diff --git a/bin/setup-vault b/bin/setup-vault
new file mode 100755
index 0000000..55c9a87
--- /dev/null
+++ b/bin/setup-vault
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -eux -o pipefail
+export VAULT_ADDR=http://127.0.0.1:8200
+export VAULT_TOKEN=secret
+
+while ! vault status; do
+ sleep 1
+done
+
+mkdir -p tmp
+
+# capabilities of our vault agent
+cat > tmp/policy-file.hcl < tmp/roleID
+echo -n $(vault write -force -format json auth/approle/role/role1/secret-id | jq -r .data.secret_id) > tmp/secretID
diff --git a/epoll.go b/epoll.go
index ebadc5e..fa1a60e 100644
--- a/epoll.go
+++ b/epoll.go
@@ -1,6 +1,7 @@
 package main
 import (
+ "errors"
 "log"
 "syscall"
 )
@@ -34,7 +35,7 @@ func (s *server) handleEpoll() {
 ready := events[:n]
 for _, event := range ready {
 if event.Events&(syscall.EPOLLHUP|syscall.EPOLLERR) != 0 {
- if err := s.epollDelete(int(event.Fd)); err != nil {
+ if err := s.epollDelete(int(event.Fd)); err != nil && !errors.Is(err, syscall.ENOENT) {
 log.Printf("failed to remove socket from epoll: %s", err)
 }
 s.connectionClosed <- int(event.Fd)
diff --git a/watcher.go b/watcher.go
index 35248b9..57c47db 100644
--- a/watcher.go
+++ b/watcher.go
@@ -130,7 +130,7 @@ func (s *server) watch(inotifyFd int) {
 } else {
 log.Printf("Failed to send secret: %v", err)
 }
- if err := s.epollDelete(conn.fd); err != nil {
+ if err := s.epollDelete(conn.fd); err != nil && !errors.Is(err, syscall.ENOENT) {
 log.Printf("failed to remove socket from epoll: %s", err)
 }
 if err := syscall.Shutdown(conn.fd, syscall.SHUT_RDWR); err != nil {
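Review bot: `set -eux` leaves xtrace on for the whole of bin/setup-vault, so the final `echo -n $(vault write … | jq -r .data.secret_id) > tmp/secretID` prints the expanded secret ID to stderr, where it lands in any CI or terminal log, and the file itself is created under the default umask. The same line also hides failures: the exit status of a command substitution used as an argument to `echo` is discarded, so a failed `vault write` still produces a `tmp/secretID` and the script exits 0. Even if this only ever targets a dev-mode Vault (the fixed `VAULT_TOKEN=secret` on 127.0.0.1 suggests so), I would drop `-x` or put `set +x` before the credential writes, add `umask 077` before `mkdir -p tmp`, and write the file straight from the pipeline so `pipefail` applies: `vault write -force -format json auth/approle/role/role1/secret-id | jq -j .data.secret_id > tmp/secretID`. The heredoc body and the role-ID command are missing from the page as extracted, so this covers only the visible lines.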
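Review bot: Filtering out ENOENT in handleEpoll (and in the identical check in watcher.go's watch) silences the symptom of two paths removing the same descriptor, and nothing in the new code records why that is safe. ENOENT from the delete means the fd was already deregistered; if the other path has also closed it, the number can be handed to a new connection, and the `s.connectionClosed <- int(event.Fd)` send here or the `syscall.Shutdown(conn.fd, syscall.SHUT_RDWR)` in watch would then act on a different client's socket. That is inferred, since epollDelete and the close path are outside the diff. I would state the invariant in a comment such as `// ENOENT: fd already removed by the other path; safe because the fd is closed only in <owner>` and move the filter into epollDelete so the two call sites cannot drift apart. `errors.Is` matches only if epollDelete returns the errno bare or wrapped with `%w`, which is not visible here either; both function bodies extend beyond their hunks.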