author | Volth <volth@webmaster.ms> | 2017-06-27 19:32:11 +0000 |
---|---|---|
committer | Volth <volth@webmaster.ms> | 2017-06-27 20:22:53 +0000 |
commit | d016ef1f5be81bfcb58ad745e2127d8ec9d52cc3 (patch) | |
tree | b71d1ebfc5cba74dfbec8045e79c614fa7af4d88 /nixos | |
parent | 4c428b4a6f8793e62889819e7e9877e6cbca6210 (diff) | |
create directory only for "file" storage
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/security/vault.nix | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index dc06f89cce8c..2f4935ee1a32 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -57,7 +57,7 @@ in
 };
 storageBackend = mkOption {
- type = types.enum ["inmem" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"];
+ type = types.enum ["inmem" "inmem_transactional" "inmem_ha" "inmem_transactional_ha" "file_transactional" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"];
 default = "inmem";
 description = "The name of the type of storage backend";
 };
@@ -65,7 +65,10 @@ in
 storageConfig = mkOption {
 type = types.lines;
 description = "Storage configuration";
- default = "";
+ default = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then ''
+ path = "/var/lib/vault"
+ '' else ''
+ '';
 };
 telemetryConfig = mkOption {
@@ -92,10 +95,18 @@ in
 wantedBy = ["multi-user.target"];
 after = [ "network.target" ];
- preStart = ''
- mkdir -m 0755 -p /var/lib/vault
- chown -R vault:vault /var/lib/vault
-
+ preStart =
+ optionalString (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional")
+ (let
+ matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);
+ path = if matched == null then
+ throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''
+ else
+ head matched;
+ in ''
+ [ -d "${path}"] || install -d -m0700 -o vault -g vault "${path}"
+ '')
+ ''
 # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client
 if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then
 mkdir -p $(dirname ${cfg.tlsCertFile}) || true |
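Review bot: The directory guard in the new preStart of the third hunk, `[ -d "${path}"] || install ...`, is missing the space before `]`, so `[` receives `/var/lib/vault]` as its final argument, reports a missing `]` and exits non-zero, and the `install` runs on every service start regardless of whether the directory exists; it should read `[ -d "${path}" ] || install -d -m0700 -o vault -g vault "${path}"`. The `builtins.match` lookup on the `matched` line is also only as strict as its regex: it accepts the first double-quoted `path = "..."` anywhere in `storageConfig`, and since the option is `types.lines`, whether `.*` spans a multi-line value depends on the regex engine, so a valid hand-written config with `path` on a later line may hit the `throw`. A comment on that line such as `# storageConfig must contain a double-quoted path = "..." entry; the data directory is created from it` would make the contract visible to users. The enclosing `systemd.services.vault` attribute set starts and ends outside the hunk.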