										 |  |  | { config, lib, pkgs, ... }: | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | with lib; | 
					
						
							| 
									
										
										
										
											2018-08-09 23:22:53 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  | let | 
					
						
							|  |  |  |   cfg = config.services.vault; | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  |   configFile = pkgs.writeText "vault.hcl" ''
 | 
					
						
							|  |  |  |     listener "tcp" { | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       address = "${cfg.address}" | 
					
						
							| 
									
										
										
										
											2017-06-28 22:08:36 +00:00
										 |  |  |       ${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
 | 
					
						
							|  |  |  |           tls_disable = "true" | 
					
						
							|  |  |  |         '' else '' | 
					
						
							|  |  |  |           tls_cert_file = "${cfg.tlsCertFile}" | 
					
						
							|  |  |  |           tls_key_file = "${cfg.tlsKeyFile}" | 
					
						
							|  |  |  |         ''}
 | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       ${cfg.listenerExtraConfig} | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |     storage "${cfg.storageBackend}" { | 
					
						
							| 
									
										
										
										
											2017-06-29 21:10:56 +00:00
										 |  |  |       ${optionalString (cfg.storagePath   != null) ''path = "${cfg.storagePath}"''} | 
					
						
							|  |  |  |       ${optionalString (cfg.storageConfig != null) cfg.storageConfig} | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |     ${optionalString (cfg.telemetryConfig != "") ''
 | 
					
						
							|  |  |  |         telemetry { | 
					
						
							|  |  |  |           ${cfg.telemetryConfig} | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |       ''}
 | 
					
						
							| 
									
										
										
										
											2018-08-09 23:22:53 +02:00
										 |  |  |     ${cfg.extraConfig} | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  |   '';
 | 
					
						
							|  |  |  | in | 
					
						
							| 
									
										
										
										
											2018-08-09 23:22:53 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  | { | 
					
						
							|  |  |  |   options = { | 
					
						
							|  |  |  |     services.vault = { | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       enable = mkEnableOption "Vault daemon"; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-08-09 23:22:53 +02:00
										 |  |  |       package = mkOption { | 
					
						
							|  |  |  |         type = types.package; | 
					
						
							|  |  |  |         default = pkgs.vault; | 
					
						
							|  |  |  |         defaultText = "pkgs.vault"; | 
					
						
							|  |  |  |         description = "This option specifies the vault package to use."; | 
					
						
							|  |  |  |       }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       address = mkOption { | 
					
						
							|  |  |  |         type = types.str; | 
					
						
							|  |  |  |         default = "127.0.0.1:8200"; | 
					
						
							|  |  |  |         description = "The name of the ip interface to listen to"; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  |       }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       tlsCertFile = mkOption { | 
					
						
							| 
									
										
										
										
											2017-06-28 22:08:36 +00:00
										 |  |  |         type = types.nullOr types.str; | 
					
						
							|  |  |  |         default = null; | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |         example = "/path/to/your/cert.pem"; | 
					
						
							| 
									
										
										
										
											2017-06-28 22:08:36 +00:00
										 |  |  |         description = "TLS certificate file. TLS will be disabled unless this option is set"; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  |       }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       tlsKeyFile = mkOption { | 
					
						
							| 
									
										
										
										
											2017-06-28 22:08:36 +00:00
										 |  |  |         type = types.nullOr types.str; | 
					
						
							|  |  |  |         default = null; | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |         example = "/path/to/your/key.pem"; | 
					
						
							| 
									
										
										
										
											2017-06-28 22:08:36 +00:00
										 |  |  |         description = "TLS private key file. TLS will be disabled unless this option is set"; | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       }; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       listenerExtraConfig = mkOption { | 
					
						
							|  |  |  |         type = types.lines; | 
					
						
							|  |  |  |         default = ''
 | 
					
						
							|  |  |  |           tls_min_version = "tls12" | 
					
						
							|  |  |  |         '';
 | 
					
						
							| 
									
										
										
										
											2018-08-09 23:22:53 +02:00
										 |  |  |         description = "Extra text appended to the listener section."; | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       }; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       storageBackend = mkOption { | 
					
						
							| 
									
										
										
										
											2017-06-29 21:10:56 +00:00
										 |  |  |         type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ]; | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |         default = "inmem"; | 
					
						
							|  |  |  |         description = "The name of the type of storage backend"; | 
					
						
							|  |  |  |       }; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-29 21:10:56 +00:00
										 |  |  |       storagePath = mkOption { | 
					
						
							|  |  |  |         type = types.nullOr types.path; | 
					
						
							|  |  |  |         default = if cfg.storageBackend == "file" then "/var/lib/vault" else null; | 
					
						
							|  |  |  |         description = "Data directory for file backend"; | 
					
						
							|  |  |  |       }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       storageConfig = mkOption { | 
					
						
							| 
									
										
										
										
											2017-06-29 21:10:56 +00:00
										 |  |  |         type = types.nullOr types.lines; | 
					
						
							|  |  |  |         default = null; | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |         description = "Storage configuration"; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  |       }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       telemetryConfig = mkOption { | 
					
						
							|  |  |  |         type = types.lines; | 
					
						
							|  |  |  |         default = ""; | 
					
						
							|  |  |  |         description = "Telemetry configuration"; | 
					
						
							|  |  |  |       }; | 
					
						
							| 
									
										
										
										
											2018-08-09 23:22:53 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |       extraConfig = mkOption { | 
					
						
							|  |  |  |         type = types.lines; | 
					
						
							|  |  |  |         default = ""; | 
					
						
							|  |  |  |         description = "Extra text appended to <filename>vault.hcl</filename>."; | 
					
						
							|  |  |  |       }; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  |     }; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-29 21:10:56 +00:00
										 |  |  |   config = mkIf cfg.enable { | 
					
						
							|  |  |  |     assertions = [ | 
					
						
							|  |  |  |       { assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null); | 
					
						
							|  |  |  |         message = ''The "inmem" storage expects no services.vault.storagePath nor services.vault.storageConfig''; | 
					
						
							|  |  |  |       } | 
					
						
							|  |  |  |       { assertion = (cfg.storageBackend == "file" -> (cfg.storagePath != null && cfg.storageConfig == null)) && (cfg.storagePath != null -> cfg.storageBackend == "file"); | 
					
						
							|  |  |  |         message = ''You must set services.vault.storagePath only when using the "file" backend''; | 
					
						
							|  |  |  |       } | 
					
						
							|  |  |  |     ]; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-06-30 01:58:35 +02:00
										 |  |  |     users.users.vault = { | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       name = "vault"; | 
					
						
							|  |  |  |       group = "vault"; | 
					
						
							|  |  |  |       uid = config.ids.uids.vault; | 
					
						
							|  |  |  |       description = "Vault daemon user"; | 
					
						
							|  |  |  |     }; | 
					
						
							| 
									
										
										
										
											2018-06-30 01:58:35 +02:00
										 |  |  |     users.groups.vault.gid = config.ids.gids.vault; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |     systemd.services.vault = { | 
					
						
							|  |  |  |       description = "Vault server daemon"; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       wantedBy = ["multi-user.target"]; | 
					
						
							| 
									
										
										
										
											2017-06-28 00:58:19 +00:00
										 |  |  |       after = [ "network.target" ] | 
					
						
							|  |  |  |            ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service"; | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-07-03 19:46:02 +00:00
										 |  |  |       restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients. | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-29 21:10:56 +00:00
										 |  |  |       preStart = optionalString (cfg.storagePath != null) ''
 | 
					
						
							|  |  |  |         install -d -m0700 -o vault -g vault "${cfg.storagePath}" | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |       '';
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       serviceConfig = { | 
					
						
							|  |  |  |         User = "vault"; | 
					
						
							|  |  |  |         Group = "vault"; | 
					
						
							|  |  |  |         PermissionsStartOnly = true; | 
					
						
							| 
									
										
										
										
											2018-08-09 23:22:53 +02:00
										 |  |  |         ExecStart = "${cfg.package}/bin/vault server -config ${configFile}"; | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |         PrivateDevices = true; | 
					
						
							|  |  |  |         PrivateTmp = true; | 
					
						
							|  |  |  |         ProtectSystem = "full"; | 
					
						
							|  |  |  |         ProtectHome = "read-only"; | 
					
						
							|  |  |  |         AmbientCapabilities = "cap_ipc_lock"; | 
					
						
							|  |  |  |         NoNewPrivileges = true; | 
					
						
							|  |  |  |         KillSignal = "SIGINT"; | 
					
						
							|  |  |  |         TimeoutStopSec = "30s"; | 
					
						
							|  |  |  |         Restart = "on-failure"; | 
					
						
							|  |  |  |         StartLimitInterval = "60s"; | 
					
						
							|  |  |  |         StartLimitBurst = 3; | 
					
						
							|  |  |  |       }; | 
					
						
							| 
									
										
										
										
											2017-06-28 01:15:20 +00:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-06-29 21:10:56 +00:00
										 |  |  |       unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath; | 
					
						
							| 
									
										
										
										
											2017-06-27 14:54:25 +00:00
										 |  |  |     }; | 
					
						
							| 
									
										
										
										
											2017-06-07 22:31:40 +02:00
										 |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | } |