diff --git a/README.md b/README.md
index 2a28c24a02ecb6243635aeb130bd66cf51892318..ff101c202a22c0384d415346133633e97751780f 100644
--- a/README.md
+++ b/README.md
@@ -115,24 +115,16 @@ The services access Redis from their containers as `redis:6397`
 
 ### Hashicorp Vault
 
-When the vault is first started with docker-compose on your local machine,
-it's not yet initialized. To initialize it and get a vault token which can be used
-by the [signer](../signer) service, you should open the Vault UI and follow the
-initial steps to generate a token. The token then must be set as a value for the
-ENV variable VAULT_TOKEN in [signer.env](./env/signer.env)
-
-Vault UI is exposed at http://0.0.0.0:8200/ui/vault
-
-Setting Vault __(only for local env)__:
-1. On the first screen of the Vault Web UI enter "Key shares" = 1 and "Key threshold" = 1
-1. Click Initialize
-1. Save key/token
-1. Unseal Vault by using the key
-1. Sign in by using the token (the same one you need for VAULT_TOKEN env variable)
-1. On the "Secrets" tab click "Enable new engine" => "transit" => "next" => "Enable engine"
-1. Click "Create encryption key" enter name "key1"
-1. For "Type" use one of the options in [signer.env](./env/signer.env) for VAULT_SUPPORTED_KEYS
-1. Click "Create encryption key"
+The vault in the local docker-compose environment is started in
+[dev](https://developer.hashicorp.com/vault/docs/concepts/dev-server) server mode.
+It starts with a predefined root token with value `root` which should be given to the
+services which want to interact with the vault. The vault is automatically
+unsealed, so once running it should be ready for use.
+
+Vault UI is exposed at http://localhost:8200/ui/vault, and you can sign-in there with
+the `root` token.
+
+> Warning: Never use Vault DEV mode in production!
 
 ### License
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 2b37c7aa43cc8a4e946f6219254568b22ac79c2d..3600dc78c66a3ac5e43d053e129dc25a96b50ee4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -93,6 +93,7 @@ services:
 - "2112:2112"
 depends_on:
 - vault
+ - vault-init
 
 didresolver:
 container_name: didresolver
@@ -151,9 +152,8 @@ services:
 container_name: vault
 image: vault:1.10.3
 environment:
- VAULT_ADDR: ":8200"
+ VAULT_ADDR: "http://0.0.0.0:8200"
 VAULT_API_ADDR: "http://0.0.0.0:8200"
- VAULT_DEV_ROOT_TOKEN_ID: root
 ports:
 - "8200:8200"
 volumes:
@@ -161,7 +161,17 @@ services:
 - ./vault:/vault/config:rw
 cap_add:
 - IPC_LOCK
- entrypoint: vault server -config=/vault/config/config.json
+ entrypoint: vault server -dev -dev-listen-address="0.0.0.0:8200" -dev-root-token-id="root"
+
+ vault-init:
+ container_name: vault-init
+ image: vault:1.10.3
+ volumes:
+ - ./vault/vault-init.sh:/vault-init.sh
+ depends_on:
+ - vault
+ restart: "no"
+ entrypoint: sh -c "/vault-init.sh"
 
 nats:
 hostname: nats
diff --git a/env/signer.env b/env/signer.env
index d8b600890e4a7f3a032576e3f060c63dd6185464..ca37a56055b28d5a0f859960cd55c1b8d3afd037 100644
--- a/env/signer.env
+++ b/env/signer.env
@@ -5,7 +5,7 @@ HTTP_IDLE_TIMEOUT="120s"
 HTTP_READ_TIMEOUT="10s"
 HTTP_WRITE_TIMEOUT="10s"
 VAULT_ADDR="http://vault:8200"
-VAULT_TOKEN=
+VAULT_TOKEN=root
 VAULT_SIGNING_KEY="key1"
 VAULT_SUPPORTED_KEYS="ed25519,ecdsa-p256,ecdsa-p384,ecdsa-p521"
 CREDENTIAL_ISSUER="did:web:17a1-2a00-4802-2c0-9295-59ff-6a60-b735-32ea.eu.ngrok.io:policy:policy:example:returnDID:1.0:evaluation"
diff --git a/vault/vault-init.sh b/vault/vault-init.sh
new file mode 100755
index 0000000000000000000000000000000000000000..529885cd3c80227b7da10c578edd11e8f042df07
--- /dev/null
+++ b/vault/vault-init.sh
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+set -e
+
+export VAULT_ADDR=http://vault:8200
+
+# give some time for Vault to start and be ready
+sleep 3
+
+vault login root
+
+# enable vault transit engine
+vault secrets enable transit
+
+# create key1 with type ed25519
+vault write -f transit/keys/key1 type=ed25519
+
+# create key2 with type ecdsa-p256
+vault write -f transit/keys/key2 type=ecdsa-p256
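Review bot: The added `- vault-init` entry in this `depends_on` list only orders container creation; Compose does not wait for the one-shot init container to finish, so the service whose definition starts above the hunk (its name is not visible here) can come up before the transit engine and keys exist. The list form should become the mapping form with a completion condition, `depends_on:` / `vault-init:` / `condition: service_completed_successfully`, which Compose V2 supports. The later hunk that adds the `vault-init` service has the same gap in the other direction: its `depends_on: - vault` waits only for the vault container to start, which is the reason the init script carries a fixed `sleep 3`; a `healthcheck` on `vault` (for example `test: ["CMD", "vault", "status"]`, which works because `VAULT_ADDR` is set in that container) together with `condition: service_healthy` closes that race without a delay.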
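Review bot: The `./vault:/vault/config:rw` bind mount kept as context just above the new `entrypoint` is now dead: `vault server -dev` is started without `-config`, so nothing reads `/vault/config/config.json` and the writable mount only exposes the host directory to the container for no purpose; drop it, or add `-config=/vault/config/config.json` to the dev command if the file is still wanted. The literal root token `root` now lives in three places (this `-dev-root-token-id="root"`, `VAULT_TOKEN=root` in `env/signer.env`, and `vault login root` in `vault/vault-init.sh`), so a single compose-level value such as `-dev-root-token-id="${VAULT_DEV_ROOT_TOKEN_ID:-root}"` would keep them from drifting. `restart: "no"` is correctly quoted; a bare `no` would be read as a boolean by the YAML 1.1 parsers Compose uses.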
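Review bot: `sleep 3` is a fixed delay standing in for a readiness check, so on a slow host `vault login root` runs before the dev server is listening and `set -e` aborts the whole init; `vault status` exits 0 once the server is initialized and unsealed (immediately true for a dev server), so polling it is the reliable replacement. The script is also not re-runnable: on a second `docker compose up` against a still-running vault, `vault secrets enable transit` fails because the path is already in use and `set -e` stops the script, whereas the two `vault write -f transit/keys/...` calls are harmless for existing keys, so only the enable needs a guard via `vault secrets list`. Exporting `VAULT_TOKEN` replaces the `vault login root` step, which otherwise writes the token to the container's token helper file. The rewritten prelude is below; the key-creation lines stay as they are.
```shell
export VAULT_ADDR=http://vault:8200
export VAULT_TOKEN=root

# poll readiness instead of a fixed delay: `vault status` exits 0 once the
# server is initialized and unsealed, which a dev server is from the start
until vault status >/dev/null 2>&1; do
  sleep 1
done

# keep the script re-runnable under set -e: enabling an already-mounted
# engine is an error, creating an existing transit key is not
vault secrets list | grep -q '^transit/' || vault secrets enable transit

# … unchanged: key1 / key2 creation …
```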