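#cloud-config
# Single-node Vault bootstrap for a test host: installs the Vault binary,
# writes the server config and a hardened systemd unit, and starts the service.
# As written the listener is plaintext (tls_disable = 1) and port 8200 is
# opened in ufw, so the API and every token sent to it are exposed unencrypted
# to whatever can reach the host. See the listener and firewall notes below.
package_update: true
package_upgrade: true

packages:
  - wget
  - unzip
  - jq

users:
  # Unprivileged service account with no login shell.
  - name: vault
    system: true
    shell: /bin/false
    home: /opt/vault

write_files:
  # `defer: true` is needed because cloud-init's write_files module runs
  # before users-groups in the default module order, so `owner: vault:vault`
  # would be applied while the account does not exist yet. Deferred files are
  # written in the final stage, after users and packages and before runcmd
  # (requires a cloud-init release that supports write_files `defer`).
  - path: /etc/vault.d/vault.hcl
    defer: true
    permissions: '0640'
    owner: vault:vault
    # The listener binds every interface without TLS. For anything beyond a
    # throwaway test set tls_disable = 0 with tls_cert_file/tls_key_file, or
    # bind to 127.0.0.1 and put a TLS terminator in front.
    content: |
      ui = true

      storage "file" {
        path = "/opt/vault/data"
      }

      listener "tcp" {
        address     = "0.0.0.0:8200"
        tls_disable = 1
      }

      api_addr     = "http://127.0.0.1:8200"
      cluster_addr = "https://127.0.0.1:8201"

  # Hardened unit: runs as the vault user with a read-only system tree,
  # private /tmp and /dev, and only CAP_IPC_LOCK (for mlock) in the ambient
  # and bounding sets. The obsolete `Capabilities=` directive from older
  # reference units is omitted; current systemd ignores it with a warning and
  # AmbientCapabilities/CapabilityBoundingSet already cover the same grant.
  - path: /etc/systemd/system/vault.service
    content: |
      [Unit]
      Description=Vault
      Documentation=https://www.vaultproject.io/docs/
      Requires=network-online.target
      After=network-online.target
      ConditionFileNotEmpty=/etc/vault.d/vault.hcl
      StartLimitIntervalSec=60
      StartLimitBurst=3

      [Service]
      Type=notify
      User=vault
      Group=vault
      ProtectSystem=full
      ProtectHome=read-only
      PrivateTmp=yes
      PrivateDevices=yes
      SecureBits=keep-caps
      AmbientCapabilities=CAP_IPC_LOCK
      CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
      NoNewPrivileges=yes
      ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
      ExecReload=/bin/kill --signal HUP $MAINPID
      KillMode=process
      KillSignal=SIGINT
      Restart=on-failure
      RestartSec=5
      TimeoutStopSec=30
      LimitNOFILE=65536
      LimitMEMLOCK=infinity

      [Install]
      WantedBy=multi-user.target

runcmd:
  # Download Vault and verify the archive against the SHA256SUMS file
  # HashiCorp publishes with each release. The `|| exit 1` aborts the
  # generated runcmd script so a corrupted or substituted archive is never
  # installed. The SHA256SUMS file itself is protected only by TLS here;
  # verifying its .sig with HashiCorp's release key would close that gap.
  - cd /tmp
  - wget https://releases.hashicorp.com/vault/1.15.0/vault_1.15.0_linux_amd64.zip
  - wget https://releases.hashicorp.com/vault/1.15.0/vault_1.15.0_SHA256SUMS
  - sha256sum --check --ignore-missing vault_1.15.0_SHA256SUMS || exit 1
  - unzip -o vault_1.15.0_linux_amd64.zip
  - mv vault /usr/local/bin/
  - chmod +x /usr/local/bin/vault
  - rm -f vault_1.15.0_linux_amd64.zip vault_1.15.0_SHA256SUMS

  # Data and config directories. /etc/vault.d already exists from
  # write_files; `-p` keeps both calls idempotent. The file storage backend
  # holds the encrypted barrier, so keep the tree private to the service user.
  - mkdir -p /opt/vault/data
  - mkdir -p /etc/vault.d
  - chown -R vault:vault /opt/vault /etc/vault.d
  - chmod 0750 /opt/vault/data

  # Allow mlock() without root so Vault can keep key material out of swap
  # (the unit grants the same capability via AmbientCapabilities).
  - setcap cap_ipc_lock=+ep /usr/local/bin/vault

  # Reload so systemd picks up the unit written above, then enable and start.
  - systemctl daemon-reload
  - systemctl enable --now vault

  # Opens the plaintext API to every source ufw permits. Restrict it to the
  # admin/client network (e.g. `ufw allow from <ADMIN_CIDR> to any port 8200
  # proto tcp`, placeholder) or drop the rule and use SSH port-forwarding
  # until TLS is configured.
  - ufw allow 8200/tcp

  # Bounded wait for the listener instead of a fixed sleep. `vault status`
  # exits 1 while the API is unreachable and 2 once it answers but is
  # sealed/uninitialized, which is the expected state at this point.
  - for i in $(seq 1 30); do /usr/local/bin/vault status -address=http://127.0.0.1:8200 >/dev/null 2>&1; [ $? -ne 1 ] && break; sleep 1; done

  # Initialization stays manual on purpose: `vault operator init` prints the
  # unseal keys and root token, which must not end up in cloud-init logs.
  - echo "Run 'vault operator init' to initialize Vault"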