From 442f76d72a422aa44a3ff744d8d6c1d61f500354 Mon Sep 17 00:00:00 2001 From: Katyucha Date: Wed, 7 Jun 2017 22:31:40 +0200 Subject: Vault: 0.6.5 -> 0.7.2 with services --- pkgs/tools/security/vault/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'pkgs/tools') diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 0344fc0a74ee..6e8128ec00f2 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -9,7 +9,7 @@ let }; in buildGoPackage rec { name = "vault-${version}"; - version = "0.6.5"; + version = "0.7.2"; goPackagePath = "github.com/hashicorp/vault"; @@ -17,7 +17,7 @@ in buildGoPackage rec { owner = "hashicorp"; repo = "vault"; rev = "v${version}"; - sha256 = "0ci46zn9d9h26flgjf4inmvk4mb1hlixvx5g7vg02raw0cqvknnb"; + sha256 = "1kclpyb9a9y5zjvrlbxnkac4fl3lwqsr98v4yydf9ihl5v7wy4f5"; }; buildFlagsArray = '' -- cgit 1.4.1 From 4c428b4a6f8793e62889819e7e9877e6cbca6210 Mon Sep 17 00:00:00 2001 From: Volth Date: Tue, 27 Jun 2017 14:54:25 +0000 Subject: vault: run as an unpivileged user --- nixos/modules/misc/ids.nix | 2 + nixos/modules/services/security/vault.nix | 269 +++++++++++------------------- pkgs/tools/security/vault/default.nix | 4 +- 3 files changed, 101 insertions(+), 174 deletions(-) (limited to 'pkgs/tools') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 22059bb7fbbb..4c4e7cfe0d1d 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -139,6 +139,7 @@ btsync = 113; minecraft = 114; #monetdb = 115; # unused (not packaged), removed 2016-09-19 + vault = 115; rippled = 116; murmur = 117; foundationdb = 118; @@ -415,6 +416,7 @@ btsync = 113; #minecraft = 114; # unused #monetdb = 115; # unused (not packaged), removed 2016-09-19 + vault = 115; #ripped = 116; # unused #murmur = 117; # unused foundationdb = 118; 
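Review bot: In both ids.nix hunks the new `vault = 115;` sits directly under the retained `#monetdb = 115; # unused (not packaged), removed 2016-09-19` line, so each table now shows two owners for id 115 and the stale comment still reads as if the slot were free. Drop the monetdb line in both the uid and gid tables, or fold it into the new entry as `vault = 115; # reused: monetdb removed 2016-09-19`, so the next person allocating an id sees a single source of truth.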
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index eae3a8ca6188..dc06f89cce8c 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -1,207 +1,132 @@ -{ config, lib, pkgs, utils, ... }: +{ config, lib, pkgs, ... }: with lib; let - - inherit (pkgs) vault; - cfg = config.services.vault; - + configFile = pkgs.writeText "vault.hcl" '' listener "tcp" { - address = "${cfg.listener.address}" - - ${optionalString (cfg.listener.cluster_address != null)'' - cluster_address = "${cfg.listener.cluster_address}" - ''} - - ${optionalString (cfg.listener.tls_cert_file != null)'' - tls_cert_file = "${cfg.listener.tls_cert_file}" - ''} - - ${optionalString (cfg.listener.tls_key_file != null)'' - tls_key_file = "${cfg.listener.tls_key_file}" - ''} - - ${if cfg.listener.tls_disable then "tls_disable = \"1\"" else "" } - - tls_min_version = "${cfg.listener.tls_min_version}" - - ${optionalString (cfg.listener.tls_cipher_suites != null)'' - tls_cipher_suites = \"${cfg.listener.tls_cipher_suites}\" - ''} - - tls_prefer_server_cipher_suites = "${boolToString cfg.listener.tls_prefer_server_cipher_suites}" - - tls_require_and_verify_client_cert = "${boolToString cfg.listener.tls_require_and_verify_client_cert}" - + address = "${cfg.address}" + tls_cert_file = "${cfg.tlsCertFile}" + tls_key_file = "${cfg.tlsKeyFile}" + ${cfg.listenerExtraConfig} } - - storage "${cfg.storage.backend}" { - ${cfg.storage.extraConfig} + storage "${cfg.storageBackend}" { + ${cfg.storageConfig} } - - ${if cfg.telemetry.extraConfig != "" then " - telemetry { - ${if cfg.telemetry.disable_hostname then "disable_hostname = \"true\"" else ""} - ${cfg.telemetry.extraConfig} - }" else ""} - + ${optionalString (cfg.telemetryConfig != "") '' + telemetry { + ${cfg.telemetryConfig} + } + ''} ''; - in { options = { services.vault = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enables the vault daemon. - ''; - }; - - listener = { - - address = mkOption { - type = types.str; - default = "127.0.0.1:8200"; - description = '' - The name of the ip interface to listen to. 
- ''; - }; - - cluster_address = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The name of the address to bind to for cluster server-to-server requests. - ''; - }; - - tls_cert_file = mkOption { - type = types.str; - default = ""; - description = '' - The name of the crt file for the ssl certificate. - ''; - }; - - tls_key_file = mkOption { - type = types.str; - default = ""; - description = '' - The name of the key file for the ssl certificate. - ''; - }; - - tls_disable = mkOption { - type = types.bool; - default = false; - description = '' - Specifies if TLS will be disabled. Vault assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication. - ''; - }; - - tls_min_version = mkOption { - type = types.enum [ "tls10" "tls11" "tls12" ]; - default = "tls12"; - description = '' - The minimum supported version of TLS. Accepted values are "tls10", "tls11" or "tls12". - ''; - }; - - tls_cipher_suites = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The list of supported ciphersuites as a comma-separated-list. - ''; - }; - - tls_prefer_server_cipher_suites = mkOption { - type = types.bool; - default = false; - description = '' - Specifies to prefer the server's ciphersuite over the client ciphersuites. - ''; - }; - - tls_require_and_verify_client_cert = mkOption { - type = types.bool; - default = false; - description = '' - Turns on client authentication for this listener. - ''; - }; + enable = mkEnableOption "Vault daemon"; + address = mkOption { + type = types.str; + default = "127.0.0.1:8200"; + description = "The name of the ip interface to listen to"; }; - storage = { - - backend = mkOption { - type = types.str; - default = "inMemory"; - description = '' - The name of the type of storage backend. 
- ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Configuration for storage - ''; - }; - + tlsCertFile = mkOption { + type = types.str; + default = "/etc/vault/cert.pem"; + example = "/path/to/your/cert.pem"; + description = "TLS certificate file. A self-signed certificate will be generated if file not exists"; }; + tlsKeyFile = mkOption { + type = types.str; + default = "/etc/vault/key.pem"; + example = "/path/to/your/key.pem"; + description = "TLS private key file. A self-signed certificate will be generated if file not exists"; + }; - telemetry = { - - disable_hostname = mkOption { - type = types.bool; - default = false; - description = '' - Specifies if gauge values should be prefixed with the local hostname. - ''; - }; + listenerExtraConfig = mkOption { + type = types.lines; + default = '' + tls_min_version = "tls12" + ''; + description = "extra configuration"; + }; - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - configuration for telemetry - ''; - }; + storageBackend = mkOption { + type = types.enum ["inmem" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"]; + default = "inmem"; + description = "The name of the type of storage backend"; + }; + storageConfig = mkOption { + type = types.lines; + description = "Storage configuration"; + default = ""; }; + telemetryConfig = mkOption { + type = types.lines; + default = ""; + description = "Telemetry configuration"; + }; }; - }; config = mkIf cfg.enable { - systemd.services.vault = - { description = "Vault server daemon"; - - wantedBy = ["multi-user.target"]; + users.extraUsers.vault = { + name = "vault"; + group = "vault"; + uid = config.ids.uids.vault; + description = "Vault daemon user"; + }; + users.extraGroups.vault.gid = config.ids.gids.vault; - preStart = - '' - mkdir -m 0755 -p /var/lib/vault - ''; + systemd.services.vault = { + description = "Vault server daemon"; - 
serviceConfig = - { ExecStart = - "${pkgs.vault}/bin/vault server -config ${configFile}"; - KillMode = "process"; - }; - }; + wantedBy = ["multi-user.target"]; + after = [ "network.target" ]; + + preStart = '' + mkdir -m 0755 -p /var/lib/vault + chown -R vault:vault /var/lib/vault + + # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client + if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then + mkdir -p $(dirname ${cfg.tlsCertFile}) || true + mkdir -p $(dirname ${cfg.tlsKeyFile }) || true + ${pkgs.openssl.bin}/bin/openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 99999 \ + -subj /C=US/ST=NY/L=NYC/O=vault/CN=${cfg.address} \ + -keyout ${cfg.tlsKeyFile} -out ${cfg.tlsCertFile} + + chown root:vault ${cfg.tlsKeyFile} ${cfg.tlsCertFile} + chmod 440 ${cfg.tlsKeyFile} ${cfg.tlsCertFile} + fi + ''; + + serviceConfig = { + User = "vault"; + Group = "vault"; + PermissionsStartOnly = true; + ExecStart = "${pkgs.vault}/bin/vault server -config ${configFile}"; + PrivateDevices = true; + PrivateTmp = true; + ProtectSystem = "full"; + ProtectHome = "read-only"; + AmbientCapabilities = "cap_ipc_lock"; + NoNewPrivileges = true; + KillSignal = "SIGINT"; + TimeoutStopSec = "30s"; + Restart = "on-failure"; + StartLimitInterval = "60s"; + StartLimitBurst = 3; + }; + }; }; } diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 6e8128ec00f2..2c8f24cf8bda 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -9,7 +9,7 @@ let }; in buildGoPackage rec { name = "vault-${version}"; - version = "0.7.2"; + version = "0.7.3"; goPackagePath = "github.com/hashicorp/vault"; 
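Review bot: The certificate generator in `preStart` writes to the option defaults `/etc/vault/cert.pem` and `/etc/vault/key.pem`, but the same unit sets `ProtectSystem = "full"`, which as far as I recall makes /etc read-only for every Exec* step including ExecStartPre, so a first start with the defaults would presumably fail on the `mkdir -p`/openssl `-out` step with a read-only filesystem error; either generate into /var/lib/vault (already created and chowned here) or add `ReadWritePaths` for the certificate directory, and please confirm against the systemd version in use. The generated certificate also carries `CN=${cfg.address}`, i.e. a host:port string such as `127.0.0.1:8200` that no client can verify, and the shell comment tells operators to set `VAULT_SKIP_VERIFY=1`; the `tlsCertFile`/`tlsKeyFile` descriptions should state that the self-signed certificate is only a bootstrapping aid and that a real certificate is expected for anything beyond local testing. Separately, `storageConfig` is interpolated into `pkgs.writeText "vault.hcl"`, which lands in the world-readable Nix store, so its description should say that backend credentials (consul tokens, database passwords, cloud keys) must not be placed in it. Finally, the `${cfg.tlsCertFile}` and `${cfg.tlsKeyFile}` interpolations in the `[ ! -s … ]` test and the openssl arguments are unquoted; write them as `"${cfg.tlsCertFile}"` and `"${cfg.tlsKeyFile}"` so a path with whitespace cannot split the command.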
@@ -17,7 +17,7 @@ in buildGoPackage rec { owner = "hashicorp"; repo = "vault"; rev = "v${version}"; - sha256 = "1kclpyb9a9y5zjvrlbxnkac4fl3lwqsr98v4yydf9ihl5v7wy4f5"; + sha256 = "15wj1pfgzwzjfrqy7b5bx4y9f0hbpqlfif58l5xamwm88229qk4m"; }; buildFlagsArray = '' -- cgit 1.4.1 From 519f17035fed92f2cf4b8e40544e4d2ec9424fea Mon Sep 17 00:00:00 2001 From: Volth Date: Wed, 28 Jun 2017 01:15:20 +0000 Subject: vault: add unitConfig.RequiresMountsFor to systemd config --- nixos/modules/services/security/vault.nix | 30 +++++++++++++++++------------- pkgs/tools/security/vault/default.nix | 2 +- 2 files changed, 18 insertions(+), 14 deletions(-) (limited to 'pkgs/tools') diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index 1d93ff210070..5a1952719945 100644 --- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix @@ -79,7 +79,18 @@ in }; }; - config = mkIf cfg.enable { + config = let + localDir = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then + let + matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig); + in + if matched == null then + throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`'' + else + head matched + else + null; + in mkIf cfg.enable { users.extraUsers.vault = { name = "vault"; 
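Review bot: `localDir` is recovered by running `builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*''` over the free-form `storageConfig` text, which relies on the regex's `.` spanning newlines and on the user writing a double-quoted `path = "…"` on one line; a commented-out `path` line or a single-quoted value is silently picked up or missed, and the `throw` only fires when nothing matches at all. A dedicated `storagePath` option, used both in the generated HCL and for `localDir`, would remove the parsing entirely; if the regex stays, a comment above it such as `# extract the file backend's path from storageConfig; must be double-quoted and on one line` documents the contract. The `config = let … in mkIf cfg.enable { … }` block this introduces continues past the end of the hunk.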
@@ -96,18 +107,9 @@ in after = [ "network.target" ] ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service"; - preStart = - optionalString (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") - (let - matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig); - path = if matched == null then - throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`'' - else - head matched; - in '' - [ -d "${path}"] || install -d -m0700 -o vault -g vault "${path}" - '') + - '' + preStart = optionalString (localDir != null) '' + install -d -m0700 -o vault -g vault "${localDir}" + '' + '' # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then mkdir -p $(dirname ${cfg.tlsCertFile}) || true @@ -138,6 +140,8 @@ in StartLimitInterval = "60s"; StartLimitBurst = 3; }; + + unitConfig.RequiresMountsFor = optional (localDir != null) localDir; }; }; diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 2c8f24cf8bda..29fba2802802 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, buildGoPackage, fetchFromGitHub }: +{ stdenv, buildGoPackage, fetchFromGitHub }: let vaultBashCompletions = fetchFromGitHub { -- cgit 1.4.1 From ca16df17bd72fe8516a4a2dc6a18d3e9f86f89b0 Mon Sep 17 00:00:00 2001 From: Volth Date: Thu, 29 Jun 2017 02:02:13 +0000 Subject: vault: build as Makefile project, not as Go package --- pkgs/tools/security/vault/default.nix | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) (limited to 'pkgs/tools') diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 29fba2802802..a04375883091 100644 --- a/pkgs/tools/security/vault/default.nix 
+++ b/pkgs/tools/security/vault/default.nix @@ -1,4 +1,4 @@ -{ stdenv, buildGoPackage, fetchFromGitHub }: +{ stdenv, fetchFromGitHub, go, gox }: let vaultBashCompletions = fetchFromGitHub { @@ -7,12 +7,10 @@ let rev = "e2f59b64be1fa5430fa05c91b6274284de4ea77c"; sha256 = "10m75rp3hy71wlmnd88grmpjhqy0pwb9m8wm19l0f463xla54frd"; }; -in buildGoPackage rec { +in stdenv.mkDerivation rec { name = "vault-${version}"; version = "0.7.3"; - goPackagePath = "github.com/hashicorp/vault"; - src = fetchFromGitHub { owner = "hashicorp"; repo = "vault"; @@ -20,14 +18,21 @@ in buildGoPackage rec { sha256 = "15wj1pfgzwzjfrqy7b5bx4y9f0hbpqlfif58l5xamwm88229qk4m"; }; - buildFlagsArray = '' - -ldflags= - -X github.com/hashicorp/vault/version.GitCommit=${version} + nativeBuildInputs = [ go gox ]; + + buildPhase = '' + substituteInPlace scripts/build.sh --replace 'git rev-parse HEAD' 'echo ${src.rev}' + + mkdir -p src/github.com/hashicorp + ln -s $(pwd) src/github.com/hashicorp/vault + + GOPATH=$(pwd) make ''; - postInstall = '' - mkdir -p $bin/share/bash-completion/completions/ - cp ${vaultBashCompletions}/vault-bash-completion.sh $bin/share/bash-completion/completions/vault + installPhase = '' + mkdir -p $out/bin $out/share/bash-completion/completions + cp pkg/*/* $out/bin/ + cp ${vaultBashCompletions}/vault-bash-completion.sh $out/share/bash-completion/completions/vault ''; meta = with stdenv.lib; { -- cgit 1.4.1 From c3996de4fd1014a9a0977d25e1235ea2949954d8 Mon Sep 17 00:00:00 2001 From: Volth Date: Sun, 2 Jul 2017 00:39:55 +0000 Subject: vault: remove-references-to go compiler --- pkgs/tools/security/vault/default.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'pkgs/tools') diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index a04375883091..9de6216ea594 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix 
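Review bot: `substituteInPlace scripts/build.sh --replace 'git rev-parse HEAD' 'echo ${src.rev}'` feeds the tag name (`v0.7.3`) into a field build.sh fills from a commit hash, so the binary's reported GitCommit becomes a tag rather than a hash; harmless at runtime, but a comment such as `# build.sh embeds git rev-parse HEAD; the source has no .git, so use the tag` would stop a reader taking it for the real commit. `cp pkg/*/* $out/bin/` then copies whatever gox emitted; unless build.sh already restricts the target OS/arch to the host (not visible here), a cross-compiled binary could land in $out/bin, so pinning the target through the variables build.sh reads, or copying the single expected file, would be safer. The move from `buildGoPackage` to `stdenv.mkDerivation` also drops the explicit `-ldflags` that set version.GitCommit from `${version}`; presumably build.sh now does the equivalent, which is worth confirming in the built `vault version` output.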
@@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, go, gox }: +{ stdenv, fetchFromGitHub, go, gox, removeReferencesTo }: let vaultBashCompletions = fetchFromGitHub { @@ -18,7 +18,7 @@ in stdenv.mkDerivation rec { sha256 = "15wj1pfgzwzjfrqy7b5bx4y9f0hbpqlfif58l5xamwm88229qk4m"; }; - nativeBuildInputs = [ go gox ]; + nativeBuildInputs = [ go gox removeReferencesTo ]; buildPhase = '' substituteInPlace scripts/build.sh --replace 'git rev-parse HEAD' 'echo ${src.rev}' @@ -31,7 +31,10 @@ in stdenv.mkDerivation rec { installPhase = '' mkdir -p $out/bin $out/share/bash-completion/completions + cp pkg/*/* $out/bin/ + find $out/bin -type f -exec remove-references-to -t ${go} '{}' + + cp ${vaultBashCompletions}/vault-bash-completion.sh $out/share/bash-completion/completions/vault ''; -- cgit 1.4.1