movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-13 21:25:30 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/vault: Allow multiple config files

Browse source
This commit is contained in:
Robert Hensing 2021-01-04 16:28:16 +01:00
parent 1eabc4cff1
commit b413e7fd2a
1 changed files with 44 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

46
nixos/modules/services/security/vault.nix
View file

@ -27,6 +27,11 @@ let
''} ''}
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
allConfigPaths = [configFile] ++ cfg.extraConfigPaths;
configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
in in
{ {
@ -84,7 +89,14 @@ in
storageConfig = mkOption { storageConfig = mkOption {
type = types.nullOr types.lines; type = types.nullOr types.lines;
default = null; default = null;
description = "Storage configuration"; description = ''
HCL configuration to insert in the storageBackend section.
Confidential values should not be specified here because this option's
value is written to the Nix store, which is publicly readable.
Provide credentials and such in a separate file using
<xref linkend="opt-services.vault.extraConfigPaths"/>.
'';
}; };
telemetryConfig = mkOption { telemetryConfig = mkOption {
@ -98,6 +110,36 @@ in
default = ""; default = "";
description = "Extra text appended to <filename>vault.hcl</filename>."; description = "Extra text appended to <filename>vault.hcl</filename>.";
}; };
extraConfigPaths = mkOption {
type = types.listOf types.path;
default = [];
description = ''
Configuration files to load besides the immutable one defined by the NixOS module.
This can be used to avoid putting credentials in the Nix store, which can be read by any user.
Each path can point to a JSON- or HCL-formatted file, or a directory
to be scanned for files with <literal>.hcl</literal> or
<literal>.json</literal> extensions.
To upload the confidential file with NixOps, use for example:
<programlisting><![CDATA[
# https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
text = ${"''"}
storage "postgresql" {
connection_url = "postgres://''${db.username}:''${db.password}@host.example.com/exampledb?sslmode=verify-ca"
}
${"''"};
user = "vault";
};
services.vault.extraConfigPaths = ["/run/keys/vault.hcl"];
services.vault.storageBackend = "postgresql";
users.users.vault.extraGroups = ["keys"];
]]></programlisting>
'';
};
}; };
}; };
@ -136,7 +178,7 @@ in
serviceConfig = { serviceConfig = {
User = "vault"; User = "vault";
Group = "vault"; Group = "vault";
ExecStart = "${cfg.package}/bin/vault server -config ${configFile}"; ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;