Vault

Overview

This is a flavour containing the vault security storage platform.

You can e.g. store certificates, passwords etc to be used with the nomad-server pot flavour on this site.

The flavour expects a local consul agent instance to be available that it can connect to (see configuration below). You can e.g. use the consul pot flavour on this site to run consul. If no consul instance is available at first, make sure it’s up within an hour and the certificate renewal process will restart consul. You can also connect to this host and service consul restart manually.

pro tip

Start vault cluster with the IP addresses of consul servers, which aren’t live. Then start loki instance. Then start a consul cluster. Restart consul on vault and loki instances or wait for first certificate renewal after an hour.

Installation

Unseal node

  • [unseal node] Create a ZFS data set on the parent system beforehand:
    zfs create -o mountpoint=/mnt/vaultunseal zroot/vaultunseal
  • Create your local jail from the image or the flavour files.
  • Mount in the ZFS data set you created:
    pot mount-in -p <jailname> -m /mnt -d /mnt/vaultunseal
  • Optionally export the ports after creating the jail:
    pot export-ports -p <jailname> -e 8200:8200
  • Adjust to your environment:
    sudo pot set-env -p <jailname> -E DATACENTER=<datacentername> -E NODENAME=<nodename> -E IP=<IP address of this vault node> -E VAULTTYPE=unseal

Vault leader

  • [cluster node] Create a ZFS data set on the parent system beforehand:
    zfs create -o mountpoint=/mnt/vaultdata zroot/vaultdata
  • Create your local jail from the image or the flavour files.
  • Mount in the ZFS data set you created:
    pot mount-in -p <jailname> -m /mnt -d /mnt/vaultdata
  • Optionally export the ports after creating the jail:
    pot export-ports -p <jailname> -e 8200:8200
  • Adjust to your environment:
    sudo pot set-env -p <jailname> -E DATACENTER=<datacentername> -E NODENAME=<nodename> \
    -E IP=<IP address of this vault node> -E VAULTTYPE=leader \
    -E UNSEALIP=<unseal vault IP> -E UNSEALTOKEN=<wrapped token generated on unseal node> \
    -E CONSULSERVERS=<correctly-quoted-array-consul-IPs> \
    -E SFTPUSER=certuser -E SFTPPASS=<password> -E SFTPNETWORK=<local /24 in 10.0.0.0 notation> \
    [-E GOSSIPKEY=<32 byte Base64 key from consul keygen> -E REMOTELOG=<remote syslog IP>]
    

The SFTPUSER and SFTPPASS parameters are to create a user with SSH private keys, where you will need to export the private key to the host systems for follower nodes.

The SFTPNETWORK parameter is to select a /24 network range to pre-generate 2h SSL certificates for, for initial vault logins by follower nodes and other images making use of vault. Please enter 10.0.0.0 or 192.168.0.0 etc.

The CONSULSERVERS parameter defines the consul server instances, and must be set as CONSULSERVERS='"10.0.0.2"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"'

The GOSSIPKEY parameter is the gossip encryption key for consul agent. We’re using a default key if you do not set the parameter, do not use the default key for production encryption, instead provide your own.

The REMOTELOG parameter is the IP address of a remote syslog server to send logs to, such as for the loki flavour on this site.

Important: the leader boot can take a while with certificate generation. Let it complete before adding followers.

Once booted you will need to run ./cli-vault-auto-login.sh for a login token to use on follower nodes, and export /home/certuser/.ssh/id_rsa to a file to import to follower nodes and other types of pot images.

To re-generate the temporary certificates run ./gen-temp-certs.sh. You will need to do this if two hours have passed since setting up the vault leader.

Vault follower

  • [cluster node] Create a ZFS data set on the parent system beforehand:
    zfs create -o mountpoint=/mnt/vaultdata zroot/vaultdata
  • Create your local jail from the image or the flavour files.
  • Mount in the ZFS data set you created:
    pot mount-in -p <jailname> -m /mnt -d /mnt/vaultdata
  • Copy in the SSH private key for the user on the Vault leader:
    pot copy-in -p <jailname> -s /root/sshkey -d /root/sshkey
  • Optionally export the ports after creating the jail:
    pot export-ports -p <jailname> -e 8200:8200
  • Adjust to your environment:
    sudo pot set-env -p <jailname> -E DATACENTER=<datacentername> -E NODENAME=<nodename> \
    -E IP=<IP address of this vault node> -E VAULTTYPE=follower \
    -E UNSEALIP=<unseal vault node> -E UNSEALTOKEN=<wrapped token generated on unseal node> -E VAULTLEADER=<IP> -E LEADERTOKEN=<token>
    -E CONSULSERVERS=<correctly-quoted-array-consul-IPs> \
    -E SFTPUSER=certuser -E SFTPPASS=<password> -E SFTPNETWORK=<local /24 in 0.0.0.0 notation> \
    [-E GOSSIPKEY=<32 byte Base64 key from consul keygen> -E REMOTELOG=<remote syslog IP>]
    

The SFTPUSER and SFTPPASS parameters are on the follower node are used to login to the vault leader to get temporary certificates for a further login.

The SFTPNETWORK parameter is only used by the Vault leader node.

The CONSULSERVERS parameter defines the consul server instances, and must be set as CONSULSERVERS='"10.0.0.2"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4"' or CONSULSERVERS='"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"'

The GOSSIPKEY parameter is the gossip encryption key for consul agent. We’re using a default key if you do not set the parameter, do not use the default key for production encryption, instead provide your own.

The REMOTELOG parameter is the IP address of a remote syslog server to send logs to, such as for the loki flavour on this site.

Architecture

  • vault-unseal: is initialized and unsealed. The root token creates a transit key that enables the other Vaults auto-unseal. This Vault server is not a part of the cluster.
  • vault-clone-1: is initialized and unsealed automatically with the passed in wrapped unseal key. Joins raft cluster after unsealing, sets up PKI and generates a bunch of temporary certificates.
  • vault-clone-2: is initialized and unsealed automatically with the passed in NEW wrapped unseal key. Joins raft cluster after unsealing, sets up PKI. Needs to have SSH key from vault leader.
  • vault-clone-n+: is initialized and unsealed automatically with the passed in NEW wrapped unseal key. Joins raft cluster after unsealing, sets up PKI. Needs to have SSH key from vault leader.

Usage

vault is then running on port 8200 of your jail IP address.

Unseal Node

(This stage of development of the pot image doesn’t yet include HTTPS on the unseal node. Please include the parameter -address=http://<IP>:8200 to any vault commands```)

This vault instance exists to generate unseal keys. It must first be initialised. Please save this information securely.

$ pot term vault-unseal
$ vault operator init -address=http://<IP>:8200

Unseal Key 1: key1
Unseal Key 2: key2
Unseal Key 3: key3
Unseal Key 4: key4
Unseal Key 5: key5

Initial Root Token: s.token

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

$ vault operator unseal -address=http://<IP>:8200 "key1"
$ vault operator unseal -address=http://<IP>:8200 "key2"
$ vault operator unseal -address=http://<IP>:8200 "key3"

$ vault login -address=http://<IP>:8200

(using Initial Root Token)

$ ./setup-autounseal.sh
Success! Enabled the file audit device at: file/
Success! Enabled the transit secrets engine at: transit/
Success! Data written to: transit/keys/autounseal
Success! Uploaded policy: autounseal

$ ./issue-unseal.sh
Key                              Value
---                              -----
wrapping_token:                  s.newtoken
wrapping_accessor:               REDACTED
wrapping_token_ttl:              24h
wrapping_token_creation_time:    2021-05-29 13:52:13.743971005 +0000 UTC
wrapping_token_creation_path:    auth/token/create
wrapped_accessor:                REDACTED

This new token s.newtoken can be used to unseal the cluster nodes. A new token must be generated for each node in the vault cluster.

Important note

If the unseal node is restarted you will need to unseal and login again. Shut down your vault cluster first, starting with followers, then leader. Start unseal node, unseal and login, then start leader and followers.

You did save the keys and login token right?

Cluster leader node using raft storage

To unseal a cluster leader, make use of a wrapped key generated on the unseal node. Pass it in with -E UNSEALTOKEN=<wrapped token>

Once running, you can login and run the script /root/cli-vault-auto-login.sh to automatically login to vault in the CLI and return a token for use in additional vault instances, in addition to an unseal token.

To generate a token for PKI, run pot term vault-clone and then /root/issue-pki-token.sh.

To run other vault commands pass in the extra parameters -address=https://<IP-being-queried>:8200 and one of:

  • -tls-skip-verify to skip verifying the certificate; or
  • -ca-cert=/mnt/certs/combinedca.pem to verify with the CA certificate obtained (if everything working)

Example vault command with parameters

vault status -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft list-peers -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft autopilot state -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem

Cluster follower follower using raft storage

To unseal a cluster follower, make use of a wrapped key generated on the unseal node. Pass it in with -E UNSEALTOKEN=<wrapped token>

A leader node should already exist, and must be passed in with the parameter -E VAULTLEADER=<IP>.

A leader token is also required and must be passed in with the parameter -E LEADERTOKEN=<login token from unsealed leader>. You can get this token from /root/cli-vault-auto-login.sh on the leader.

The SSH key created for the SFTPUSER on the Vault leader needs to be made available during pot setup of the follower node.

The cluster node will be automatically unsealed and join the cluster. It will automatically retrieve a temporary certificate with 2h TTL from the Vault leader via SFTP, and use this to perform a client-tls-validated login to vault, to retrieve proper certificates with a longer TTL of 24h.

Repeat for all additional nodes in the vault cluster.

To run other vault commands pass in the extra parameters -address=https://<IP-being-queried>:8200 and -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem to verify with the CA certificate obtained (if everything working)

Example vault command with parameters

vault status -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft list-peers -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
vault operator raft autopilot state -address=https://10.0.0.3:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem

Default cluster usage

This cluster will generate, issue, renew certificates.

Other example cluster usage

This cluster can be used as a kv store.

vault secrets enable -address=https://<IP>:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem -path=kv kv-v2
vault kv -address=https://<IP>:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem put kv/testkey webapp=TESTKEY
vault kv -address=https://<IP>:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem get kv/testkey

Getting Started

How To Use The Ready-Made Image

FreeBSD 13.0:
pot import -p vault-amd64-13_0 -t 2.0.35 -U https://potluck.honeyguide.net/vault

FreeBSD 12.2:
pot import -p vault-amd64-12_2 -t 2.0.35 -U https://potluck.honeyguide.net/vault

If you don’t want to use the default pot bridged network configuration but instead need an individual network setup (e.g. assign a host IP address), after importing it you can simply clone the jail like that (em0 is the host network adapter in this example):
pot clone -P vault-amd64-13_0 -p my-cloned-jail -N alias -i "em0|10.10.10.10"

Note: Some images might require specific network configuration, double check the Overview-chapter at the top.

Alternatively: Create a Jail With This Flavour Yourself

1. Create Flavour Files

Save all files and directories from https://github.com/hny-gd/potluck/tree/master/vault to /usr/local/etc/pot/flavours/

2. Create Jail From Flavour

Run
pot create -b <FreeBSD Version> -p <jailname> -t single -N public-bridge -f fbsd-update

with your FreeBSD version (e.g. 12.1) and the name your jail should get.

Note: Some images might require specific network configuration, double check the Overview-chapter at the top.

Version History

2.0.35

  • Updating consul agent to tls-client-validation

2.0.34

  • Switch to using jo to generate json files for vault certificate payload.json. Minor fixes.

2.0.33

  • Minor fixes to script to remove duplication. Added admin script to re-generate temp certificates.

2.0.32

  • Implementing solution to force always-on client tls validation temporary short-lived certificates and keys via sftp

2.0.31

  • Vault client TLS verification improvements and bug fixes, certificate validation as step

2.0.30

  • Vault TLS verification working, with initial leader login ignoring tls-validation and leader having it as optional

2.0.29

  • Turning off consul tls verification

2.0.28

  • Turning off flow-control in syslog-ng, setting 120s time_reopen, and reducing log-fifo parameter

2.0.27

  • Automation scripts and pki improvements. tls-verify doesn’t work, syslog-ng with verification slows things down, raft cluster may be slow or not work

2.0.26

  • Clearing syslog-ng /dev/console entries to remove log spam

2.0.25

  • Updating syslog-ng and standardised cert.pem key.pem ca.pem

2.0.24

  • Implementing syslog-ng with tls for remote logging

2.0.23

  • Switched to quarterly package sources

2.0.22

  • Optional remote syslog capability added

2.0.21

  • Node-exporter TLS

2.0.20

  • Telemetry improvements

2.0.19

  • Fixing cron job for cert rotation

2.0.18

  • Using pkg vault

2.0.17

  • Improvements for consul

2.0.16

  • Added missing role, fixing rotation scripts

2.0.15

  • Fixes to vault policy permissions, fixing typos in docs, longer sleep timers to avoid occassional lockup

2.0.14

  • New and improved git-lite build process from sparse package source

2.0.13

  • Using /mnt for vault AND template and certificate store. Requires a mount-in dataset for persistence. Using latest vault from port sources instead of package version.

2.0.12

  • Follower generate certificates for self, reload with TLS

2.0.11

  • Generate certificates for self, reload with TLS

2.0.10

  • Enabling audit.log, split to case statement for three server types unseal, leader, cluster

2.0.9

  • More adjustments to vault policies

2.0.8

  • Adjustments for policy and CA

2.0.7

  • Removed autostart from vault file

2.0.6

  • Vault login and setup raft cluster for PKI and self-signed CA

2.0.5

  • Fixups for raft storage cluster with automatic unseal based on wrapped token

2.0.4

  • Unseal or cluster type with raft storage, along with persistent mount-in dataset at /mnt

2.0.3

  • Adjusting parameters for node-exporter service

2.0.2

  • Adding prometheus node_exporter and setting up as consul service

2.0.1

  • Updated to use pre-generated consul encryption key for gossip, planning for TLS

2.0

  • Updated to use local consul agent and a consul cluster for data store

1.0.1

  • Rebuild for FreeBSD 13 & new packages

1.0

  • initiate file

These images were built on Wed Aug 4 19:00:09 UTC 2021

Manual Image Download Links

vault-amd64-13_0_2.0.35.xz ( 329.415 MB )
vault-amd64-13_0_2.0.35.xz.skein ( 0.250977 KB )

vault-amd64-12_2_2.0.35.xz ( 419.058 MB )
vault-amd64-12_2_2.0.35.xz.skein ( 0.250977 KB )

Jenkins Pot Creation Logs

vault-amd64-13_0_2.0.35:


vault/vault:
copy-in -s /usr/local/etc/pot/flavours/vault.d/syslog-ng.conf -d /root
vault/vault.sh:
#!/bin/sh

# Based on POTLUCK TEMPLATE v3.0
# Altered by Michael Gmelin
#
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - true or false
# 2. If RUNS_IN_NOMAD is false, can delete the <flavour>+4 file, else
#    make sure pot create command doesn't include it
# 3. Create a matching <flavour> file with this <flavour>.sh file that
#    contains the copy-in commands for the config files from <flavour>.d/
#    Remember that the package directories don't exist yet, so likely copy
#    to /root
# 4. Adjust package installation between BEGIN & END PACKAGE SETUP
# 5. Adjust jail configuration script generation between BEGIN & END COOK
#    Configure the config files that have been copied in where necessary

# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false

# set the cook log path/filename
COOKLOG=/var/log/cook.log

# check if cooklog exists, create it if not
if [ ! -e $COOKLOG ]
then
    echo "Creating $COOKLOG" | tee -a $COOKLOG
else
    echo "WARNING $COOKLOG already exists"  | tee -a $COOKLOG
fi
date >> $COOKLOG

# -------------------- COMMON ---------------

STEPCOUNT=0
step() {
  STEPCOUNT=$(expr "$STEPCOUNT" + 1)
  STEP="$@"
  echo "Step $STEPCOUNT: $STEP" | tee -a $COOKLOG
}

exit_ok() {
  trap - EXIT
  exit 0
}

FAILED=" failed"
exit_error() {
  STEP="$@"
  FAILED=""
  exit 1
}

set -e
trap 'echo ERROR: $STEP$FAILED | (>&2 tee -a $COOKLOG)' EXIT

# -------------- BEGIN PACKAGE SETUP -------------

step "Bootstrap package repo"
mkdir -p /usr/local/etc/pkg/repos
# we need latest for vault 1.7.3
#echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' \
echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly" }' \
  >/usr/local/etc/pkg/repos/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap

step "Touch /etc/rc.conf"
touch /etc/rc.conf

# this is important, otherwise running /etc/rc from cook will
# overwrite the IP address set in tinirc
step "Remove ifconfig_epair0b from config"
sysrc -cq ifconfig_epair0b && sysrc -x ifconfig_epair0b || true

step "Disable sendmail"
service sendmail onedisable

step "Enable SSH"
sysrc sshd_enable="YES"

step "Create /usr/local/etc/rc.d"
mkdir -p /usr/local/etc/rc.d

# we need consul for consul agent
step "Install package consul"
pkg install -y consul

step "Install package sudo"
pkg install -y sudo

step "Install package node_exporter"
pkg install -y node_exporter

step "Install package jq"
pkg install -y jq

step "Install package jo"
pkg install -y jo

step "Install package curl"
pkg install -y curl

step "Install package openssl"
pkg install -y openssl

step "Install package syslog-ng"
pkg install -y syslog-ng

step "Install package vault"
pkg install -y vault

step "Add vault user to daemon class"
pw usermod vault -G daemon

step "Clean package installation"
pkg autoremove -y
pkg clean -y

# -------------- END PACKAGE SETUP -------------

#
# Create configurations
#

#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#

# clear any old cook runtime file
step "Remove pre-existing cook script (if any)"
rm -f /usr/local/bin/cook

# this runs when image boots
# ----------------- BEGIN COOK ------------------

step "Create cook script"
echo "#!/bin/sh
RUNS_IN_NOMAD=$RUNS_IN_NOMAD
# declare this again for the pot image, might work carrying variable through like
# with above
COOKLOG=/var/log/cook.log
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
    # If this pot flavour is blocking (i.e. it should not return),
    # we block indefinitely
    if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
    then
        /bin/sh /etc/rc
        tail -f /dev/null
    fi
    exit 0
fi

# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION

# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
    . /tmp/environment.sh
fi

#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
#

# Check config variables are set
#
if [ -z \${DATACENTER+x} ]; then
    echo 'DATACENTER is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${NODENAME+x} ];
then
    echo 'NODENAME is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${CONSULSERVERS+x} ]; then
    echo 'CONSULSERVERS is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${IP+x} ]; then
    echo 'IP is unset - see documentation how to configure this flavour'
    exit 1
fi
# GOSSIPKEY is a 32 byte, Base64 encoded key generated with consul keygen for the consul flavour.
# Re-used for nomad, which is usually 16 byte key but supports 32 byte, Base64 encoded keys
# We'll re-use the one from the consul flavour
if [ -z \${GOSSIPKEY+x} ];
then
    echo 'GOSSIPKEY is unset - see documentation how to configure this flavour, defaulting to preset encrypt key. Do not use this in production!'
    GOSSIPKEY='\"BY+vavBUSEmNzmxxS3k3bmVFn1giS4uEudc774nBhIw=\"'
fi
# this defaults to unseal. Other options are leader for a raft cluster leader, and cluster, for a raft cluster peer.
if [ -z \${VAULTTYPE+x} ];
then
    echo 'VAULTTYPE is unset - see documentation how to configure this flavour, defaulting to unseal instead of leader or follower.'
    VAULTTYPE=\"unseal\"
fi
# IP address of the unseal server
if [ -z \${UNSEALIP+x} ];
then
    echo 'UNSEALIP is unset - see documentation how to configure this flavour, defaulting to preset value. Do not use this in production!'
    UNSEALIP=\"127.0.0.1\"
fi
# Unwrap token to pass into cluster
if [ -z \${UNSEALTOKEN+x} ];
then
    echo 'UNSEALTOKEN is unset - see documentation how to configure this flavour, defaulting to unset value. Do not use this in production!'
    UNSEALTOKEN=\"unset\"
fi
# Vault leader IP
if [ -z \${VAULTLEADER+x} ];
then
    echo 'VAULTLEADER is unset - see documentation how to configure this flavour, defaulting to own IP.'
    VAULTLEADER=\"\$IP\"
fi
# Vault leader token
if [ -z \${LEADERTOKEN+x} ];
then
    echo 'LEADERTOKEN is unset - see documentation how to configure this flavour, defaulting to unset.'
    LEADERTOKEN=\"unset\"
fi
# optional logging to remote syslog server
if [ -z \${REMOTELOG+x} ];
then
    echo 'REMOTELOG is unset - see documentation how to configure this flavour with IP address of remote syslog server. Defaulting to 0'
    REMOTELOG=\"null\"
fi
# sftpuser credentials
if [ -z \${SFTPUSER+x} ];
then
    echo 'SFTPUSER is unset - see documentation how to configure this flavour with sftp user and pass. Defaulting to username: certuser'
    SFTPUSER=\"certuser\"
fi
# sftpuser password
if [ -z \${SFTPPASS+x} ];
then
    echo 'SFTPPASS is unset - see documentation how to configure this flavour with sftp user and pass. Defaulting to password: c3rtp4ss'
    SFTPPASS=\"c3rtp4ss\"
fi
# ip subnet to generate temporary short-lived certificates for
if [ -z \${SFTPNETWORK+x} ];
then
    echo 'SFTPNETWORK is unset - see documentation how to configure this flavour with IP range to generate short-lived temporary certificates for. Defaulting to IP address'
    SFTPNETWORK=\"\$IP\"
fi

# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files

# setup directories for vault usage
mkdir -p /mnt/templates
mkdir -p /mnt/certs/hash
mkdir -p /mnt/vault

## start Vault

# first remove any existing vault configuration
if [ -f /usr/local/etc/vault/vault-server.hcl ]; then
    rm /usr/local/etc/vault/vault-server.hcl
fi
# then setup a fresh vault.hcl specific to the type of image

# default FreeBSD vault.hcl is /usr/local/etc/vault.hcl and
# the init script /usr/local/etc/rc.d/vault refers to this
# but many vault docs refer to /usr/local/etc/vault/vault-server.hcl
# or similar

# Create vault configuration file
# Three types of vault servers
# - unseal (unseal node)
# - leader (raft cluster leader)
# - cluster (raft cluster member)

case \$VAULTTYPE in

  ### Vault type: Unseal Node - no consul or node_template setup
  unseal)
    export VAULT_CLIENT_TIMEOUT=300s

    #begin vault config
    echo \"disable_mlock = true
ui = true
# enable when vnet interface in use by pot
#listener \\\"tcp\\\" {
#  address = \\\"127.0.0.1:8200\\\"
#  tls_disable = 1
#}
listener \\\"tcp\\\" {
  address = \\\"\$IP:8200\\\"
  tls_disable = 1
  telemetry {
    unauthenticated_metrics_access = true
  }
}
# make sure you create a zfs partition and mount it into /mnt
# if you want persistent vault data
# if using another directory update this path accordingly
storage \\\"file\\\" {
  path    = \\\"/mnt/vault/\\\"
}
log_level = \\\"Debug\\\"
api_addr = \\\"http://\$IP:8200\\\"
\" > /usr/local/etc/vault.hcl

    # setup autounseal config
    echo \"path \\\"transit/encrypt/autounseal\\\" {
  capabilities = [ \\\"update\\\" ]
}
path \\\"transit/decrypt/autounseal\\\" {
  capabilities = [ \\\"update\\\" ]
}
\" > /root/autounseal.hcl

    # set permissions on /mnt for vault data
    chown -R vault:wheel /mnt/

    # remove the copied in rotate-certs.sh file, not needed on unseal node
    if [ -f /root/rotate-certs.sh ]; then
        rm -f /root/rotate-certs.sh
    fi

    # setup rc.conf entries
    # we do not set vault_user=vault because vault will not start
    sysrc vault_enable=yes
    sysrc vault_login_class=root
    sysrc vault_syslog_output_enable=\"YES\"
    sysrc vault_syslog_output_priority=\"warn\"

    # setup some automation scripts
    echo \"#!/bin/sh
/usr/local/bin/vault audit enable -address=http://\$IP:8200 file file_path=/mnt/audit.log
/usr/local/bin/vault secrets enable -address=http://\$IP:8200 transit
/usr/local/bin/vault write -address=http://\$IP:8200 -f transit/keys/autounseal
/usr/local/bin/vault policy write -address=http://\$IP:8200 autounseal /root/autounseal.hcl
\" > /root/setup-autounseal.sh

    chmod +x /root/setup-autounseal.sh

    # setup quick way to issue unseal tokens
    echo \"#!/bin/sh
/usr/local/bin/vault token create -address=http://\$IP:8200 -policy=\\\"autounseal\\\" -wrap-ttl=24h
\" > /root/issue-unseal.sh

    chmod +x /root/issue-unseal.sh

    # setup a quick way to check vault status
    echo \"#!/bin/sh
/usr/local/bin/vault status -address=http://\$IP:8200
\" > /root/vault-status.sh

    chmod +x /root/vault-status.sh

    # start vault
    echo \"Starting Vault Unseal Node\"
    /usr/local/etc/rc.d/vault start

    echo \"------------------------------------------------------------------------------------------\"
    echo \"Unseal node is almost complete, you must now login and manually run the following\"
    echo \"commands to complete the setup:\"
    echo \" \"
    echo \"  vault operator init -address=http://\$IP:8200\"
    echo \"  vault operator unseal -address=http://\$IP:8200\"
    echo \"     (paste key1)\"
    echo \"  vault operator unseal -address=http://\$IP:8200\"
    echo \"     (paste key2)\"
    echo \"  vault operator unseal -address=http://\$IP:8200\"
    echo \"     (paste key3)\"
    echo \"  vault login -address=http://\$IP:8200\"
    echo \"     (use token from operator init)\"
    echo \" \"
    echo \" Then run /root/setup-autounseal.sh to automatically run each of the following 4 steps \"
    echo \"  vault audit enable -address=http://\$IP:8200 file file_path=/mnt/audit.log\"
    echo \"  vault secrets enable -address=http://\$IP:8200 transit\"
    echo \"  vault write -address=http://\$IP:8200 -f transit/keys/autounseal\"
    echo \"  vault policy write -address=http://\$IP:8200 autounseal /root/autounseal.hcl\"
    echo \" \"
    echo \"Unseal node is setup\"
    echo \" \"
    echo \"To issue unseal tokens for each RAFT cluster node, run /root/issue-unseal.sh or manually run:\"
    echo \" \"
    echo \"  vault token create -address=http://\$IP:8200 -policy=\\\"autounseal\\\" -wrap-ttl=24h\"
    echo \" \"
    echo \"You must run this for each node in your cluster. Every node needs an unseal token.\"
    echo \"------------------------------------------------------------------------------------------\"
    # end unseal config
    ;;

    ### Vault type: RAFT Leader
    leader)

    export VAULT_CLIENT_TIMEOUT=300s
    export VAULT_MAX_RETRIES=5

    # setup chroot directory for use by sftp, gets wiped on reboot
    mkdir -p /tmpcerts
    chown root:wheel /tmpcerts
    chmod 755 /tmpcerts

    # begin sftpuser configuration
    echo \"Setting up ssh and sftp\"
    echo \"Port 8888
PubkeyAuthentication yes
AuthorizedKeysFile       .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
StrictModes no
UseDNS no
Banner none
AllowUsers sample
#LogLevel DEBUG
AllowAgentForwarding yes
PermitTTY yes
AllowUsers \$SFTPUSER

Match User \$SFTPUSER
  ChrootDirectory /tmpcerts
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
\" >> /etc/ssh/sshd_config

    # setup host keys
    echo \"Manually setting up host keys\"
    cd /etc/ssh
    /usr/bin/ssh-keygen -A
    cd /

    # setup a user
    /usr/sbin/pw useradd -n \$SFTPUSER -c 'certificate user' -m -s /bin/sh -h 0 <<EOP
\$SFTPPASS
EOP

    # setup user ssh key to be exported for use elsewhere
    echo \"Setting up \$SFTPUSER ssh keys\"
    mkdir -p /home/\$SFTPUSER/.ssh
    /usr/bin/ssh-keygen -q -N '' -f /home/\$SFTPUSER/.ssh/id_rsa -t rsa
    chmod 700 /home/\$SFTPUSER/.ssh
    cat /home/\$SFTPUSER/.ssh/id_rsa.pub > /home/\$SFTPUSER/.ssh/authorized_keys
    chmod 700 /home/\$SFTPUSER/.ssh
    chmod 600 /home/\$SFTPUSER/.ssh/id_rsa
    chmod 644 /home/\$SFTPUSER/.ssh/authorized_keys
    chown \$SFTPUSER:\$SFTPUSER /home/\$SFTPUSER/.ssh

    echo \"\"
    echo \"########################### IMPORTANT NOTICE ###########################\"
    echo \"\"
    echo \"You must copy /home/\$SFTPUSER/.ssh/id_rsa OUT of this vault image, and\"
    echo \"then copy IN to all other images' (to /root/.ssh/id_rsa) which need to\"
    echo \"login to vault and get certificates issued!\"
    echo \"\"
    echo \"This is required so that tls-client-validation is always enforced.\"
    echo \"Round 1: temp certificates for vault leader login tls-client-validation\"
    echo \"Round 2: get certificates from vault for vault agent and applications\"
    echo \"\"
    echo \"########################################################################\"
    echo \"\"

    # restart ssh
    echo \"Restarting ssh\"
    /etc/rc.d/sshd restart

    # begin vault config
    echo \"disable_mlock = true
ui = true
# enable when vnet interface in use by pot
#listener \\\"tcp\\\" {
#  address = \\\"127.0.0.1:8200\\\"
#  tls_disable = 1
#}
listener \\\"tcp\\\" {
  address = \\\"\$IP:8200\\\"
  cluster_address = \\\"\$IP:8201\\\"
  telemetry {
    unauthenticated_metrics_access = true
  }
  # set to zero to enable TLS only
  tls_disable = 1
  #xyz#tls_skip_verify = false
  #xyz#tls_require_and_verify_client_cert = true
  #xyz#tls_client_ca_file = \\\"/mnt/certs/ca.pem\\\"
  #xyz#tls_cert_file = \\\"/mnt/certs/cert.pem\\\"
  #xyz#tls_key_file = \\\"/mnt/certs/key.pem\\\"
}
# make sure you create a zfs partition and mount it into /mnt
# if you want persistent vault data
# if using another directory update this path accordingly
storage \\\"raft\\\" {
  path    = \\\"/mnt/vault/\\\"
  node_id = \\\"\$NODENAME\\\"
  autopilot_reconcile_interval = \\\"5s\\\"
  retry_join {
    leader_api_addr = \\\"http://\$VAULTLEADER:8200\\\"
    #xyz#leader_ca_cert_file = \\\"/mnt/certs/ca.pem\\\"
    #xyz#leader_client_cert_file = \\\"/mnt/certs/cert.pem\\\"
    #xyz#leader_client_key_file = \\\"/mnt/certs/key.pem\\\"
  }
}
seal \\\"transit\\\" {
  address = \\\"http://\$UNSEALIP:8200\\\"
  disable_renewal = \\\"false\\\"
  key_name = \\\"autounseal\\\"
  mount_path = \\\"transit/\\\"
  token = \\\"UNWRAPPEDTOKEN\\\"
}
telemetry {
  disable_hostname = true
  prometheus_retention_time = \\\"24h\\\"
}
#brb#service_registration \\\"consul\\\" {
#brb#  address = \\\"\$IP:8500\\\"
#brb#  scheme = \\\"http\\\"
#brb#  service = \\\"vault\\\"
#brb#  tls_ca_file = \\\"/mnt/certs/combinedca.pem\\\"
#brb#  tls_cert_file = \\\"/mnt/certs/cert.pem\\\"
#brb#  tls_key_file = \\\"/mnt/certs/key.pem\\\"
#brb#}
pid_file = \\\"/var/run/vault.pid\\\"
log_format = \\\"standard\\\"
log_level = \\\"Debug\\\"
api_addr = \\\"http://\$IP:8200\\\"
cluster_addr = \\\"http://\$IP:8201\\\"
\" > /usr/local/etc/vault.hcl

    # set permissions on /mnt for vault data
    chown -R vault:wheel /mnt/vault

    # setup rc.conf entries
    # we do not set vault_user=vault because vault will not start
    sysrc vault_enable=yes
    sysrc vault_login_class=root
    sysrc vault_syslog_output_enable=\"YES\"
    sysrc vault_syslog_output_priority=\"warn\"

    # set vault timeout
    export VAULT_CLIENT_TIMEOUT=300s

    # if we need to autounseal with passed in unwrap token
    # vault unwrap [options] [TOKEN]
    /usr/local/bin/vault unwrap -address=http://\$UNSEALIP:8200 -format=json \$UNSEALTOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/unwrapped.token
    if [ -s /root/unwrapped.token ]; then
        THIS_TOKEN=\$(/bin/cat /root/unwrapped.token)
        /usr/bin/sed -i .orig \"/UNWRAPPEDTOKEN/s/UNWRAPPEDTOKEN/\$THIS_TOKEN/g\" /usr/local/etc/vault.hcl
    fi

    # start vault
    echo \"Starting Vault Leader\"
    /usr/local/etc/rc.d/vault start

    # login
    echo \"Logging in to unseal vault\"
    /usr/local/bin/vault login -address=http://\$UNSEALIP:8200 -format=json \$THIS_TOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/this.token
    sleep 5
    echo \"initiating raft cluster with operator init\"

    # perform operator init on unsealed node and get recovery keys instead of unseal keys, save to file
    /usr/local/bin/vault operator init -address=http://\$IP:8200 -format=json > /root/recovery.keys

    # set some variables from the saved file
    # the saved file may be a security risk?
    echo \"Setting variables from recovery.keys\"
    KEY1=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.recovery_keys_b64[0]')
    KEY2=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.recovery_keys_b64[1]')
    KEY3=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.recovery_keys_b64[2]')
    KEY4=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.recovery_keys_b64[3]')
    KEY5=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.recovery_keys_b64[4]')
    ROOTKEY=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.root_token')

    echo \"Unsealing raft cluster\"
    /usr/local/bin/vault operator unseal -address=http://\$IP:8200 \$KEY1
    /usr/local/bin/vault operator unseal -address=http://\$IP:8200 \$KEY2
    /usr/local/bin/vault operator unseal -address=http://\$IP:8200 \$KEY3
    # uncomment this if more than 3 keys required to unseal
    #/usr/local/bin/vault operator unseal -address=http://\$IP:8200 \$KEY4
    #/usr/local/bin/vault operator unseal -address=http://\$IP:8200 \$KEY5

    echo \"Please wait for cluster...\"
    sleep 6

    # The vault documentation says this is not done on first node, but raft only works if it is!
    echo \"Joining the raft cluster\"
    /usr/local/bin/vault operator raft join -address=http://\$IP:8200
    # we need to wait a period for the cluster to initialise correctly and elect leader
    # cluster requires 10 seconds to bootstrap, even if single server, we can only login after
    echo \"Please wait for raft cluster to contemplate self...\"
    sleep 12

    echo \"Logging in to local raft instance\"
    echo \"\$ROOTKEY\" | /usr/local/bin/vault login -address=http://\$IP:8200 -method=token -field=token token=- > /root/login.token

    if [ -s /root/login.token ]; then
        TOKENOUT=\$(/bin/cat /root/login.token)
        echo \"Your new login token is \$TOKENOUT\"
        echo \"Also available in /root/login.token\"

        # setup logging
        echo \"enabling /mnt/audit.log\"
        /usr/local/bin/vault audit enable -address=http://\$IP:8200 file file_path=/mnt/audit.log

        # enable pki and become a CA
        echo \"Setting up raft cluster CA\"
        echo \"\"
        # tweak raft autopilot settings
        # requires vault 1.7
        /usr/local/bin/vault operator raft autopilot set-config -address=http://\$IP:8200 -dead-server-last-contact-threshold=10s -server-stabilization-time=30s -cleanup-dead-servers=true -min-quorum=3

        # vault secrets enable [options] TYPE
        # enable the pki secrets engine at the pki path
        echo \"Enabling PKI\"
        /usr/local/bin/vault secrets enable -address=http://\$IP:8200 pki

        # vault secrets tune [options] PATH
        # Tune the pki secrets engine to issue certificates with a maximum time-to-live (TTL) of 87600 hours (10 years)
        echo \"Tuning PKI\"
        /usr/local/bin/vault secrets tune -max-lease-ttl=87600h -address=http://\$IP:8200 pki/

        # enable cert authentication, currently disabled
        echo \"Enabling certificate authentication\"
        /usr/local/bin/vault auth enable -address=http://\$IP:8200 cert

        # vault write [options] PATH [DATA K=V...]
        # Generate the root CA, extracting the root CA certificate to CA_cert.pem in pem format
        # note: the secret key is not exported
        echo \"Generating internal certificate\"
        /usr/local/bin/vault write -address=http://\$IP:8200 -field=certificate pki/root/generate/internal common_name=\"\$DATACENTER\" ttl=\"87600h\" format=pem exclude_cn_from_sans=true > /mnt/certs/CA_cert.pem
        # we need this newline for combining certs later
        echo \"\" >> /mnt/certs/CA_cert.pem
        # configure the CA and CRL endpoints
        echo \"Writing certificate URLs\"
        /usr/local/bin/vault write -address=http://\$IP:8200 pki/config/urls issuing_certificates=\"http://\$IP:8200/v1/pki/ca\" crl_distribution_points=\"http://\$IP:8200/v1/pki/crl\"

        # setup intermediate CA
        echo \"Setting up raft cluster intermediate CA\"
        # vault secrets enable [options] TYPE
        # enable the pki secrets engine at the pki_int path
        echo \"Enabling PKI Intermediate\"
        /usr/local/bin/vault secrets enable -address=http://\$IP:8200 -path=pki_int pki

        # vault secrets tune [options] PATH
        # tune the secrets engine to issue certificates with a maximum time-to-live (TTL) of 43800 hours (5 years)
        echo \"Tuning PKI Intermediate\"
        /usr/local/bin/vault secrets tune -max-lease-ttl=43800h -address=http://\$IP:8200 pki_int/

        # vault write [options] PATH [DATA K=V...]
        # generate an intermediate certificate and save the CSR
        echo \"Writing intermediate certificate to file\"
        /usr/local/bin/vault write -address=http://\$IP:8200 -format=json pki_int/intermediate/generate/exported common_name=\"\$DATACENTER Intermediate Authority\" format=pem exclude_cn_from_sans=true > /mnt/certs/pki_intermediate.pem
        # Extract the private key & certificate signing request from the previous command
        /usr/local/bin/jq -r '.data.private_key' < /mnt/certs/pki_intermediate.pem > /mnt/certs/intermediate.key.pem
        /usr/local/bin/jq -r '.data.csr' < /mnt/certs/pki_intermediate.pem > /mnt/certs/pki_intermediate.csr

        # Sign the intermediate certificate with the root certificate and save the generated certificate as intermediate.cert.pem
        echo \"Signing intermediate certificate\"
        /usr/local/bin/vault write -address=http://\$IP:8200 -format=json pki/root/sign-intermediate csr=@/mnt/certs/pki_intermediate.csr format=pem_bundle ttl=\"43800h\" | /usr/local/bin/jq -r '.data.certificate' > /mnt/certs/intermediate.cert.pem

        # once CSR signed and root CA returns certificate, import back into vault
        echo \"Storing intermediate certificate\"
        /usr/local/bin/vault write -address=http://\$IP:8200 pki_int/intermediate/set-signed certificate=@/mnt/certs/intermediate.cert.pem

        # combine intermediate certs and root CA into chain
        cat /mnt/certs/intermediate.cert.pem > /mnt/certs/intermediate.chain.pem
        cat /mnt/certs/CA_cert.pem >> /mnt/certs/intermediate.chain.pem

        # setup roles
        echo \"Setting up roles\"
        # vault write [options] PATH [DATA K=V...]
        # setup roles to enable certificate issue
        /usr/local/bin/vault write -address=http://\$IP:8200 pki_int/roles/\$DATACENTER allow_any_name=true allow_bare_domains=true allow_subdomains=true max_ttl=\"720h\" require_cn=false generate_lease=true allow_ip_sans=true allow_localhost=true enforce_hostnames=false 
        /usr/local/bin/vault write -address=http://\$IP:8200 pki_int/issue/\$DATACENTER common_name=\"\$DATACENTER\" ttl=\"24h\"
        /usr/local/bin/vault write -address=http://\$IP:8200 pki/roles/\$DATACENTER allow_any_name=true allow_bare_domains=true allow_subdomains=true max_ttl=\"72h\" require_cn=false allow_ip_sans=true allow_localhost=true enforce_hostnames=false 

        # set policy in a file, will import next
        # this needs a review, from multiple sources
        echo \"Writing detailed vault policy to file /root/vault.policy\"
        echo \"
path \\\"sys/mounts/*\\\" { capabilities = [ \\\"create\\\", \\\"read\\\", \\\"update\\\", \\\"delete\\\", \\\"list\\\"] }
path \\\"sys/mounts\\\" { capabilities = [ \\\"read\\\", \\\"list\\\"] }
path \\\"auth/token/roles/\$DATACENTER\\\" { capabilities = [ \\\"read\\\", \\\"update\\\"] }
path \\\"auth/token/revoke-accessor\\\" { capabilities = [ \\\"update\\\"] }
path \\\"auth/token/create/*\\\" { capabilities = [ \\\"update\\\"] }
path \\\"pki/cert/ca\\\" { capabilities = [\\\"read\\\"] }
path \\\"pki*\\\" { capabilities = [\\\"read\\\", \\\"list\\\", \\\"update\\\", \\\"delete\\\", \\\"list\\\", \\\"sudo\\\"] }
path \\\"pki/roles/\$DATACENTER\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki/sign/\$DATACENTER\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki_int/roles/\$DATACENTER\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki_int/sign/\$DATACENTER\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki_int/issue/*\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki_int/certs/\\\" { capabilities = [\\\"list\\\"] }
path \\\"pki_int/revoke\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki_int/tidy\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
\" > /root/vault.policy

        echo \"Writing vault policy to Vault\"
        # vault policy write [options] NAME PATH
        /usr/local/bin/vault policy write -address=http://\$IP:8200 pki /root/vault.policy

        # setup role
        /usr/local/bin/vault write -address=http://\$IP:8200 auth/token/roles/\$DATACENTER allowed_policies=\"pki\" orphan=true period=\"24h\"
    fi

    # setup template files for certificates
    # this is not currently in use, using cron job to rotate certs
    # it also doesn't hash the ca.pem file, which cron job does
    echo \"{{- /* /mnt/templates/cert.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.certificate }}{{ end }}
\" > /mnt/templates/cert.tpl

    echo \"{{- /* /mnt/templates/ca.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" }}
{{ .Data.issuing_ca }}{{ end }}
\" > /mnt/templates/ca.tpl

    echo \"{{- /* /mnt/templates/key.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.private_key }}{{ end }}
\" > /mnt/templates/key.tpl

# removed as not using vault to renew currently
#    # update vault.hcl
#    echo \"template {
#  source = \\\"/mnt/templates/cert.tpl\\\"
#  destination = \\\"/mnt/certs/cert.pem\\\"
#}
#template {
#  source = \\\"/mnt/templates/ca.tpl\\\"
#  destination = \\\"/mnt/certs/ca.pem\\\"
#}
#template {
#  source = \\\"/mnt/templates/key.tpl\\\"
#  destination = \\\"/mnt/certs/key.pem\\\"
#}
#\" >> /usr/local/etc/vault.hcl

##### removed
#	# using this payload.json approach to avoid nested single and double quotes for expansion
#    echo \"{
#  \\\"common_name\\\": \\\"\$IP\\\",
#  \\\"alt_names\\\": \\\"\$NODENAME\\\",
#  \\\"ttl\\\": \\\"24h\\\",
#  \\\"ip_sans\\\": \\\"\$IP,127.0.0.1\\\",
#  \\\"format\\\": \\\"pem\\\"
#}\" > /mnt/templates/payload.json
#####

    # new payload approach, using jo to generate json
    /usr/local/bin/jo -p common_name=\$IP alt_names=\$NODENAME ttl=24h ip_sans=\"\$IP,127.0.0.1\" format=pem > /mnt/templates/payload.json

    # generate certificates to use
    # we use curl to get the certificates in json format as the issue command only has formats: pem, pem_bundle, der
    # but no json format except via the API
    if [ -s /root/login.token ]; then
        HEADER=\$(/bin/cat /root/login.token)
        /usr/local/bin/curl --header \"X-Vault-Token: \$HEADER\" --request POST --data @/mnt/templates/payload.json http://\$IP:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json
        # extract the required certificates to individual files
        /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
        /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
        /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem
        /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
        cd /mnt/certs
        # concat the root CA and intermediary CA into combined file
        cat CA_cert.pem ca.pem > combinedca.pem
        # steps here to hash ca
        ln -s ca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
        ln -s combinedca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
        cd /root
        # set permissions on /mnt/certs for vault
        chown -R vault:wheel /mnt/certs
        # validate the certificates
        echo \"Validating client certificate\"
        if [ -s /mnt/certs/combinedca.pem ] && [ -s /mnt/certs/cert.pem ]; then
            /usr/bin/openssl verify -CAfile /mnt/certs/combinedca.pem /mnt/certs/cert.pem
        fi
    fi

    # if we get a successful private key, update vault.hcl and restart vault
    if [ -s /mnt/certs/key.pem ]; then
        # enable TLS by removing the config line disabling it
        /usr/bin/sed -i .orig 's/tls_disable = 1/tls_disable = 0/g' /usr/local/etc/vault.hcl

        # update http to https, this will include leader_api_addr
        /usr/bin/sed -i .orig '/api_addr/s/http/https/' /usr/local/etc/vault.hcl
        /usr/bin/sed -i .orig '/cluster_addr/s/http/https/' /usr/local/etc/vault.hcl

        # remove the comment #xyz# to enable certificates
        /usr/bin/sed -i .orig 's/#xyz#tls/tls/g' /usr/local/etc/vault.hcl
        /usr/bin/sed -i .orig 's/#xyz#leader/leader/g' /usr/local/etc/vault.hcl

        # enable consul components
        /usr/bin/sed -i .orig 's/#brb#//g' /usr/local/etc/vault.hcl

        # optional remote logging
        if [ ! -z \$REMOTELOG ] && [ \$REMOTELOG != \"null\" ]; then
            if [ -f /root/syslog-ng.conf ]; then
                /usr/bin/sed -i .orig \"s/REMOTELOGIP/\$REMOTELOG/g\" /root/syslog-ng.conf
                cp -f /root/syslog-ng.conf /usr/local/etc/syslog-ng.conf
                # stop syslogd
                service syslogd onestop || true
                # setup sysrc entries to start and set parameters to accept logs from remote subnet
                sysrc syslogd_enable=\"NO\"
                sysrc syslog_ng_enable=\"YES\"
                #sysrc syslog_ng_flags=\"-u daemon\"
                sysrc syslog_ng_flags=\"-R /tmp/syslog-ng.persist\"
                /usr/local/etc/rc.d/syslog-ng start
                echo \"syslog-ng setup complete\"
            else
                echo \"/root/syslog-ng.conf is missing?\"
            fi
        else
            echo \"REMOTELOG parameter is not set to an IP address. syslog-ng won't operate.\"
        fi

        ## start consul config
        # make consul configuration directory and set permissions
        mkdir -p /usr/local/etc/consul.d
        chmod 750 /usr/local/etc/consul.d

        # Create the consul agent config file with imported variables
        echo \"{
\\\"advertise_addr\\\": \\\"\$IP\\\",
\\\"datacenter\\\": \\\"\$DATACENTER\\\",
\\\"node_name\\\": \\\"\$NODENAME\\\",
\\\"data_dir\\\":  \\\"/var/db/consul\\\",
\\\"dns_config\\\": {
  \\\"a_record_limit\\\": 3,
  \\\"enable_truncate\\\": true
},
\\\"verify_incoming\\\": true,
\\\"verify_outgoing\\\": true,
\\\"verify_server_hostname\\\": false,
\\\"verify_incoming_rpc\\\":true,
\\\"ca_file\\\": \\\"/mnt/certs/combinedca.pem\\\",
\\\"cert_file\\\": \\\"/mnt/certs/cert.pem\\\",
\\\"key_file\\\": \\\"/mnt/certs/key.pem\\\",
\\\"log_file\\\": \\\"/var/log/consul/\\\",
\\\"log_level\\\": \\\"WARN\\\",
\\\"encrypt\\\": \$GOSSIPKEY,
\\\"start_join\\\": [ \$CONSULSERVERS ],
\\\"service\\\": {
  \\\"name\\\": \\\"node-exporter\\\",
  \\\"tags\\\": [\\\"_app=vault\\\", \\\"_service=node-exporter\\\", \\\"_hostname=\$NODENAME\\\"],
  \\\"port\\\": 9100
}
}\" > /usr/local/etc/consul.d/agent.json

        # set owner and perms on agent.json
        chown consul:wheel /usr/local/etc/consul.d/agent.json
        chmod 640 /usr/local/etc/consul.d/agent.json

        # enable consul
        sysrc consul_enable=\"YES\"

        # set load parameter for consul config
        sysrc consul_args=\"-config-file=/usr/local/etc/consul.d/agent.json\"
        #sysrc consul_datadir=\"/var/db/consul\"

        # Workaround for bug in rc.d/consul script:
        sysrc consul_group=\"wheel\"

        # setup consul logs, might be redundant if not specified in agent.json above
        mkdir -p /var/log/consul
        touch /var/log/consul/consul.log
        chown -R consul:wheel /var/log/consul

        # add the consul user to the wheel group, this seems to be required for
        # consul to start on this instance. May need to figure out why.
        # I'm not entirely sure this is the correct way to do it
        /usr/sbin/pw usermod consul -G wheel

        ## end consul

        # start consul agent
        /usr/local/etc/rc.d/consul start

        # node exporter needs tls setup
        echo \"tls_server_config:
  cert_file: /mnt/certs/cert.pem
  key_file: /mnt/certs/key.pem
\" > /usr/local/etc/node-exporter.yml

        # enable node_exporter service
        sysrc node_exporter_enable=\"YES\"
        sysrc node_exporter_args=\"--web.config=/usr/local/etc/node-exporter.yml\"

        # start node_exporter
        /usr/local/etc/rc.d/node_exporter start

        # restart vault, requires SIGHUP
        echo \"We must restart vault to enable https\"
        /usr/local/etc/rc.d/vault restart
    fi

    # there is a problem with generating client certs too early after vault restart
    # we need a strategic delay, like with most vault issues, otherwise initial certificates will get error
    #ERR#  unable to load certificate
    #ERR#  34374492160:error:0909006C:PEM routines:get_name:no start line:/usr/src/crypto/openssl/crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
    #
    echo \"\"
    echo \"Strategic delay. Please wait 20s\"
    sleep 5
    echo \"\"
    echo \"In a moment certificates will be generated for 253 hosts in the network \$SFTPNETWORK. This will take a while to complete.\"
    sleep 5
    echo \"\"
    echo \"Starting in 10s.   >>> Did you know a group of cats is called a clowder?\"
    sleep 5
    echo \"\"
    echo \"Starting in 5s.    >>> Sysadmin Day is always on the last Friday of July!\"
    sleep 5
    # setup temp certs for client first login
    # destination is /tmpcerts/$IP/cert.pem | /tmpcerts/$IP/key.pem | | /tmpcerts/$IP/cat.pem
    echo \"\"
    echo \"Building SFTPNETWORK list\"
    echo \"\"
    TRIMNETWORK=\$(echo \$SFTPNETWORK | sed 's/\.[0-9]*$//')
    SEQNETWORK=\$(/usr/bin/seq -f \"\$TRIMNETWORK.%g\" 1 253)
    # diagnostic
    echo \$SEQNETWORK > /tmpcerts/iplist.txt
    # generate certificates per host
    for sftphost in \$SEQNETWORK; do
        mkdir -p /tmpcerts/\$sftphost
        # use jo to generate payload.json file
        /usr/local/bin/jo -p common_name=\$sftphost ttl=2h ip_sans=\"\$sftphost,127.0.0.1\" format=pem > /tmpcerts/\$sftphost/payload.json
        if [ -s /root/login.token ]; then
            echo \"Generating 2 hour ttl client cert for ip \$sftphost in /tmpcerts/\$sftphost/...\"
            HEADER=\$(/bin/cat /root/login.token)
            /usr/local/bin/curl --silent --cacert /mnt/certs/ca.pem --cert /mnt/certs/cert.pem --key /mnt/certs/key.pem --header \"X-Vault-Token: \$HEADER\" --request POST --data @/tmpcerts/\$sftphost/payload.json https://\$IP:8200/v1/pki_int/issue/\$DATACENTER > /tmpcerts/\$sftphost/vaultissue.json
            # extract the required certificates to individual files
            /usr/local/bin/jq -r '.data.certificate' /tmpcerts/\$sftphost/vaultissue.json > /tmpcerts/\$sftphost/cert.pem
            /usr/local/bin/jq -r '.data.issuing_ca' /tmpcerts/\$sftphost/vaultissue.json >> /tmpcerts/\$sftphost/cert.pem
            /usr/local/bin/jq -r '.data.private_key' /tmpcerts/\$sftphost/vaultissue.json > /tmpcerts/\$sftphost/key.pem
            /usr/local/bin/jq -r '.data.issuing_ca' /tmpcerts/\$sftphost/vaultissue.json > /tmpcerts/\$sftphost/ca.pem
            # concat the root CA and intermediary CA into combined file
            cat /mnt/certs/CA_cert.pem /tmpcerts/\$sftphost/ca.pem > /tmpcerts/\$sftphost/combinedca.pem
            chown -R \$SFTPUSER:wheel /tmpcerts/\$sftphost/
            # validate the certificates
            echo \"Validating client certificate\"
            if [ -s /tmpcerts/\$sftphost/combinedca.pem ] && [ -s /tmpcerts/\$sftphost/cert.pem ]; then
                /usr/bin/openssl verify -CAfile /tmpcerts/\$sftphost/combinedca.pem /tmpcerts/\$sftphost/cert.pem
            fi
        fi
    done

    echo \"Creating auto-login script\"
    # setup auto-login script
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
if [ -s /root/login.token ]; then
    /bin/cat /root/login.token | /usr/local/bin/vault login -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem token=-
fi
\" > /root/cli-vault-auto-login.sh

    # make executable
    chmod +x /root/cli-vault-auto-login.sh

    echo \"Creating script to issue pki tokens\"
    # setup script to issue pki tokens
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
/usr/local/bin/vault token create -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem -policy=default -policy=pki -wrap-ttl=24h
\" > /root/issue-pki-token.sh

    # make executable
    chmod +x /root/issue-pki-token.sh

    echo \"Creating certificate rotation script\"
    # setup certificate rotation script
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
if [ -s /root/login.token ]; then
    LOGINTOKEN=\\\$(/bin/cat /root/login.token)
    HEADER=\\\$(echo \\\"X-Vault-Token: \\\"\\\$LOGINTOKEN)
    # we're using tls-client-validation so need cert, key, cacert, along with a login token, and payload.json file
    # we'll pass all this to the vault leader api and get back a json file with certificate data embedded
    # this payload.json was created in the setup of the server
    /usr/local/bin/curl --cacert /mnt/certs/ca.pem --cert /mnt/certs/cert.pem --key /mnt/certs/key.pem --header \\\"\\\$HEADER\\\" --request POST --data @/mnt/templates/payload.json https://\$VAULTLEADER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json
    # extract the required certificates to individual files
    /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
    cd /mnt/certs
    # concat the root CA and intermediary CA into combined file
    cat CA_cert.pem ca.pem > combinedca.pem
    # steps here to hash ca files for ca-dir usage
    ln -s ca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
    ln -s combinedca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
    cd /root
    # set permissions on /mnt/certs for vault
    chown -R vault:wheel /mnt/certs
    # restart services
    /bin/pkill -HUP vault
    /usr/local/etc/rc.d/consul restart
    /usr/local/etc/rc.d/syslog-ng restart
else
    echo "/root/login.token does not contain a token. Certificates cannot be renewed."
fi
\" > /root/rotate-certs.sh

    if [ -f /root/rotate-certs.sh ]; then
        # make executable
        chmod +x /root/rotate-certs.sh
        # add a crontab entry for every hour
        echo \"0 * * * * root /root/rotate-certs.sh >> /mnt/rotate-cert.log 2>&1\" >> /etc/crontab
    fi

    echo \"Adding vault-status.sh script\"
    # setup a quick way to check vault status
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
/usr/local/bin/vault status -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
\" > /root/vault-status.sh

    chmod +x /root/vault-status.sh

    echo \"Adding raft-status.sh script\"
    # setup a quick way to check raft status
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
/usr/local/bin/vault operator raft list-peers -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
\" > /root/raft-status.sh

    # make executable
    chmod +x /root/raft-status.sh

    # add script to regenerate 2h temp certs
    echo \"Adding gen-temp-certs.sh script to regenerate temporary certificates\"

    echo \"#!/bin/sh
MYNETWORK=\$SFTPNETWORK
TRIMNETWORK=\\\$(echo \\\$MYNETWORK | sed 's/\.[0-9]*$//')
SEQNETWORK=\\\$(/usr/bin/seq -f \\\"\\\$TRIMNETWORK.%g\\\" 1 253)
# diagnostic
echo \\\$SEQNETWORK > /tmpcerts/iplist.txt
# generate certificates per host
for sftphost in \\\$SEQNETWORK; do
    mkdir -p /tmpcerts/\\\$sftphost
    /usr/local/bin/jo -p common_name=\\\$sftphost ttl=2h ip_sans=\\\"\\\$sftphost,127.0.0.1\\\" format=pem > /tmpcerts/\\\$sftphost/payload.json
    if [ -s /root/login.token ]; then
        echo \\\"Re-generating 2 hour ttl client cert for ip \\\$sftphost in /tmpcerts/\\\$sftphost/...\\\"
        HEADER=\\\$(/bin/cat /root/login.token)
        /usr/local/bin/curl --silent --cacert /mnt/certs/ca.pem --cert /mnt/certs/cert.pem --key /mnt/certs/key.pem \
         --header \\\"X-Vault-Token: \\\$HEADER\\\" \
         --request POST --data @/tmpcerts/\\\$sftphost/payload.json \
         https://\$IP:8200/v1/pki_int/issue/\$DATACENTER > /tmpcerts/\\\$sftphost/vaultissue.json
        # extract the required certificates to individual files
        /usr/local/bin/jq -r '.data.certificate' /tmpcerts/\\\$sftphost/vaultissue.json > /tmpcerts/\\\$sftphost/cert.pem
        /usr/local/bin/jq -r '.data.issuing_ca' /tmpcerts/\\\$sftphost/vaultissue.json >> /tmpcerts/\\\$sftphost/cert.pem
        /usr/local/bin/jq -r '.data.private_key' /tmpcerts/\\\$sftphost/vaultissue.json > /tmpcerts/\\\$sftphost/key.pem
        /usr/local/bin/jq -r '.data.issuing_ca' /tmpcerts/\\\$sftphost/vaultissue.json > /tmpcerts/\\\$sftphost/ca.pem
        # concat the root CA and intermediary CA into combined file
        cat /mnt/certs/CA_cert.pem /tmpcerts/\\\$sftphost/ca.pem > /tmpcerts/\\\$sftphost/combinedca.pem
        chown -R \$SFTPUSER:wheel /tmpcerts/\\\$sftphost/
        # validate the certificates
        echo \\\"Validating client certificate\\\"
        if [ -s /tmpcerts/\\\$sftphost/combinedca.pem ] && [ -s /tmpcerts/\\\$sftphost/cert.pem ]; then
            /usr/bin/openssl verify -CAfile /tmpcerts/\\\$sftphost/combinedca.pem /tmpcerts/\\\$sftphost/cert.pem
        fi
    fi
done
\" > /root/gen-temp-certs.sh

    # make executable
    chmod +x /root/gen-temp-certs.sh

###### not working
#    # setup token renewals
#    echo \"
#if [ -s /root/login.token ]; then
#    LOGINTOKEN=\\\$(/bin/cat /root/login.token)
#    echo \\\$LOGINTOKEN | /usr/local/bin/vault token renew -address=https://\$VAULTLEADER:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem token=-
#else
#    echo "/root/login.token does not contain a token to be renewed."
#fi
#\" > /root/token-renew.sh
#
#    if [ -f /root/token-renew.sh ]; then
#        chmod +x /root/token-renew.sh
#    fi
########

    # end leader config
    ;;

    ### Vault type: RAFT cluster follower
    follower)

    # some basic ssh setup
    echo \"Initialising ssh settings\"
    mkdir -p /root/.ssh
    chmod 700 /root/.ssh
    touch /root/.ssh/authorized_keys

    if [ -f /root/sshkey ] && [ ! -f /root/.ssh/id_rsa ]; then
        cp /root/sshkey /root/.ssh/id_rsa
        chmod 600 /root/.ssh/id_rsa
        ssh-keygen -f /root/.ssh/id_rsa -y > /root/.ssh/id_rsa.pub
    fi

    # setup temp directory for temp certs
    mkdir -p /tmp/tmpcerts

    # echo a message to user
    echo \"\"
    echo \"########################### IMPORTANT NOTICE ###########################\"
    echo \"\"
    echo \"Make sure to copy in id_rsa from vault leader certuser instance!\"
    echo \"\"
    echo \"########################################################################\"
    echo \"\"
    # end client

    # retrieve first round of certificates from vault leader via sftp
    echo \"Get first round of certificates from vault leader via sftp\"
    if [ -f /root/.ssh/id_rsa ]; then
        cd /tmp/tmpcerts
        # wildcard retrieval works manually but not in the script, so we specify each file to retrieve
        /usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTLEADER:\$IP/cert.pem
        /usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTLEADER:\$IP/key.pem
        /usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTLEADER:\$IP/ca.pem
        /usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTLEADER:\$IP/combinedca.pem
    fi

    #set vault variables
    export VAULT_CLIENT_TIMEOUT=300s
    export VAULT_MAX_RETRIES=5

    #begin vault config
    echo \"disable_mlock = true
ui = true
# enable when vnet interface in use by pot
#listener \\\"tcp\\\" {
#  address = \\\"127.0.0.1:8200\\\"
#  tls_disable = 1
#}
listener \\\"tcp\\\" {
  address = \\\"\$IP:8200\\\"
  cluster_address = \\\"\$IP:8201\\\"
  telemetry {
    unauthenticated_metrics_access = true
  }
  # set to zero/false to enable TLS only
  tls_disable = false
  tls_require_and_verify_client_cert = true
  tls_skip_verify = false
  tls_client_ca_file = \\\"/mnt/certs/ca.pem\\\"
  tls_cert_file = \\\"/mnt/certs/cert.pem\\\"
  tls_key_file = \\\"/mnt/certs/key.pem\\\"
}
# make sure you create a zfs partition and mount it into /mnt
# if you want persistent vault data
# if using another directory update this path accordingly
storage \\\"raft\\\" {
  path    = \\\"/mnt/vault/\\\"
  node_id = \\\"\$NODENAME\\\"
  retry_join {
    leader_api_addr = \\\"https://\$VAULTLEADER:8200\\\"
    leader_ca_cert_file = \\\"/mnt/certs/ca.pem\\\"
    leader_client_cert_file = \\\"/mnt/certs/cert.pem\\\"
    leader_client_key_file = \\\"/mnt/certs/key.pem\\\"
  }
  autopilot_reconcile_interval = \\\"5s\\\"
}
seal \\\"transit\\\" {
  address = \\\"http://\$UNSEALIP:8200\\\"
  disable_renewal = \\\"false\\\"
  key_name = \\\"autounseal\\\"
  mount_path = \\\"transit/\\\"
  token = \\\"UNWRAPPEDTOKEN\\\"
}
telemetry {
  disable_hostname = true
  prometheus_retention_time = \\\"24h\\\"
}
#brb#service_registration \\\"consul\\\" {
#brb#  address = \\\"\$IP:8500\\\"
#brb#  scheme = \\\"http\\\"
#brb#  service = \\\"vault\\\"
#brb#  tls_ca_file = \\\"/mnt/certs/combinedca.pem\\\"
#brb#  tls_cert_file = \\\"/mnt/certs/cert.pem\\\"
#brb#  tls_key_file = \\\"/mnt/certs/key.pem\\\"
#brb#}
pid_file = \\\"/var/run/vault.pid\\\"
log_format = \\\"standard\\\"
log_level = \\\"Debug\\\"
api_addr = \\\"https://\$IP:8200\\\"
cluster_addr = \\\"https://\$IP:8201\\\"
#template {
#  source = \\\"/mnt/templates/cert.tpl\\\"
#  destination = \\\"/mnt/certs/cert.pem\\\"
#}
#template {
#  source = \\\"/mnt/templates/ca.tpl\\\"
#  destination = \\\"/mnt/certs/ca.pem\\\"
#}
#template {
#  source = \\\"/mnt/templates/key.tpl\\\"
#  destination = \\\"/mnt/certs/key.pem\\\"
#}
\" > /usr/local/etc/vault.hcl

    # setup template files for certificates
    # not currently enabled via vault, using cron job to renew, combined, hashes combinedca.pem
    echo \"{{- /* /mnt/templates/cert.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.certificate }}{{ end }}
\" > /mnt/templates/cert.tpl

    echo \"{{- /* /mnt/templates/ca.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" }}
{{ .Data.issuing_ca }}{{ end }}
\" > /mnt/templates/ca.tpl

    echo \"{{- /* /mnt/templates/key.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.private_key }}{{ end }}
\" > /mnt/templates/key.tpl

    # set permissions on /mnt for vault data
    chown -R vault:wheel /mnt

    # setup rc.conf entries
    # we do not set vault_user=vault because vault will not start
    sysrc vault_enable=yes
    sysrc vault_login_class=root
    sysrc vault_syslog_output_enable=\"YES\"
    sysrc vault_syslog_output_priority=\"warn\"

    # if we need to autounseal with passed in unwrap token
    # vault unwrap [options] [TOKEN]
    /usr/local/bin/vault unwrap -address=http://\$UNSEALIP:8200 -format=json \$UNSEALTOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/unwrapped.token
    if [ -s /root/unwrapped.token ]; then
        THIS_TOKEN=\$(/bin/cat /root/unwrapped.token)
        /usr/bin/sed -i .orig \"/UNWRAPPEDTOKEN/s/UNWRAPPEDTOKEN/\$THIS_TOKEN/g\" /usr/local/etc/vault.hcl
    fi

    # new CA cert retrieval process with curl
    echo \"Retrieving CA certificates from Vault leader\"
    # get the root CA, we're not able to do any tls verification at this stage
    /usr/local/bin/curl --cacert /tmp/tmpcerts/ca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem -o /mnt/certs/CA_cert.pem https://\$VAULTLEADER:8200/v1/pki/ca/pem
    # append a new line to the file, as will concat together later with another file
    if [ -s /mnt/certs/CA_cert.pem ]; then
        echo \"\" >> /mnt/certs/CA_cert.pem
    fi
    # get the intermediate CA, we're not able to do any tls verification at this stage
    /usr/local/bin/curl --cacert /tmp/tmpcerts/ca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem -o /mnt/certs/intermediate.cert.pem https://\$VAULTLEADER:8200/v1/pki_int/ca/pem
    # append a new line to the file, as will concat together later with another file
    if [ -s /mnt/certs/intermediate.cert.pem ]; then
        echo \"\" >> /mnt/certs/intermediate.cert.pem
    fi
    # validate the certificates
    echo \"Validating CA certificates\"
    if [ -s /mnt/certs/CA_cert.pem ] && [ -s /mnt/certs/intermediate.cert.pem ]; then
        /usr/bin/openssl verify -CAfile /mnt/certs/CA_cert.pem /mnt/certs/intermediate.cert.pem
    fi

    # login to unseal vault to get a root token to login to the leader node
    echo \"Logging in to unseal vault to unseal\"
    /usr/local/bin/vault login -address=http://\$UNSEALIP:8200 -format=json \$THIS_TOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/this.token
    echo \"Unseal login success. Please wait\"
    sleep 5

    # login to the vault leader with full tls validation of client
    echo \"Logging in to vault leader instance to authenticate\"
    echo \"\$LEADERTOKEN\" | /usr/local/bin/vault login -address=https://\$VAULTLEADER:8200 -client-cert=/tmp/tmpcerts/cert.pem -client-key=/tmp/tmpcerts/key.pem -ca-cert=/mnt/certs/intermediate.cert.pem -method=token -field=token token=- > /root/login.token
    echo \"Login success. Please wait\"
    sleep 5

    # if a root login token exists with file size greater than zero, then setup a payload.json file for certificate request
    if [ -s /root/login.token ]; then
        # generate certificates to use
        # using this payload.json approach to avoid nested single and double quotes for expansion
        # new way of generating payload.json with jo
        /usr/local/bin/jo -p common_name=\$IP alt_names=\$NODENAME ttl=24h ip_sans=\"\$IP,127.0.0.1\" format=pem > /mnt/templates/payload.json

        # we use curl to get the certificates in json format from vault leader api, as vaults cli's issue command only has the formats: pem, pem_bundle, der
        # but no json format with everything in one file
        echo \"Generating certificates to use from Vault leader\"
        HEADER=\$(/bin/cat /root/login.token)
        /usr/local/bin/curl --cacert /tmp/tmpcerts/combinedca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem --header \"X-Vault-Token: \$HEADER\" --request POST --data @/mnt/templates/payload.json https://\$VAULTLEADER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json
        # extract the required certificates to individual files
        /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
        # append the ca cert to the cert
        /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
        /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem
        /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
        cd /mnt/certs
        # concat the root CA and intermediary CA into combined file
        cat /mnt/certs/CA_cert.pem /mnt/certs/ca.pem > /mnt/certs/combinedca.pem
        # steps here to hash ca, required for syslog-ng
        ln -s ca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
        ln -s combinedca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
        cd /root
        # set permissions on /mnt/certs for vault
        chown -R vault:wheel /mnt/certs

        # validate the certificates
        echo \"Validating client certificate\"
        if [ -s /mnt/certs/combinedca.pem ] && [ -s /mnt/certs/cert.pem ]; then
            /usr/bin/openssl verify -CAfile /mnt/certs/combinedca.pem /mnt/certs/cert.pem
        fi

        # enable consul components
        /usr/bin/sed -i .orig 's/#brb#//g' /usr/local/etc/vault.hcl

        # optional remote logging
        if [ ! -z \$REMOTELOG ] && [ \$REMOTELOG != \"null\" ]; then
            if [ -f /root/syslog-ng.conf ]; then
                /usr/bin/sed -i .orig \"s/REMOTELOGIP/\$REMOTELOG/g\" /root/syslog-ng.conf
                cp -f /root/syslog-ng.conf /usr/local/etc/syslog-ng.conf
                # stop syslogd
                service syslogd onestop || true
                # setup sysrc entries to start and set parameters to accept logs from remote subnet
                sysrc syslogd_enable=\"NO\"
                sysrc syslog_ng_enable=\"YES\"
                #sysrc syslog_ng_flags=\"-u daemon\"
                sysrc syslog_ng_flags=\"-R /tmp/syslog-ng.persist\"
                /usr/local/etc/rc.d/syslog-ng start
                echo \"syslog-ng setup complete\"
            else
                echo \"/root/syslog-ng.conf is missing?\"
            fi
        else
            echo \"REMOTELOG parameter is not set to an IP address. syslog-ng won't operate.\"
        fi

        ## start consul config
        # make consul configuration directory and set permissions
        mkdir -p /usr/local/etc/consul.d
        chmod 750 /usr/local/etc/consul.d

        # Create the consul agent config file with imported variables
        echo \"{
\\\"advertise_addr\\\": \\\"\$IP\\\",
\\\"datacenter\\\": \\\"\$DATACENTER\\\",
\\\"node_name\\\": \\\"\$NODENAME\\\",
\\\"data_dir\\\":  \\\"/var/db/consul\\\",
\\\"dns_config\\\": {
 \\\"a_record_limit\\\": 3,
 \\\"enable_truncate\\\": true
},
\\\"verify_incoming\\\": true,
\\\"verify_outgoing\\\": true,
\\\"verify_server_hostname\\\": false,
\\\"verify_incoming_rpc\\\":true,
\\\"ca_file\\\": \\\"/mnt/certs/combinedca.pem\\\",
\\\"cert_file\\\": \\\"/mnt/certs/cert.pem\\\",
\\\"key_file\\\": \\\"/mnt/certs/key.pem\\\",
\\\"log_file\\\": \\\"/var/log/consul/\\\",
\\\"log_level\\\": \\\"WARN\\\",
\\\"encrypt\\\": \$GOSSIPKEY,
\\\"start_join\\\": [ \$CONSULSERVERS ],
\\\"service\\\": {
 \\\"name\\\": \\\"node-exporter\\\",
 \\\"tags\\\": [\\\"_app=vault\\\", \\\"_service=node-exporter\\\", \\\"_hostname=\$NODENAME\\\"],
 \\\"port\\\": 9100
 }
}\" > /usr/local/etc/consul.d/agent.json

        # set owner and perms on agent.json
        chown consul:wheel /usr/local/etc/consul.d/agent.json
        chmod 640 /usr/local/etc/consul.d/agent.json

        # enable consul
        sysrc consul_enable=\"YES\"

        # set load parameter for consul config
        sysrc consul_args=\"-config-file=/usr/local/etc/consul.d/agent.json\"
        #sysrc consul_datadir=\"/var/db/consul\"

        # Workaround for bug in rc.d/consul script:
        sysrc consul_group=\"wheel\"

        # setup consul logs, might be redundant if not specified in agent.json above
        mkdir -p /var/log/consul
        touch /var/log/consul/consul.log
        chown -R consul:wheel /var/log/consul

        # add the consul user to the wheel group, this seems to be required for
        # consul to start on this instance. May need to figure out why.
        # not entirely sure this is the correct way to do it
        /usr/sbin/pw usermod consul -G wheel

        ## end consul

        # node exporter needs tls setup
        echo \"tls_server_config:
  cert_file: /mnt/certs/cert.pem
  key_file: /mnt/certs/key.pem
\" > /usr/local/etc/node-exporter.yml

        # enable node_exporter service
        sysrc node_exporter_enable=\"YES\"
        sysrc node_exporter_args=\"--web.config=/usr/local/etc/node-exporter.yml\"

        # start consul agent
        /usr/local/etc/rc.d/consul start

        # start node_exporter
        /usr/local/etc/rc.d/node_exporter start

        # start vault
        echo \"Starting Vault Follower\"
        /usr/local/etc/rc.d/vault start
        sleep 6

        # join the raft cluster
        echo \"Joining the raft cluster\"
        # we're using tls-client-validation so cert, key, cacert required
        /usr/local/bin/vault operator raft join -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
        # we need to wait a period for the cluster to initialise correctly and elect leader
        # cluster requires 10 seconds to bootstrap, even if single server, we can only login after 10 seconds
        # syslog-ng flow control adds a lot of overhead, so longer delay is required if enabled. 30s at least
        echo \"Please wait for raft cluster to contemplate self... (30s)\"
        sleep 30

        # login to the local vault instance to initialise the follower node
        echo \"Logging in to local vault instance\"
        # we're using tls-client-validation so need cert, key, cacert and a login token
        echo \"\$LEADERTOKEN\" | /usr/local/bin/vault login -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem -method=token -field=token token=- > /root/login.token

        if [ -s /root/login.token ]; then
            TOKENOUT=\$(/bin/cat /root/login.token)
            echo \"Your token is \$TOKENOUT\"
            echo \"Also available in /root/login.token\"
        fi
    else
        echo \"ERROR: There was a problem logging into the vault leader and no certificates were retrieved. Vault not started.\"
    fi

    # setup auto-login script
    echo \"Setting up auto-login script\"
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
if [ -s /root/login.token ]; then
    /bin/cat /root/login.token | /usr/local/bin/vault login -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem token=-
fi\" > /root/cli-vault-auto-login.sh

    # set executable perms
    chmod +x /root/cli-vault-auto-login.sh

    # setup certificate rotation script
    echo \"Setting up certificate rotation script\"
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
if [ -s /root/login.token ]; then
    LOGINTOKEN=\\\$(/bin/cat /root/login.token)
    HEADER=\\\$(echo \\\"X-Vault-Token: \\\"\\\$LOGINTOKEN)
    /usr/local/bin/curl --cacert /mnt/certs/combinedca.pem --cert /mnt/certs/cert.pem --key /mnt/certs/key.pem --header \\\"\\\$HEADER\\\" --request POST --data @/mnt/templates/payload.json https://\$VAULTLEADER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json
    # extract the required certificates to individual files
    /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
    cd /mnt/certs
    # concat the root CA and intermediary CA into combined file
    cat CA_cert.pem ca.pem > combinedca.pem
    # steps here to hash ca
    ln -s ca.pem hash\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
    ln -s combinedca.pem hash\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
    cd /root
    # set permissions on /mnt/certs for vault
    chown -R vault:wheel /mnt/certs
    # restart services
    /bin/pkill -HUP vault
    /usr/local/etc/rc.d/consul restart
    /usr/local/etc/rc.d/syslog-ng restart
else
    echo "/root/login.token does not contain a token. Certificates cannot be renewed."
fi
\" > /root/rotate-certs.sh

    if [ -f /root/rotate-certs.sh ]; then
        echo \"Adding cron job\"
        # make executable
        chmod +x /root/rotate-certs.sh
        # add a crontab entry for every hour
        echo \"0 * * * * root /root/rotate-certs.sh >> /mnt/rotate-cert.log 2>&1\" >> /etc/crontab
    fi

    echo \"Adding vault-status.sh script\"
    # setup a quick way to check vault status
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
/usr/local/bin/vault status -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
\" > /root/vault-status.sh

    # make executable
    chmod +x /root/vault-status.sh

    echo \"Adding raft-status.sh script\"
    # setup a quick way to check raft status
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
/usr/local/bin/vault operator raft list-peers -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
\" > /root/raft-status.sh

    # make executable
    chmod +x /root/raft-status.sh

######## not working
#    # setup token renewals
#    echo \"
#if [ -s /root/login.token ]; then
#    LOGINTOKEN=\\\$(/bin/cat /root/login.token)
#    echo \\\$LOGINTOKEN | /usr/local/bin/vault token renew -address=https://\$VAULTLEADER:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem token=-
#else
#    echo "/root/login.token does not contain a token to be renewed."
#fi
#\" > /root/token-renew.sh
#
#    if [ -f /root/token-renew.sh ]; then
#        chmod +x /root/token-renew.sh
#    fi
#######

    # end follower config
    ;;

    # catch all, exit because bad VAULTTYPE
    *)
    echo \"there is a problem with the VAULTTYPE variable - set to unseal or leader or cluster\"
    exit 1
    # end catchall config
    ;;

esac

# end vault case statements #

# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION

# Do not touch this:
touch /usr/local/etc/pot-is-seasoned

# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we now after configuration block indefinitely
if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
then
    /bin/sh /etc/rc
    tail -f /dev/null
fi
" > /usr/local/bin/cook

# ----------------- END COOK ------------------


# ---------- NO NEED TO EDIT BELOW ------------

step "Make cook script executable"
if [ -e /usr/local/bin/cook ]
then
    echo "setting executable bit on /usr/local/bin/cook" | tee -a $COOKLOG
    chmod u+x /usr/local/bin/cook
else
    exit_error "there is no /usr/local/bin/cook to make executable"
fi

#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#

# Create rc.d script for "normal" mode:
step "Create rc.d script to start cook"
echo "creating rc.d script to start cook" | tee -a $COOKLOG

echo "#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name=\"cook\"
rcvar=\"cook_enable\"
load_rc_config \$name
: \${cook_enable:=\"NO\"}
: \${cook_env:=\"\"}
command=\"/usr/local/bin/cook\"
command_args=\"\"
run_rc_command \"\$1\"
" > /usr/local/etc/rc.d/cook

step "Make rc.d script to start cook executable"
if [ -e /usr/local/etc/rc.d/cook ]
then
  echo "Setting executable bit on cook rc file" | tee -a $COOKLOG
  chmod u+x /usr/local/etc/rc.d/cook
else
  exit_error "/usr/local/etc/rc.d/cook does not exist"
fi

if [ "$RUNS_IN_NOMAD" != "true" ]
then
  step "Enable cook service"
  # This is a non-nomad (non-blocking) jail, so we need to make sure the script
  # gets started when the jail is started:
  # Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
  echo "enabling cook" | tee -a $COOKLOG
  service cook enable
fi

# -------------------- DONE ---------------
exit_ok

vault/vault+1:
vault/vault+1.sh:

vault/vault+2:
vault/vault+2.sh:

vault/vault+3:
vault/vault+3.sh:

vault/vault+4:
vault/vault+4.sh:
Password:===>  Creating a new pot
===>  pot name : vault-amd64-13_0
===>  type : single
===>  base : 13.0
===>  pot_base :
===>  level : 0
===>  network-type : public-bridge
===>  network-stack: ipv4
===>  ip : 10.192.0.3
===>  bridge :
===>  dns : inherit
===>  flavours : fbsd-update vault vault+1 vault+2 vault+3 vault+4
===>  Fetching FreeBSD 13.0
===>  Extract the tarball
=====>  Flavour: fbsd-update
=====>  Starting vault-amd64-13_0 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
defaultrouter: NO -> 10.192.0.1
===>  Starting the pot vault-amd64-13_0
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:37:7c:d9:8a:0b
	inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Updating /var/run/os-release done.
Creating and/or trimming log files.
Clearing /tmp (X related).
Updating motd:.
Starting syslogd.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Aug  4 18:46:22 UTC 2021
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/tmp/fbsd-update.sh
=====>  Executing fbsd-update script on vault-amd64-13_0
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching public key from update1.freebsd.org... done.
Fetching metadata signature for 13.0-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 6 patches.... done.
Applying patches... done.
Fetching 6 files... ... done.
The following files will be added as part of updating to
13.0-RELEASE-p3:
/usr/include/c++/v1/barrier
/usr/include/c++/v1/concepts
/usr/include/c++/v1/execution
/usr/include/c++/v1/latch
/usr/include/c++/v1/numbers
/usr/include/c++/v1/semaphore
/usr/include/c++/v1/tr1/barrier
/usr/include/c++/v1/tr1/concepts
/usr/include/c++/v1/tr1/execution
/usr/include/c++/v1/tr1/latch
/usr/include/c++/v1/tr1/numbers
/usr/include/c++/v1/tr1/semaphore
The following files will be updated as part of updating to
13.0-RELEASE-p3:
/bin/freebsd-version
/lib/libcasper.so.1
/usr/bin/bc
/usr/bin/dc
/usr/lib/libradius.a
/usr/lib/libradius.so.4
/usr/lib/libradius_p.a
Installing updates...Scanning //usr/share/certs/blacklisted for certificates...
Scanning //usr/share/certs/trusted for certificates...
 done.
=====>  Stop the pot vault-amd64-13_0
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/dev
=====>  Flavour: vault
=====>  Executing vault pot commands on vault-amd64-13_0
=====>  mount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
/usr/local/etc/pot/flavours/vault.d/syslog-ng.conf -> /mnt/data/pot/jails/vault-amd64-13_0/m/root/syslog-ng.conf
=====>  Source /usr/local/etc/pot/flavours/vault.d/syslog-ng.conf copied in the pot vault-amd64-13_0
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
=====>  /mnt/data/pot/jails/vault-amd64-13_0/m/dev is already unmounted
=====>  Starting vault-amd64-13_0 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===>  Starting the pot vault-amd64-13_0
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:9f:32:c1:bf:0b
	inet 10.192.0.3 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Updating /var/run/os-release done.
Creating and/or trimming log files.
Clearing /tmp (X related).
Updating motd:.
Starting syslogd.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Aug  4 18:46:40 UTC 2021
/usr/local/etc/pot/flavours/vault.sh -> /mnt/data/pot/jails/vault-amd64-13_0/m/tmp/vault.sh
=====>  Executing vault script on vault-amd64-13_0
Creating /var/log/cook.log
Step 1: Bootstrap package repo
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.16.3...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.16.3: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly, please wait...
Step 2: Touch /etc/rc.conf
Step 3: Remove ifconfig_epair0b from config
Step 4: Disable sendmail
sendmail disabled in /etc/rc.conf
sendmail_submit disabled in /etc/rc.conf
sendmail_msp_queue disabled in /etc/rc.conf
Step 5: Enable SSH
sshd_enable: NO -> YES
Step 6: Create /usr/local/etc/rc.d
Step 7: Install package consul
Updating FreeBSD repository catalogue...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 30735 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	consul: 1.9.5

Number of packages to be installed: 1

The process will require 78 MiB more space.
27 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-1.9.5.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-1.9.5...
===> Creating groups.
Creating group 'consul' with gid '469'.
===> Creating users
Creating user 'consul' with uid '469'.
===> Creating homedir(s)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-1.9.5: ..... done
Step 8: Install package sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gettext-runtime: 0.21
	indexinfo: 0.3.1
	sudo: 1.9.7p1

Number of packages to be installed: 3

The process will require 7 MiB more space.
2 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Fetching sudo-1.9.7p1.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Fetching gettext-runtime-0.21.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Fetching indexinfo-0.3.1.txz: . done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Installing indexinfo-0.3.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Extracting indexinfo-0.3.1: .... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Installing gettext-runtime-0.21...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Extracting gettext-runtime-0.21: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Installing sudo-1.9.7p1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Extracting sudo-1.9.7p1: .......... done
Step 9: Install package node_exporter
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	node_exporter: 1.1.2

Number of packages to be installed: 1

The process will require 11 MiB more space.
3 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching node_exporter-1.1.2.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing node_exporter-1.1.2...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting node_exporter-1.1.2: .......... done
=====
Message from node_exporter-1.1.2:

--
If upgrading from a version of node_exporter <0.15.0 you'll need to update any
custom command line flags that you may have set as it now requires a
double-dash (--flag) instead of a single dash (-flag).
The collector flags in 0.15.0 have now been replaced with individual boolean
flags and the -collector.procfs` and -collector.sysfs` flags have been renamed
to --path.procfs and --path.sysfs respectively.
Step 10: Install package jq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	jq: 1.6
	oniguruma: 6.9.7.1

Number of packages to be installed: 2

The process will require 2 MiB more space.
500 KiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching jq-1.6.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching oniguruma-6.9.7.1.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Installing oniguruma-6.9.7.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting oniguruma-6.9.7.1: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Installing jq-1.6...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting jq-1.6: .......... done
Step 11: Install package jo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	jo: 1.4

Number of packages to be installed: 1

19 KiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching jo-1.4.txz: ... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing jo-1.4...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting jo-1.4: ...... done
Step 12: Install package curl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	ca_root_nss: 3.63
	curl: 7.77.0
	libnghttp2: 1.43.0

Number of packages to be installed: 3

The process will require 5 MiB more space.
2 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Fetching curl-7.77.0.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Fetching libnghttp2-1.43.0.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Fetching ca_root_nss-3.63.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Installing libnghttp2-1.43.0...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/3] Extracting libnghttp2-1.43.0: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Installing ca_root_nss-3.63...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/3] Extracting ca_root_nss-3.63: ........ done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Installing curl-7.77.0...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/3] Extracting curl-7.77.0: .......... done
=====
Message from ca_root_nss-3.63:

--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.


This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
Step 13: Install package openssl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	openssl: 1.1.1k_1,1

Number of packages to be installed: 1

The process will require 14 MiB more space.
4 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching openssl-1.1.1k_1,1.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing openssl-1.1.1k_1,1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting openssl-1.1.1k_1,1: .......... done
Step 14: Install package syslog-ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 11 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	e2fsprogs-libuuid: 1.46.2
	glib: 2.66.8,2
	json-c: 0.15_1
	libffi: 3.3_1
	libiconv: 1.16
	libxml2: 2.9.12
	mpdecimal: 2.5.1
	pcre: 8.44
	python38: 3.8.10
	readline: 8.1.1
	syslog-ng: 3.32.1

Number of packages to be installed: 11

The process will require 160 MiB more space.
24 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/11] Fetching syslog-ng-3.32.1.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/11] Fetching e2fsprogs-libuuid-1.46.2.txz: ..... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/11] Fetching pcre-8.44.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/11] Fetching json-c-0.15_1.txz: ........ done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [5/11] Fetching glib-2.66.8,2.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [6/11] Fetching libxml2-2.9.12.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [7/11] Fetching python38-3.8.10.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [8/11] Fetching mpdecimal-2.5.1.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [9/11] Fetching readline-8.1.1.txz: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [10/11] Fetching libffi-3.3_1.txz: ..... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [11/11] Fetching libiconv-1.16.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/11] Installing mpdecimal-2.5.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/11] Extracting mpdecimal-2.5.1: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/11] Installing readline-8.1.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [2/11] Extracting readline-8.1.1: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/11] Installing libffi-3.3_1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [3/11] Extracting libffi-3.3_1: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/11] Installing pcre-8.44...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [4/11] Extracting pcre-8.44: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [5/11] Installing libxml2-2.9.12...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [5/11] Extracting libxml2-2.9.12: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [6/11] Installing python38-3.8.10...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [6/11] Extracting python38-3.8.10: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [7/11] Installing libiconv-1.16...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [7/11] Extracting libiconv-1.16: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [8/11] Installing e2fsprogs-libuuid-1.46.2...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [8/11] Extracting e2fsprogs-libuuid-1.46.2: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [9/11] Installing json-c-0.15_1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [9/11] Extracting json-c-0.15_1: .......... done
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [10/11] Installing glib-2.66.8,2...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [10/11] Extracting glib-2.66.8,2: .......... done
No schema files found: doing nothing.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [11/11] Installing syslog-ng-3.32.1...
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [11/11] Extracting syslog-ng-3.32.1: .......... done
=====
Message from python38-3.8.10:

--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:

py38-gdbm       databases/py-gdbm@py38
py38-sqlite3    databases/py-sqlite3@py38
py38-tkinter    x11-toolkits/py-tkinter@py38
=====
Message from syslog-ng-3.32.1:

--
syslog-ng is now installed!  To replace FreeBSD's standard syslogd
(/usr/sbin/syslogd), complete these steps:

1. Create a configuration file named /usr/local/etc/syslog-ng.conf
   (a sample named syslog-ng.conf.sample has been included in
   /usr/local/etc). Note that this is a change in 2.0.2
   version, previous ones put the config file in
   /usr/local/etc/syslog-ng/syslog-ng.conf, so if this is an update
   move that file in the right place

2. Configure syslog-ng to start automatically by adding the following
   to /etc/rc.conf:

        syslog_ng_enable="YES"

3. Prevent the standard FreeBSD syslogd from starting automatically by
   adding a line to the end of your /etc/rc.conf file that reads:

        syslogd_enable="NO"

4. Shut down the standard FreeBSD syslogd:

     kill `cat /var/run/syslog.pid`

5. Start syslog-ng:

     /usr/local/etc/rc.d/syslog-ng start
Step 15: Install package vault
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	vault: 1.7.3

Number of packages to be installed: 1

The process will require 149 MiB more space.
49 MiB to be downloaded.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching vault-1.7.3.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Installing vault-1.7.3...
===> Creating groups.
Creating group 'vault' with gid '471'.
===> Creating users
Creating user 'vault' with uid '471'.
[vault-amd64-13_0.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting vault-1.7.3: ..... done
=====
Message from vault-1.7.3:

--
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:

pw usermod -L daemon -n vault

or delete the user and reinstall the package.

You may also need to increase memorylocked for the daemon class in
/etc/login.conf to 1024M or more and run:

cap_mkdb /etc/login.conf

Or to disable mlock, add:

disable_mlock = 1

to /usr/local/etc/vault.hcl
Step 16: Add vault user to daemon class
Step 17: Clean package installation
Checking integrity... done (0 conflicting)
Nothing to do.
The following package files will be deleted:
	/var/cache/pkg/indexinfo-0.3.1~d4818e637c.txz
	/var/cache/pkg/readline-8.1.1.txz
	/var/cache/pkg/json-c-0.15_1.txz
	/var/cache/pkg/node_exporter-1.1.2~fc91952053.txz
	/var/cache/pkg/curl-7.77.0.txz
	/var/cache/pkg/gettext-runtime-0.21.txz
	/var/cache/pkg/python38-3.8.10~779ca296e6.txz
	/var/cache/pkg/syslog-ng-3.32.1~6053da93ff.txz
	/var/cache/pkg/oniguruma-6.9.7.1~992ea8fca0.txz
	/var/cache/pkg/libnghttp2-1.43.0.txz
	/var/cache/pkg/openssl-1.1.1k_1,1~337a7460ed.txz
	/var/cache/pkg/glib-2.66.8,2.txz
	/var/cache/pkg/libffi-3.3_1.txz
	/var/cache/pkg/libiconv-1.16~58a485ac67.txz
	/var/cache/pkg/pcre-8.44~18fdb314f8.txz
	/var/cache/pkg/e2fsprogs-libuuid-1.46.2.txz
	/var/cache/pkg/mpdecimal-2.5.1~6a1530aa63.txz
	/var/cache/pkg/json-c-0.15_1~c9e6e8b4e3.txz
	/var/cache/pkg/curl-7.77.0~b352d1e3c3.txz
	/var/cache/pkg/syslog-ng-3.32.1.txz
	/var/cache/pkg/ca_root_nss-3.63.txz
	/var/cache/pkg/vault-1.7.3.txz
	/var/cache/pkg/jo-1.4.txz
	/var/cache/pkg/libxml2-2.9.12~808886ae95.txz
	/var/cache/pkg/mpdecimal-2.5.1.txz
	/var/cache/pkg/indexinfo-0.3.1.txz
	/var/cache/pkg/node_exporter-1.1.2.txz
	/var/cache/pkg/gettext-runtime-0.21~051ad548f7.txz
	/var/cache/pkg/sudo-1.9.7p1~f275c1822e.txz
	/var/cache/pkg/oniguruma-6.9.7.1.txz
	/var/cache/pkg/glib-2.66.8,2~9873f41b28.txz
	/var/cache/pkg/libiconv-1.16.txz
	/var/cache/pkg/openssl-1.1.1k_1,1.txz
	/var/cache/pkg/libnghttp2-1.43.0~e01ce95679.txz
	/var/cache/pkg/ca_root_nss-3.63~2e4dafd35f.txz
	/var/cache/pkg/sudo-1.9.7p1.txz
	/var/cache/pkg/libffi-3.3_1~ceb6b0f52a.txz
	/var/cache/pkg/libxml2-2.9.12.txz
	/var/cache/pkg/e2fsprogs-libuuid-1.46.2~ba64737474.txz
	/var/cache/pkg/consul-1.9.5.txz
	/var/cache/pkg/pcre-8.44.txz
	/var/cache/pkg/jq-1.6~48e58e6577.txz
	/var/cache/pkg/readline-8.1.1~f705aeb15c.txz
	/var/cache/pkg/python38-3.8.10.txz
	/var/cache/pkg/jo-1.4~4bab3e7b7a.txz
	/var/cache/pkg/consul-1.9.5~bde1e68fea.txz
	/var/cache/pkg/vault-1.7.3~e104fea0c0.txz
	/var/cache/pkg/jq-1.6.txz
The cleanup will free 111 MiB
Deleting files: .......... done
All done
Step 18: Remove pre-existing cook script (if any)
Step 19: Create cook script
Step 20: Make cook script executable
setting executable bit on /usr/local/bin/cook
Step 21: Create rc.d script to start cook
creating rc.d script to start cook
Step 22: Make rc.d script to start cook executable
Setting executable bit on cook rc file
Step 23: Enable cook service
enabling cook
cook enabled in /etc/rc.conf
=====>  Stop the pot vault-amd64-13_0
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/tmp
=====>  unmount /mnt/data/pot/jails/vault-amd64-13_0/m/dev
=====>  Flavour: vault+1
=====>  Executing vault+1 pot commands on vault-amd64-13_0
=====>  No shell script available for the flavour vault+1
=====>  Flavour: vault+2
=====>  Executing vault+2 pot commands on vault-amd64-13_0
=====>  No shell script available for the flavour vault+2
=====>  Flavour: vault+3
=====>  Executing vault+3 pot commands on vault-amd64-13_0
=====>  No shell script available for the flavour vault+3
=====>  Flavour: vault+4
=====>  Executing vault+4 pot commands on vault-amd64-13_0
=====>  No shell script available for the flavour vault+4

vault-amd64-12_2_2.0.35:


vault/vault:
copy-in -s /usr/local/etc/pot/flavours/vault.d/syslog-ng.conf -d /root
vault/vault.sh:
#!/bin/sh

# Based on POTLUCK TEMPLATE v3.0
# Altered by Michael Gmelin
#
# EDIT THE FOLLOWING FOR NEW FLAVOUR:
# 1. RUNS_IN_NOMAD - true or false
# 2. If RUNS_IN_NOMAD is false, can delete the <flavour>+4 file, else
#    make sure pot create command doesn't include it
# 3. Create a matching <flavour> file with this <flavour>.sh file that
#    contains the copy-in commands for the config files from <flavour>.d/
#    Remember that the package directories don't exist yet, so likely copy
#    to /root
# 4. Adjust package installation between BEGIN & END PACKAGE SETUP
# 5. Adjust jail configuration script generation between BEGIN & END COOK
#    Configure the config files that have been copied in where necessary

# Set this to true if this jail flavour is to be created as a nomad (i.e. blocking) jail.
# You can then query it in the cook script generation below and the script is installed
# appropriately at the end of this script
RUNS_IN_NOMAD=false

# set the cook log path/filename
COOKLOG=/var/log/cook.log

# check if cooklog exists, create it if not
if [ ! -e $COOKLOG ]
then
    echo "Creating $COOKLOG" | tee -a $COOKLOG
else
    echo "WARNING $COOKLOG already exists"  | tee -a $COOKLOG
fi
date >> $COOKLOG

# -------------------- COMMON ---------------

STEPCOUNT=0
step() {
  STEPCOUNT=$(expr "$STEPCOUNT" + 1)
  STEP="$@"
  echo "Step $STEPCOUNT: $STEP" | tee -a $COOKLOG
}

exit_ok() {
  trap - EXIT
  exit 0
}

FAILED=" failed"
exit_error() {
  STEP="$@"
  FAILED=""
  exit 1
}

set -e
trap 'echo ERROR: $STEP$FAILED | (>&2 tee -a $COOKLOG)' EXIT

# -------------- BEGIN PACKAGE SETUP -------------

step "Bootstrap package repo"
mkdir -p /usr/local/etc/pkg/repos
# we need latest for vault 1.7.3
#echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' \
echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly" }' \
  >/usr/local/etc/pkg/repos/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap

step "Touch /etc/rc.conf"
touch /etc/rc.conf

# this is important, otherwise running /etc/rc from cook will
# overwrite the IP address set in tinirc
step "Remove ifconfig_epair0b from config"
sysrc -cq ifconfig_epair0b && sysrc -x ifconfig_epair0b || true

step "Disable sendmail"
service sendmail onedisable

step "Enable SSH"
sysrc sshd_enable="YES"

step "Create /usr/local/etc/rc.d"
mkdir -p /usr/local/etc/rc.d

# we need consul for consul agent
step "Install package consul"
pkg install -y consul

step "Install package sudo"
pkg install -y sudo

step "Install package node_exporter"
pkg install -y node_exporter

step "Install package jq"
pkg install -y jq

step "Install package jo"
pkg install -y jo

step "Install package curl"
pkg install -y curl

step "Install package openssl"
pkg install -y openssl

step "Install package syslog-ng"
pkg install -y syslog-ng

step "Install package vault"
pkg install -y vault

step "Add vault user to daemon class"
pw usermod vault -G daemon

step "Clean package installation"
pkg autoremove -y
pkg clean -y

# -------------- END PACKAGE SETUP -------------

#
# Create configurations
#

#
# Now generate the run command script "cook"
# It configures the system on the first run by creating the config file(s)
# On subsequent runs, it only starts sleeps (if nomad-jail) or simply exits
#

# clear any old cook runtime file
step "Remove pre-existing cook script (if any)"
rm -f /usr/local/bin/cook

# this runs when image boots
# ----------------- BEGIN COOK ------------------

step "Create cook script"
echo "#!/bin/sh
RUNS_IN_NOMAD=$RUNS_IN_NOMAD
# declare this again for the pot image, might work carrying variable through like
# with above
COOKLOG=/var/log/cook.log
# No need to change this, just ensures configuration is done only once
if [ -e /usr/local/etc/pot-is-seasoned ]
then
    # If this pot flavour is blocking (i.e. it should not return),
    # we block indefinitely
    if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
    then
        /bin/sh /etc/rc
        tail -f /dev/null
    fi
    exit 0
fi

# ADJUST THIS: STOP SERVICES AS NEEDED BEFORE CONFIGURATION

# No need to adjust this:
# If this pot flavour is not blocking, we need to read the environment first from /tmp/environment.sh
# where pot is storing it in this case
if [ -e /tmp/environment.sh ]
then
    . /tmp/environment.sh
fi

#
# ADJUST THIS BY CHECKING FOR ALL VARIABLES YOUR FLAVOUR NEEDS:
#

# Check config variables are set
#
if [ -z \${DATACENTER+x} ]; then
    echo 'DATACENTER is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${NODENAME+x} ];
then
    echo 'NODENAME is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${CONSULSERVERS+x} ]; then
    echo 'CONSULSERVERS is unset - see documentation how to configure this flavour'
    exit 1
fi
if [ -z \${IP+x} ]; then
    echo 'IP is unset - see documentation how to configure this flavour'
    exit 1
fi
# GOSSIPKEY is a 32 byte, Base64 encoded key generated with consul keygen for the consul flavour.
# Re-used for nomad, which is usually 16 byte key but supports 32 byte, Base64 encoded keys
# We'll re-use the one from the consul flavour
if [ -z \${GOSSIPKEY+x} ];
then
    echo 'GOSSIPKEY is unset - see documentation how to configure this flavour, defaulting to preset encrypt key. Do not use this in production!'
    GOSSIPKEY='\"BY+vavBUSEmNzmxxS3k3bmVFn1giS4uEudc774nBhIw=\"'
fi
# this defaults to unseal. Other options are leader for a raft cluster leader, and cluster, for a raft cluster peer.
if [ -z \${VAULTTYPE+x} ];
then
    echo 'VAULTTYPE is unset - see documentation how to configure this flavour, defaulting to unseal instead of leader or follower.'
    VAULTTYPE=\"unseal\"
fi
# IP address of the unseal server
if [ -z \${UNSEALIP+x} ];
then
    echo 'UNSEALIP is unset - see documentation how to configure this flavour, defaulting to preset value. Do not use this in production!'
    UNSEALIP=\"127.0.0.1\"
fi
# Unwrap token to pass into cluster
if [ -z \${UNSEALTOKEN+x} ];
then
    echo 'UNSEALTOKEN is unset - see documentation how to configure this flavour, defaulting to unset value. Do not use this in production!'
    UNSEALTOKEN=\"unset\"
fi
# Vault leader IP
if [ -z \${VAULTLEADER+x} ];
then
    echo 'VAULTLEADER is unset - see documentation how to configure this flavour, defaulting to own IP.'
    VAULTLEADER=\"\$IP\"
fi
# Vault leader token
if [ -z \${LEADERTOKEN+x} ];
then
    echo 'LEADERTOKEN is unset - see documentation how to configure this flavour, defaulting to unset.'
    LEADERTOKEN=\"unset\"
fi
# optional logging to remote syslog server
if [ -z \${REMOTELOG+x} ];
then
    echo 'REMOTELOG is unset - see documentation how to configure this flavour with IP address of remote syslog server. Defaulting to 0'
    REMOTELOG=\"null\"
fi
# sftpuser credentials
if [ -z \${SFTPUSER+x} ];
then
    echo 'SFTPUSER is unset - see documentation how to configure this flavour with sftp user and pass. Defaulting to username: certuser'
    SFTPUSER=\"certuser\"
fi
# sftpuser password
if [ -z \${SFTPPASS+x} ];
then
    echo 'SFTPPASS is unset - see documentation how to configure this flavour with sftp user and pass. Defaulting to password: c3rtp4ss'
    SFTPPASS=\"c3rtp4ss\"
fi
# ip subnet to generate temporary short-lived certificates for
if [ -z \${SFTPNETWORK+x} ];
then
    echo 'SFTPNETWORK is unset - see documentation how to configure this flavour with IP range to generate short-lived temporary certificates for. Defaulting to IP address'
    SFTPNETWORK=\"\$IP\"
fi

# ADJUST THIS BELOW: NOW ALL THE CONFIGURATION FILES NEED TO BE CREATED:
# Don't forget to double(!)-escape quotes and dollar signs in the config files

# setup directories for vault usage
mkdir -p /mnt/templates
mkdir -p /mnt/certs/hash
mkdir -p /mnt/vault

## start Vault

# first remove any existing vault configuration
if [ -f /usr/local/etc/vault/vault-server.hcl ]; then
    rm /usr/local/etc/vault/vault-server.hcl
fi
# then setup a fresh vault.hcl specific to the type of image

# default FreeBSD vault.hcl is /usr/local/etc/vault.hcl and
# the init script /usr/local/etc/rc.d/vault refers to this
# but many vault docs refer to /usr/local/etc/vault/vault-server.hcl
# or similar

# Create vault configuration file
# Three types of vault servers
# - unseal (unseal node)
# - leader (raft cluster leader)
# - cluster (raft cluster member)

case \$VAULTTYPE in

  ### Vault type: Unseal Node - no consul or node_template setup
  unseal)
    export VAULT_CLIENT_TIMEOUT=300s

    #begin vault config
    echo \"disable_mlock = true
ui = true
# enable when vnet interface in use by pot
#listener \\\"tcp\\\" {
#  address = \\\"127.0.0.1:8200\\\"
#  tls_disable = 1
#}
listener \\\"tcp\\\" {
  address = \\\"\$IP:8200\\\"
  tls_disable = 1
  telemetry {
    unauthenticated_metrics_access = true
  }
}
# make sure you create a zfs partition and mount it into /mnt
# if you want persistent vault data
# if using another directory update this path accordingly
storage \\\"file\\\" {
  path    = \\\"/mnt/vault/\\\"
}
log_level = \\\"Debug\\\"
api_addr = \\\"http://\$IP:8200\\\"
\" > /usr/local/etc/vault.hcl

    # setup autounseal config
    echo \"path \\\"transit/encrypt/autounseal\\\" {
  capabilities = [ \\\"update\\\" ]
}
path \\\"transit/decrypt/autounseal\\\" {
  capabilities = [ \\\"update\\\" ]
}
\" > /root/autounseal.hcl

    # set permissions on /mnt for vault data
    chown -R vault:wheel /mnt/

    # remove the copied in rotate-certs.sh file, not needed on unseal node
    if [ -f /root/rotate-certs.sh ]; then
        rm -f /root/rotate-certs.sh
    fi

    # setup rc.conf entries
    # we do not set vault_user=vault because vault will not start
    sysrc vault_enable=yes
    sysrc vault_login_class=root
    sysrc vault_syslog_output_enable=\"YES\"
    sysrc vault_syslog_output_priority=\"warn\"

    # setup some automation scripts
    echo \"#!/bin/sh
/usr/local/bin/vault audit enable -address=http://\$IP:8200 file file_path=/mnt/audit.log
/usr/local/bin/vault secrets enable -address=http://\$IP:8200 transit
/usr/local/bin/vault write -address=http://\$IP:8200 -f transit/keys/autounseal
/usr/local/bin/vault policy write -address=http://\$IP:8200 autounseal /root/autounseal.hcl
\" > /root/setup-autounseal.sh

    chmod +x /root/setup-autounseal.sh

    # setup quick way to issue unseal tokens
    echo \"#!/bin/sh
/usr/local/bin/vault token create -address=http://\$IP:8200 -policy=\\\"autounseal\\\" -wrap-ttl=24h
\" > /root/issue-unseal.sh

    chmod +x /root/issue-unseal.sh

    # setup a quick way to check vault status
    echo \"#!/bin/sh
/usr/local/bin/vault status -address=http://\$IP:8200
\" > /root/vault-status.sh

    chmod +x /root/vault-status.sh

    # start vault
    echo \"Starting Vault Unseal Node\"
    /usr/local/etc/rc.d/vault start

    echo \"------------------------------------------------------------------------------------------\"
    echo \"Unseal node is almost complete, you must now login and manually run the following\"
    echo \"commands to complete the setup:\"
    echo \" \"
    echo \"  vault operator init -address=http://\$IP:8200\"
    echo \"  vault operator unseal -address=http://\$IP:8200\"
    echo \"     (paste key1)\"
    echo \"  vault operator unseal -address=http://\$IP:8200\"
    echo \"     (paste key2)\"
    echo \"  vault operator unseal -address=http://\$IP:8200\"
    echo \"     (paste key3)\"
    echo \"  vault login -address=http://\$IP:8200\"
    echo \"     (use token from operator init)\"
    echo \" \"
    echo \" Then run /root/setup-autounseal.sh to automatically run each of the following 4 steps \"
    echo \"  vault audit enable -address=http://\$IP:8200 file file_path=/mnt/audit.log\"
    echo \"  vault secrets enable -address=http://\$IP:8200 transit\"
    echo \"  vault write -address=http://\$IP:8200 -f transit/keys/autounseal\"
    echo \"  vault policy write -address=http://\$IP:8200 autounseal /root/autounseal.hcl\"
    echo \" \"
    echo \"Unseal node is setup\"
    echo \" \"
    echo \"To issue unseal tokens for each RAFT cluster node, run /root/issue-unseal.sh or manually run:\"
    echo \" \"
    echo \"  vault token create -address=http://\$IP:8200 -policy=\\\"autounseal\\\" -wrap-ttl=24h\"
    echo \" \"
    echo \"You must run this for each node in your cluster. Every node needs an unseal token.\"
    echo \"------------------------------------------------------------------------------------------\"
    # end unseal config
    ;;

    ### Vault type: RAFT Leader
    leader)

    export VAULT_CLIENT_TIMEOUT=300s
    export VAULT_MAX_RETRIES=5

    # setup chroot directory for use by sftp, gets wiped on reboot
    mkdir -p /tmpcerts
    chown root:wheel /tmpcerts
    chmod 755 /tmpcerts

    # begin sftpuser configuration
    echo \"Setting up ssh and sftp\"
    echo \"Port 8888
PubkeyAuthentication yes
AuthorizedKeysFile       .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
StrictModes no
UseDNS no
Banner none
AllowUsers sample
#LogLevel DEBUG
AllowAgentForwarding yes
PermitTTY yes
AllowUsers \$SFTPUSER

Match User \$SFTPUSER
  ChrootDirectory /tmpcerts
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
\" >> /etc/ssh/sshd_config

    # setup host keys
    echo \"Manually setting up host keys\"
    cd /etc/ssh
    /usr/bin/ssh-keygen -A
    cd /

    # setup a user
    /usr/sbin/pw useradd -n \$SFTPUSER -c 'certificate user' -m -s /bin/sh -h 0 <<EOP
\$SFTPPASS
EOP

    # setup user ssh key to be exported for use elsewhere
    echo \"Setting up \$SFTPUSER ssh keys\"
    mkdir -p /home/\$SFTPUSER/.ssh
    /usr/bin/ssh-keygen -q -N '' -f /home/\$SFTPUSER/.ssh/id_rsa -t rsa
    chmod 700 /home/\$SFTPUSER/.ssh
    cat /home/\$SFTPUSER/.ssh/id_rsa.pub > /home/\$SFTPUSER/.ssh/authorized_keys
    chmod 700 /home/\$SFTPUSER/.ssh
    chmod 600 /home/\$SFTPUSER/.ssh/id_rsa
    chmod 644 /home/\$SFTPUSER/.ssh/authorized_keys
    chown \$SFTPUSER:\$SFTPUSER /home/\$SFTPUSER/.ssh

    echo \"\"
    echo \"########################### IMPORTANT NOTICE ###########################\"
    echo \"\"
    echo \"You must copy /home/\$SFTPUSER/.ssh/id_rsa OUT of this vault image, and\"
    echo \"then copy IN to all other images' (to /root/.ssh/id_rsa) which need to\"
    echo \"login to vault and get certificates issued!\"
    echo \"\"
    echo \"This is required so that tls-client-validation is always enforced.\"
    echo \"Round 1: temp certificates for vault leader login tls-client-validation\"
    echo \"Round 2: get certificates from vault for vault agent and applications\"
    echo \"\"
    echo \"########################################################################\"
    echo \"\"

    # restart ssh
    echo \"Restarting ssh\"
    /etc/rc.d/sshd restart

    # begin vault config
    echo \"disable_mlock = true
ui = true
# enable when vnet interface in use by pot
#listener \\\"tcp\\\" {
#  address = \\\"127.0.0.1:8200\\\"
#  tls_disable = 1
#}
listener \\\"tcp\\\" {
  address = \\\"\$IP:8200\\\"
  cluster_address = \\\"\$IP:8201\\\"
  telemetry {
    unauthenticated_metrics_access = true
  }
  # set to zero to enable TLS only
  tls_disable = 1
  #xyz#tls_skip_verify = false
  #xyz#tls_require_and_verify_client_cert = true
  #xyz#tls_client_ca_file = \\\"/mnt/certs/ca.pem\\\"
  #xyz#tls_cert_file = \\\"/mnt/certs/cert.pem\\\"
  #xyz#tls_key_file = \\\"/mnt/certs/key.pem\\\"
}
# make sure you create a zfs partition and mount it into /mnt
# if you want persistent vault data
# if using another directory update this path accordingly
storage \\\"raft\\\" {
  path    = \\\"/mnt/vault/\\\"
  node_id = \\\"\$NODENAME\\\"
  autopilot_reconcile_interval = \\\"5s\\\"
  retry_join {
    leader_api_addr = \\\"http://\$VAULTLEADER:8200\\\"
    #xyz#leader_ca_cert_file = \\\"/mnt/certs/ca.pem\\\"
    #xyz#leader_client_cert_file = \\\"/mnt/certs/cert.pem\\\"
    #xyz#leader_client_key_file = \\\"/mnt/certs/key.pem\\\"
  }
}
seal \\\"transit\\\" {
  address = \\\"http://\$UNSEALIP:8200\\\"
  disable_renewal = \\\"false\\\"
  key_name = \\\"autounseal\\\"
  mount_path = \\\"transit/\\\"
  token = \\\"UNWRAPPEDTOKEN\\\"
}
telemetry {
  disable_hostname = true
  prometheus_retention_time = \\\"24h\\\"
}
#brb#service_registration \\\"consul\\\" {
#brb#  address = \\\"\$IP:8500\\\"
#brb#  scheme = \\\"http\\\"
#brb#  service = \\\"vault\\\"
#brb#  tls_ca_file = \\\"/mnt/certs/combinedca.pem\\\"
#brb#  tls_cert_file = \\\"/mnt/certs/cert.pem\\\"
#brb#  tls_key_file = \\\"/mnt/certs/key.pem\\\"
#brb#}
pid_file = \\\"/var/run/vault.pid\\\"
log_format = \\\"standard\\\"
log_level = \\\"Debug\\\"
api_addr = \\\"http://\$IP:8200\\\"
cluster_addr = \\\"http://\$IP:8201\\\"
\" > /usr/local/etc/vault.hcl

    # set permissions on /mnt for vault data
    chown -R vault:wheel /mnt/vault

    # setup rc.conf entries
    # we do not set vault_user=vault because vault will not start
    sysrc vault_enable=yes
    sysrc vault_login_class=root
    sysrc vault_syslog_output_enable=\"YES\"
    sysrc vault_syslog_output_priority=\"warn\"

    # set vault timeout
    export VAULT_CLIENT_TIMEOUT=300s

    # if we need to autounseal with passed in unwrap token
    # vault unwrap [options] [TOKEN]
    /usr/local/bin/vault unwrap -address=http://\$UNSEALIP:8200 -format=json \$UNSEALTOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/unwrapped.token
    if [ -s /root/unwrapped.token ]; then
        THIS_TOKEN=\$(/bin/cat /root/unwrapped.token)
        /usr/bin/sed -i .orig \"/UNWRAPPEDTOKEN/s/UNWRAPPEDTOKEN/\$THIS_TOKEN/g\" /usr/local/etc/vault.hcl
    fi

    # start vault
    echo \"Starting Vault Leader\"
    /usr/local/etc/rc.d/vault start

    # login
    echo \"Logging in to unseal vault\"
    /usr/local/bin/vault login -address=http://\$UNSEALIP:8200 -format=json \$THIS_TOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/this.token
    sleep 5
    echo \"initiating raft cluster with operator init\"

    # perform operator init on unsealed node and get recovery keys instead of unseal keys, save to file
    /usr/local/bin/vault operator init -address=http://\$IP:8200 -format=json > /root/recovery.keys

    # set some variables from the saved file
    # the saved file may be a security risk?
    echo \"Setting variables from recovery.keys\"
    KEY1=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.recovery_keys_b64[0]')
    KEY2=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.recovery_keys_b64[1]')
    KEY3=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.recovery_keys_b64[2]')
    KEY4=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.recovery_keys_b64[3]')
    KEY5=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.recovery_keys_b64[4]')
    ROOTKEY=\$(/bin/cat /root/recovery.keys | /usr/local/bin/jq -r '.root_token')

    echo \"Unsealing raft cluster\"
    /usr/local/bin/vault operator unseal -address=http://\$IP:8200 \$KEY1
    /usr/local/bin/vault operator unseal -address=http://\$IP:8200 \$KEY2
    /usr/local/bin/vault operator unseal -address=http://\$IP:8200 \$KEY3
    # uncomment this if more than 3 keys required to unseal
    #/usr/local/bin/vault operator unseal -address=http://\$IP:8200 \$KEY4
    #/usr/local/bin/vault operator unseal -address=http://\$IP:8200 \$KEY5

    echo \"Please wait for cluster...\"
    sleep 6

    # The vault documentation says this is not done on first node, but raft only works if it is!
    echo \"Joining the raft cluster\"
    /usr/local/bin/vault operator raft join -address=http://\$IP:8200
    # we need to wait a period for the cluster to initialise correctly and elect leader
    # cluster requires 10 seconds to bootstrap, even if single server, we can only login after
    echo \"Please wait for raft cluster to contemplate self...\"
    sleep 12

    echo \"Logging in to local raft instance\"
    echo \"\$ROOTKEY\" | /usr/local/bin/vault login -address=http://\$IP:8200 -method=token -field=token token=- > /root/login.token

    if [ -s /root/login.token ]; then
        TOKENOUT=\$(/bin/cat /root/login.token)
        echo \"Your new login token is \$TOKENOUT\"
        echo \"Also available in /root/login.token\"

        # setup logging
        echo \"enabling /mnt/audit.log\"
        /usr/local/bin/vault audit enable -address=http://\$IP:8200 file file_path=/mnt/audit.log

        # enable pki and become a CA
        echo \"Setting up raft cluster CA\"
        echo \"\"
        # tweak raft autopilot settings
        # requires vault 1.7
        /usr/local/bin/vault operator raft autopilot set-config -address=http://\$IP:8200 -dead-server-last-contact-threshold=10s -server-stabilization-time=30s -cleanup-dead-servers=true -min-quorum=3

        # vault secrets enable [options] TYPE
        # enable the pki secrets engine at the pki path
        echo \"Enabling PKI\"
        /usr/local/bin/vault secrets enable -address=http://\$IP:8200 pki

        # vault secrets tune [options] PATH
        # Tune the pki secrets engine to issue certificates with a maximum time-to-live (TTL) of 87600 hours (10 years)
        echo \"Tuning PKI\"
        /usr/local/bin/vault secrets tune -max-lease-ttl=87600h -address=http://\$IP:8200 pki/

        # enable cert authentication, currently disabled
        echo \"Enabling certificate authentication\"
        /usr/local/bin/vault auth enable -address=http://\$IP:8200 cert

        # vault write [options] PATH [DATA K=V...]
        # Generate the root CA, extracting the root CA certificate to CA_cert.pem in pem format
        # note: the secret key is not exported
        echo \"Generating internal certificate\"
        /usr/local/bin/vault write -address=http://\$IP:8200 -field=certificate pki/root/generate/internal common_name=\"\$DATACENTER\" ttl=\"87600h\" format=pem exclude_cn_from_sans=true > /mnt/certs/CA_cert.pem
        # we need this newline for combining certs later
        echo \"\" >> /mnt/certs/CA_cert.pem
        # configure the CA and CRL endpoints
        echo \"Writing certificate URLs\"
        /usr/local/bin/vault write -address=http://\$IP:8200 pki/config/urls issuing_certificates=\"http://\$IP:8200/v1/pki/ca\" crl_distribution_points=\"http://\$IP:8200/v1/pki/crl\"

        # setup intermediate CA
        echo \"Setting up raft cluster intermediate CA\"
        # vault secrets enable [options] TYPE
        # enable the pki secrets engine at the pki_int path
        echo \"Enabling PKI Intermediate\"
        /usr/local/bin/vault secrets enable -address=http://\$IP:8200 -path=pki_int pki

        # vault secrets tune [options] PATH
        # tune the secrets engine to issue certificates with a maximum time-to-live (TTL) of 43800 hours (5 years)
        echo \"Tuning PKI Intermediate\"
        /usr/local/bin/vault secrets tune -max-lease-ttl=43800h -address=http://\$IP:8200 pki_int/

        # vault write [options] PATH [DATA K=V...]
        # generate an intermediate certificate and save the CSR
        echo \"Writing intermediate certificate to file\"
        /usr/local/bin/vault write -address=http://\$IP:8200 -format=json pki_int/intermediate/generate/exported common_name=\"\$DATACENTER Intermediate Authority\" format=pem exclude_cn_from_sans=true > /mnt/certs/pki_intermediate.pem
        # Extract the private key & certificate signing request from the previous command
        /usr/local/bin/jq -r '.data.private_key' < /mnt/certs/pki_intermediate.pem > /mnt/certs/intermediate.key.pem
        /usr/local/bin/jq -r '.data.csr' < /mnt/certs/pki_intermediate.pem > /mnt/certs/pki_intermediate.csr

        # Sign the intermediate certificate with the root certificate and save the generated certificate as intermediate.cert.pem
        echo \"Signing intermediate certificate\"
        /usr/local/bin/vault write -address=http://\$IP:8200 -format=json pki/root/sign-intermediate csr=@/mnt/certs/pki_intermediate.csr format=pem_bundle ttl=\"43800h\" | /usr/local/bin/jq -r '.data.certificate' > /mnt/certs/intermediate.cert.pem

        # once CSR signed and root CA returns certificate, import back into vault
        echo \"Storing intermediate certificate\"
        /usr/local/bin/vault write -address=http://\$IP:8200 pki_int/intermediate/set-signed certificate=@/mnt/certs/intermediate.cert.pem

        # combine intermediate certs and root CA into chain
        cat /mnt/certs/intermediate.cert.pem > /mnt/certs/intermediate.chain.pem
        cat /mnt/certs/CA_cert.pem >> /mnt/certs/intermediate.chain.pem

        # setup roles
        echo \"Setting up roles\"
        # vault write [options] PATH [DATA K=V...]
        # setup roles to enable certificate issue
        /usr/local/bin/vault write -address=http://\$IP:8200 pki_int/roles/\$DATACENTER allow_any_name=true allow_bare_domains=true allow_subdomains=true max_ttl=\"720h\" require_cn=false generate_lease=true allow_ip_sans=true allow_localhost=true enforce_hostnames=false 
        /usr/local/bin/vault write -address=http://\$IP:8200 pki_int/issue/\$DATACENTER common_name=\"\$DATACENTER\" ttl=\"24h\"
        /usr/local/bin/vault write -address=http://\$IP:8200 pki/roles/\$DATACENTER allow_any_name=true allow_bare_domains=true allow_subdomains=true max_ttl=\"72h\" require_cn=false allow_ip_sans=true allow_localhost=true enforce_hostnames=false 

        # set policy in a file, will import next
        # this needs a review, from multiple sources
        echo \"Writing detailed vault policy to file /root/vault.policy\"
        echo \"
path \\\"sys/mounts/*\\\" { capabilities = [ \\\"create\\\", \\\"read\\\", \\\"update\\\", \\\"delete\\\", \\\"list\\\"] }
path \\\"sys/mounts\\\" { capabilities = [ \\\"read\\\", \\\"list\\\"] }
path \\\"auth/token/roles/\$DATACENTER\\\" { capabilities = [ \\\"read\\\", \\\"update\\\"] }
path \\\"auth/token/revoke-accessor\\\" { capabilities = [ \\\"update\\\"] }
path \\\"auth/token/create/*\\\" { capabilities = [ \\\"update\\\"] }
path \\\"pki/cert/ca\\\" { capabilities = [\\\"read\\\"] }
path \\\"pki*\\\" { capabilities = [\\\"read\\\", \\\"list\\\", \\\"update\\\", \\\"delete\\\", \\\"list\\\", \\\"sudo\\\"] }
path \\\"pki/roles/\$DATACENTER\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki/sign/\$DATACENTER\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki_int/roles/\$DATACENTER\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki_int/sign/\$DATACENTER\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki_int/issue/*\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki_int/certs/\\\" { capabilities = [\\\"list\\\"] }
path \\\"pki_int/revoke\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
path \\\"pki_int/tidy\\\" { capabilities = [\\\"create\\\", \\\"update\\\"] }
\" > /root/vault.policy

        echo \"Writing vault policy to Vault\"
        # vault policy write [options] NAME PATH
        /usr/local/bin/vault policy write -address=http://\$IP:8200 pki /root/vault.policy

        # setup role
        /usr/local/bin/vault write -address=http://\$IP:8200 auth/token/roles/\$DATACENTER allowed_policies=\"pki\" orphan=true period=\"24h\"
    fi

    # setup template files for certificates
    # this is not currently in use, using cron job to rotate certs
    # it also doesn't hash the ca.pem file, which cron job does
    echo \"{{- /* /mnt/templates/cert.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.certificate }}{{ end }}
\" > /mnt/templates/cert.tpl

    echo \"{{- /* /mnt/templates/ca.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" }}
{{ .Data.issuing_ca }}{{ end }}
\" > /mnt/templates/ca.tpl

    echo \"{{- /* /mnt/templates/key.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.private_key }}{{ end }}
\" > /mnt/templates/key.tpl

# removed as not using vault to renew currently
#    # update vault.hcl
#    echo \"template {
#  source = \\\"/mnt/templates/cert.tpl\\\"
#  destination = \\\"/mnt/certs/cert.pem\\\"
#}
#template {
#  source = \\\"/mnt/templates/ca.tpl\\\"
#  destination = \\\"/mnt/certs/ca.pem\\\"
#}
#template {
#  source = \\\"/mnt/templates/key.tpl\\\"
#  destination = \\\"/mnt/certs/key.pem\\\"
#}
#\" >> /usr/local/etc/vault.hcl

##### removed
#	# using this payload.json approach to avoid nested single and double quotes for expansion
#    echo \"{
#  \\\"common_name\\\": \\\"\$IP\\\",
#  \\\"alt_names\\\": \\\"\$NODENAME\\\",
#  \\\"ttl\\\": \\\"24h\\\",
#  \\\"ip_sans\\\": \\\"\$IP,127.0.0.1\\\",
#  \\\"format\\\": \\\"pem\\\"
#}\" > /mnt/templates/payload.json
#####

    # new payload approach, using jo to generate json
    /usr/local/bin/jo -p common_name=\$IP alt_names=\$NODENAME ttl=24h ip_sans=\"\$IP,127.0.0.1\" format=pem > /mnt/templates/payload.json

    # generate certificates to use
    # we use curl to get the certificates in json format as the issue command only has formats: pem, pem_bundle, der
    # but no json format except via the API
    if [ -s /root/login.token ]; then
        HEADER=\$(/bin/cat /root/login.token)
        /usr/local/bin/curl --header \"X-Vault-Token: \$HEADER\" --request POST --data @/mnt/templates/payload.json http://\$IP:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json
        # extract the required certificates to individual files
        /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
        /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
        /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem
        /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
        cd /mnt/certs
        # concat the root CA and intermediary CA into combined file
        cat CA_cert.pem ca.pem > combinedca.pem
        # steps here to hash ca
        ln -s ca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
        ln -s combinedca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
        cd /root
        # set permissions on /mnt/certs for vault
        chown -R vault:wheel /mnt/certs
        # validate the certificates
        echo \"Validating client certificate\"
        if [ -s /mnt/certs/combinedca.pem ] && [ -s /mnt/certs/cert.pem ]; then
            /usr/bin/openssl verify -CAfile /mnt/certs/combinedca.pem /mnt/certs/cert.pem
        fi
    fi

    # if we get a successful private key, update vault.hcl and restart vault
    if [ -s /mnt/certs/key.pem ]; then
        # enable TLS by removing the config line disabling it
        /usr/bin/sed -i .orig 's/tls_disable = 1/tls_disable = 0/g' /usr/local/etc/vault.hcl

        # update http to https, this will include leader_api_addr
        /usr/bin/sed -i .orig '/api_addr/s/http/https/' /usr/local/etc/vault.hcl
        /usr/bin/sed -i .orig '/cluster_addr/s/http/https/' /usr/local/etc/vault.hcl

        # remove the comment #xyz# to enable certificates
        /usr/bin/sed -i .orig 's/#xyz#tls/tls/g' /usr/local/etc/vault.hcl
        /usr/bin/sed -i .orig 's/#xyz#leader/leader/g' /usr/local/etc/vault.hcl

        # enable consul components
        /usr/bin/sed -i .orig 's/#brb#//g' /usr/local/etc/vault.hcl

        # optional remote logging
        if [ ! -z \$REMOTELOG ] && [ \$REMOTELOG != \"null\" ]; then
            if [ -f /root/syslog-ng.conf ]; then
                /usr/bin/sed -i .orig \"s/REMOTELOGIP/\$REMOTELOG/g\" /root/syslog-ng.conf
                cp -f /root/syslog-ng.conf /usr/local/etc/syslog-ng.conf
                # stop syslogd
                service syslogd onestop || true
                # setup sysrc entries to start and set parameters to accept logs from remote subnet
                sysrc syslogd_enable=\"NO\"
                sysrc syslog_ng_enable=\"YES\"
                #sysrc syslog_ng_flags=\"-u daemon\"
                sysrc syslog_ng_flags=\"-R /tmp/syslog-ng.persist\"
                /usr/local/etc/rc.d/syslog-ng start
                echo \"syslog-ng setup complete\"
            else
                echo \"/root/syslog-ng.conf is missing?\"
            fi
        else
            echo \"REMOTELOG parameter is not set to an IP address. syslog-ng won't operate.\"
        fi

        ## start consul config
        # make consul configuration directory and set permissions
        mkdir -p /usr/local/etc/consul.d
        chmod 750 /usr/local/etc/consul.d

        # Create the consul agent config file with imported variables
        echo \"{
\\\"advertise_addr\\\": \\\"\$IP\\\",
\\\"datacenter\\\": \\\"\$DATACENTER\\\",
\\\"node_name\\\": \\\"\$NODENAME\\\",
\\\"data_dir\\\":  \\\"/var/db/consul\\\",
\\\"dns_config\\\": {
  \\\"a_record_limit\\\": 3,
  \\\"enable_truncate\\\": true
},
\\\"verify_incoming\\\": true,
\\\"verify_outgoing\\\": true,
\\\"verify_server_hostname\\\": false,
\\\"verify_incoming_rpc\\\":true,
\\\"ca_file\\\": \\\"/mnt/certs/combinedca.pem\\\",
\\\"cert_file\\\": \\\"/mnt/certs/cert.pem\\\",
\\\"key_file\\\": \\\"/mnt/certs/key.pem\\\",
\\\"log_file\\\": \\\"/var/log/consul/\\\",
\\\"log_level\\\": \\\"WARN\\\",
\\\"encrypt\\\": \$GOSSIPKEY,
\\\"start_join\\\": [ \$CONSULSERVERS ],
\\\"service\\\": {
  \\\"name\\\": \\\"node-exporter\\\",
  \\\"tags\\\": [\\\"_app=vault\\\", \\\"_service=node-exporter\\\", \\\"_hostname=\$NODENAME\\\"],
  \\\"port\\\": 9100
}
}\" > /usr/local/etc/consul.d/agent.json

        # set owner and perms on agent.json
        chown consul:wheel /usr/local/etc/consul.d/agent.json
        chmod 640 /usr/local/etc/consul.d/agent.json

        # enable consul
        sysrc consul_enable=\"YES\"

        # set load parameter for consul config
        sysrc consul_args=\"-config-file=/usr/local/etc/consul.d/agent.json\"
        #sysrc consul_datadir=\"/var/db/consul\"

        # Workaround for bug in rc.d/consul script:
        sysrc consul_group=\"wheel\"

        # setup consul logs, might be redundant if not specified in agent.json above
        mkdir -p /var/log/consul
        touch /var/log/consul/consul.log
        chown -R consul:wheel /var/log/consul

        # add the consul user to the wheel group, this seems to be required for
        # consul to start on this instance. May need to figure out why.
        # I'm not entirely sure this is the correct way to do it
        /usr/sbin/pw usermod consul -G wheel

        ## end consul

        # start consul agent
        /usr/local/etc/rc.d/consul start

        # node exporter needs tls setup
        echo \"tls_server_config:
  cert_file: /mnt/certs/cert.pem
  key_file: /mnt/certs/key.pem
\" > /usr/local/etc/node-exporter.yml

        # enable node_exporter service
        sysrc node_exporter_enable=\"YES\"
        sysrc node_exporter_args=\"--web.config=/usr/local/etc/node-exporter.yml\"

        # start node_exporter
        /usr/local/etc/rc.d/node_exporter start

        # restart vault, requires SIGHUP
        echo \"We must restart vault to enable https\"
        /usr/local/etc/rc.d/vault restart
    fi

    # there is a problem with generating client certs too early after vault restart
    # we need a strategic delay, like with most vault issues, otherwise initial certificates will get error
    #ERR#  unable to load certificate
    #ERR#  34374492160:error:0909006C:PEM routines:get_name:no start line:/usr/src/crypto/openssl/crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
    #
    echo \"\"
    echo \"Strategic delay. Please wait 20s\"
    sleep 5
    echo \"\"
    echo \"In a moment certificates will be generated for 253 hosts in the network \$SFTPNETWORK. This will take a while to complete.\"
    sleep 5
    echo \"\"
    echo \"Starting in 10s.   >>> Did you know a group of cats is called a clowder?\"
    sleep 5
    echo \"\"
    echo \"Starting in 5s.    >>> Sysadmin Day is always on the last Friday of July!\"
    sleep 5
    # setup temp certs for client first login
    # destination is /tmpcerts/$IP/cert.pem | /tmpcerts/$IP/key.pem | | /tmpcerts/$IP/cat.pem
    echo \"\"
    echo \"Building SFTPNETWORK list\"
    echo \"\"
    TRIMNETWORK=\$(echo \$SFTPNETWORK | sed 's/\.[0-9]*$//')
    SEQNETWORK=\$(/usr/bin/seq -f \"\$TRIMNETWORK.%g\" 1 253)
    # diagnostic
    echo \$SEQNETWORK > /tmpcerts/iplist.txt
    # generate certificates per host
    for sftphost in \$SEQNETWORK; do
        mkdir -p /tmpcerts/\$sftphost
        # use jo to generate payload.json file
        /usr/local/bin/jo -p common_name=\$sftphost ttl=2h ip_sans=\"\$sftphost,127.0.0.1\" format=pem > /tmpcerts/\$sftphost/payload.json
        if [ -s /root/login.token ]; then
            echo \"Generating 2 hour ttl client cert for ip \$sftphost in /tmpcerts/\$sftphost/...\"
            HEADER=\$(/bin/cat /root/login.token)
            /usr/local/bin/curl --silent --cacert /mnt/certs/ca.pem --cert /mnt/certs/cert.pem --key /mnt/certs/key.pem --header \"X-Vault-Token: \$HEADER\" --request POST --data @/tmpcerts/\$sftphost/payload.json https://\$IP:8200/v1/pki_int/issue/\$DATACENTER > /tmpcerts/\$sftphost/vaultissue.json
            # extract the required certificates to individual files
            /usr/local/bin/jq -r '.data.certificate' /tmpcerts/\$sftphost/vaultissue.json > /tmpcerts/\$sftphost/cert.pem
            /usr/local/bin/jq -r '.data.issuing_ca' /tmpcerts/\$sftphost/vaultissue.json >> /tmpcerts/\$sftphost/cert.pem
            /usr/local/bin/jq -r '.data.private_key' /tmpcerts/\$sftphost/vaultissue.json > /tmpcerts/\$sftphost/key.pem
            /usr/local/bin/jq -r '.data.issuing_ca' /tmpcerts/\$sftphost/vaultissue.json > /tmpcerts/\$sftphost/ca.pem
            # concat the root CA and intermediary CA into combined file
            cat /mnt/certs/CA_cert.pem /tmpcerts/\$sftphost/ca.pem > /tmpcerts/\$sftphost/combinedca.pem
            chown -R \$SFTPUSER:wheel /tmpcerts/\$sftphost/
            # validate the certificates
            echo \"Validating client certificate\"
            if [ -s /tmpcerts/\$sftphost/combinedca.pem ] && [ -s /tmpcerts/\$sftphost/cert.pem ]; then
                /usr/bin/openssl verify -CAfile /tmpcerts/\$sftphost/combinedca.pem /tmpcerts/\$sftphost/cert.pem
            fi
        fi
    done

    echo \"Creating auto-login script\"
    # setup auto-login script
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
if [ -s /root/login.token ]; then
    /bin/cat /root/login.token | /usr/local/bin/vault login -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem token=-
fi
\" > /root/cli-vault-auto-login.sh

    # make executable
    chmod +x /root/cli-vault-auto-login.sh

    echo \"Creating script to issue pki tokens\"
    # setup script to issue pki tokens
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
/usr/local/bin/vault token create -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem -policy=default -policy=pki -wrap-ttl=24h
\" > /root/issue-pki-token.sh

    # make executable
    chmod +x /root/issue-pki-token.sh

    echo \"Creating certificate rotation script\"
    # setup certificate rotation script
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
if [ -s /root/login.token ]; then
    LOGINTOKEN=\\\$(/bin/cat /root/login.token)
    HEADER=\\\$(echo \\\"X-Vault-Token: \\\"\\\$LOGINTOKEN)
    # we're using tls-client-validation so need cert, key, cacert, along with a login token, and payload.json file
    # we'll pass all this to the vault leader api and get back a json file with certificate data embedded
    # this payload.json was created in the setup of the server
    /usr/local/bin/curl --cacert /mnt/certs/ca.pem --cert /mnt/certs/cert.pem --key /mnt/certs/key.pem --header \\\"\\\$HEADER\\\" --request POST --data @/mnt/templates/payload.json https://\$VAULTLEADER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json
    # extract the required certificates to individual files
    /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
    cd /mnt/certs
    # concat the root CA and intermediary CA into combined file
    cat CA_cert.pem ca.pem > combinedca.pem
    # steps here to hash ca files for ca-dir usage
    ln -s ca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
    ln -s combinedca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
    cd /root
    # set permissions on /mnt/certs for vault
    chown -R vault:wheel /mnt/certs
    # restart services
    /bin/pkill -HUP vault
    /usr/local/etc/rc.d/consul restart
    /usr/local/etc/rc.d/syslog-ng restart
else
    echo "/root/login.token does not contain a token. Certificates cannot be renewed."
fi
\" > /root/rotate-certs.sh

    if [ -f /root/rotate-certs.sh ]; then
        # make executable
        chmod +x /root/rotate-certs.sh
        # add a crontab entry for every hour
        echo \"0 * * * * root /root/rotate-certs.sh >> /mnt/rotate-cert.log 2>&1\" >> /etc/crontab
    fi

    echo \"Adding vault-status.sh script\"
    # setup a quick way to check vault status
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
/usr/local/bin/vault status -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
\" > /root/vault-status.sh

    chmod +x /root/vault-status.sh

    echo \"Adding raft-status.sh script\"
    # setup a quick way to check raft status
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
/usr/local/bin/vault operator raft list-peers -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
\" > /root/raft-status.sh

    # make executable
    chmod +x /root/raft-status.sh

    # add script to regenerate 2h temp certs
    echo \"Adding gen-temp-certs.sh script to regenerate temporary certificates\"

    echo \"#!/bin/sh
MYNETWORK=\$SFTPNETWORK
TRIMNETWORK=\\\$(echo \\\$MYNETWORK | sed 's/\.[0-9]*$//')
SEQNETWORK=\\\$(/usr/bin/seq -f \\\"\\\$TRIMNETWORK.%g\\\" 1 253)
# diagnostic
echo \\\$SEQNETWORK > /tmpcerts/iplist.txt
# generate certificates per host
for sftphost in \\\$SEQNETWORK; do
    mkdir -p /tmpcerts/\\\$sftphost
    /usr/local/bin/jo -p common_name=\\\$sftphost ttl=2h ip_sans=\\\"\\\$sftphost,127.0.0.1\\\" format=pem > /tmpcerts/\\\$sftphost/payload.json
    if [ -s /root/login.token ]; then
        echo \\\"Re-generating 2 hour ttl client cert for ip \\\$sftphost in /tmpcerts/\\\$sftphost/...\\\"
        HEADER=\\\$(/bin/cat /root/login.token)
        /usr/local/bin/curl --silent --cacert /mnt/certs/ca.pem --cert /mnt/certs/cert.pem --key /mnt/certs/key.pem \
         --header \\\"X-Vault-Token: \\\$HEADER\\\" \
         --request POST --data @/tmpcerts/\\\$sftphost/payload.json \
         https://\$IP:8200/v1/pki_int/issue/\$DATACENTER > /tmpcerts/\\\$sftphost/vaultissue.json
        # extract the required certificates to individual files
        /usr/local/bin/jq -r '.data.certificate' /tmpcerts/\\\$sftphost/vaultissue.json > /tmpcerts/\\\$sftphost/cert.pem
        /usr/local/bin/jq -r '.data.issuing_ca' /tmpcerts/\\\$sftphost/vaultissue.json >> /tmpcerts/\\\$sftphost/cert.pem
        /usr/local/bin/jq -r '.data.private_key' /tmpcerts/\\\$sftphost/vaultissue.json > /tmpcerts/\\\$sftphost/key.pem
        /usr/local/bin/jq -r '.data.issuing_ca' /tmpcerts/\\\$sftphost/vaultissue.json > /tmpcerts/\\\$sftphost/ca.pem
        # concat the root CA and intermediary CA into combined file
        cat /mnt/certs/CA_cert.pem /tmpcerts/\\\$sftphost/ca.pem > /tmpcerts/\\\$sftphost/combinedca.pem
        chown -R \$SFTPUSER:wheel /tmpcerts/\\\$sftphost/
        # validate the certificates
        echo \\\"Validating client certificate\\\"
        if [ -s /tmpcerts/\\\$sftphost/combinedca.pem ] && [ -s /tmpcerts/\\\$sftphost/cert.pem ]; then
            /usr/bin/openssl verify -CAfile /tmpcerts/\\\$sftphost/combinedca.pem /tmpcerts/\\\$sftphost/cert.pem
        fi
    fi
done
\" > /root/gen-temp-certs.sh

    # make executable
    chmod +x /root/gen-temp-certs.sh

###### not working
#    # setup token renewals
#    echo \"
#if [ -s /root/login.token ]; then
#    LOGINTOKEN=\\\$(/bin/cat /root/login.token)
#    echo \\\$LOGINTOKEN | /usr/local/bin/vault token renew -address=https://\$VAULTLEADER:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem token=-
#else
#    echo "/root/login.token does not contain a token to be renewed."
#fi
#\" > /root/token-renew.sh
#
#    if [ -f /root/token-renew.sh ]; then
#        chmod +x /root/token-renew.sh
#    fi
########

    # end leader config
    ;;

    ### Vault type: RAFT cluster follower
    follower)

    # some basic ssh setup
    echo \"Initialising ssh settings\"
    mkdir -p /root/.ssh
    chmod 700 /root/.ssh
    touch /root/.ssh/authorized_keys

    if [ -f /root/sshkey ] && [ ! -f /root/.ssh/id_rsa ]; then
        cp /root/sshkey /root/.ssh/id_rsa
        chmod 600 /root/.ssh/id_rsa
        ssh-keygen -f /root/.ssh/id_rsa -y > /root/.ssh/id_rsa.pub
    fi

    # setup temp directory for temp certs
    mkdir -p /tmp/tmpcerts

    # echo a message to user
    echo \"\"
    echo \"########################### IMPORTANT NOTICE ###########################\"
    echo \"\"
    echo \"Make sure to copy in id_rsa from vault leader certuser instance!\"
    echo \"\"
    echo \"########################################################################\"
    echo \"\"
    # end client

    # retrieve first round of certificates from vault leader via sftp
    echo \"Get first round of certificates from vault leader via sftp\"
    if [ -f /root/.ssh/id_rsa ]; then
        cd /tmp/tmpcerts
        # wildcard retrieval works manually but not in the script, so we specify each file to retrieve
        /usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTLEADER:\$IP/cert.pem
        /usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTLEADER:\$IP/key.pem
        /usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTLEADER:\$IP/ca.pem
        /usr/bin/sftp -P 8888 -o StrictHostKeyChecking=no -q \$SFTPUSER@\$VAULTLEADER:\$IP/combinedca.pem
    fi

    #set vault variables
    export VAULT_CLIENT_TIMEOUT=300s
    export VAULT_MAX_RETRIES=5

    #begin vault config
    echo \"disable_mlock = true
ui = true
# enable when vnet interface in use by pot
#listener \\\"tcp\\\" {
#  address = \\\"127.0.0.1:8200\\\"
#  tls_disable = 1
#}
listener \\\"tcp\\\" {
  address = \\\"\$IP:8200\\\"
  cluster_address = \\\"\$IP:8201\\\"
  telemetry {
    unauthenticated_metrics_access = true
  }
  # set to zero/false to enable TLS only
  tls_disable = false
  tls_require_and_verify_client_cert = true
  tls_skip_verify = false
  tls_client_ca_file = \\\"/mnt/certs/ca.pem\\\"
  tls_cert_file = \\\"/mnt/certs/cert.pem\\\"
  tls_key_file = \\\"/mnt/certs/key.pem\\\"
}
# make sure you create a zfs partition and mount it into /mnt
# if you want persistent vault data
# if using another directory update this path accordingly
storage \\\"raft\\\" {
  path    = \\\"/mnt/vault/\\\"
  node_id = \\\"\$NODENAME\\\"
  retry_join {
    leader_api_addr = \\\"https://\$VAULTLEADER:8200\\\"
    leader_ca_cert_file = \\\"/mnt/certs/ca.pem\\\"
    leader_client_cert_file = \\\"/mnt/certs/cert.pem\\\"
    leader_client_key_file = \\\"/mnt/certs/key.pem\\\"
  }
  autopilot_reconcile_interval = \\\"5s\\\"
}
seal \\\"transit\\\" {
  address = \\\"http://\$UNSEALIP:8200\\\"
  disable_renewal = \\\"false\\\"
  key_name = \\\"autounseal\\\"
  mount_path = \\\"transit/\\\"
  token = \\\"UNWRAPPEDTOKEN\\\"
}
telemetry {
  disable_hostname = true
  prometheus_retention_time = \\\"24h\\\"
}
#brb#service_registration \\\"consul\\\" {
#brb#  address = \\\"\$IP:8500\\\"
#brb#  scheme = \\\"http\\\"
#brb#  service = \\\"vault\\\"
#brb#  tls_ca_file = \\\"/mnt/certs/combinedca.pem\\\"
#brb#  tls_cert_file = \\\"/mnt/certs/cert.pem\\\"
#brb#  tls_key_file = \\\"/mnt/certs/key.pem\\\"
#brb#}
pid_file = \\\"/var/run/vault.pid\\\"
log_format = \\\"standard\\\"
log_level = \\\"Debug\\\"
api_addr = \\\"https://\$IP:8200\\\"
cluster_addr = \\\"https://\$IP:8201\\\"
#template {
#  source = \\\"/mnt/templates/cert.tpl\\\"
#  destination = \\\"/mnt/certs/cert.pem\\\"
#}
#template {
#  source = \\\"/mnt/templates/ca.tpl\\\"
#  destination = \\\"/mnt/certs/ca.pem\\\"
#}
#template {
#  source = \\\"/mnt/templates/key.tpl\\\"
#  destination = \\\"/mnt/certs/key.pem\\\"
#}
\" > /usr/local/etc/vault.hcl

    # setup template files for certificates
    # not currently enabled via vault, using cron job to renew, combined, hashes combinedca.pem
    echo \"{{- /* /mnt/templates/cert.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.certificate }}{{ end }}
\" > /mnt/templates/cert.tpl

    echo \"{{- /* /mnt/templates/ca.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" }}
{{ .Data.issuing_ca }}{{ end }}
\" > /mnt/templates/ca.tpl

    echo \"{{- /* /mnt/templates/key.tpl */ -}}
{{ with secret \\\"pki_int/issue/\$DATACENTER\\\" \\\"common_name=\$IP\\\" \\\"ttl=24h\\\" \\\"alt_names=\$NODENAME\\\" \\\"ip_sans=\$IP\\\" }}
{{ .Data.private_key }}{{ end }}
\" > /mnt/templates/key.tpl

    # set permissions on /mnt for vault data
    chown -R vault:wheel /mnt

    # setup rc.conf entries
    # we do not set vault_user=vault because vault will not start
    sysrc vault_enable=yes
    sysrc vault_login_class=root
    sysrc vault_syslog_output_enable=\"YES\"
    sysrc vault_syslog_output_priority=\"warn\"

    # if we need to autounseal with passed in unwrap token
    # vault unwrap [options] [TOKEN]
    /usr/local/bin/vault unwrap -address=http://\$UNSEALIP:8200 -format=json \$UNSEALTOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/unwrapped.token
    if [ -s /root/unwrapped.token ]; then
        THIS_TOKEN=\$(/bin/cat /root/unwrapped.token)
        /usr/bin/sed -i .orig \"/UNWRAPPEDTOKEN/s/UNWRAPPEDTOKEN/\$THIS_TOKEN/g\" /usr/local/etc/vault.hcl
    fi

    # new CA cert retrieval process with curl
    echo \"Retrieving CA certificates from Vault leader\"
    # get the root CA, we're not able to do any tls verification at this stage
    /usr/local/bin/curl --cacert /tmp/tmpcerts/ca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem -o /mnt/certs/CA_cert.pem https://\$VAULTLEADER:8200/v1/pki/ca/pem
    # append a new line to the file, as will concat together later with another file
    if [ -s /mnt/certs/CA_cert.pem ]; then
        echo \"\" >> /mnt/certs/CA_cert.pem
    fi
    # get the intermediate CA, we're not able to do any tls verification at this stage
    /usr/local/bin/curl --cacert /tmp/tmpcerts/ca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem -o /mnt/certs/intermediate.cert.pem https://\$VAULTLEADER:8200/v1/pki_int/ca/pem
    # append a new line to the file, as will concat together later with another file
    if [ -s /mnt/certs/intermediate.cert.pem ]; then
        echo \"\" >> /mnt/certs/intermediate.cert.pem
    fi
    # validate the certificates
    echo \"Validating CA certificates\"
    if [ -s /mnt/certs/CA_cert.pem ] && [ -s /mnt/certs/intermediate.cert.pem ]; then
        /usr/bin/openssl verify -CAfile /mnt/certs/CA_cert.pem /mnt/certs/intermediate.cert.pem
    fi

    # login to unseal vault to get a root token to login to the leader node
    echo \"Logging in to unseal vault to unseal\"
    /usr/local/bin/vault login -address=http://\$UNSEALIP:8200 -format=json \$THIS_TOKEN | /usr/local/bin/jq -r '.auth.client_token' > /root/this.token
    echo \"Unseal login success. Please wait\"
    sleep 5

    # login to the vault leader with full tls validation of client
    echo \"Logging in to vault leader instance to authenticate\"
    echo \"\$LEADERTOKEN\" | /usr/local/bin/vault login -address=https://\$VAULTLEADER:8200 -client-cert=/tmp/tmpcerts/cert.pem -client-key=/tmp/tmpcerts/key.pem -ca-cert=/mnt/certs/intermediate.cert.pem -method=token -field=token token=- > /root/login.token
    echo \"Login success. Please wait\"
    sleep 5

    # if a root login token exists with file size greater than zero, then setup a payload.json file for certificate request
    if [ -s /root/login.token ]; then
        # generate certificates to use
        # using this payload.json approach to avoid nested single and double quotes for expansion
        # new way of generating payload.json with jo
        /usr/local/bin/jo -p common_name=\$IP alt_names=\$NODENAME ttl=24h ip_sans=\"\$IP,127.0.0.1\" format=pem > /mnt/templates/payload.json

        # we use curl to get the certificates in json format from vault leader api, as vaults cli's issue command only has the formats: pem, pem_bundle, der
        # but no json format with everything in one file
        echo \"Generating certificates to use from Vault leader\"
        HEADER=\$(/bin/cat /root/login.token)
        /usr/local/bin/curl --cacert /tmp/tmpcerts/combinedca.pem --cert /tmp/tmpcerts/cert.pem --key /tmp/tmpcerts/key.pem --header \"X-Vault-Token: \$HEADER\" --request POST --data @/mnt/templates/payload.json https://\$VAULTLEADER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json
        # extract the required certificates to individual files
        /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
        # append the ca cert to the cert
        /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
        /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem
        /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
        cd /mnt/certs
        # concat the root CA and intermediary CA into combined file
        cat /mnt/certs/CA_cert.pem /mnt/certs/ca.pem > /mnt/certs/combinedca.pem
        # steps here to hash ca, required for syslog-ng
        ln -s ca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
        ln -s combinedca.pem hash/\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
        cd /root
        # set permissions on /mnt/certs for vault
        chown -R vault:wheel /mnt/certs

        # validate the certificates
        echo \"Validating client certificate\"
        if [ -s /mnt/certs/combinedca.pem ] && [ -s /mnt/certs/cert.pem ]; then
            /usr/bin/openssl verify -CAfile /mnt/certs/combinedca.pem /mnt/certs/cert.pem
        fi

        # enable consul components
        /usr/bin/sed -i .orig 's/#brb#//g' /usr/local/etc/vault.hcl

        # optional remote logging
        if [ ! -z \$REMOTELOG ] && [ \$REMOTELOG != \"null\" ]; then
            if [ -f /root/syslog-ng.conf ]; then
                /usr/bin/sed -i .orig \"s/REMOTELOGIP/\$REMOTELOG/g\" /root/syslog-ng.conf
                cp -f /root/syslog-ng.conf /usr/local/etc/syslog-ng.conf
                # stop syslogd
                service syslogd onestop || true
                # setup sysrc entries to start and set parameters to accept logs from remote subnet
                sysrc syslogd_enable=\"NO\"
                sysrc syslog_ng_enable=\"YES\"
                #sysrc syslog_ng_flags=\"-u daemon\"
                sysrc syslog_ng_flags=\"-R /tmp/syslog-ng.persist\"
                /usr/local/etc/rc.d/syslog-ng start
                echo \"syslog-ng setup complete\"
            else
                echo \"/root/syslog-ng.conf is missing?\"
            fi
        else
            echo \"REMOTELOG parameter is not set to an IP address. syslog-ng won't operate.\"
        fi

        ## start consul config
        # make consul configuration directory and set permissions
        mkdir -p /usr/local/etc/consul.d
        chmod 750 /usr/local/etc/consul.d

        # Create the consul agent config file with imported variables
        echo \"{
\\\"advertise_addr\\\": \\\"\$IP\\\",
\\\"datacenter\\\": \\\"\$DATACENTER\\\",
\\\"node_name\\\": \\\"\$NODENAME\\\",
\\\"data_dir\\\":  \\\"/var/db/consul\\\",
\\\"dns_config\\\": {
 \\\"a_record_limit\\\": 3,
 \\\"enable_truncate\\\": true
},
\\\"verify_incoming\\\": true,
\\\"verify_outgoing\\\": true,
\\\"verify_server_hostname\\\": false,
\\\"verify_incoming_rpc\\\":true,
\\\"ca_file\\\": \\\"/mnt/certs/combinedca.pem\\\",
\\\"cert_file\\\": \\\"/mnt/certs/cert.pem\\\",
\\\"key_file\\\": \\\"/mnt/certs/key.pem\\\",
\\\"log_file\\\": \\\"/var/log/consul/\\\",
\\\"log_level\\\": \\\"WARN\\\",
\\\"encrypt\\\": \$GOSSIPKEY,
\\\"start_join\\\": [ \$CONSULSERVERS ],
\\\"service\\\": {
 \\\"name\\\": \\\"node-exporter\\\",
 \\\"tags\\\": [\\\"_app=vault\\\", \\\"_service=node-exporter\\\", \\\"_hostname=\$NODENAME\\\"],
 \\\"port\\\": 9100
 }
}\" > /usr/local/etc/consul.d/agent.json

        # set owner and perms on agent.json
        chown consul:wheel /usr/local/etc/consul.d/agent.json
        chmod 640 /usr/local/etc/consul.d/agent.json

        # enable consul
        sysrc consul_enable=\"YES\"

        # set load parameter for consul config
        sysrc consul_args=\"-config-file=/usr/local/etc/consul.d/agent.json\"
        #sysrc consul_datadir=\"/var/db/consul\"

        # Workaround for bug in rc.d/consul script:
        sysrc consul_group=\"wheel\"

        # setup consul logs, might be redundant if not specified in agent.json above
        mkdir -p /var/log/consul
        touch /var/log/consul/consul.log
        chown -R consul:wheel /var/log/consul

        # add the consul user to the wheel group, this seems to be required for
        # consul to start on this instance. May need to figure out why.
        # not entirely sure this is the correct way to do it
        /usr/sbin/pw usermod consul -G wheel

        ## end consul

        # node exporter needs tls setup
        echo \"tls_server_config:
  cert_file: /mnt/certs/cert.pem
  key_file: /mnt/certs/key.pem
\" > /usr/local/etc/node-exporter.yml

        # enable node_exporter service
        sysrc node_exporter_enable=\"YES\"
        sysrc node_exporter_args=\"--web.config=/usr/local/etc/node-exporter.yml\"

        # start consul agent
        /usr/local/etc/rc.d/consul start

        # start node_exporter
        /usr/local/etc/rc.d/node_exporter start

        # start vault
        echo \"Starting Vault Follower\"
        /usr/local/etc/rc.d/vault start
        sleep 6

        # join the raft cluster
        echo \"Joining the raft cluster\"
        # we're using tls-client-validation so cert, key, cacert required
        /usr/local/bin/vault operator raft join -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
        # we need to wait a period for the cluster to initialise correctly and elect leader
        # cluster requires 10 seconds to bootstrap, even if single server, we can only login after 10 seconds
        # syslog-ng flow control adds a lot of overhead, so longer delay is required if enabled. 30s at least
        echo \"Please wait for raft cluster to contemplate self... (30s)\"
        sleep 30

        # login to the local vault instance to initialise the follower node
        echo \"Logging in to local vault instance\"
        # we're using tls-client-validation so need cert, key, cacert and a login token
        echo \"\$LEADERTOKEN\" | /usr/local/bin/vault login -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem -method=token -field=token token=- > /root/login.token

        if [ -s /root/login.token ]; then
            TOKENOUT=\$(/bin/cat /root/login.token)
            echo \"Your token is \$TOKENOUT\"
            echo \"Also available in /root/login.token\"
        fi
    else
        echo \"ERROR: There was a problem logging into the vault leader and no certificates were retrieved. Vault not started.\"
    fi

    # setup auto-login script
    echo \"Setting up auto-login script\"
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
if [ -s /root/login.token ]; then
    /bin/cat /root/login.token | /usr/local/bin/vault login -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem token=-
fi\" > /root/cli-vault-auto-login.sh

    # set executable perms
    chmod +x /root/cli-vault-auto-login.sh

    # setup certificate rotation script
    echo \"Setting up certificate rotation script\"
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
if [ -s /root/login.token ]; then
    LOGINTOKEN=\\\$(/bin/cat /root/login.token)
    HEADER=\\\$(echo \\\"X-Vault-Token: \\\"\\\$LOGINTOKEN)
    /usr/local/bin/curl --cacert /mnt/certs/combinedca.pem --cert /mnt/certs/cert.pem --key /mnt/certs/key.pem --header \\\"\\\$HEADER\\\" --request POST --data @/mnt/templates/payload.json https://\$VAULTLEADER:8200/v1/pki_int/issue/\$DATACENTER > /mnt/certs/vaultissue.json
    # extract the required certificates to individual files
    /usr/local/bin/jq -r '.data.certificate' /mnt/certs/vaultissue.json > /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json >> /mnt/certs/cert.pem
    /usr/local/bin/jq -r '.data.private_key' /mnt/certs/vaultissue.json > /mnt/certs/key.pem
    /usr/local/bin/jq -r '.data.issuing_ca' /mnt/certs/vaultissue.json > /mnt/certs/ca.pem
    cd /mnt/certs
    # concat the root CA and intermediary CA into combined file
    cat CA_cert.pem ca.pem > combinedca.pem
    # steps here to hash ca
    ln -s ca.pem hash\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/ca.pem).0
    ln -s combinedca.pem hash\$(/usr/bin/openssl x509 -subject_hash -noout -in /mnt/certs/combinedca.pem).0
    cd /root
    # set permissions on /mnt/certs for vault
    chown -R vault:wheel /mnt/certs
    # restart services
    /bin/pkill -HUP vault
    /usr/local/etc/rc.d/consul restart
    /usr/local/etc/rc.d/syslog-ng restart
else
    echo "/root/login.token does not contain a token. Certificates cannot be renewed."
fi
\" > /root/rotate-certs.sh

    if [ -f /root/rotate-certs.sh ]; then
        echo \"Adding cron job\"
        # make executable
        chmod +x /root/rotate-certs.sh
        # add a crontab entry for every hour
        echo \"0 * * * * root /root/rotate-certs.sh >> /mnt/rotate-cert.log 2>&1\" >> /etc/crontab
    fi

    echo \"Adding vault-status.sh script\"
    # setup a quick way to check vault status
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
/usr/local/bin/vault status -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
\" > /root/vault-status.sh

    # make executable
    chmod +x /root/vault-status.sh

    echo \"Adding raft-status.sh script\"
    # setup a quick way to check raft status
    echo \"#!/bin/sh
export VAULT_CLIENT_TIMEOUT=300s
export VAULT_MAX_RETRIES=5
# redundant as also using in command line
export VAULT_CLIENT_CERT=/mnt/certs/cert.pem
export VAULT_CLIENT_KEY=/mnt/certs/key.pem
/usr/local/bin/vault operator raft list-peers -address=https://\$IP:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem
\" > /root/raft-status.sh

    # make executable
    chmod +x /root/raft-status.sh

######## not working
#    # setup token renewals
#    echo \"
#if [ -s /root/login.token ]; then
#    LOGINTOKEN=\\\$(/bin/cat /root/login.token)
#    echo \\\$LOGINTOKEN | /usr/local/bin/vault token renew -address=https://\$VAULTLEADER:8200 -client-cert=/mnt/certs/cert.pem -client-key=/mnt/certs/key.pem -ca-cert=/mnt/certs/combinedca.pem token=-
#else
#    echo "/root/login.token does not contain a token to be renewed."
#fi
#\" > /root/token-renew.sh
#
#    if [ -f /root/token-renew.sh ]; then
#        chmod +x /root/token-renew.sh
#    fi
#######

    # end follower config
    ;;

    # catch all, exit because bad VAULTTYPE
    *)
    echo \"there is a problem with the VAULTTYPE variable - set to unseal or leader or cluster\"
    exit 1
    # end catchall config
    ;;

esac

# end vault case statements #

# ADJUST THIS: START THE SERVICES AGAIN AFTER CONFIGURATION

# Do not touch this:
touch /usr/local/etc/pot-is-seasoned

# If this pot flavour is blocking (i.e. it should not return), there is no /tmp/environment.sh
# created by pot and we now after configuration block indefinitely
if [ \"\$RUNS_IN_NOMAD\" = \"true\" ]
then
    /bin/sh /etc/rc
    tail -f /dev/null
fi
" > /usr/local/bin/cook

# ----------------- END COOK ------------------


# ---------- NO NEED TO EDIT BELOW ------------

step "Make cook script executable"
if [ -e /usr/local/bin/cook ]
then
    echo "setting executable bit on /usr/local/bin/cook" | tee -a $COOKLOG
    chmod u+x /usr/local/bin/cook
else
    exit_error "there is no /usr/local/bin/cook to make executable"
fi

#
# There are two ways of running a pot jail: "Normal", non-blocking mode and
# "Nomad", i.e. blocking mode (the pot start command does not return until
# the jail is stopped).
# For the normal mode, we create a /usr/local/etc/rc.d script that starts
# the "cook" script generated above each time, for the "Nomad" mode, the cook
# script is started by pot (configuration through flavour file), therefore
# we do not need to do anything here.
#

# Create rc.d script for "normal" mode:
step "Create rc.d script to start cook"
echo "creating rc.d script to start cook" | tee -a $COOKLOG

echo "#!/bin/sh
#
# PROVIDE: cook
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
. /etc/rc.subr
name=\"cook\"
rcvar=\"cook_enable\"
load_rc_config \$name
: \${cook_enable:=\"NO\"}
: \${cook_env:=\"\"}
command=\"/usr/local/bin/cook\"
command_args=\"\"
run_rc_command \"\$1\"
" > /usr/local/etc/rc.d/cook

step "Make rc.d script to start cook executable"
if [ -e /usr/local/etc/rc.d/cook ]
then
  echo "Setting executable bit on cook rc file" | tee -a $COOKLOG
  chmod u+x /usr/local/etc/rc.d/cook
else
  exit_error "/usr/local/etc/rc.d/cook does not exist"
fi

if [ "$RUNS_IN_NOMAD" != "true" ]
then
  step "Enable cook service"
  # This is a non-nomad (non-blocking) jail, so we need to make sure the script
  # gets started when the jail is started:
  # Otherwise, /usr/local/bin/cook will be set as start script by the pot flavour
  echo "enabling cook" | tee -a $COOKLOG
  service cook enable
fi

# -------------------- DONE ---------------
exit_ok

vault/vault+1:
vault/vault+1.sh:

vault/vault+2:
vault/vault+2.sh:

vault/vault+3:
vault/vault+3.sh:

vault/vault+4:
vault/vault+4.sh:
Password:===>  Creating a new pot
===>  pot name : vault-amd64-12_2
===>  type : single
===>  base : 12.2
===>  pot_base :
===>  level : 0
===>  network-type : public-bridge
===>  network-stack: ipv4
===>  ip : 10.192.0.4
===>  bridge :
===>  dns : inherit
===>  flavours : fbsd-update vault vault+1 vault+2 vault+3 vault+4
===>  Fetching FreeBSD 12.2
===>  Extract the tarball
=====>  Flavour: fbsd-update
=====>  Starting vault-amd64-12_2 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
defaultrouter: NO -> 10.192.0.1
===>  Starting the pot vault-amd64-12_2
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:30:8a:64:ec:0b
	inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Generating host.conf.
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Updating /var/run/os-release done.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Aug  4 18:52:50 UTC 2021
/usr/local/etc/pot/flavours/fbsd-update.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/tmp/fbsd-update.sh
=====>  Executing fbsd-update script on vault-amd64-12_2
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching public key from update1.freebsd.org... done.
Fetching metadata signature for 12.2-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 76 patches.....10....20....30....40....50....60....70... done.
Applying patches... done.
Fetching 1 files...  done.
The following files will be removed as part of updating to
12.2-RELEASE-p9:
/etc/ssl/certs/2c543cd1.0
/etc/ssl/certs/2e4eed3c.0
/etc/ssl/certs/480720ec.0
/etc/ssl/certs/7d0b38bd.0
/etc/ssl/certs/8867006a.0
/etc/ssl/certs/ad088e1d.0
/etc/ssl/certs/b204d74a.0
/etc/ssl/certs/ba89ed3b.0
/etc/ssl/certs/c089bbbd.0
/etc/ssl/certs/e2799e36.0
/usr/share/certs/trusted/GeoTrust_Global_CA.pem
/usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority.pem
/usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
/usr/share/certs/trusted/GeoTrust_Universal_CA.pem
/usr/share/certs/trusted/GeoTrust_Universal_CA_2.pem
/usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
/usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
/usr/share/certs/trusted/thawte_Primary_Root_CA.pem
/usr/share/certs/trusted/thawte_Primary_Root_CA_-_G2.pem
/usr/share/certs/trusted/thawte_Primary_Root_CA_-_G3.pem
The following files will be added as part of updating to
12.2-RELEASE-p9:
/etc/ssl/blacklisted/2c543cd1.0
/etc/ssl/blacklisted/2e4eed3c.0
/etc/ssl/blacklisted/480720ec.0
/etc/ssl/blacklisted/7d0b38bd.0
/etc/ssl/blacklisted/8867006a.0
/etc/ssl/blacklisted/ad088e1d.0
/etc/ssl/blacklisted/b204d74a.0
/etc/ssl/blacklisted/ba89ed3b.0
/etc/ssl/blacklisted/c089bbbd.0
/etc/ssl/blacklisted/e2799e36.0
/etc/ssl/certs/3fb36b73.0
/usr/share/certs/blacklisted/GeoTrust_Global_CA.pem
/usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority.pem
/usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
/usr/share/certs/blacklisted/GeoTrust_Universal_CA.pem
/usr/share/certs/blacklisted/GeoTrust_Universal_CA_2.pem
/usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
/usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
/usr/share/certs/blacklisted/thawte_Primary_Root_CA.pem
/usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G2.pem
/usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G3.pem
/usr/share/certs/trusted/NAVER_Global_Root_Certification_Authority.pem
The following files will be updated as part of updating to
12.2-RELEASE-p9:
/bin/freebsd-version
/lib/libcasper.so.1
/lib/libcrypto.so.111
/lib/libzfs.so.3
/lib/libzfs_core.so.2
/lib/libzpool.so.2
/rescue/[
/rescue/bectl
/rescue/bsdlabel
/rescue/bunzip2
/rescue/bzcat
/rescue/bzip2
/rescue/camcontrol
/rescue/cat
/rescue/ccdconfig
/rescue/chflags
/rescue/chgrp
/rescue/chio
/rescue/chmod
/rescue/chown
/rescue/chroot
/rescue/clri
/rescue/cp
/rescue/csh
/rescue/date
/rescue/dd
/rescue/devfs
/rescue/df
/rescue/dhclient
/rescue/disklabel
/rescue/dmesg
/rescue/dump
/rescue/dumpfs
/rescue/dumpon
/rescue/echo
/rescue/ed
/rescue/ex
/rescue/expr
/rescue/fastboot
/rescue/fasthalt
/rescue/fdisk
/rescue/fsck
/rescue/fsck_4.2bsd
/rescue/fsck_ffs
/rescue/fsck_msdosfs
/rescue/fsck_ufs
/rescue/fsdb
/rescue/fsirand
/rescue/gbde
/rescue/geom
/rescue/getfacl
/rescue/glabel
/rescue/gpart
/rescue/groups
/rescue/gunzip
/rescue/gzcat
/rescue/gzip
/rescue/halt
/rescue/head
/rescue/hostname
/rescue/id
/rescue/ifconfig
/rescue/init
/rescue/ipf
/rescue/iscsictl
/rescue/iscsid
/rescue/kenv
/rescue/kill
/rescue/kldconfig
/rescue/kldload
/rescue/kldstat
/rescue/kldunload
/rescue/ldconfig
/rescue/less
/rescue/link
/rescue/ln
/rescue/ls
/rescue/lzcat
/rescue/lzma
/rescue/md5
/rescue/mdconfig
/rescue/mdmfs
/rescue/mkdir
/rescue/mknod
/rescue/more
/rescue/mount
/rescue/mount_cd9660
/rescue/mount_msdosfs
/rescue/mount_nfs
/rescue/mount_nullfs
/rescue/mount_udf
/rescue/mount_unionfs
/rescue/mt
/rescue/mv
/rescue/nc
/rescue/newfs
/rescue/newfs_msdos
/rescue/nos-tun
/rescue/pgrep
/rescue/ping
/rescue/ping6
/rescue/pkill
/rescue/poweroff
/rescue/ps
/rescue/pwd
/rescue/rcorder
/rescue/rdump
/rescue/realpath
/rescue/reboot
/rescue/red
/rescue/rescue
/rescue/restore
/rescue/rm
/rescue/rmdir
/rescue/route
/rescue/routed
/rescue/rrestore
/rescue/rtquery
/rescue/rtsol
/rescue/savecore
/rescue/sed
/rescue/setfacl
/rescue/sh
/rescue/shutdown
/rescue/sleep
/rescue/spppcontrol
/rescue/stty
/rescue/swapon
/rescue/sync
/rescue/sysctl
/rescue/tail
/rescue/tar
/rescue/tcsh
/rescue/tee
/rescue/test
/rescue/tunefs
/rescue/umount
/rescue/unlink
/rescue/unlzma
/rescue/unxz
/rescue/unzstd
/rescue/vi
/rescue/whoami
/rescue/xz
/rescue/xzcat
/rescue/zcat
/rescue/zdb
/rescue/zfs
/rescue/zpool
/rescue/zstd
/rescue/zstdcat
/rescue/zstdmt
/sbin/ipfw
/sbin/rtsol
/sbin/zpool
/usr/bin/lldb
/usr/bin/zinject
/usr/bin/ztest
/usr/include/net/if_var.h
/usr/include/openssl/asn1err.h
/usr/include/sys/filedesc.h
/usr/include/sys/jail.h
/usr/lib/libcrypto.a
/usr/lib/libcrypto_p.a
/usr/lib/libpam.a
/usr/lib/libradius.a
/usr/lib/libradius.so.4
/usr/lib/libradius_p.a
/usr/lib/libssl.a
/usr/lib/libssl.so.111
/usr/lib/libssl_p.a
/usr/lib/libzfs.a
/usr/lib/libzfs_core.a
/usr/lib/libzfs_core_p.a
/usr/lib/libzfs_p.a
/usr/lib/libzpool.a
/usr/lib/pam_login_access.so.6
/usr/sbin/freebsd-update
/usr/sbin/rtsold
/usr/sbin/zdb
/usr/sbin/zfsd
/usr/sbin/zhack
/usr/share/man/man2/jail.2.gz
/usr/share/man/man2/jail_attach.2.gz
/usr/share/man/man2/jail_get.2.gz
/usr/share/man/man2/jail_remove.2.gz
/usr/share/man/man2/jail_set.2.gz
/usr/share/zoneinfo/Africa/Accra
/usr/share/zoneinfo/Africa/Addis_Ababa
/usr/share/zoneinfo/Africa/Algiers
/usr/share/zoneinfo/Africa/Asmara
/usr/share/zoneinfo/Africa/Asmera
/usr/share/zoneinfo/Africa/Bangui
/usr/share/zoneinfo/Africa/Brazzaville
/usr/share/zoneinfo/Africa/Casablanca
/usr/share/zoneinfo/Africa/Dar_es_Salaam
/usr/share/zoneinfo/Africa/Djibouti
/usr/share/zoneinfo/Africa/Douala
/usr/share/zoneinfo/Africa/El_Aaiun
/usr/share/zoneinfo/Africa/Juba
/usr/share/zoneinfo/Africa/Kampala
/usr/share/zoneinfo/Africa/Kinshasa
/usr/share/zoneinfo/Africa/Lagos
/usr/share/zoneinfo/Africa/Libreville
/usr/share/zoneinfo/Africa/Luanda
/usr/share/zoneinfo/Africa/Malabo
/usr/share/zoneinfo/Africa/Mogadishu
/usr/share/zoneinfo/Africa/Nairobi
/usr/share/zoneinfo/Africa/Niamey
/usr/share/zoneinfo/Africa/Porto-Novo
/usr/share/zoneinfo/America/Belize
/usr/share/zoneinfo/America/Dawson
/usr/share/zoneinfo/America/Grand_Turk
/usr/share/zoneinfo/America/Nassau
/usr/share/zoneinfo/America/Whitehorse
/usr/share/zoneinfo/Antarctica/Casey
/usr/share/zoneinfo/Antarctica/Macquarie
/usr/share/zoneinfo/Asia/Gaza
/usr/share/zoneinfo/Asia/Hebron
/usr/share/zoneinfo/Asia/Jerusalem
/usr/share/zoneinfo/Asia/Tel_Aviv
/usr/share/zoneinfo/Atlantic/Bermuda
/usr/share/zoneinfo/Australia/ACT
/usr/share/zoneinfo/Australia/Adelaide
/usr/share/zoneinfo/Australia/Brisbane
/usr/share/zoneinfo/Australia/Broken_Hill
/usr/share/zoneinfo/Australia/Canberra
/usr/share/zoneinfo/Australia/Currie
/usr/share/zoneinfo/Australia/Darwin
/usr/share/zoneinfo/Australia/Eucla
/usr/share/zoneinfo/Australia/Hobart
/usr/share/zoneinfo/Australia/Lindeman
/usr/share/zoneinfo/Australia/Melbourne
/usr/share/zoneinfo/Australia/NSW
/usr/share/zoneinfo/Australia/North
/usr/share/zoneinfo/Australia/Perth
/usr/share/zoneinfo/Australia/Queensland
/usr/share/zoneinfo/Australia/South
/usr/share/zoneinfo/Australia/Sydney
/usr/share/zoneinfo/Australia/Tasmania
/usr/share/zoneinfo/Australia/Victoria
/usr/share/zoneinfo/Australia/West
/usr/share/zoneinfo/Australia/Yancowinna
/usr/share/zoneinfo/Canada/Yukon
/usr/share/zoneinfo/Europe/Budapest
/usr/share/zoneinfo/Europe/Monaco
/usr/share/zoneinfo/Europe/Paris
/usr/share/zoneinfo/Europe/Volgograd
/usr/share/zoneinfo/Indian/Antananarivo
/usr/share/zoneinfo/Indian/Comoro
/usr/share/zoneinfo/Indian/Mahe
/usr/share/zoneinfo/Indian/Mayotte
/usr/share/zoneinfo/Israel
/usr/share/zoneinfo/Pacific/Efate
/usr/share/zoneinfo/Pacific/Fiji
/usr/share/zoneinfo/zone.tab
/usr/share/zoneinfo/zone1970.tab
Installing updates...Scanning //usr/share/certs/blacklisted for certificates...
Scanning //usr/share/certs/trusted for certificates...
 done.
=====>  Stop the pot vault-amd64-12_2
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/dev
=====>  Flavour: vault
=====>  Executing vault pot commands on vault-amd64-12_2
=====>  mount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
/usr/local/etc/pot/flavours/vault.d/syslog-ng.conf -> /mnt/data/pot/jails/vault-amd64-12_2/m/root/syslog-ng.conf
=====>  Source /usr/local/etc/pot/flavours/vault.d/syslog-ng.conf copied in the pot vault-amd64-12_2
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
=====>  /mnt/data/pot/jails/vault-amd64-12_2/m/dev is already unmounted
=====>  Starting vault-amd64-12_2 pot for the initial bootstrap
=====>  mount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
defaultrouter: 10.192.0.1 -> 10.192.0.1
===>  Starting the pot vault-amd64-12_2
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Starting Network: lo0 epair0b.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:9d:fb:c8:2a:0b
	inet 10.192.0.4 netmask 0xffc00000 broadcast 10.255.255.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 10.192.0.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Updating /var/run/os-release done.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Wed Aug  4 18:54:05 UTC 2021
/usr/local/etc/pot/flavours/vault.sh -> /mnt/data/pot/jails/vault-amd64-12_2/m/tmp/vault.sh
=====>  Executing vault script on vault-amd64-12_2
Creating /var/log/cook.log
Step 1: Bootstrap package repo
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Installing pkg-1.16.3...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Extracting pkg-1.16.3: .......... done
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly, please wait...
Step 2: Touch /etc/rc.conf
Step 3: Remove ifconfig_epair0b from config
Step 4: Disable sendmail
sendmail disabled in /etc/rc.conf
sendmail_submit disabled in /etc/rc.conf
sendmail_msp_queue disabled in /etc/rc.conf
Step 5: Enable SSH
sshd_enable: NO -> YES
Step 6: Create /usr/local/etc/rc.d
Step 7: Install package consul
Updating FreeBSD repository catalogue...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Fetching meta.conf: . done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] Fetching packagesite.txz: .......... done
Processing entries: .......... done
FreeBSD repository update completed. 30842 packages processed.
All repositories are up to date.
Updating database digests format: . done
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	consul: 1.9.5

Number of packages to be installed: 1

The process will require 78 MiB more space.
27 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching consul-1.9.5.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing consul-1.9.5...
===> Creating groups.
Creating group 'consul' with gid '469'.
===> Creating users
Creating user 'consul' with uid '469'.
===> Creating homedir(s)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting consul-1.9.5: ..... done
Step 8: Install package sudo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gettext-runtime: 0.21
	indexinfo: 0.3.1
	sudo: 1.9.7p1

Number of packages to be installed: 3

The process will require 7 MiB more space.
2 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Fetching sudo-1.9.7p1.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Fetching gettext-runtime-0.21.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Fetching indexinfo-0.3.1.txz: . done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Installing indexinfo-0.3.1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Extracting indexinfo-0.3.1: .... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Installing gettext-runtime-0.21...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Extracting gettext-runtime-0.21: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Installing sudo-1.9.7p1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Extracting sudo-1.9.7p1: .......... done
Step 9: Install package node_exporter
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	node_exporter: 1.1.2

Number of packages to be installed: 1

The process will require 11 MiB more space.
3 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching node_exporter-1.1.2.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing node_exporter-1.1.2...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting node_exporter-1.1.2: .......... done
=====
Message from node_exporter-1.1.2:

--
If upgrading from a version of node_exporter <0.15.0 you'll need to update any
custom command line flags that you may have set as it now requires a
double-dash (--flag) instead of a single dash (-flag).
The collector flags in 0.15.0 have now been replaced with individual boolean
flags and the -collector.procfs` and -collector.sysfs` flags have been renamed
to --path.procfs and --path.sysfs respectively.
Step 10: Install package jq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	jq: 1.6
	oniguruma: 6.9.7.1

Number of packages to be installed: 2

The process will require 2 MiB more space.
498 KiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Fetching jq-1.6.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Fetching oniguruma-6.9.7.1.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Installing oniguruma-6.9.7.1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/2] Extracting oniguruma-6.9.7.1: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Installing jq-1.6...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/2] Extracting jq-1.6: .......... done
Step 11: Install package jo
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	jo: 1.4

Number of packages to be installed: 1

19 KiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching jo-1.4.txz: ... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing jo-1.4...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting jo-1.4: ...... done
Step 12: Install package curl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	ca_root_nss: 3.63
	curl: 7.77.0
	libnghttp2: 1.43.0

Number of packages to be installed: 3

The process will require 5 MiB more space.
2 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Fetching curl-7.77.0.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Fetching libnghttp2-1.43.0.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Fetching ca_root_nss-3.63.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Installing libnghttp2-1.43.0...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/3] Extracting libnghttp2-1.43.0: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Installing ca_root_nss-3.63...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/3] Extracting ca_root_nss-3.63: ........ done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Installing curl-7.77.0...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/3] Extracting curl-7.77.0: .......... done
=====
Message from ca_root_nss-3.63:

--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.


This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem
Step 13: Install package openssl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	openssl: 1.1.1k_1,1

Number of packages to be installed: 1

The process will require 14 MiB more space.
4 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching openssl-1.1.1k_1,1.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing openssl-1.1.1k_1,1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting openssl-1.1.1k_1,1: .......... done
Step 14: Install package syslog-ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 11 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	e2fsprogs-libuuid: 1.46.2
	glib: 2.66.8,2
	json-c: 0.15_1
	libffi: 3.3_1
	libiconv: 1.16
	libxml2: 2.9.12
	mpdecimal: 2.5.1
	pcre: 8.44
	python38: 3.8.10
	readline: 8.1.1
	syslog-ng: 3.32.1

Number of packages to be installed: 11

The process will require 160 MiB more space.
24 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/11] Fetching syslog-ng-3.32.1.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/11] Fetching e2fsprogs-libuuid-1.46.2.txz: ..... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/11] Fetching pcre-8.44.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [4/11] Fetching json-c-0.15_1.txz: ........ done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [5/11] Fetching glib-2.66.8,2.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [6/11] Fetching libxml2-2.9.12.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [7/11] Fetching python38-3.8.10.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [8/11] Fetching mpdecimal-2.5.1.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [9/11] Fetching readline-8.1.1.txz: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [10/11] Fetching libffi-3.3_1.txz: ..... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [11/11] Fetching libiconv-1.16.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/11] Installing mpdecimal-2.5.1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/11] Extracting mpdecimal-2.5.1: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/11] Installing readline-8.1.1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [2/11] Extracting readline-8.1.1: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/11] Installing libffi-3.3_1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [3/11] Extracting libffi-3.3_1: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [4/11] Installing pcre-8.44...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [4/11] Extracting pcre-8.44: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [5/11] Installing libxml2-2.9.12...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [5/11] Extracting libxml2-2.9.12: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [6/11] Installing python38-3.8.10...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [6/11] Extracting python38-3.8.10: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [7/11] Installing libiconv-1.16...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [7/11] Extracting libiconv-1.16: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [8/11] Installing e2fsprogs-libuuid-1.46.2...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [8/11] Extracting e2fsprogs-libuuid-1.46.2: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [9/11] Installing json-c-0.15_1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [9/11] Extracting json-c-0.15_1: .......... done
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [10/11] Installing glib-2.66.8,2...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [10/11] Extracting glib-2.66.8,2: .......... done
No schema files found: doing nothing.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [11/11] Installing syslog-ng-3.32.1...
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [11/11] Extracting syslog-ng-3.32.1: .......... done
=====
Message from python38-3.8.10:

--
Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:

py38-gdbm       databases/py-gdbm@py38
py38-sqlite3    databases/py-sqlite3@py38
py38-tkinter    x11-toolkits/py-tkinter@py38
=====
Message from syslog-ng-3.32.1:

--
syslog-ng is now installed!  To replace FreeBSD's standard syslogd
(/usr/sbin/syslogd), complete these steps:

1. Create a configuration file named /usr/local/etc/syslog-ng.conf
   (a sample named syslog-ng.conf.sample has been included in
   /usr/local/etc). Note that this is a change in 2.0.2
   version, previous ones put the config file in
   /usr/local/etc/syslog-ng/syslog-ng.conf, so if this is an update
   move that file in the right place

2. Configure syslog-ng to start automatically by adding the following
   to /etc/rc.conf:

        syslog_ng_enable="YES"

3. Prevent the standard FreeBSD syslogd from starting automatically by
   adding a line to the end of your /etc/rc.conf file that reads:

        syslogd_enable="NO"

4. Shut down the standard FreeBSD syslogd:

     kill `cat /var/run/syslog.pid`

5. Start syslog-ng:

     /usr/local/etc/rc.d/syslog-ng start
Step 15: Install package vault
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	vault: 1.7.3

Number of packages to be installed: 1

The process will require 149 MiB more space.
49 MiB to be downloaded.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Fetching vault-1.7.3.txz: .......... done
Checking integrity... done (0 conflicting)
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Installing vault-1.7.3...
===> Creating groups.
Creating group 'vault' with gid '471'.
===> Creating users
Creating user 'vault' with uid '471'.
[vault-amd64-12_2.vsf00001.cpt.za.honeyguide.net] [1/1] Extracting vault-1.7.3: ..... done
=====
Message from vault-1.7.3:

--
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:

pw usermod -L daemon -n vault

or delete the user and reinstall the package.

You may also need to increase memorylocked for the daemon class in
/etc/login.conf to 1024M or more and run:

cap_mkdb /etc/login.conf

Or to disable mlock, add:

disable_mlock = 1

to /usr/local/etc/vault.hcl
Step 16: Add vault user to daemon class
Step 17: Clean package installation
Checking integrity... done (0 conflicting)
Nothing to do.
The following package files will be deleted:
	/var/cache/pkg/python38-3.8.10.txz
	/var/cache/pkg/mpdecimal-2.5.1~1d25bc877b.txz
	/var/cache/pkg/gettext-runtime-0.21.txz
	/var/cache/pkg/openssl-1.1.1k_1,1.txz
	/var/cache/pkg/vault-1.7.3~cd2b978f50.txz
	/var/cache/pkg/libnghttp2-1.43.0.txz
	/var/cache/pkg/readline-8.1.1~c6e0b75a5a.txz
	/var/cache/pkg/libiconv-1.16.txz
	/var/cache/pkg/libxml2-2.9.12.txz
	/var/cache/pkg/glib-2.66.8,2~e7f710500f.txz
	/var/cache/pkg/curl-7.77.0.txz
	/var/cache/pkg/gettext-runtime-0.21~778e7e5b6e.txz
	/var/cache/pkg/jo-1.4~a7177d81a0.txz
	/var/cache/pkg/ca_root_nss-3.63.txz
	/var/cache/pkg/syslog-ng-3.32.1.txz
	/var/cache/pkg/sudo-1.9.7p1.txz
	/var/cache/pkg/python38-3.8.10~b529305b59.txz
	/var/cache/pkg/libffi-3.3_1~57ea96fce2.txz
	/var/cache/pkg/consul-1.9.5.txz
	/var/cache/pkg/indexinfo-0.3.1.txz
	/var/cache/pkg/indexinfo-0.3.1~cd1aa182f5.txz
	/var/cache/pkg/mpdecimal-2.5.1.txz
	/var/cache/pkg/e2fsprogs-libuuid-1.46.2.txz
	/var/cache/pkg/consul-1.9.5~a117e971c4.txz
	/var/cache/pkg/pcre-8.44~eb4a39393e.txz
	/var/cache/pkg/e2fsprogs-libuuid-1.46.2~c4333f6349.txz
	/var/cache/pkg/jq-1.6~c6066b435f.txz
	/var/cache/pkg/json-c-0.15_1~ff906a5de2.txz
	/var/cache/pkg/json-c-0.15_1.txz
	/var/cache/pkg/syslog-ng-3.32.1~4aba4f80c8.txz
	/var/cache/pkg/node_exporter-1.1.2.txz
	/var/cache/pkg/libnghttp2-1.43.0~a371ad62f9.txz
	/var/cache/pkg/curl-7.77.0~c5c09bf73b.txz
	/var/cache/pkg/libiconv-1.16~d5dea9e62b.txz
	/var/cache/pkg/oniguruma-6.9.7.1.txz
	/var/cache/pkg/node_exporter-1.1.2~05f1a82760.txz
	/var/cache/pkg/sudo-1.9.7p1~683cf599ea.txz
	/var/cache/pkg/ca_root_nss-3.63~dbafb0f738.txz
	/var/cache/pkg/jo-1.4.txz
	/var/cache/pkg/jq-1.6.txz
	/var/cache/pkg/vault-1.7.3.txz
	/var/cache/pkg/glib-2.66.8,2.txz
	/var/cache/pkg/libxml2-2.9.12~9b537b9fce.txz
	/var/cache/pkg/openssl-1.1.1k_1,1~89d9dc53f3.txz
	/var/cache/pkg/oniguruma-6.9.7.1~4185029456.txz
	/var/cache/pkg/libffi-3.3_1.txz
	/var/cache/pkg/readline-8.1.1.txz
	/var/cache/pkg/pcre-8.44.txz
The cleanup will free 111 MiB
Deleting files: .......... done
All done
Step 18: Remove pre-existing cook script (if any)
Step 19: Create cook script
Step 20: Make cook script executable
setting executable bit on /usr/local/bin/cook
Step 21: Create rc.d script to start cook
creating rc.d script to start cook
Step 22: Make rc.d script to start cook executable
Setting executable bit on cook rc file
Step 23: Enable cook service
enabling cook
cook enabled in /etc/rc.conf
=====>  Stop the pot vault-amd64-12_2
=====>  Remove epair0[a|b] network interfaces
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/tmp
=====>  unmount /mnt/data/pot/jails/vault-amd64-12_2/m/dev
=====>  Flavour: vault+1
=====>  Executing vault+1 pot commands on vault-amd64-12_2
=====>  No shell script available for the flavour vault+1
=====>  Flavour: vault+2
=====>  Executing vault+2 pot commands on vault-amd64-12_2
=====>  No shell script available for the flavour vault+2
=====>  Flavour: vault+3
=====>  Executing vault+3 pot commands on vault-amd64-12_2
=====>  No shell script available for the flavour vault+3
=====>  Flavour: vault+4
=====>  Executing vault+4 pot commands on vault-amd64-12_2
=====>  No shell script available for the flavour vault+4

This site © Honeyguide Group (Pty) Ltd, all the hosted software their respective license owners 2020 - 2021 - Disclaimer