proxmox/scripts/archive/consolidated/deploy/setup-vault-tls.sh

#!/bin/bash
# Setup TLS for Vault Cluster
# Prepares structure for Let's Encrypt or custom certificates

set -euo pipefail

# Load IP configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true


# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[⚠]${NC} $1"; }
log_error() { echo -e "${RED}[✗]${NC} $1"; }

PROXMOX_HOST_1="${PROXMOX_HOST_1:-192.168.11.11}"
PROXMOX_HOST_2="${PROXMOX_HOST_2:-192.168.11.12}"
VAULT_NODES=(8640 8641 8642)

echo "═══════════════════════════════════════════════════════════"
echo "  Vault TLS Configuration Setup"
echo "═══════════════════════════════════════════════════════════"
echo ""

# Create TLS directories on all nodes
log_info "Creating TLS directories on all nodes..."

for vmid in "${VAULT_NODES[@]}"; do
    if [ "$vmid" = "8641" ]; then
        host="$PROXMOX_HOST_2"
    else
        host="$PROXMOX_HOST_1"
    fi
    
    log_info "Setting up TLS directory for VMID $vmid on $host..."
    ssh root@"$host" "pct exec $vmid -- bash" << 'TLS_EOF'
mkdir -p /opt/vault/tls
chown vault:vault /opt/vault/tls
chmod 700 /opt/vault/tls
TLS_EOF
    log_success "TLS directory created for VMID $vmid"
done

echo ""

# Create TLS configuration template
log_info "Creating TLS configuration template..."
cat > /home/intlc/projects/proxmox/docs/04-configuration/VAULT_TLS_CONFIGURATION.md << 'TLS_DOC_EOF'
# Vault TLS Configuration Guide

## Overview

This guide explains how to configure TLS for the Phoenix Vault cluster. TLS can be configured using:
- Let's Encrypt (recommended for production)
- Custom certificates
- Self-signed certificates (development only)

## TLS Directory Structure

TLS certificates are stored in `/opt/vault/tls/` on each node:
- `vault.crt` - Certificate file
- `vault.key` - Private key file
- `ca.crt` - CA certificate (if using custom CA)

## Let's Encrypt Setup (Recommended)

### Prerequisites
- Domain name pointing to Vault nodes (or use DNS challenge)
- Certbot installed on a management node
- Port 80 or 443 accessible for ACME challenge

### Steps

1. **Install Certbot** (on management node):
```bash
apt-get update
apt-get install -y certbot
```

2. **Obtain Certificates**:
```bash
# For each Vault node
certbot certonly --standalone -d vault-phoenix-1.example.com
certbot certonly --standalone -d vault-phoenix-2.example.com
certbot certonly --standalone -d vault-phoenix-3.example.com
```

3. **Copy Certificates to Vault Nodes**:
```bash
# Node 1
scp /etc/letsencrypt/live/vault-phoenix-1.example.com/fullchain.pem root@${PROXMOX_HOST_R630_01:-192.168.11.11}:/tmp/vault.crt
scp /etc/letsencrypt/live/vault-phoenix-1.example.com/privkey.pem root@${PROXMOX_HOST_R630_01:-192.168.11.11}:/tmp/vault.key
ssh root@${PROXMOX_HOST_R630_01:-192.168.11.11} "pct push 8640 /tmp/vault.crt /opt/vault/tls/vault.crt && pct push 8640 /tmp/vault.key /opt/vault/tls/vault.key && pct exec 8640 -- chown vault:vault /opt/vault/tls/* && pct exec 8640 -- chmod 600 /opt/vault/tls/vault.key && pct exec 8640 -- chmod 644 /opt/vault/tls/vault.crt"

# Repeat for nodes 2 and 3
```

4. **Update Vault Configuration**:
Update `/etc/vault.d/vault.hcl` on each node:
```hcl
listener "tcp" {
  address          = "0.0.0.0:8200"
  cluster_address  = "10.160.0.40:8201"
  tls_cert_file    = "/opt/vault/tls/vault.crt"
  tls_key_file     = "/opt/vault/tls/vault.key"
  tls_min_version  = "1.2"
  tls_cipher_suites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
}
```

5. **Restart Vault Services**:
```bash
ssh root@${PROXMOX_HOST_R630_01:-192.168.11.11} "pct exec 8640 -- systemctl restart vault"
ssh root@${PROXMOX_HOST_R630_02:-192.168.11.12} "pct exec 8641 -- systemctl restart vault"
ssh root@${PROXMOX_HOST_R630_01:-192.168.11.11} "pct exec 8642 -- systemctl restart vault"
```

6. **Set Up Auto-Renewal**:
```bash
# Add to crontab on management node
0 2 * * * certbot renew --quiet --deploy-hook "/path/to/renew-vault-certs.sh"
```

## Custom Certificates

1. **Generate Certificate Signing Request (CSR)**:
```bash
openssl genrsa -out vault.key 2048
openssl req -new -key vault.key -out vault.csr
```

2. **Sign Certificate with CA**:
```bash
openssl x509 -req -in vault.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out vault.crt -days 365
```

3. **Copy to Vault Nodes** (same as Let's Encrypt step 3)

4. **Update Configuration** (same as Let's Encrypt step 4)

## Self-Signed Certificates (Development Only)

```bash
# Generate self-signed certificate
openssl req -x509 -newkey rsa:2048 -keyout vault.key -out vault.crt -days 365 -nodes \
  -subj "/CN=vault-phoenix-1/O=Sankofa/C=US"

# Copy to all nodes
# Update configuration
```

## Verification

After enabling TLS:
```bash
# Test HTTPS connection
curl -k https://10.160.0.40:8200/v1/sys/health

# Check certificate
openssl s_client -connect 10.160.0.40:8200 -showcerts
```

## Important Notes

- **Never commit private keys to Git**
- **Use strong TLS cipher suites**
- **Set minimum TLS version to 1.2 or higher**
- **Regularly renew certificates**
- **Monitor certificate expiration**
- **Use separate certificates for each node in production**

TLS_DOC_EOF

log_success "TLS configuration guide created"

echo ""

log_info "TLS setup structure prepared"
log_warn "TLS is currently disabled. Enable TLS in production using the guide:"
log_info "  docs/04-configuration/VAULT_TLS_CONFIGURATION.md"

echo ""