nixos/vault: Allow multiple config files

2025-06-10 19:55:41 +03:00 · 2021-01-04 16:28:16 +01:00 · 2021-01-04 16:28:16 +01:00 · b413e7fd2a
commit b413e7fd2a
parent 1eabc4cff1
1 changed files with 44 additions and 2 deletions
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@ -27,6 +27,11 @@ let
      ''}
    ${cfg.extraConfig}
  '';
+
+  allConfigPaths = [configFile] ++ cfg.extraConfigPaths;
+
+  configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
+
 in

 {
@ -84,7 +89,14 @@ in
      storageConfig = mkOption {
        type = types.nullOr types.lines;
        default = null;
-        description = "Storage configuration";
+        description = ''
+          HCL configuration to insert in the storageBackend section.
+
+          Confidential values should not be specified here because this option's
+          value is written to the Nix store, which is publicly readable.
+          Provide credentials and such in a separate file using
+          <xref linkend="opt-services.vault.extraConfigPaths"/>.
+        '';
      };

      telemetryConfig = mkOption {
@ -98,6 +110,36 @@ in
        default = "";
        description = "Extra text appended to <filename>vault.hcl</filename>.";
      };
+
+      extraConfigPaths = mkOption {
+        type = types.listOf types.path;
+        default = [];
+        description = ''
+          Configuration files to load besides the immutable one defined by the NixOS module.
+          This can be used to avoid putting credentials in the Nix store, which can be read by any user.
+
+          Each path can point to a JSON- or HCL-formatted file, or a directory
+          to be scanned for files with <literal>.hcl</literal> or
+          <literal>.json</literal> extensions.
+
+          To upload the confidential file with NixOps, use for example:
+
+          <programlisting><![CDATA[
+          # https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
+          deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
+            text = ${"''"}
+              storage "postgresql" {
+                connection_url = "postgres://''${db.username}:''${db.password}@host.example.com/exampledb?sslmode=verify-ca"
+              }
+            ${"''"};
+            user = "vault";
+          };
+          services.vault.extraConfigPaths = ["/run/keys/vault.hcl"];
+          services.vault.storageBackend = "postgresql";
+          users.users.vault.extraGroups = ["keys"];
+          ]]></programlisting>
+        '';
+      };
    };
  };

@ -136,7 +178,7 @@ in
      serviceConfig = {
        User = "vault";
        Group = "vault";
-        ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
+        ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
        PrivateDevices = true;
        PrivateTmp = true;