refactor(everything): overhaul to align with the template-formula

* see: https://github.com/saltstack-formulas/template-formula
* systemd unit
file:https://learn.hashicorp.com/vault/operations/ops-vault-ha-consul#vault-server-systemd-unit-file
* currently the self-signed certificate part has not been ported but
that can be done upon request

BREAKING CHANGE: This renames all states and the config file being
generated.

.kitchen.yml

@@ -59,21 +59,28 @@ suites:
       state_top:
         base:
           '*':
-            - vault.server
+            - vault
+      pillars:
+        top.sls:
+          base:
+            '*':
+              - vault
+        vault.sls:
+          vault:
+            dev_mode: True
   - name: prod_server
     provisioner:
       state_top:
         base:
           '*':
-            - vault.server
+            - vault
       pillars:
         top.sls:
           base:
             '*':
               - vault
         vault.sls:
           vault:
-            dev_mode: false
             tls_disable: 1
             self_signed_cert:
               enabled: true

README.rst

@@ -23,22 +23,27 @@ Install the vault binary
 
 Install and configure the vault server
 
-To use it, just include *vault.server* in your *top.sls*, and configure it using pillars:
+To use it, just include *vault* in your *top.sls*, and configure it using pillars:
 
 ::
 
   vault:
-    version: 0.7.0
-    listen_protocol: tcp
-    listen_port: 8200
-    listen_address: 0.0.0.0
-    tls_disable: 0
-    default_lease_ttl: 24h
-    max_lease_ttl: 24h
-    self_signed_cert:
-      enabled: false
-    backend: {}
-    dev_mode: true
+    version: 1.1.0
+    platform: linux_amd64
+    dev_mode: True
+    verify_download: True
+    config:
+      storage:
+        file:
+          path: /var/lib/vault/data
+      listener:
+        tcp:
+          address: "127.0.0.1:8200"
+          tls_disable: True
+          tls_cert_file: ""
+          tls_key_file: ""
+      default_lease_ttl: 768h
+      max_lease_ttl: 768h
 
 Issues
 ======

pillar.example

@@ -1,20 +1,25 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
 vault:
-  version: 0.7.0
-  listen_protocol: tcp
-  listen_port: 8200
-  listen_address: 0.0.0.0
-  tls_disable: 0
-  tls_cert_file: {}
-  tls_key_file: {}
-  default_lease_ttl: 4380h
-  max_lease_ttl: 43800h
-  self_signed_cert:
-    enabled: false
-  backend: {}
-  dev_mode: true
-  secure_download: true
-  user: root
-  group: root
+  version: 1.1.0
+  platform: linux_amd64
+  dev_mode: False
+  verify_download: True
+  config:
+    storage:
+      consul:
+        address: "127.0.0.1:8500"
+        path: "vault"
+    listener:
+      tcp:
+        address: "127.0.0.1:8200"
+        tls_disable: True
+        tls_cert_file: ""
+        tls_key_file: ""
+    default_lease_ttl: 768h
+    max_lease_ttl: 768h
+  hashicorp_key_id: 51852D87348FFC4C
   hashicorp_gpg_key: |
     -----BEGIN PGP PUBLIC KEY BLOCK-----
     Version: GnuPG v1
@@ -46,4 +51,4 @@ vault:
     oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
     =LYpS
     -----END PGP PUBLIC KEY BLOCK-----
-  hashicorp_key_id: 51852D87348FFC4C
+

vault/clean.sls

@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+include:
+  - .service.clean
+  - .config.clean
+  - .package.clean

vault/config/clean.sls

@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+vault-config-clean-file-absent:
+  file.absent:
+    - name: /etc/vault

vault/config/init.sls

@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% from "vault/map.jinja" import vault with context -%}
+
+vault-config-init-file-serialize:
+  file.serialize:
+    - name: /etc/vault/conf.d/config.json
+    - encoding: utf-8
+    - formatter: json
+    - dataset: {{ vault.config | json }}
+    - user: root
+    - group: vault
+    - mode: 640
+    - makedirs: True
+    - watch_in:
+      - service: vault

vault/files/vault.service.j2

@@ -0,0 +1,20 @@
+{%- from "vault/map.jinja" import vault with context -%}
+[Unit]
+Description=Vault secret management tool
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+User=vault
+Group=vault
+PIDFile=/var/run/vault/vault.pid
+ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %} -dev {% else %} -config=/etc/vault/conf.d {% endif %}
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+KillSignal=SIGTERM
+Restart=on-failure
+RestartSec=42s
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target

vault/init.sls

@@ -1,60 +1,7 @@
-{% from "vault/map.jinja" import vault with context %}
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
 
-{% set version = vault.version %}
-
-/opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS:
-  file.managed:
-    - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
-    - makedirs: true
-    - skip_verify: true
-
-/opt/vault/{{ version }}/bin:
-  archive.extracted:
-    - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_linux_amd64.zip
-    - source_hash: /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
-    - enforce_toplevel: false
-    - require:
-      - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
-
-/usr/local/bin/vault:
-  file.symlink:
-    - target: /opt/vault/{{ version }}/bin/vault
-    - force: true
-    - require:
-      - /opt/vault/{{ version }}/bin
-
-{% if vault.secure_download -%}
-/opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig:
-  file.managed:
-    - source: https://releases.hashicorp.com/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig
-    - skip_verify: true
-    - require:
-      - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
-
-
-/tmp/hashicorp.asc:
-  file.managed:
-    - source: salt://vault/files/hashicorp.asc.jinja
-    - template: jinja
-
-vault_gpg_pkg:
-  pkg.installed:
-    - name: {{ vault.gpg_pkg }}
-
-import key:
-  cmd.run:
-    - name: gpg --import /tmp/hashicorp.asc
-    - unless: gpg --list-keys {{ vault.hashicorp_key_id }}
-    - require:
-      - /tmp/hashicorp.asc
-      - vault_gpg_pkg
-
-verify shasums sig:
-  cmd.run:
-    - name: gpg --verify /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS
-    - require:
-      - /opt/vault/{{ version }}/vault_{{ version }}_SHA256SUMS.sig
-      - import key
-    - prereq:
-      - /usr/local/bin/vault
-{%- endif %}
+include:
+  - .package
+  - .config
+  - .service

vault/map.jinja

@@ -1,11 +1,15 @@
-{% import_yaml "vault/defaults.yaml" as defaults %}
-{% import_yaml "vault/osfamilymap.yaml" as osfamilymap %}
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% import_yaml "vault/yaml/defaults.yaml" as defaults %}
+{% import_yaml "vault/yaml/osfamilymap.yaml" as osfamilymap %}
+{% import_yaml "vault/yaml/initfamilymap.yaml" as initfamilymap %}
 
 {% set vault = salt['grains.filter_by'](
-    defaults,
-    merge=salt['grains.filter_by'](
-      osfamilymap,
-      merge=salt['pillar.get']('vault', {}),
-    ),
-    base='vault')
- %}
+  defaults, merge=salt['grains.filter_by'](
+    osfamilymap, merge=salt['grains.filter_by'](
+      initfamilymap, grain='init', merge=salt['pillar.get']('vault', {}),
+      base='vault'),
+    base='vault'),
+  base='vault')
+%}

vault/package/clean.sls

@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% from "vault/map.jinja" import vault with context %}
+
+vault-package-clean-file-absent:
+  file.absent:
+    - name: /opt/vault
+
+vault-package-clean-file-absent-data:
+  file.absent:
+    - name: /var/lib/vault
+
+vault-package-clean-cmd-run:
+  cmd.run:
+    - name: gpg --batch --yes --delete-key {{ vault.hashicorp_key_id }}
+
+vault-package-clean-user-absent:
+  user.absent:
+    - name: vault
+
+vault-package-clean-group-absent:
+  group.absent:
+    - name: vault

vault/package/gpg.sls

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% from "vault/map.jinja" import vault with context %}
+
+vault-package-gpg-file-managed:
+  file.managed:
+    - name: /opt/vault/hashicorp.asc
+    - contents: |
+        {{ vault.hashicorp_gpg_key | indent(8) }}
+    - makedirs: True
+
+vault-package-gpg-pkg-installed:
+  pkg.installed:
+    - name: {{ vault.gpg_pkg }}
+
+vault-package-gpg-cmd-run:
+  cmd.run:
+    - name: gpg --import /opt/vault/hashicorp.asc
+    - unless: gpg --list-keys {{ vault.hashicorp_key_id }}

vault/package/init.sls

@@ -0,0 +1,11 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% from "vault/map.jinja" import vault with context %}
+
+include:
+  - .install
+{%- if vault.verify_download %}
+  - .gpg
+  - .signature
+{%- endif %}