diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 64622454b9de..c2b714d7c26f 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -27,6 +27,11 @@ let
''}
${cfg.extraConfig}
'';
+
+ allConfigPaths = [configFile] ++ cfg.extraConfigPaths;
+
+ configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
+
in
{
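Review bot: The ordering in `allConfigPaths` is load-bearing but undocumented: the store-generated `configFile` is passed first and every user path after it, so whichever precedence Vault applies to multiple `-config` flags decides whether an extra file can silently override module-generated settings (listeners, storage backend). A short comment on the binding, `# configFile is deliberately first; later -config files are expected to override it — TODO confirm Vault's merge order`, would make that intent explicit for the next maintainer. The `let` block this is part of starts outside the hunk.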
@@ -84,7 +89,14 @@ in
storageConfig = mkOption {
type = types.nullOr types.lines;
default = null;
- description = "Storage configuration";
+ description = ''
+ HCL configuration to insert in the storageBackend section.
+
+ Confidential values should not be specified here because this option's
+ value is written to the Nix store, which is publicly readable.
+ Provide credentials and such in a separate file using
+ .
+ '';
};
telemetryConfig = mkOption {
@@ -98,6 +110,36 @@ in
default = "";
description = "Extra text appended to vault.hcl.";
};
+
+ extraConfigPaths = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ description = ''
+ Configuration files to load besides the immutable one defined by the NixOS module.
+ This can be used to avoid putting credentials in the Nix store, which can be read by any user.
+
+ Each path can point to a JSON- or HCL-formatted file, or a directory
+ to be scanned for files with .hcl or
+ .json extensions.
+
+ To upload the confidential file with NixOps, use for example:
+
+
+ '';
+ };
};
};
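Review bot: `types.listOf types.path` accepts a Nix path literal such as `./vault-secrets.hcl`, and a path literal is copied into the Nix store when it is stringified for `configOptions`, which defeats the stated purpose of keeping credentials out of the world-readable store. The description should tell users to give these as absolute path strings, e.g. `"/var/lib/vault/secrets.hcl"`, and never as path literals; a sentence like `Pass these as string paths (e.g. "/run/keys/vault.hcl"), not as Nix path literals, which would be copied into the Nix store.` would cover it. It is also worth stating that each file or directory must be readable by the `vault` user and group the service runs as, since the service drops to that account (see the `serviceConfig` hunk).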
@@ -136,7 +178,7 @@ in
serviceConfig = {
User = "vault";
Group = "vault";
- ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
+ ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
PrivateDevices = true;
PrivateTmp = true;
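Review bot: With `configOptions` now able to reference files outside the Nix store, changes to those files are invisible to the unit's activation hash, so `nixos-rebuild switch` will not restart or reload vault when a credential file is rotated; only store paths influence that. The `ExecReload` line above sends SIGHUP, but whether Vault re-reads storage credentials on SIGHUP is not established here, so the option description (or a comment next to `ExecStart`) should say that rotating an extra config file needs an explicit `systemctl restart vault` or a `restartTriggers` entry. The enclosing `systemd.services.vault` definition continues outside the hunk.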