OPC # 0001: Extract OPC into standalone repo

amadzarak
2026-04-25 17:26:42 -04:00
commit 42383bdc03
170 changed files with 21365 additions and 0 deletions
@@ -0,0 +1,48 @@
#!/bin/sh
set -e
KEYS_FILE="/vault/file/init.json"
VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_ADDR
# Start Vault server in the background
vault server -config=/vault/config/vault.hcl &
VAULT_PID=$!
# Wait for Vault to be ready
echo "[vault-init] Waiting for Vault to start..."
until vault status > /dev/null 2>&1 || vault status 2>&1 | grep -q "Sealed\|Initialized"; do
sleep 1
done
echo "[vault-init] Vault is up."
# Check if already initialised
INIT_STATUS=$(vault status -format=json 2>/dev/null | grep '"initialized"' | grep -c "true" || true)
if [ "$INIT_STATUS" = "0" ]; then
echo "[vault-init] First run — initialising Vault..."
vault operator init -key-shares=1 -key-threshold=1 -format=json > "$KEYS_FILE"
echo "[vault-init] Keys saved to $KEYS_FILE"
fi
# Unseal using saved key
UNSEAL_KEY=$(grep '"unseal_keys_b64"' "$KEYS_FILE" -A1 | grep '"' | tail -1 | tr -d ' ",' )
ROOT_TOKEN=$(grep '"root_token"' "$KEYS_FILE" | sed 's/.*: *"\(.*\)".*/\1/')
echo "[vault-init] Unsealing..."
vault operator unseal "$UNSEAL_KEY"
echo "[vault-init] Vault is unsealed. Root token is stored in $KEYS_FILE"
# Authenticate and bootstrap Transit engine + master key (idempotent)
export VAULT_TOKEN="$ROOT_TOKEN"
echo "[vault-init] Enabling Transit secrets engine..."
vault secrets enable -path=clarity-transit transit 2>/dev/null || echo "[vault-init] clarity-transit already enabled."
echo "[vault-init] Creating master-key..."
vault write -f clarity-transit/keys/master-key 2>/dev/null || echo "[vault-init] master-key already exists."
echo "[vault-init] Vault bootstrap complete."
# Keep container alive by waiting on the Vault process
wait $VAULT_PID
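Review bot: The redirect on the `vault operator init` line truncates `$KEYS_FILE` before any output exists, and `INIT_STATUS` is `0` not only when `initialized` is false but also whenever the `vault status -format=json | grep` pipeline fails (the `|| true` masks that), so a transient status error on an already-initialised store wipes the only copy of its unseal key and root token before `set -e` stops the script. The same redirect also creates the file with the process's default umask, so unless the image sets a restrictive one the unseal key and root token end up in a file readable by every user in the container. Both are fixed by refusing to overwrite an existing non-empty key file, setting `umask 077` before the write, and writing to a temp name that is renamed only after `init` succeeds, as below. It would also be worth a comment on the unseal/transit block noting that `VAULT_TOKEN` stays the root token for the whole bootstrap, e.g. `# bootstrap runs as root token; a scoped policy would be safer once the transit key exists`. `wait $VAULT_PID` near the end should be quoted, `wait "$VAULT_PID"`, to satisfy ShellCheck.
```shell
# … unchanged: server start, readiness loop, INIT_STATUS detection …
if [ "$INIT_STATUS" = "0" ]; then
  if [ -s "$KEYS_FILE" ]; then
    echo "[vault-init] status reports uninitialised but $KEYS_FILE already exists - refusing to overwrite" >&2
    exit 1
  fi
  echo "[vault-init] First run — initialising Vault..."
  # key file holds the unseal key and root token: owner-only, written atomically
  umask 077
  vault operator init -key-shares=1 -key-threshold=1 -format=json > "$KEYS_FILE.tmp"
  mv "$KEYS_FILE.tmp" "$KEYS_FILE"
  echo "[vault-init] Keys saved to $KEYS_FILE"
fi
# … unchanged: unseal, transit bootstrap, wait …
```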
@@ -0,0 +1,13 @@
storage "file" {
path = "/vault/file"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}
ui = true
disable_mlock = true
# Auto-unseal using a static shamir key — dev convenience only, never use in prod