feat(freebsd): add FreeBSD support

Author: Julien LEVIEIL

vault/config/clean.sls

@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+{% from "vault/map.jinja" import vault with context %}
 
 vault-config-clean-file-absent:
   file.absent:
-    - name: /etc/vault
+    - name: {{ vault.config_path }}/vault

vault/config/config.sls

@@ -5,7 +5,7 @@
 
 vault-config-config-file-serialize:
   file.serialize:
-    - name: /etc/vault/conf.d/config.json
+    - name: {{ vault.config_path }}/vault/conf.d/config.json
     - encoding: utf-8
     - formatter: json
     - dataset: {{ vault.config | json }}

vault/config/self-sign.sls

@@ -12,5 +12,5 @@ vault-config-self-signed-cmd-script:
     - source: salt://vault/files/cert-gen.sh.j2
     - template: jinja
     - args: {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
-    - cwd: /etc/vault
-    - creates: /etc/vault/{{ vault.self_signed_cert.hostname }}.pem
+    - cwd: {{ vault.config_path }}/vault
+    - creates: {{ vault.config_path }}/vault/{{ vault.self_signed_cert.hostname }}.pem

vault/defaults.yaml

@@ -10,6 +10,7 @@ vault:
   verify_download: true
   self_signed_cert:
     enabled: false
+  config_path: /etc
   config:
     listener:
       tcp:

vault/files/vault.conf.j2

@@ -18,7 +18,7 @@ script
 {%- if vault.dev_mode %}
     -dev \
 {% else %}
-    -config="/etc/vault/conf.d/config.json" \
+    -config="{{ vault.config_path }}/vault/conf.d/config.json" \
 {% endif -%}
     >>/var/log/vault.log 2>&1
 end script

vault/files/vault.service.fbsd.j2

@@ -0,0 +1,89 @@
+{% from "vault/map.jinja" import vault with context -%}
+#!/bin/sh
+
+# PROVIDE: vault
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# vault_enable (bool):boolSet it to YES to enable vault.
+#toDefault is "NO".
+# vault_user (user):userSet user to run vault.
+#toDefault is "vault".
+# vault_group (group):groupSet group to run vault.
+#toDefault is "vault".
+# vault_config (dir):dirSet vault config file.
+#vaultDefault is "/usr/local/etc/vault/conf.d/vault.json".
+# vault_syslog_output_enable (bool):boolSet to enable syslog output.
+#boolSetDefault is "NO". See daemon(8).
+# vault_syslog_output_priority (str):strSet syslog priority if syslog enabled.
+#strSetDefault is "info". See daemon(8).
+# vault_syslog_output_facility (str):strSet syslog facility if syslog enabled.
+#strSetDefault is "daemon". See daemon(8).
+
+. /etc/rc.subr
+
+name=vault
+rcvar=vault_enable
+
+load_rc_config $name
+
+: ${vault_enable:="NO"}
+: ${vault_user:="vault"}
+: ${vault_group:="vault"}
+: ${vault_config:="{{ vault.config_path }}/vault/conf.d/config.json"}
+: ${vault_env:="HOME=/var/lib/vault"}
+
+DAEMON=$(/usr/sbin/daemon 2>&1 | grep -q syslog ; echo $?)
+if [ ${DAEMON} -eq 0 ]; then
+: ${vault_syslog_output_enable:="NO"}
+: ${vault_syslog_output_priority:="info"}
+: ${vault_syslog_output_facility:="daemon"}
+if checkyesno vault_syslog_output_enable; then
+  vault_syslog_output_flags="-t ${name} -T ${name}"
+
+  if [ -n "${vault_syslog_output_priority}" ]; then
+    vault_syslog_output_flags="${vault_syslog_output_flags} -s ${vault_syslog_output_priority}"
+  fi
+
+  if [ -n "${vault_syslog_output_facility}" ]; then
+    vault_syslog_output_flags="${vault_syslog_output_flags} -l ${vault_syslog_output_facility}"
+  fi
+fi
+else
+  vault_syslog_output_enable="NO"
+  vault_syslog_output_flags=""
+fi
+
+pidfile=/var/run/vault.pid
+procname="/usr/local/bin/vault"
+command="/usr/sbin/daemon"
+command_args="-f ${vault_syslog_output_flags} -p ${pidfile} /usr/bin/env ${vault_env} ${procname} server {% if vault.dev_mode %} -dev {% else %} -config=${vault_config} {% endif %}"
+
+extra_commands="reload monitor"
+monitor_cmd=vault_monitor
+start_precmd=vault_startprecmd
+{% if not vault.dev_mode %}
+required_files="$vault_config"
+{% endif %}
+
+vault_monitor()
+{
+  sig_reload=USR1
+  run_rc_command "reload"
+}
+
+vault_startprecmd()
+{
+  if [ ! -e ${pidfile} ]; then
+    install -o ${vault_user} -g ${vault_group} /dev/null ${pidfile};
+  fi
+
+  if [ ! -d ${vault_dir} ]; then
+    install -d -o ${vault_user} -g ${vault_group} ${vault_dir}
+  fi
+}
+
+run_rc_command "$1"

vault/files/vault.service.j2

@@ -8,7 +8,7 @@ After=network-online.target
 User=vault
 Group=vault
 PIDFile=/var/run/vault/vault.pid
-ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %} -dev {% else %} -config=/etc/vault/conf.d {% endif %}
+ExecStart=/usr/local/bin/vault server {% if vault.dev_mode %} -dev {% else %} -config={{ vault.config_path }}/vault/conf.d {% endif %}
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 KillSignal=SIGTERM

vault/osfamilymap.yaml

@@ -13,3 +13,11 @@ Arch:
 
 MacOS:
   platform: darwin_amd64
+
+FreeBSD:
+  gpg_pkg: gnupg
+  platform: freebsd_amd64
+  config_path: /usr/local/etc
+  service:
+    path: /usr/local/etc/rc.d/vault
+    source: salt://vault/files/vault.service.fbsd.j2

vault/package/install.sls

@@ -53,6 +53,7 @@ vault-package-install-file-symlink:
     - target: /opt/vault/bin/vault
     - force: true
 
+{% if grains['os_family'] != "FreeBSD" %}
 vault-package-install-pkg-installed:
   pkg.installed:
     - name: {{ vault.setcap_pkg }}
@@ -64,3 +65,21 @@ vault-package-install-cmd-run:
       - pkg: vault-package-install-pkg-installed
     - onchanges:
       - archive: vault-package-install-archive-extracted
+{% else %}
+vault-package-install-login-file:
+  file.replace:
+    - name: /etc/login.conf
+    - pattern: |
+        ^daemon:\\(?:\n|\r\n?)(.+)$(?:\n|\r\n?)^(\t):tc=default:
+    - flags: ['MULTILINE']
+    - repl: |
+        daemon:\\
+        \t:memorylocked=256M:\\
+        \t:tc=default:
+
+vault-package-install-cmd-run:
+  cmd.run:
+    - name: cap_mkdb /etc/login.conf
+    - onchanges:
+      - file: vault-package-install-login-file
+{% endif %}

vault/service/init.sls

@@ -8,7 +8,10 @@ vault-service-init-file-managed:
     - name: {{ vault.service.path }}
     - source: {{ vault.service.source }}
     - template: jinja
-{% if grains.init == 'upstart' %}
+{% if grains.os_family == "FreeBSD" %}
+    - mode: 555
+{% endif %}
+{% if grains.get('init', '') == 'upstart' %}
   cmd.run:
     - name: initctl reload-configuration
     - onchanges: