SSL Support
Disabling TLS was (dubiously) acceptable when studying for the Vault Associate exam. Deploying and subsequently unsealing a production Vault instance in clear text, however, is utterly unacceptable. Adopt the same strategy used in the recent commits to the Flarum role to implement SSL here.
i manually configured SSL for Vault and it made sense in that deployment to run the service rootfully (don't worry, i feel the appropriate amount of shame, i may be a heathen but i'm professional about it). Below is the working configuration for the systemd service file.
```ini
[Unit]
Description="Hashicorp Vault Secret Manager"
Documentation=https://www.vaultproject.io/docs
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.hcl

[Service]
User=root
Group=root
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitBurst=3
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```
The configuration for Vault itself was relatively straightforward.
```hcl
disable_cache = true
disable_mlock = true
ui = true
api_addr = "https://<ipv4-address>:443"

listener "tcp" {
  address       = "0.0.0.0:443"
  tls_cert_file = "/etc/vault/aliceseaborn-net.chain"
  tls_key_file  = "/etc/vault/aliceseaborn-net.key"
}

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}
```
Of course the firewall must also be updated to permit traffic on 443 and there is no need to open port 8200. These tasks have been added as child items.
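The change this issue asks for (no more cleartext listener, `api_addr` on https and on the same port the listener actually serves) is easy to get subtly wrong in a role, so here is an added lint, not code from the issue or the role, that flags those mistakes in a Vault config. The two embedded configs are constructed samples: the cleartext layout used while studying and the TLS layout above with a TEST-NET address in place of the real one; `audit_vault_config` and the regexes are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed samples (not from the issue): cleartext study layout vs. TLS layout.
INSECURE_HCL = """
api_addr = "http://203.0.113.10:8200"
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = true
}
"""
HARDENED_HCL = """
api_addr = "https://203.0.113.10:443"
listener "tcp" {
  address = "0.0.0.0:443"
  tls_cert_file = "/etc/vault/aliceseaborn-net.chain"
  tls_key_file = "/etc/vault/aliceseaborn-net.key"
}
"""
LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

def _parse_block(body):
    """Turn the `key = value` lines of one HCL block into a dict."""
    return {k: v.strip() for k, v in KV_RE.findall(body)}

def _port(addr):
    """Port of a 'host:port' string or of a URL (scheme default if omitted)."""
    if "://" in addr:
        url = urlparse(addr)
        return url.port or {"https": 443, "http": 80}.get(url.scheme)
    return int(addr.rsplit(":", 1)[1]) if ":" in addr else None

def audit_vault_config(hcl):
    """Return findings for listeners that skip TLS or disagree with api_addr."""
    findings = []
    # Top-level keys only: listener blocks are stripped before parsing.
    api_addr = _parse_block(LISTENER_RE.sub("", hcl)).get("api_addr", "")
    if not api_addr.startswith("https://"):
        findings.append(f"api_addr is not https: {api_addr or '<unset>'}")
    for ln in (_parse_block(m.group(1)) for m in LISTENER_RE.finditer(hcl)):
        addr = ln.get("address", "<unset>")
        if ln.get("tls_disable", "false").lower() in ("true", "1"):
            findings.append(f"listener {addr}: tls_disable set, cleartext")
            continue  # cert/key checks are moot on a cleartext listener
        for key in ("tls_cert_file", "tls_key_file"):
            if not ln.get(key):
                findings.append(f"listener {addr}: {key} missing")
        if api_addr.startswith("https://") and _port(addr) != _port(api_addr):
            findings.append(f"listener {addr}: port differs from api_addr {api_addr}")
    return findings
```

Running it over the rendered `config.hcl` before the unseal step (for instance as a role assertion) catches the cleartext case and the port mismatch that a firewall change alone would hide.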