`
			`# keep it enabled; the systemd unit grants CAP_IPC_LOCK so mlock() succeeds.`
			`disable_mlock = false`

			`# Advertised API address — used by Vault clients on this host. Matches`
			`# the listener above.`
			`api_addr = "http://127.0.0.1:8200"`

			`# UI on by default — same bind as listener, no TLS (localhost only).`
			`ui = true`