vault: add unitConfig.RequiresMountsFor to systemd config

Volth 2017-06-28 01:15:20 +00:00
parent 7330e80456
commit 519f17035f
2 changed files with 18 additions and 14 deletions


@ -79,7 +79,18 @@ in
}; };
}; };
config = mkIf cfg.enable { config = let
localDir = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then
let
matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);
in
if matched == null then
throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''
else
head matched
else
null;
in mkIf cfg.enable {
users.extraUsers.vault = { users.extraUsers.vault = {
name = "vault"; name = "vault";
@ -96,18 +107,9 @@ in
after = [ "network.target" ] after = [ "network.target" ]
++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service"; ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";
preStart = preStart = optionalString (localDir != null) ''
optionalString (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") install -d -m0700 -o vault -g vault "${localDir}"
(let '' + ''
matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);
path = if matched == null then
throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''
else
head matched;
in ''
[ -d "${path}"] || install -d -m0700 -o vault -g vault "${path}"
'') +
''
# generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client
if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then
mkdir -p $(dirname ${cfg.tlsCertFile}) || true mkdir -p $(dirname ${cfg.tlsCertFile}) || true
@ -138,6 +140,8 @@ in
StartLimitInterval = "60s"; StartLimitInterval = "60s";
StartLimitBurst = 3; StartLimitBurst = 3;
}; };
unitConfig.RequiresMountsFor = optional (localDir != null) localDir;
}; };
}; };
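Review bot: In the new `preStart`, `localDir` is spliced into the shell script inside double quotes (`install -d -m0700 -o vault -g vault "${localDir}"`), and the extraction regex excludes only `"`, so a configured path containing `$` or backticks would be expanded by the shell instead of being used literally; `install -d -m0700 -o vault -g vault ${escapeShellArg localDir}` avoids that, assuming `lib` is in scope through `with lib;` as the bare `optional` and `head` calls suggest. The regex in the new `let` block also begins with `.*`, so any key whose name ends in `path` satisfies it, and the captured directory is now both what `install` runs against on every start (the `[ -d … ] ||` guard was dropped) and what `RequiresMountsFor` waits on; a comment such as `# assumes storageConfig contains exactly one key ending in "path"` above `matched` would record that assumption. The `preStart` script continues beyond the hunk, and whether it runs as root is not visible here.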


@ -1,4 +1,4 @@
{ stdenv, lib, buildGoPackage, fetchFromGitHub }: { stdenv, buildGoPackage, fetchFromGitHub }:
let let
vaultBashCompletions = fetchFromGitHub { vaultBashCompletions = fetchFromGitHub {