To start I’d probably spin up that VM, then run Boundary in dev mode (I know you said non-dev, but standing up a separate controller and worker on one VM is just going to take up extra resources for no real benefit for this case). That gets you the Postgres database automatically set up too if you want it. Besides that, run a single-node Vault so you can use it as a credential source. Then for an additional target, run a default NGINX Docker container.
Then you can set up several things:
- SSH target to localhost is already set up in dev mode
- HTTP targets to the Vault GUI and the NGINX container
- Postgres target to the Postgres container that’s run automatically
- Dynamic credentials in Vault for the Postgres container
- A credential source in Boundary that retrieves those dynamic credentials
If you want to take that further and still have room to squeeze it into the VM, set up an OIDC auth provider (I like dex backed by OpenLDAP at the moment but you can use anything you want that provides OIDC) and set up a few OIDC auth methods and managed groups in Boundary.
We also have the reference architectures repository if you want some more involved, detailed deployment examples.
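
The last two list items (Vault dynamic credentials for the Postgres container, and a Boundary credential source that retrieves them) can be wired up as in the sketch below. This is an added example, not part of the original post and not HashiCorp's own script. The role, policy and database names (`lab-readonly`, `lab-database`, `lab-postgres`) and the environment variables are assumptions; it expects `vault`, `boundary` and `jq` on the PATH with both CLIs already authenticated.

```shell
#!/bin/sh
# Assumed env: VAULT_ADDR, VAULT_TOKEN (admin), PG_HOST_PORT, PG_ADMIN_USER,
# PG_ADMIN_PASS, BOUNDARY_PROJECT_ID, BOUNDARY_TARGET_ID. Run with "apply".

# Capabilities Boundary's Vault token needs to manage itself and its leases.
boundary_policy() {
cat <<'EOF'
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/renew-self"  { capabilities = ["update"] }
path "auth/token/revoke-self" { capabilities = ["update"] }
path "sys/leases/renew"       { capabilities = ["update"] }
path "sys/leases/revoke"      { capabilities = ["update"] }
path "sys/capabilities-self"  { capabilities = ["update"] }
EOF
}

# Read access to exactly one dynamic role, nothing else under database/.
db_policy() {
  printf 'path "database/creds/%s" { capabilities = ["read"] }\n' "${1:-lab-readonly}"
}

# Runs in a subshell so "set -eu" does not leak into the caller.
configure() (
  set -eu
  role="lab-readonly"
  boundary_policy | vault policy write boundary-controller -
  db_policy "$role" | vault policy write lab-database -
  vault secrets enable database
  vault write database/config/lab-postgres \
    plugin_name=postgresql-database-plugin allowed_roles="$role" \
    connection_url="postgresql://{{username}}:{{password}}@${PG_HOST_PORT}/postgres?sslmode=disable" \
    username="$PG_ADMIN_USER" password="$PG_ADMIN_PASS"
  vault write "database/roles/$role" db_name=lab-postgres default_ttl=5m max_ttl=30m \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
  # Boundary expects an orphan, periodic, renewable token scoped to the two policies.
  token=$(vault token create -no-default-policy=true -policy=boundary-controller \
    -policy=lab-database -orphan=true -period=20m -renewable=true -field=token)
  store_id=$(boundary credential-stores create vault -scope-id "$BOUNDARY_PROJECT_ID" \
    -vault-address "$VAULT_ADDR" -vault-token "$token" -format json | jq -r '.item.id')
  lib_id=$(boundary credential-libraries create vault -credential-store-id "$store_id" \
    -vault-path "database/creds/$role" -name "lab readonly" -format json | jq -r '.item.id')
  boundary targets add-credential-sources -id "$BOUNDARY_TARGET_ID" \
    -brokered-credential-source "$lib_id"
)

if [ "${1:-}" = "apply" ]; then configure; fi
```

The short `default_ttl` means each brokered session gets a database account that Vault revokes on its own, so nothing long-lived ends up on the client.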