ign8vault 1.0.0__tar.gz

ign8vault-1.0.0/PKG-INFO

@@ -0,0 +1,36 @@
+Metadata-Version: 2.4
+Name: ign8vault
+Version: 1.0.0
+Summary: Spin up a production HashiCorp Vault + Consul stack in minutes — Hetzner Cloud, Cloudflare DNS, automated backups to Hetzner StorageBox.
+License: MIT
+Requires-Python: >=3.11
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Provides-Extra: dev
+Requires-Dist: cloudflare (>=3)
+Requires-Dist: cryptography (>=42)
+Requires-Dist: hcloud (>=2)
+Requires-Dist: mypy (>=1.10) ; extra == "dev"
+Requires-Dist: paramiko (>=3)
+Requires-Dist: pydantic (>=2)
+Requires-Dist: pydantic-settings (>=2)
+Requires-Dist: pytest (>=8) ; extra == "dev"
+Requires-Dist: rich (>=13)
+Requires-Dist: ruff (>=0.4) ; extra == "dev"
+Requires-Dist: typer (>=0.12)
+Description-Content-Type: text/markdown
+
+# ign8vault
+
+Spin up HashiCorp Vault + Consul on Hetzner Cloud in one command.
+
+```bash
+pip install -e .
+cp .env.example .env  # fill in credentials
+ign8vault up
+```
+

ign8vault-1.0.0/README.md

@@ -0,0 +1,9 @@
+# ign8vault
+
+Spin up HashiCorp Vault + Consul on Hetzner Cloud in one command.
+
+```bash
+pip install -e .
+cp .env.example .env  # fill in credentials
+ign8vault up
+```

ign8vault-1.0.0/pyproject.toml

@@ -0,0 +1,48 @@
+[build-system]
+requires = ["poetry-core>=2.0.0"]
+build-backend = "poetry.core.masonry.api"
+
+[project]
+name = "ign8vault"
+version = "1.0.0"
+description = "Spin up a production HashiCorp Vault + Consul stack in minutes — Hetzner Cloud, Cloudflare DNS, automated backups to Hetzner StorageBox."
+readme = "README.md"
+requires-python = ">=3.11"
+license = { text = "MIT" }
+dependencies = [
+    "typer>=0.12",
+    "rich>=13",
+    "hcloud>=2",
+    "cloudflare>=3",
+    "paramiko>=3",
+    "pydantic>=2",
+    "pydantic-settings>=2",
+    "cryptography>=42",
+]
+
+[project.scripts]
+ign8vault = "ign8vault.cli:app"
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=8",
+    "ruff>=0.4",
+    "mypy>=1.10",
+]
+
+[tool.poetry]
+packages = [{include = "ign8vault", from = "src"}]
+
+[tool.ruff]
+src = ["src"]
+line-length = 100
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "UP"]
+
+[tool.mypy]
+strict = true
+mypy_path = "src"
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

ign8vault-1.0.0/src/ign8vault/cli.py

@@ -0,0 +1,238 @@
+"""CLI entry point: `ign8vault up` provisions Vault + Consul on Hetzner."""
+
+import json
+import secrets
+from pathlib import Path
+from typing import Optional
+
+import typer
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+
+import urllib.request
+
+from ign8vault.config import Config
+from ign8vault.dns.cloudflare import CloudflareDNS
+from ign8vault.infra import hetzner
+from ign8vault.keys import ensure_ed25519_keypair, save_keypair
+from ign8vault.setup.server import VaultSetup
+
+app = typer.Typer(name="ign8vault", help="Ignite a production Vault + Consul stack in minutes.", invoke_without_command=True)
+console = Console()
+
+
+@app.callback(invoke_without_command=True)
+def _main(
+    ctx: typer.Context,
+    env_file: Path = typer.Option(Path(".env"), "--env-file", hidden=True),
+) -> None:
+    # Load .env into os.environ so all envvar= options pick it up
+    if env_file.exists():
+        import os
+        for line in env_file.read_text().splitlines():
+            line = line.strip()
+            if not line or line.startswith("#") or "=" not in line:
+                continue
+            k, _, v = line.partition("=")
+            os.environ.setdefault(k.strip(), v.strip())
+    if ctx.invoked_subcommand is None:
+        _print_intro()
+
+
+@app.command()
+def up(
+    domain: str = typer.Option(..., envvar="IGN8_DOMAIN", help="Base domain (e.g. example.com)"),
+    admin_email: str = typer.Option(..., envvar="IGN8_ADMIN_EMAIL", help="Admin / certbot email"),
+    hetzner_token: str = typer.Option(..., envvar="IGN8_HETZNER_TOKEN", help="Hetzner Cloud API token"),
+    cloudflare_token: str = typer.Option(..., envvar="IGN8_CLOUDFLARE_TOKEN", help="Cloudflare API token"),
+    cloudflare_zone_id: str = typer.Option(..., envvar="IGN8_CLOUDFLARE_ZONE_ID", help="Cloudflare Zone ID"),
+    cloudflare_email: str = typer.Option("", envvar="IGN8_CLOUDFLARE_EMAIL", help="Cloudflare account email (Global API Key only)"),
+    storagebox_host: str = typer.Option("", envvar="IGN8_STORAGEBOX_HOST", help="Hetzner StorageBox hostname"),
+    storagebox_user: str = typer.Option("", envvar="IGN8_STORAGEBOX_USER", help="StorageBox username (defaults to first part of host)"),
+    storagebox_password: str = typer.Option("", envvar="IGN8_STORAGEBOX_PASSWORD", help="StorageBox password"),
+    backup_password: str = typer.Option("", envvar="IGN8_BACKUP_PASSWORD", help="Restic encryption password (auto-generated if empty)"),
+    work_dir: Path = typer.Option(Path(".ign8vault"), help="Directory for keys and state"),
+) -> None:
+    """Provision Vault + Consul: Hetzner VM + Cloudflare DNS + TLS + backups."""
+
+    cfg = Config(
+        domain=domain,
+        admin_email=admin_email,  # type: ignore[arg-type]
+        hetzner_token=hetzner_token,
+        cloudflare_token=cloudflare_token,
+        cloudflare_zone_id=cloudflare_zone_id,
+        cloudflare_email=cloudflare_email,
+        storagebox_host=storagebox_host,
+        storagebox_user=storagebox_user,
+        storagebox_password=storagebox_password,
+        backup_password=backup_password,
+    )
+
+    # Auto-generate backup password if not supplied
+    effective_backup_password = cfg.backup_password or secrets.token_hex(24)
+
+    console.print(Panel(f"[bold]ign8vault[/bold] — igniting [cyan]{cfg.domain}[/cyan]"))
+
+    # 1. SSH keypair
+    console.print("[1/5] Generating SSH keypair...")
+    keys_dir = work_dir / "keys"
+    priv_path, pub_path = save_keypair(keys_dir)
+    public_key_openssh = pub_path.read_text().strip()
+
+    # 2. Hetzner server
+    console.print("[2/5] Provisioning Hetzner server...")
+    outputs = hetzner.provision(cfg, public_key_openssh, work_dir / "state.json")
+    ipv4: str = outputs["ipv4"]
+    ipv6: str = outputs["ipv6"]
+    console.print(f"    Server IPv4: [green]{ipv4}[/green]")
+    if ipv6:
+        console.print(f"    Server IPv6: [green]{ipv6}[/green]")
+
+    # 3. Cloudflare DNS
+    console.print("[3/5] Creating Cloudflare DNS records...")
+    dns = CloudflareDNS(cfg.cloudflare_token, cfg.cloudflare_zone_id, cfg.domain, cfg.cloudflare_email)
+    dns.provision(ipv4, ipv6)
+    console.print(f"    vault.{cfg.domain}  → {ipv4}")
+    console.print(f"    consul.{cfg.domain} → {ipv4}")
+
+    # 4. Server setup
+    console.print("[4/5] Setting up server (Consul + Vault + nginx + TLS)...")
+    console.print("    Connecting via SSH (may take up to 5 minutes for boot)...")
+    setup = VaultSetup(cfg, ipv4, str(priv_path))
+    setup.connect(retries=30, delay=10)
+    try:
+        init_data = setup.run(effective_backup_password)
+    finally:
+        setup.disconnect()
+
+    # 5. Save credentials locally
+    console.print("[5/5] Saving credentials...")
+    init_path = work_dir / "vault-init.json"
+    saved: dict[str, object] = {
+        "vault_url": f"https://vault.{cfg.domain}",
+        "consul_url": f"https://consul.{cfg.domain}",
+        "backup_password": effective_backup_password,
+    }
+    if init_data:
+        saved.update(init_data)
+
+    init_path.write_text(json.dumps(saved, indent=2))
+    init_path.chmod(0o600)
+
+    _print_summary(cfg, saved, init_data)
+
+
+@app.command()
+def destroy(
+    domain: str = typer.Option(..., envvar="IGN8_DOMAIN", help="Base domain"),
+    hetzner_token: str = typer.Option(..., envvar="IGN8_HETZNER_TOKEN", help="Hetzner Cloud API token"),
+    cloudflare_token: str = typer.Option("", envvar="IGN8_CLOUDFLARE_TOKEN", help="Cloudflare API token"),
+    cloudflare_zone_id: str = typer.Option("", envvar="IGN8_CLOUDFLARE_ZONE_ID", help="Cloudflare Zone ID"),
+    cloudflare_email: str = typer.Option("", envvar="IGN8_CLOUDFLARE_EMAIL"),
+    work_dir: Path = typer.Option(Path(".ign8vault"), help="Directory for keys and state"),
+    yes: bool = typer.Option(False, "--yes", "-y", help="Skip confirmation prompt"),
+) -> None:
+    """Tear down the Vault + Consul server and DNS records."""
+    if not yes:
+        typer.confirm(f"Destroy all ign8vault resources for {domain}?", abort=True)
+
+    console.print(Panel(f"[bold red]ign8vault destroy[/bold red] — tearing down [cyan]{domain}[/cyan]"))
+
+    console.print("[1/2] Deleting Hetzner server...")
+    hetzner.destroy(work_dir / "state.json", hetzner_token)
+
+    if cloudflare_token and cloudflare_zone_id:
+        console.print("[2/2] Removing DNS records...")
+        dns = CloudflareDNS(cloudflare_token, cloudflare_zone_id, domain, cloudflare_email)
+        dns.destroy()
+    else:
+        console.print("[2/2] Skipping DNS cleanup (no Cloudflare credentials)")
+
+    console.print("[green]Done.[/green] DNS may take a few minutes to propagate removal.")
+
+
+def _print_summary(cfg: Config, saved: dict[str, object], init_data: dict[str, object]) -> None:
+    console.print()
+    console.print(Panel("[bold green]Vault stack is live![/bold green]"))
+
+    table = Table(show_header=False, box=None, padding=(0, 2))
+    table.add_row("[dim]Vault UI[/dim]",  f"[cyan]https://vault.{cfg.domain}[/cyan]")
+    table.add_row("[dim]Consul UI[/dim]", f"[cyan]https://consul.{cfg.domain}[/cyan]")
+
+    if init_data:
+        root_token = str(init_data.get("root_token", ""))
+        table.add_row("[dim]Root token[/dim]", f"[yellow]{root_token}[/yellow]")
+        keys = init_data.get("unseal_keys_b64", [])
+        for i, k in enumerate(keys, 1):  # type: ignore[union-attr]
+            table.add_row(f"[dim]Unseal key {i}[/dim]", str(k))
+
+    backup_pw = str(saved.get("backup_password", ""))
+    if backup_pw:
+        table.add_row("[dim]Backup password[/dim]", f"[yellow]{backup_pw}[/yellow]")
+
+    console.print(table)
+    console.print()
+    console.print(
+        f"[dim]Credentials saved to[/dim] [bold].ign8vault/vault-init.json[/bold]\n"
+        f"[dim]Keep unseal keys safe — you need 3 of 5 to unseal after a reboot.[/dim]"
+    )
+
+
+@app.command()
+def sign(
+    vault_addr: str = typer.Option(..., envvar="IGN8_VAULT_ADDR", help="Vault address"),
+    vault_token: str = typer.Option(..., envvar="IGN8_VAULT_TOKEN", help="Vault token"),
+    principals: str = typer.Option("root", help="Comma-separated list of valid principals"),
+    role: str = typer.Option("signer", help="Vault SSH signing role"),
+    work_dir: Path = typer.Option(Path(".ign8vault"), help="Directory for keys and state"),
+) -> None:
+    """Create (if absent) the signssh keypair and sign it, saving the cert as signedssh."""
+    keys_dir = work_dir / "keys"
+
+    # 1. Create keypair if it doesn't exist yet
+    priv_path, pub_path = ensure_ed25519_keypair(keys_dir, "signssh")
+    public_key = pub_path.read_text().strip()
+    console.print(f"[dim]Key:[/dim] {pub_path}")
+
+    # 2. Sign via Vault SSH API
+    payload = json.dumps({
+        "public_key": public_key,
+        "valid_principals": principals,
+        "cert_type": "user",
+    }).encode()
+
+    req = urllib.request.Request(
+        f"{vault_addr.rstrip('/')}/v1/ssh/sign/{role}",
+        data=payload,
+        headers={"X-Vault-Token": vault_token, "Content-Type": "application/json"},
+        method="POST",
+    )
+    with urllib.request.urlopen(req) as resp:
+        data = json.loads(resp.read())
+
+    signed_key: str = data["data"]["signed_key"]
+
+    # 3. Save certificate as signedssh
+    cert_path = keys_dir / "signedssh"
+    cert_path.write_text(signed_key + "\n")
+    cert_path.chmod(0o600)
+
+    console.print(f"[green]Signed certificate saved to[/green] {cert_path}")
+    console.print(f"[dim]Serial:[/dim] {data['data']['serial_number']}")
+
+    # Print usage hint
+    console.print(
+        f"\n[dim]Use it:[/dim]\n"
+        f"  ssh -i {priv_path} -i {cert_path} <host>"
+    )
+
+
+def _print_intro() -> None:
+    console.print(Panel(
+        "[bold]ign8vault[/bold] — HashiCorp Vault + Consul on Hetzner\n\n"
+        "  [cyan]ign8vault up[/cyan]      provision a complete stack\n"
+        "  [cyan]ign8vault sign[/cyan]    create/sign the signssh keypair\n"
+        "  [cyan]ign8vault destroy[/cyan] tear it all down",
+        title="ign8vault",
+    ))

ign8vault-1.0.0/src/ign8vault/config.py

@@ -0,0 +1,40 @@
+from pydantic import EmailStr, field_validator, model_validator
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+
+class Config(BaseSettings):
+    model_config = SettingsConfigDict(env_prefix="IGN8_", env_file=".env", extra="ignore")
+
+    # Required
+    domain: str
+    admin_email: EmailStr
+    hetzner_token: str
+    cloudflare_token: str
+    cloudflare_zone_id: str
+    cloudflare_email: str = ""
+
+    # Server
+    server_location: str = "nbg1"
+    server_type: str = "cpx22"
+    server_image: str = "ubuntu-24.04"
+
+    # StorageBox backup
+    storagebox_host: str = ""
+    storagebox_user: str = ""
+    storagebox_password: str = ""
+    backup_password: str = ""  # auto-generated if empty
+
+    # Vault (for sign command)
+    vault_addr: str = ""
+    vault_token: str = ""
+
+    @field_validator("domain")
+    @classmethod
+    def strip_trailing_dot(cls, v: str) -> str:
+        return v.rstrip(".")
+
+    @model_validator(mode="after")
+    def _derive_storagebox_user(self) -> "Config":
+        if self.storagebox_host and not self.storagebox_user:
+            self.storagebox_user = self.storagebox_host.split(".")[0]
+        return self

ign8vault-1.0.0/src/ign8vault/dns/cloudflare.py

@@ -0,0 +1,42 @@
+"""Create DNS records for vault.DOMAIN and consul.DOMAIN."""
+
+import cloudflare
+from cloudflare.types.dns import RecordCreateParams
+
+
+class CloudflareDNS:
+    def __init__(self, token: str, zone_id: str, domain: str, email: str = "") -> None:
+        if email:
+            self._cf = cloudflare.Cloudflare(api_email=email, api_key=token)
+        else:
+            self._cf = cloudflare.Cloudflare(api_token=token)
+        self._zone = zone_id
+        self._domain = domain
+
+    def provision(self, ipv4: str, ipv6: str) -> None:
+        records: list[RecordCreateParams] = [
+            {"type": "A",    "name": f"vault.{self._domain}",  "content": ipv4, "proxied": False, "ttl": 1},
+            {"type": "A",    "name": f"consul.{self._domain}", "content": ipv4, "proxied": False, "ttl": 1},
+        ]
+        if ipv6:
+            records += [
+                {"type": "AAAA", "name": f"vault.{self._domain}",  "content": ipv6, "proxied": False, "ttl": 1},
+                {"type": "AAAA", "name": f"consul.{self._domain}", "content": ipv6, "proxied": False, "ttl": 1},
+            ]
+
+        names = {r["name"] for r in records}  # type: ignore[index]
+        for existing in self._cf.dns.records.list(zone_id=self._zone).result or []:
+            if existing.name in names:
+                self._cf.dns.records.delete(existing.id, zone_id=self._zone)
+
+        for record in records:
+            self._cf.dns.records.create(zone_id=self._zone, **record)  # type: ignore[arg-type]
+
+    def destroy(self) -> None:
+        targets = {
+            f"vault.{self._domain}",
+            f"consul.{self._domain}",
+        }
+        for existing in self._cf.dns.records.list(zone_id=self._zone).result or []:
+            if existing.name in targets:
+                self._cf.dns.records.delete(existing.id, zone_id=self._zone)

ign8vault-1.0.0/src/ign8vault/infra/hetzner.py

@@ -0,0 +1,109 @@
+"""Hetzner Cloud provisioner: SSH key, firewall, and server via the hcloud SDK."""
+
+import json
+from pathlib import Path
+
+from hcloud import Client
+from hcloud.firewalls.domain import FirewallRule
+from hcloud.images import Image
+from hcloud.locations import Location
+from hcloud.server_types import ServerType
+
+from ign8vault.config import Config
+
+_NAME = "ign8vault"
+_SSH_KEY_NAME = "ign8vault-key"
+_FW_NAME = "ign8vault-fw"
+
+_INBOUND_PORTS = ["22", "80", "443"]
+
+
+def provision(cfg: Config, public_key: str, state_path: Path) -> dict[str, str]:
+    client = Client(token=cfg.hetzner_token)
+
+    ssh_key = _ensure_ssh_key(client, public_key)
+    firewall = _ensure_firewall(client)
+    server = _ensure_server(client, cfg, ssh_key, firewall)
+
+    import ipaddress as _ipaddress
+    _ipv4 = server.public_net.ipv4.ip if server.public_net.ipv4 else ""
+    _ipv6 = ""
+    if server.public_net.ipv6:
+        _net = _ipaddress.IPv6Network(server.public_net.ipv6.ip)
+        _ipv6 = str(_net.network_address + 1)
+
+    _hostname = f"vault.{cfg.domain}"
+    if _ipv4:
+        server.change_dns_ptr(ip=_ipv4, dns_ptr=_hostname).wait_until_finished()
+    if _ipv6:
+        server.change_dns_ptr(ip=_ipv6, dns_ptr=_hostname).wait_until_finished()
+
+    state_path.parent.mkdir(parents=True, exist_ok=True)
+    state_path.write_text(json.dumps({
+        "server_id": server.id,
+        "ssh_key_id": ssh_key.id,
+        "firewall_id": firewall.id,
+        "ipv4": _ipv4,
+        "ipv6": _ipv6,
+    }, indent=2))
+
+    return {"ipv4": _ipv4, "ipv6": _ipv6}
+
+
+def destroy(state_path: Path, hetzner_token: str) -> None:
+    client = Client(token=hetzner_token)
+
+    for server in client.servers.get_all(name=_NAME):
+        server.delete().wait_until_finished()
+
+    for fw in client.firewalls.get_all(name=_FW_NAME):
+        fw.delete()
+
+    for key in client.ssh_keys.get_all(name=_SSH_KEY_NAME):
+        key.delete()
+
+    state_path.unlink(missing_ok=True)
+
+
+def _ensure_ssh_key(client: Client, public_key: str):  # type: ignore[return]
+    existing = client.ssh_keys.get_all(name=_SSH_KEY_NAME)
+    if existing:
+        key = existing[0]
+        if key.public_key.strip() != public_key.strip():
+            key.delete()
+        else:
+            return key
+    return client.ssh_keys.create(name=_SSH_KEY_NAME, public_key=public_key)
+
+
+def _ensure_firewall(client: Client):  # type: ignore[return]
+    existing = client.firewalls.get_all(name=_FW_NAME)
+    if existing:
+        return existing[0]
+    rules = [
+        FirewallRule(
+            direction="in",
+            protocol="tcp",
+            port=port,
+            source_ips=["0.0.0.0/0", "::/0"],
+        )
+        for port in _INBOUND_PORTS
+    ]
+    return client.firewalls.create(name=_FW_NAME, rules=rules).firewall
+
+
+def _ensure_server(client: Client, cfg: Config, ssh_key: object, firewall: object):  # type: ignore[return]
+    existing = client.servers.get_all(name=_NAME)
+    if existing:
+        return existing[0]
+    response = client.servers.create(
+        name=_NAME,
+        server_type=ServerType(name=cfg.server_type),
+        image=Image(name=cfg.server_image),
+        location=Location(name=cfg.server_location),
+        ssh_keys=[ssh_key],
+        firewalls=[firewall],
+        labels={"managed-by": "ign8vault", "domain": cfg.domain},
+    )
+    response.action.wait_until_finished()
+    return response.server

ign8vault-1.0.0/src/ign8vault/keys.py

@@ -0,0 +1,62 @@
+from pathlib import Path
+
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import ed25519, rsa
+
+
+def generate_rsa_keypair(bits: int = 4096) -> tuple[str, str]:
+    """Return (private_key_pem, public_key_openssh)."""
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
+    private_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.OpenSSH,
+        encryption_algorithm=serialization.NoEncryption(),
+    ).decode()
+    public_openssh = private_key.public_key().public_bytes(
+        encoding=serialization.Encoding.OpenSSH,
+        format=serialization.PublicFormat.OpenSSH,
+    ).decode()
+    return private_pem, public_openssh
+
+
+def generate_ed25519_keypair() -> tuple[str, str]:
+    """Return (private_key_pem_openssh, public_key_openssh)."""
+    private_key = ed25519.Ed25519PrivateKey.generate()
+    private_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.OpenSSH,
+        encryption_algorithm=serialization.NoEncryption(),
+    ).decode()
+    public_openssh = private_key.public_key().public_bytes(
+        encoding=serialization.Encoding.OpenSSH,
+        format=serialization.PublicFormat.OpenSSH,
+    ).decode()
+    return private_pem, public_openssh
+
+
+def save_keypair(directory: Path, name: str = "ign8vault") -> tuple[Path, Path]:
+    """Generate RSA keypair if absent, return (private_path, public_path)."""
+    directory.mkdir(parents=True, exist_ok=True)
+    priv_path = directory / name
+    pub_path = directory / f"{name}.pub"
+
+    if not priv_path.exists():
+        private_pem, public_openssh = generate_rsa_keypair()
+        priv_path.write_text(private_pem)
+        priv_path.chmod(0o600)
+        pub_path.write_text(public_openssh)
+    return priv_path, pub_path
+
+
+def ensure_ed25519_keypair(directory: Path, name: str) -> tuple[Path, Path]:
+    """Create ed25519 keypair if absent, return (private_path, public_path)."""
+    directory.mkdir(parents=True, exist_ok=True)
+    priv_path = directory / name
+    pub_path = directory / f"{name}.pub"
+
+    if not priv_path.exists():
+        private_pem, public_openssh = generate_ed25519_keypair()
+        priv_path.write_text(private_pem)
+        priv_path.chmod(0o600)
+        pub_path.write_text(public_openssh)
+    return priv_path, pub_path

ign8vault-1.0.0/src/ign8vault/setup/server.py

@@ -0,0 +1,387 @@
+"""SSH into the provisioned server and install Consul + Vault + nginx + backup."""
+
+import json
+import time
+from pathlib import Path
+
+import paramiko
+
+from ign8vault.config import Config
+
+_PACKAGES = "curl gnupg nginx certbot python3-certbot-nginx restic sshpass lsb-release"
+
+_CONSUL_CONFIG = """\
+datacenter = "dc1"
+data_dir   = "/opt/consul/data"
+server     = true
+bootstrap_expect = 1
+bind_addr  = "127.0.0.1"
+client_addr = "127.0.0.1"
+log_level  = "INFO"
+
+ui_config {
+  enabled = true
+}
+"""
+
+_VAULT_CONFIG_TMPL = """\
+storage "consul" {{
+  address = "127.0.0.1:8500"
+  path    = "vault/"
+}}
+
+listener "tcp" {{
+  address     = "127.0.0.1:8200"
+  tls_disable = true
+}}
+
+api_addr = "https://vault.{domain}"
+ui       = true
+log_level = "INFO"
+"""
+
+_NGINX_ACME_TMPL = """\
+server {{
+    listen 80;
+    server_name vault.{domain} consul.{domain};
+    root /var/www/html;
+    location /.well-known/acme-challenge/ {{ try_files $uri =404; }}
+    location / {{ return 200 'ok'; add_header Content-Type text/plain; }}
+}}
+"""
+
+_NGINX_FINAL_TMPL = """\
+server {{
+    listen 80;
+    server_name vault.{domain} consul.{domain};
+    location /.well-known/acme-challenge/ {{ root /var/www/html; }}
+    location / {{ return 301 https://$host$request_uri; }}
+}}
+
+server {{
+    listen 443 ssl http2;
+    server_name vault.{domain};
+
+    ssl_certificate     /etc/letsencrypt/live/vault.{domain}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/vault.{domain}/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    # Allow Vault's large request headers
+    proxy_buffer_size   128k;
+    proxy_buffers       4 256k;
+    proxy_busy_buffers_size 256k;
+
+    location / {{
+        proxy_pass         http://127.0.0.1:8200;
+        proxy_set_header   Host $host;
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto https;
+        proxy_read_timeout 300s;
+    }}
+}}
+
+server {{
+    listen 443 ssl http2;
+    server_name consul.{domain};
+
+    ssl_certificate     /etc/letsencrypt/live/vault.{domain}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/vault.{domain}/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    location / {{
+        proxy_pass       http://127.0.0.1:8500;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+    }}
+}}
+"""
+
+_BACKUP_SERVICE_TMPL = """\
+[Unit]
+Description=Vault/Consul backup via restic
+After=network.target
+
+[Service]
+Type=oneshot
+Environment="RESTIC_PASSWORD={restic_password}"
+ExecStart=/usr/bin/restic -r sftp:storagebox:/vault-backup backup /opt/consul/data
+ExecStart=/usr/bin/restic -r sftp:storagebox:/vault-backup forget --keep-daily 7 --keep-weekly 4 --prune
+"""
+
+_BACKUP_TIMER = """\
+[Unit]
+Description=Daily Vault/Consul backup
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=1800
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+"""
+
+
+class VaultSetup:
+    def __init__(self, cfg: Config, host: str, private_key_path: str) -> None:
+        self._cfg = cfg
+        self._host = host
+        self._key_path = private_key_path
+        self._ssh: paramiko.SSHClient | None = None
+        self._known_hosts_path = Path(private_key_path).parent.parent / "known_hosts"
+
+    def connect(self, retries: int = 30, delay: int = 10) -> None:
+        client = paramiko.SSHClient()
+        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+        key = paramiko.RSAKey.from_private_key_file(self._key_path)
+
+        for attempt in range(retries):
+            try:
+                client.connect(self._host, username="root", pkey=key, timeout=15)
+                self._ssh = client
+                return
+            except Exception:
+                if attempt == retries - 1:
+                    raise
+                time.sleep(delay)
+
+    def disconnect(self) -> None:
+        if self._ssh:
+            self._ssh.close()
+            self._ssh = None
+
+    def run(self, backup_password: str) -> dict[str, object]:
+        """Full server setup. Returns vault init data (unseal keys + root token)."""
+        assert self._ssh, "Call connect() first"
+
+        self._install_packages()
+        self._install_hashicorp()
+        self._setup_consul()
+        self._setup_vault()
+        self._setup_nginx_acme()
+        self._get_tls_certs()
+        self._setup_nginx_final()
+
+        init_data = self._init_vault()
+
+        if self._cfg.storagebox_host:
+            self._setup_backup(backup_password)
+
+        return init_data
+
+    # ------------------------------------------------------------------
+    # Installation
+
+    def _install_packages(self) -> None:
+        self._exec("apt-get update -qq")
+        self._exec(f"DEBIAN_FRONTEND=noninteractive apt-get install -y -qq {_PACKAGES}")
+
+    def _install_hashicorp(self) -> None:
+        already = self._exec("dpkg -l consul 2>/dev/null | grep -c '^ii' || true").strip()
+        if already == "1":
+            return
+        self._exec(
+            "curl -fsSL https://apt.releases.hashicorp.com/gpg"
+            " | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg"
+        )
+        self._exec(
+            'echo "deb [arch=$(dpkg --print-architecture)'
+            " signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg]"
+            ' https://apt.releases.hashicorp.com $(lsb_release -cs) main"'
+            " > /etc/apt/sources.list.d/hashicorp.list"
+        )
+        self._exec("apt-get update -qq")
+        self._exec("DEBIAN_FRONTEND=noninteractive apt-get install -y -qq consul vault")
+
+    # ------------------------------------------------------------------
+    # Consul
+
+    def _setup_consul(self) -> None:
+        self._exec("mkdir -p /opt/consul/data && chown -R consul:consul /opt/consul/data")
+        self._write_remote("/etc/consul.d/consul.hcl", _CONSUL_CONFIG)
+        self._exec("systemctl enable consul")
+        # restart may time out waiting for sd_notify even though consul is healthy
+        try:
+            self._exec("systemctl restart consul")
+        except RuntimeError as e:
+            if "timeout" not in str(e).lower() and "timed out" not in str(e).lower():
+                raise
+        # Wait until Consul API returns a leader
+        for _ in range(30):
+            try:
+                out = self._exec("curl -sf http://127.0.0.1:8500/v1/status/leader || true").strip()
+                if out and out != '""':
+                    return
+            except RuntimeError:
+                pass
+            time.sleep(2)
+        raise RuntimeError("Consul API did not become healthy within 60s")
+
+    # ------------------------------------------------------------------
+    # Vault
+
+    def _setup_vault(self) -> None:
+        self._exec("mkdir -p /opt/vault/data && chown -R vault:vault /opt/vault/data")
+        vault_cfg = _VAULT_CONFIG_TMPL.format(domain=self._cfg.domain)
+        self._write_remote("/etc/vault.d/vault.hcl", vault_cfg)
+        self._exec("systemctl enable vault")
+        try:
+            self._exec("systemctl restart vault")
+        except RuntimeError as e:
+            if "timeout" not in str(e).lower() and "timed out" not in str(e).lower():
+                raise
+        # Wait until Vault API responds (501=not init, 429=sealed, 200=ok)
+        for _ in range(30):
+            code = self._exec(
+                "curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:8200/v1/sys/health || true"
+            ).strip()
+            if code in ("200", "429", "472", "473", "501"):
+                return
+            time.sleep(2)
+        raise RuntimeError("Vault API did not become healthy within 60s")
+
+    # ------------------------------------------------------------------
+    # nginx
+
+    def _setup_nginx_acme(self) -> None:
+        self._exec("mkdir -p /var/www/html")
+        self._exec("rm -f /etc/nginx/sites-enabled/default")
+        acme_cfg = _NGINX_ACME_TMPL.format(domain=self._cfg.domain)
+        self._write_remote("/etc/nginx/sites-available/ign8vault", acme_cfg)
+        self._exec("ln -sf /etc/nginx/sites-available/ign8vault /etc/nginx/sites-enabled/ign8vault")
+        self._exec("nginx -t && systemctl reload nginx")
+
+    def _get_tls_certs(self) -> None:
+        domain = self._cfg.domain
+        self._exec(
+            f"certbot certonly --webroot -w /var/www/html"
+            f" -d vault.{domain} -d consul.{domain}"
+            f" --non-interactive --agree-tos -m {self._cfg.admin_email}"
+        )
+
+    def _setup_nginx_final(self) -> None:
+        final_cfg = _NGINX_FINAL_TMPL.format(domain=self._cfg.domain)
+        self._write_remote("/etc/nginx/sites-available/ign8vault", final_cfg)
+        self._exec("nginx -t && systemctl reload nginx")
+
+    # ------------------------------------------------------------------
+    # Vault init & unseal
+
+    def _init_vault(self) -> dict[str, object]:
+        """Initialize Vault if needed, unseal it, return init data."""
+        status_raw = self._exec(
+            "VAULT_ADDR=http://127.0.0.1:8200 vault status -format=json 2>&1 || true"
+        ).strip()
+
+        try:
+            status = json.loads(status_raw)
+            already_initialized = status.get("initialized", False)
+        except (json.JSONDecodeError, ValueError):
+            already_initialized = False
+
+        if already_initialized:
+            # Vault already initialized — unseal if sealed
+            if status.get("sealed", True):
+                raise RuntimeError(
+                    "Vault is already initialized but sealed. "
+                    "Retrieve your unseal keys from .ign8vault/vault-init.json and unseal manually."
+                )
+            return {}
+
+        init_raw = self._exec(
+            "VAULT_ADDR=http://127.0.0.1:8200"
+            " vault operator init -key-shares=5 -key-threshold=3 -format=json"
+        ).strip()
+
+        init_data: dict[str, object] = json.loads(init_raw)
+
+        # Save on the server (root-only)
+        self._write_remote("/root/vault-init.json", init_raw)
+        self._exec("chmod 600 /root/vault-init.json")
+
+        # Unseal using the first 3 keys (threshold=3)
+        keys = init_data.get("unseal_keys_b64", [])
+        for key in keys[:3]:
+            self._exec(
+                f"VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal {key}"
+            )
+
+        return init_data
+
+    # ------------------------------------------------------------------
+    # Backup
+
+    def _setup_backup(self, restic_password: str) -> None:
+        cfg = self._cfg
+
+        # Generate dedicated backup SSH key on the server (idempotent)
+        self._exec(
+            "test -f /root/.ssh/backup_key"
+            " || ssh-keygen -t ed25519 -f /root/.ssh/backup_key -N '' -C 'vault-backup'"
+        )
+
+        # Authorise the key on the storage box via sshpass (port 23)
+        self._exec(
+            f"sshpass -p '{cfg.storagebox_password}'"
+            f" ssh-copy-id -p 23 -i /root/.ssh/backup_key.pub"
+            f" -o StrictHostKeyChecking=no"
+            f" {cfg.storagebox_user}@{cfg.storagebox_host}"
+        )
+
+        # SSH client config for the storagebox alias
+        ssh_snippet = (
+            f"Host storagebox\n"
+            f"    HostName {cfg.storagebox_host}\n"
+            f"    User {cfg.storagebox_user}\n"
+            f"    Port 23\n"
+            f"    IdentityFile /root/.ssh/backup_key\n"
+            f"    StrictHostKeyChecking no\n"
+        )
+        self._exec(
+            f"grep -q 'Host storagebox' /root/.ssh/config 2>/dev/null"
+            f" || printf '{ssh_snippet}' >> /root/.ssh/config"
+        )
+        self._exec("chmod 600 /root/.ssh/config")
+
+        # Init restic repo (idempotent — fails gracefully if already initialised)
+        self._exec(
+            f"RESTIC_PASSWORD='{restic_password}'"
+            " restic -r sftp:storagebox:/vault-backup init 2>&1"
+            " | grep -v 'already initialized' || true"
+        )
+
+        # Systemd service + timer
+        svc = _BACKUP_SERVICE_TMPL.format(restic_password=restic_password)
+        self._write_remote("/etc/systemd/system/vault-backup.service", svc)
+        self._write_remote("/etc/systemd/system/vault-backup.timer", _BACKUP_TIMER)
+        self._exec(
+            "systemctl daemon-reload"
+            " && systemctl enable vault-backup.timer"
+            " && systemctl start vault-backup.timer"
+        )
+
+    # ------------------------------------------------------------------
+    # Helpers
+
+    def _write_remote(self, remote_path: str, content: str) -> None:
+        assert self._ssh
+        sftp = self._ssh.open_sftp()
+        try:
+            import io
+            sftp.putfo(io.BytesIO(content.encode()), remote_path)
+        finally:
+            sftp.close()
+
+    def _exec(self, cmd: str) -> str:
+        assert self._ssh
+        _, stdout, stderr = self._ssh.exec_command(cmd)
+        exit_code = stdout.channel.recv_exit_status()
+        output = stdout.read().decode()
+        if exit_code != 0:
+            raise RuntimeError(f"Command failed ({exit_code}): {cmd}\n{stderr.read().decode()}")
+        return output