nixpkgs/nixos/tests/vault-postgresql.nix

/* This test checks that
    - multiple config files can be loaded
    - the storage backend can be in a file outside the nix store
      as is required for security (required because while confidentiality is
      always covered, availability isn't)
    - the postgres integration works
 */
import ./make-test-python.nix ({ pkgs, ... }:
{
  name = "vault-postgresql";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ lnl7 roberth ];
  };
  machine = { lib, pkgs, ... }: {
    virtualisation.memorySize = 512;
    environment.systemPackages = [ pkgs.vault ];
    environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
    services.vault.enable = true;
    services.vault.extraSettingsPaths = [ "/run/vault.hcl" ];

    systemd.services.vault = {
      after = [
        "postgresql.service"
      ];
      # Try for about 10 minutes rather than the default of 5 attempts.
      serviceConfig.RestartSec = 1;
      serviceConfig.StartLimitBurst = 600;
    };
    # systemd.services.vault.unitConfig.RequiresMountsFor = "/run/keys/";

    services.postgresql.enable = true;
    services.postgresql.initialScript = pkgs.writeText "init.psql" ''
      CREATE USER vaultuser WITH ENCRYPTED PASSWORD 'thisisthepass';
      GRANT CONNECT ON DATABASE postgres TO vaultuser;

      -- https://www.vaultproject.io/docs/configuration/storage/postgresql
      CREATE TABLE vault_kv_store (
        parent_path TEXT COLLATE "C" NOT NULL,
        path        TEXT COLLATE "C",
        key         TEXT COLLATE "C",
        value       BYTEA,
        CONSTRAINT pkey PRIMARY KEY (path, key)
      );
      CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

      GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO vaultuser;
    '';
  };

  testScript =
    ''
      secretConfig = """
          storage "postgresql" {
            connection_url = "postgres://vaultuser:thisisthepass@localhost/postgres?sslmode=disable"
          }
          """

      start_all()

      machine.wait_for_unit("multi-user.target")
      machine.succeed("cat >/root/vault.hcl <<EOF\n%s\nEOF\n" % secretConfig)
      machine.succeed(
          "install --owner vault --mode 0400 /root/vault.hcl /run/vault.hcl; rm /root/vault.hcl"
      )
      machine.wait_for_unit("vault.service")
      machine.wait_for_open_port(8200)
      machine.succeed("vault operator init")
      machine.succeed("vault status | grep Sealed | grep true")
    '';
})
nixosTests.vault-postgresql: init 2021-01-04 17:54:03 +01:00			`/* This test checks that`
			`- multiple config files can be loaded`
			`- the storage backend can be in a file outside the nix store`
			`as is required for security (required because while confidentiality is`
			`always covered, availability isn't)`
			`- the postgres integration works`
			`*/`
			`import ./make-test-python.nix ({ pkgs, ... }:`
			`{`
			`name = "vault-postgresql";`
treewide: stdenv.lib -> lib 2021-01-27 12:59:00 +07:00			`meta = with pkgs.lib.maintainers; {`
nixosTests.vault-postgresql: init 2021-01-04 17:54:03 +01:00			`maintainers = [ lnl7 roberth ];`
			`};`
			`machine = { lib, pkgs, ... }: {`
			`virtualisation.memorySize = 512;`
			`environment.systemPackages = [ pkgs.vault ];`
			`environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";`
			`services.vault.enable = true;`
nixos/vault: extraConfigPaths -> extraSettingsPaths Align with RFC42 language, even if in advance of the actual settings attribute. 2021-01-19 18:14:29 +01:00			`services.vault.extraSettingsPaths = [ "/run/vault.hcl" ];`
nixosTests.vault-postgresql: init 2021-01-04 17:54:03 +01:00
			`systemd.services.vault = {`
			`after = [`
			`"postgresql.service"`
			`];`
			`# Try for about 10 minutes rather than the default of 5 attempts.`
			`serviceConfig.RestartSec = 1;`
			`serviceConfig.StartLimitBurst = 600;`
			`};`
			`# systemd.services.vault.unitConfig.RequiresMountsFor = "/run/keys/";`

			`services.postgresql.enable = true;`
			`services.postgresql.initialScript = pkgs.writeText "init.psql" ''`
			`CREATE USER vaultuser WITH ENCRYPTED PASSWORD 'thisisthepass';`
			`GRANT CONNECT ON DATABASE postgres TO vaultuser;`

			`-- https://www.vaultproject.io/docs/configuration/storage/postgresql`
			`CREATE TABLE vault_kv_store (`
			`parent_path TEXT COLLATE "C" NOT NULL,`
			`path TEXT COLLATE "C",`
			`key TEXT COLLATE "C",`
			`value BYTEA,`
			`CONSTRAINT pkey PRIMARY KEY (path, key)`
			`);`
			`CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);`

			`GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO vaultuser;`
			`'';`
			`};`

			`testScript =`
			`''`
			`secretConfig = """`
			`storage "postgresql" {`
			`connection_url = "postgres://vaultuser:thisisthepass@localhost/postgres?sslmode=disable"`
			`}`
			`"""`

			`start_all()`

			`machine.wait_for_unit("multi-user.target")`
			`machine.succeed("cat >/root/vault.hcl <<EOF\n%s\nEOF\n" % secretConfig)`
			`machine.succeed(`
			`"install --owner vault --mode 0400 /root/vault.hcl /run/vault.hcl; rm /root/vault.hcl"`
			`)`
			`machine.wait_for_unit("vault.service")`
			`machine.wait_for_open_port(8200)`
			`machine.succeed("vault operator init")`
			`machine.succeed("vault status \| grep Sealed \| grep true")`
			`'';`
			`})`