From 3ec68c88ced0adaf280ce5fd74423ff56c257692 Mon Sep 17 00:00:00 2001
From: Martin Cholewa
Date: Thu, 22 Jan 2026 13:31:43 +0100
Subject: [PATCH] utm vagrant
---
utm/Vagrantfile | 176 +++++++++++++++++++++++++++++++++++++++++++++
utm/VagrantfileBCK | 9 +++
2 files changed, 185 insertions(+)
create mode 100644 utm/Vagrantfile
create mode 100644 utm/VagrantfileBCK
diff --git a/utm/Vagrantfile b/utm/Vagrantfile
new file mode 100644
index 0000000..1d178f4
--- /dev/null
+++ b/utm/Vagrantfile
@@ -0,0 +1,176 @@
+# Vagrantfile pro 3-node Vault cluster s Integrated Raft Storage
+NUM_NODES = 3
+NODE_MEMORY = 2048
+NODE_CPUS = 2
+NETWORK = "192.168.56"
+IP_START = 10
+
+Vagrant.configure("2") do |config|
+ config.vm.box = "utm/ubuntu-24.04"
+
+ # Globální konfig
+ config.vm.synced_folder ".", "/vagrant", create: true
+ config.ssh.username = "vagrant"
+
+ # Shared provisioning pro všechny VMs
+ config.vm.provision "shell", inline: <<-SHELL
+ apt-get update
+ apt-get install -y curl wget unzip python3 python3-pip
+
+ # Instalace Vault binary
+ VAULT_VERSION="1.16.1"
+ cd /tmp
+ wget -q https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_arm64.zip
+ unzip -o vault_${VAULT_VERSION}_linux_arm64.zip
+ mv vault /usr/local/bin/
+ chmod +x /usr/local/bin/vault
+ useradd --system --home /etc/vault.d --shell /bin/false vault || true
+
+ # Systemd service pro Vault
+ cat > /etc/systemd/system/vault.service << 'EOF'
+[Unit]
+Description=HashiCorp Vault
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault.d/vault.hcl
+
+[Service]
+Type=notify
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitMEMLOCK=infinity
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=vault
+SyslogFacility=AUTH
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+ systemctl daemon-reload
+ systemctl enable vault
+ SHELL
+
+ # Vytvoř 3 VM s Vaultem
+ (1..NUM_NODES).each do |i|
+ node_name = "vault#{i}"
+ node_ip = "#{NETWORK}.#{IP_START + i - 1}"
+
+ config.vm.define node_name do |node|
+ node.vm.hostname = node_name
+ node.vm.network "private_network", ip: node_ip
+
+ node.vm.provider "utm" do |utm|
+ utm.cpus = NODE_CPUS
+ utm.memory = NODE_MEMORY
+ end
+
+ # Vault config per node
+ node.vm.provision "shell", inline: <<-SHELL
+ mkdir -p /etc/vault.d /opt/vault/data
+ chown -R vault:vault /etc/vault.d /opt/vault/data
+ chmod 700 /etc/vault.d /opt/vault/data
+
+ cat > /etc/vault.d/vault.hcl << 'EOF'
+ui = true
+node_id = "#{node_name}"
+
+# Listener na 0.0.0.0:8200
+listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_disable = true
+ cluster_addr = "#{node_ip}:8201"
+}
+
+# Integrated Raft Storage (bez Consulu)
+storage "raft" {
+ path = "/opt/vault/data"
+ node_id = "#{node_name}"
+}
+
+# API address (intra-cluster komunikace)
+api_addr = "http://#{node_ip}:8200"
+cluster_addr = "http://#{node_ip}:8201"
+
+# Telemetry
+telemetry {
+ prometheus_retention_time = "30s"
+ disable_hostname = false
+}
+EOF
+
+ chown vault:vault /etc/vault.d/vault.hcl
+ chmod 640 /etc/vault.d/vault.hcl
+ SHELL
+
+ # Spusti Vault service - jen na prvním nodu
+ if i == 1
+ node.vm.provision "shell", inline: <<-SHELL
+ systemctl start vault
+ sleep 2
+ vault status || true
+
+ # Init cluster (jen poprvé)
+ export VAULT_ADDR="http://#{node_ip}:8200"
+ if ! vault operator raft list-peers 2>/dev/null | grep -q "vault1"; then
+ vault operator raft bootstrap-init-raft \
+ --leader-api-addr "http://#{node_ip}:8200" \
+ --recovery-shares 3 \
+ --recovery-threshold 2 || true
+ fi
+ SHELL
+ else
+ # Ostatní nody se připojí po inicializaci
+ node.vm.provision "shell", inline: <<-SHELL
+ sleep 5
+ systemctl start vault
+ sleep 2
+
+ # Join raft cluster (po inicializaci)
+ export VAULT_ADDR="http://#{node_ip}:8200"
+ sleep 3
+ vault operator raft join "http://#{NETWORK}.#{IP_START}:8200" || true
+ SHELL
+ end
+ end
+ end
+
+ # Post-up message
+ config.vm.post_up_message = <<-MSG
+
+ ╔═══════════════════════════════════════════════════════════════╗
+ ║ 3-Node Vault Cluster (Raft Storage) ║
+ ╚═══════════════════════════════════════════════════════════════╝
+
+ Nodes:
+ • vault1: #{NETWORK}.#{IP_START}
+ • vault2: #{NETWORK}.#{IP_START + 1}
+ • vault3: #{NETWORK}.#{IP_START + 2}
+
+ Příkazy:
+ vagrant ssh vault1 # Připoj se k prvnímu nodu
+ vault status # Check status (uvnitř VM)
+ vault operator raft list-peers # Peer status
+ vault operator init # Inicializuj (potřeba jen jednou!)
+
+ Poznámky:
+ - Vault běží bez TLS (lab)
+ - Raft storage == keine Consul potřeba
+ - Port 8200 je dostupný na VM IP
+ - Data se ukládají do /opt/vault/data
+
+ MSG
+end
+
diff --git a/utm/VagrantfileBCK b/utm/VagrantfileBCK
new file mode 100644
index 0000000..d931203
--- /dev/null
+++ b/utm/VagrantfileBCK
@@ -0,0 +1,9 @@
+Vagrant.configure("2") do |config|
+ config.vm.box = "utm/ubuntu-24.04"
+
+ config.vm.provider "utm" do |utm|
+ utm.cpus = 2
+ utm.memory = 2048
+ end
+end
+
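Review bot: The vault.service unit written by the shared provisioner has no `User=`/`Group=` directive, so `ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl` runs as root even though the same script creates the `vault` system user and the per-node provisioner chowns `/etc/vault.d` and `/opt/vault/data` to it with 700/640 permissions; add `User=vault` and `Group=vault` under `[Service]` so the hardening directives and those permissions actually apply to an unprivileged process. The init step on vault1 calls `vault operator raft bootstrap-init-raft`, which does not appear to be a `vault operator raft` subcommand (the recovery-shares flags look like they belong to `vault operator init`), and the `|| true` together with the `list-peers` guard, which as far as I can tell needs a token and cannot succeed on an uninitialized node, makes the failure silent, after which vault2/vault3 `raft join` a leader that was never initialized or unsealed, also under `|| true`. Consider running `vault operator init` once, letting the provisioner fail on error, and writing its output to a root-only file the operator can retrieve instead of letting the unseal keys and root token scroll past in the vagrant log. Inside the `listener "tcp"` stanza the key `cluster_addr` appears to be meant as `cluster_address`; the top-level `cluster_addr` already carries the same value. The lab choice of `tls_disable = true` is called out in the post-up message, so I would only ask that `address = "0.0.0.0:8200"` be narrowed to the private-network address `#{node_ip}:8200` rather than every interface.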
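Review bot: `utm/VagrantfileBCK` is a backup copy of an older Vagrantfile committed next to the live one; Vagrant will not read it, and it will drift from `utm/Vagrantfile` as that file changes while the earlier content is already preserved by history. I would drop it from the change, or add a `*BCK` pattern to the repository's ignore file, rather than track it.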