feat: add vault

vault/config/.pg.local.json

@@ -0,0 +1,27 @@
+{
+    "ui": true,
+    "storage": {
+        "file": {
+            "connection_url": "postgres://postgres:pass@postgresql:5432/vault?sslmode=disable",
+            "table": "vault_kv_store",
+            "max_idle_connections": 2,
+            "max_parallel": "4",
+            "ha_enabled": true,
+            "ha_table": "vault_ha_locks"
+        }
+    },
+    "listener": {
+        "tcp": {
+            "address": "0.0.0.0:8200",
+            "tls_disable": 1
+        }
+    },
+    "backend": {
+        "file": {
+            "path": "/vault/file"
+        }
+    },
+    "log_level": "Debug",
+    "default_lease_ttl": "168h",
+    "max_lease_ttl": "720h"
+}

vault/config/local.json

@@ -0,0 +1,22 @@
+{
+    "ui": true,
+    "storage": {
+        "file": {
+            "path": "/vault/file"
+        }
+    },
+    "listener": {
+        "tcp": {
+            "address": "0.0.0.0:8200",
+            "tls_disable": 1
+        }
+    },
+    "backend": {
+        "file": {
+            "path": "/vault/file"
+        }
+    },
+    "log_level": "Debug",
+    "default_lease_ttl": "168h",
+    "max_lease_ttl": "720h"
+}

vault/db.sql

@@ -0,0 +1,17 @@
+CREATE TABLE vault_kv_store (
+  parent_path TEXT COLLATE "C" NOT NULL,
+  path        TEXT COLLATE "C",
+  key         TEXT COLLATE "C",
+  value       BYTEA,
+  CONSTRAINT pkey PRIMARY KEY (path, key)
+);
+
+CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
+
+CREATE TABLE vault_ha_locks (
+  ha_key                                      TEXT COLLATE "C" NOT NULL,
+  ha_identity                                 TEXT COLLATE "C" NOT NULL,
+  ha_value                                    TEXT COLLATE "C",
+  valid_until                                 TIMESTAMP WITH TIME ZONE NOT NULL,
+  CONSTRAINT ha_key PRIMARY KEY (ha_key)
+);

vault/docker-compose.yml

@@ -0,0 +1,29 @@
+version: "3.9"
+services:
+  vault:
+    image: vault:latest
+    container_name: vault
+    restart: always
+    networks:
+      - traefik
+    volumes:
+      - ./data/file:/vault/file
+      - ./data/config:/vault/config
+      - ./data/logs:/vault/logs
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.vault.rule=Host(`vault.esin.io`)"
+      - "traefik.http.routers.vault.entrypoints=websecure"
+      - "traefik.http.routers.vault.tls=true"
+      - "traefik.http.routers.vault.middlewares=vault-mw"
+      - "traefik.http.middlewares.vault-mw.compress=true"
+      - "traefik.http.middlewares.vault-mw.compress.excludedcontenttypes=text/event-stream"
+      - "traefik.http.services.vault.loadbalancer.server.port=8200"
+    cap_add:
+      - IPC_LOCK
+    environment:
+      - VAULT_ADDR=https://vault.esin.io:8200
+    command: vault server -config=/vault/config/local.json
+networks:
+  traefik:
+    external: true