diff options
-rw-r--r-- | nixos/modules/misc/ids.nix | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/security/vault.nix | 143 | ||||
-rw-r--r-- | pkgs/tools/security/vault/default.nix | 32 |
4 files changed, 166 insertions, 12 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 5ac5764cd7cb..84d89510679c 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -139,6 +139,7 @@ btsync = 113; minecraft = 114; #monetdb = 115; # unused (not packaged), removed 2016-09-19 + vault = 115; rippled = 116; murmur = 117; foundationdb = 118; @@ -415,6 +416,7 @@ btsync = 113; #minecraft = 114; # unused #monetdb = 115; # unused (not packaged), removed 2016-09-19 + vault = 115; #ripped = 116; # unused #murmur = 117; # unused foundationdb = 118; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 3aeb1225ae5a..1f2fbb7d85c9 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -558,6 +558,7 @@ ./services/security/tor.nix ./services/security/torify.nix ./services/security/torsocks.nix + ./services/security/vault.nix ./services/system/cgmanager.nix ./services/system/cloud-init.nix ./services/system/dbus.nix diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix new file mode 100644 index 000000000000..146afec344ab --- /dev/null +++ b/nixos/modules/services/security/vault.nix @@ -0,0 +1,143 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.vault; + + configFile = pkgs.writeText "vault.hcl" '' + listener "tcp" { + address = "${cfg.address}" + ${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then '' + tls_disable = "true" + '' else '' + tls_cert_file = "${cfg.tlsCertFile}" + tls_key_file = "${cfg.tlsKeyFile}" + ''} + ${cfg.listenerExtraConfig} + } + storage "${cfg.storageBackend}" { + ${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''} + ${optionalString (cfg.storageConfig != null) cfg.storageConfig} + } + ${optionalString (cfg.telemetryConfig != "") '' + telemetry { + ${cfg.telemetryConfig} + } + ''} + ''; +in +{ + options = { + + services.vault = { + + enable = mkEnableOption "Vault daemon"; + + address = mkOption { + type = types.str; + default = "127.0.0.1:8200"; + description = "The name of the ip interface to listen to"; + }; + + tlsCertFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/path/to/your/cert.pem"; + description = "TLS certificate file. TLS will be disabled unless this option is set"; + }; + + tlsKeyFile = mkOption { + type = types.nullOr types.str; + default = null; + example = "/path/to/your/key.pem"; + description = "TLS private key file. TLS will be disabled unless this option is set"; + }; + + listenerExtraConfig = mkOption { + type = types.lines; + default = '' + tls_min_version = "tls12" + ''; + description = "extra configuration"; + }; + + storageBackend = mkOption { + type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ]; + default = "inmem"; + description = "The name of the type of storage backend"; + }; + + storagePath = mkOption { + type = types.nullOr types.path; + default = if cfg.storageBackend == "file" then "/var/lib/vault" else null; + description = "Data directory for file backend"; + }; + + storageConfig = mkOption { + type = types.nullOr types.lines; + default = null; + description = "Storage configuration"; + }; + + telemetryConfig = mkOption { + type = types.lines; + default = ""; + description = "Telemetry configuration"; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null); + message = ''The "inmem" storage expects no services.vault.storagePath nor services.vault.storageConfig''; + } + { assertion = (cfg.storageBackend == "file" -> (cfg.storagePath != null && cfg.storageConfig == null)) && (cfg.storagePath != null -> cfg.storageBackend == "file"); + message = ''You must set services.vault.storagePath only when using the "file" backend''; + } + ]; + + users.extraUsers.vault = { + name = "vault"; + group = "vault"; + uid = config.ids.uids.vault; + description = "Vault daemon user"; + }; + users.extraGroups.vault.gid = config.ids.gids.vault; + + systemd.services.vault = { + description = "Vault server daemon"; + + wantedBy = ["multi-user.target"]; + after = [ "network.target" ] + ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service"; + + restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients. + + preStart = optionalString (cfg.storagePath != null) '' + install -d -m0700 -o vault -g vault "${cfg.storagePath}" + ''; + + serviceConfig = { + User = "vault"; + Group = "vault"; + PermissionsStartOnly = true; + ExecStart = "${pkgs.vault}/bin/vault server -config ${configFile}"; + PrivateDevices = true; + PrivateTmp = true; + ProtectSystem = "full"; + ProtectHome = "read-only"; + AmbientCapabilities = "cap_ipc_lock"; + NoNewPrivileges = true; + KillSignal = "SIGINT"; + TimeoutStopSec = "30s"; + Restart = "on-failure"; + StartLimitInterval = "60s"; + StartLimitBurst = 3; + }; + + unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath; + }; + }; + +} diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 0344fc0a74ee..9de6216ea594 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, buildGoPackage, fetchFromGitHub }: +{ stdenv, fetchFromGitHub, go, gox, removeReferencesTo }: let vaultBashCompletions = fetchFromGitHub { @@ -7,27 +7,35 @@ let rev = "e2f59b64be1fa5430fa05c91b6274284de4ea77c"; sha256 = "10m75rp3hy71wlmnd88grmpjhqy0pwb9m8wm19l0f463xla54frd"; }; -in buildGoPackage rec { +in stdenv.mkDerivation rec { name = "vault-${version}"; - version = "0.6.5"; - - goPackagePath = "github.com/hashicorp/vault"; + version = "0.7.3"; src = fetchFromGitHub { owner = "hashicorp"; repo = "vault"; rev = "v${version}"; - sha256 = "0ci46zn9d9h26flgjf4inmvk4mb1hlixvx5g7vg02raw0cqvknnb"; + sha256 = "15wj1pfgzwzjfrqy7b5bx4y9f0hbpqlfif58l5xamwm88229qk4m"; }; - buildFlagsArray = '' - -ldflags= - -X github.com/hashicorp/vault/version.GitCommit=${version} + nativeBuildInputs = [ go gox removeReferencesTo ]; + + buildPhase = '' + substituteInPlace scripts/build.sh --replace 'git rev-parse HEAD' 'echo ${src.rev}' + + mkdir -p src/github.com/hashicorp + ln -s $(pwd) src/github.com/hashicorp/vault + + GOPATH=$(pwd) make ''; - postInstall = '' - mkdir -p $bin/share/bash-completion/completions/ - cp ${vaultBashCompletions}/vault-bash-completion.sh $bin/share/bash-completion/completions/vault + installPhase = '' + mkdir -p $out/bin $out/share/bash-completion/completions + + cp pkg/*/* $out/bin/ + find $out/bin -type f -exec remove-references-to -t ${go} '{}' + + + cp ${vaultBashCompletions}/vault-bash-completion.sh $out/share/bash-completion/completions/vault ''; meta = with stdenv.lib; { |