Quick Commands

# edit + deploy
git status
git add -A
git commit -m "docs: update"
git push

# rebuild static blog output (local)
cd site
npm ci --no-audit --no-fund
npm run build

# VPS: pull only
# (on server)
git pull --ff-only

Vault Admin Setup


Doc 1 – Vault Admin Setup

Purpose

This document describes how to set up administrative access in Vault, prepare policies, and generate tokens for managing the PKI backend and application AppRoles.


1. Initialize Vault and Load Root Token

When Vault is initialized, the init output is saved as vault-init.json, which contains the root_token. Keep that file readable only by the provisioning user (chmod 600) and never commit it. Plain http is acceptable here only because the listener is bound to loopback.

export VAULT_ADDR="http://127.0.0.1:22300"
export VAULT_TOKEN="$(jq -r '.root_token' "$HOME/vault/secrets/vault-init.json")"

This token has full privileges and is required for provisioning. Use it only for the steps in this document; once the admin token exists and has been verified, revoke it (vault token revoke "$VAULT_TOKEN"). A new root token can be regenerated later from the unseal keys with vault operator generate-root.


2. Create the Admin Policy (admin-pki)

The admin-pki policy allows administrators to manage PKI roles, AppRoles, tokens, and ACL policies. Two caveats: the policy only reads sys/mounts, so the pki-test mount must already exist (enabling or tuning mounts still requires the root token); and a holder who can write ACL policies and issue tokens with any policy is root-equivalent in practice, so treat admin-pki tokens with the same care as the root token.

Policy definition:

# Manage the pki-test mount (one block per PKI mount; the path must match the mount name)
path "pki-test/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage ACL policies (combined with token creation below this is effectively root)
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Manage authentication backends (AppRole, token, ...)
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage tokens (already covered by the auth/* glob above; kept explicit for readability)
path "auth/token/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Read system mounts (read/list only: this policy cannot enable or tune mounts)
path "sys/mounts" {
  capabilities = ["read", "list"]
}

path "sys/mounts/*" {
  capabilities = ["read", "list"]
}

Apply policy:

vault policy write admin-pki admin-pki.hcl


3. Create an Admin Token

Generate a short-lived admin token (24h in this example) with the admin-pki policy.

vault token create -policy=admin-pki -ttl=24h

Sample output:

Key                  Value
---                  -----
token                hvs.XXXX....
token_accessor       MLOzzMna0fKJUpQtUc5VqsMV
token_duration       24h
token_renewable      true
token_policies       ["admin-pki" "default"]


4. Verify Token Permissions

vault token lookup with no arguments inspects the token in VAULT_TOKEN, which at this point is still the root token. Either export the new token first, or look the new token up by its accessor (this also keeps the token value out of shell history):

vault token lookup -accessor MLOzzMna0fKJUpQtUc5VqsMV

Verify that the policies field lists admin-pki and that ttl and renewable match what was requested. Only then switch VAULT_TOKEN to the admin token for day-to-day work.
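Steps 1 to 4 above as one script, with the verification and the optional root-token revocation built in. This is an added example, not part of the original notes; it assumes vault and jq are on PATH, that the policy file is ./admin-pki.hcl, and that the init file and VAULT_ADDR match the values on this page. Nothing contacts Vault unless RUN_VAULT_PROVISION=1 is set, so the file can be sourced or checked safely.

```shell
#!/bin/sh
# Added example (not from the original notes): Vault admin bootstrap, steps 1-4.
# Assumptions: vault and jq on PATH, policy file ./admin-pki.hcl, init file and
# VAULT_ADDR as on the page. Set RUN_VAULT_PROVISION=1 to actually run it.
set -eu

VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:22300}"
INIT_FILE="${INIT_FILE:-${HOME:-.}/vault/secrets/vault-init.json}"
POLICY_FILE="${POLICY_FILE:-admin-pki.hcl}"
ADMIN_TTL="${ADMIN_TTL:-24h}"
ADMIN_TOKEN_FILE="${ADMIN_TOKEN_FILE:-${HOME:-.}/vault/secrets/admin-pki.token}"
export VAULT_ADDR

# has_policy JSON NAME
# Returns 0 when NAME appears in the "policies" array of the JSON printed by
# `vault token lookup -format=json`. Whitespace is stripped first so the match
# does not depend on pretty-printing. Pure shell + grep, so it works without jq.
has_policy() {
    printf '%s' "$1" | tr -d ' \t\n' | grep -q "\"policies\":\[[^]]*\"$2\""
}

provision_admin() {
    # Step 1: load the root token and fail early if the file has none.
    VAULT_TOKEN="$(jq -r '.root_token' "$INIT_FILE")"
    export VAULT_TOKEN
    if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
        echo "no root_token found in $INIT_FILE" >&2
        return 1
    fi

    # Step 2: write the admin-pki policy.
    vault policy write admin-pki "$POLICY_FILE"

    # Step 3: create the admin token. JSON output lets us capture the token and
    # its accessor instead of copying them out of the table by hand.
    create_json="$(vault token create -policy=admin-pki -ttl="$ADMIN_TTL" -format=json)"
    admin_token="$(printf '%s' "$create_json" | jq -r '.auth.client_token')"
    admin_accessor="$(printf '%s' "$create_json" | jq -r '.auth.accessor')"

    # Step 4: verify via the accessor while still authenticated as root; this
    # also keeps the token value out of shell history.
    lookup_json="$(vault token lookup -format=json -accessor "$admin_accessor")"
    if ! has_policy "$lookup_json" admin-pki; then
        echo "token $admin_accessor does not carry admin-pki; revoking it" >&2
        vault token revoke -accessor "$admin_accessor"
        return 1
    fi

    # Hand the token to the admin via an owner-only file; print only the accessor.
    ( umask 077 && printf '%s\n' "$admin_token" > "$ADMIN_TOKEN_FILE" )
    echo "admin-pki token written to $ADMIN_TOKEN_FILE (accessor $admin_accessor)"

    # Optional: retire the root token now that a scoped admin token exists.
    if [ "${REVOKE_ROOT:-0}" = "1" ]; then
        vault token revoke "$VAULT_TOKEN"
        echo "root token revoked; use 'vault operator generate-root' if one is needed again"
    fi
}

if [ "${RUN_VAULT_PROVISION:-0}" = "1" ]; then
    provision_admin
fi
```

Run it as RUN_VAULT_PROVISION=1 sh provision-admin.sh (add REVOKE_ROOT=1 once you are confident the admin token works). Verification by accessor is deliberate: it checks the token that was just issued rather than whatever happens to be in VAULT_TOKEN, and a token that comes back without admin-pki is revoked immediately instead of being left lying around.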