authorVolth <volth@webmaster.ms>2017-06-27 19:32:11 +0000
committerVolth <volth@webmaster.ms>2017-06-27 20:22:53 +0000
commitd016ef1f5be81bfcb58ad745e2127d8ec9d52cc3 (patch)
treeb71d1ebfc5cba74dfbec8045e79c614fa7af4d88 /nixos
parent4c428b4a6f8793e62889819e7e9877e6cbca6210 (diff)
create directory only for "file" storage
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/security/vault.nix23
1 files changed, 17 insertions, 6 deletions
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index dc06f89cce8c..2f4935ee1a32 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -57,7 +57,7 @@ in
       };
 
       storageBackend = mkOption {
-        type = types.enum ["inmem" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"];
+        type = types.enum ["inmem" "inmem_transactional" "inmem_ha" "inmem_transactional_ha" "file_transactional" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"];
         default = "inmem";
         description = "The name of the type of storage backend";
       };
@@ -65,7 +65,10 @@ in
       storageConfig = mkOption {
         type = types.lines;
         description = "Storage configuration";
-        default = "";
+        default = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then ''
+                    path = "/var/lib/vault"
+                  '' else ''
+                  '';
       };
 
       telemetryConfig = mkOption {
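Review bot: The `description = "Storage configuration";` line should now say that for the `file` and `file_transactional` backends a `path = "..."` entry is mandatory, since the new default only supplies one for those two backends and the service definition parses it to decide which directory to create (an operator who overrides `storageConfig` without a `path` line gets an evaluation failure rather than a hint). A wording such as "Storage configuration. For the file and file_transactional backends a line of the form path = \"...\" is required; that directory is created before the service starts." covers it. As a point of style, the `else ''` / `'';` branch on the last two added lines evaluates to the empty string and could simply be `else "";`, which also matches the previous `default = "";`.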
@@ -92,10 +95,18 @@ in
       wantedBy = ["multi-user.target"];
       after = [ "network.target" ];
 
-      preStart = ''
-        mkdir -m 0755 -p /var/lib/vault
-        chown -R vault:vault /var/lib/vault
-
+      preStart =
+        optionalString (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional")
+          (let
+            matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);
+            path = if matched == null then
+                     throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''
+                   else
+                     head matched;
+          in ''
+            [ -d "${path}"] || install -d -m0700 -o vault -g vault "${path}"
+          '') +
+      ''
         # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client
         if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then
           mkdir -p $(dirname ${cfg.tlsCertFile}) || true
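Review bot: The guard `[ -d "${path}"] || install -d -m0700 -o vault -g vault "${path}"` is malformed: the closing `]` is glued to the quoted path, so `[` fails with "missing `]'" and the `||` branch runs on every start instead of only when the directory is absent; it should read `[ -d "${path}" ] || install -d -m0700 -o vault -g vault "${path}"`. The unit still comes up as written, because `install -d` succeeds on an existing directory, but it silently re-applies `0700` and `vault:vault` on each start rather than only at creation, which is not what the guard expresses. The `builtins.match` pattern is greedy, so with several `path = "..."` lines in `storageConfig` the last one is used; a comment such as `# the last path = "..." line in storageConfig wins` above the `matched` binding would make that visible, and it would be worth confirming that `.*` in this regex also spans the newline that `types.lines` appends, since the default value depends on it. The preStart string continues past the end of the hunk.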