author | Charles Strahan <charles@cstrahan.com> | 2017-07-11 15:02:29 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-07-11 15:02:29 -0400 |
commit | c79e0b2ba03250aa2dd3977db40a4dcbf3493cbe (patch) | |
tree | a95d1718e756e40c73464466e88aca0f64b2975e /nixos/modules | |
parent | 451b23beb2db4e0a3c39469537dea4c481984585 (diff) | |
parent | 334e85e75abdfd87dd948ac226ed6c00d1143023 (diff) | |
Merge pull request #26907 from volth/vault
vault: 0.6.5 -> 0.7.3 with service
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/misc/ids.nix | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/security/vault.nix | 143 |
3 files changed, 146 insertions, 0 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 5ac5764cd7cb..84d89510679c 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -139,6 +139,7 @@
 btsync = 113;
 minecraft = 114;
 #monetdb = 115; # unused (not packaged), removed 2016-09-19
+ vault = 115;
 rippled = 116;
 murmur = 117;
 foundationdb = 118;
@@ -415,6 +416,7 @@
 btsync = 113;
 #minecraft = 114; # unused
 #monetdb = 115; # unused (not packaged), removed 2016-09-19
+ vault = 115;
 #ripped = 116; # unused
 #murmur = 117; # unused
 foundationdb = 118;
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 3aeb1225ae5a..1f2fbb7d85c9 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -558,6 +558,7 @@
 ./services/security/tor.nix
 ./services/security/torify.nix
 ./services/security/torsocks.nix
+ ./services/security/vault.nix
 ./services/system/cgmanager.nix
 ./services/system/cloud-init.nix
 ./services/system/dbus.nix
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
new file mode 100644
index 000000000000..146afec344ab
--- /dev/null
+++ b/nixos/modules/services/security/vault.nix
@@ -0,0 +1,143 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.vault;
+
+ configFile = pkgs.writeText "vault.hcl" ''
+ listener "tcp" {
+ address = "${cfg.address}"
+ ${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
+ tls_disable = "true"
+ '' else ''
+ tls_cert_file = "${cfg.tlsCertFile}"
+ tls_key_file = "${cfg.tlsKeyFile}"
+ ''}
+ ${cfg.listenerExtraConfig}
+ }
+ storage "${cfg.storageBackend}" {
+ ${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}
+ ${optionalString (cfg.storageConfig != null) cfg.storageConfig}
+ }
+ ${optionalString (cfg.telemetryConfig != "") ''
+ telemetry {
+ ${cfg.telemetryConfig}
+ }
+ ''}
+ '';
+in
+{
+ options = {
+
+ services.vault = {
+
+ enable = mkEnableOption "Vault daemon";
+
+ address = mkOption {
+ type = types.str;
+ default = "127.0.0.1:8200";
+ description = "The name of the ip interface to listen to";
+ };
+
+ tlsCertFile = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "/path/to/your/cert.pem";
+ description = "TLS certificate file. TLS will be disabled unless this option is set";
+ };
+
+ tlsKeyFile = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "/path/to/your/key.pem";
+ description = "TLS private key file. TLS will be disabled unless this option is set";
+ };
+
+ listenerExtraConfig = mkOption {
+ type = types.lines;
+ default = ''
+ tls_min_version = "tls12"
+ '';
+ description = "extra configuration";
+ };
+
+ storageBackend = mkOption {
+ type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ];
+ default = "inmem";
+ description = "The name of the type of storage backend";
+ };
+
+ storagePath = mkOption {
+ type = types.nullOr types.path;
+ default = if cfg.storageBackend == "file" then "/var/lib/vault" else null;
+ description = "Data directory for file backend";
+ };
+
+ storageConfig = mkOption {
+ type = types.nullOr types.lines;
+ default = null;
+ description = "Storage configuration";
+ };
+
+ telemetryConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Telemetry configuration";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ { assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null);
+ message = ''The "inmem" storage expects no services.vault.storagePath nor services.vault.storageConfig'';
+ }
+ { assertion = (cfg.storageBackend == "file" -> (cfg.storagePath != null && cfg.storageConfig == null)) && (cfg.storagePath != null -> cfg.storageBackend == "file");
+ message = ''You must set services.vault.storagePath only when using the "file" backend'';
+ }
+ ];
+
+ users.extraUsers.vault = {
+ name = "vault";
+ group = "vault";
+ uid = config.ids.uids.vault;
+ description = "Vault daemon user";
+ };
+ users.extraGroups.vault.gid = config.ids.gids.vault;
+
+ systemd.services.vault = {
+ description = "Vault server daemon";
+
+ wantedBy = ["multi-user.target"];
+ after = [ "network.target" ]
+ ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";
+
+ restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
+
+ preStart = optionalString (cfg.storagePath != null) ''
+ install -d -m0700 -o vault -g vault "${cfg.storagePath}"
+ '';
+
+ serviceConfig = {
+ User = "vault";
+ Group = "vault";
+ PermissionsStartOnly = true;
+ ExecStart = "${pkgs.vault}/bin/vault server -config ${configFile}";
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectSystem = "full";
+ ProtectHome = "read-only";
+ AmbientCapabilities = "cap_ipc_lock";
+ NoNewPrivileges = true;
+ KillSignal = "SIGINT";
+ TimeoutStopSec = "30s";
+ Restart = "on-failure";
+ StartLimitInterval = "60s";
+ StartLimitBurst = 3;
+ };
+
+ unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;
+ };
+ };
+
+}
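Review bot: Whatever is placed in `storageConfig` or `listenerExtraConfig` is interpolated into `configFile`, which is built with `pkgs.writeText` and therefore lands in the world-readable Nix store; for the consul, s3, mysql and similar backends in the `storageBackend` enum that means any token or password set there is readable by every local user. The option descriptions should state this, e.g. `description = "Storage configuration. This is written to the world-readable Nix store, so it must not contain credentials."`, and a follow-up could add an option for an additional config path outside the store, since `vault server` accepts `-config` more than once. Separately, the listener block emits `tls_disable = "true"` whenever either `tlsCertFile` or `tlsKeyFile` is null, so setting only one of them silently produces a plaintext listener; an assertion `{ assertion = (cfg.tlsCertFile == null) == (cfg.tlsKeyFile == null); message = "services.vault.tlsCertFile and services.vault.tlsKeyFile must be set together"; }` next to the existing storage assertions would catch that at evaluation time. The same plaintext default applies unchanged when `address` is moved off the loopback default, which is worth a sentence in the `address` description.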