Merge pull request #26907 from volth/vault
vault: 0.6.5 -> 0.7.3 with service
This commit is contained in:
commit
c79e0b2ba0
|
@ -139,6 +139,7 @@
|
|||
btsync = 113;
|
||||
minecraft = 114;
|
||||
#monetdb = 115; # unused (not packaged), removed 2016-09-19
|
||||
vault = 115;
|
||||
rippled = 116;
|
||||
murmur = 117;
|
||||
foundationdb = 118;
|
||||
|
@ -415,6 +416,7 @@
|
|||
btsync = 113;
|
||||
#minecraft = 114; # unused
|
||||
#monetdb = 115; # unused (not packaged), removed 2016-09-19
|
||||
vault = 115;
|
||||
#ripped = 116; # unused
|
||||
#murmur = 117; # unused
|
||||
foundationdb = 118;
|
||||
|
|
|
@ -558,6 +558,7 @@
|
|||
./services/security/tor.nix
|
||||
./services/security/torify.nix
|
||||
./services/security/torsocks.nix
|
||||
./services/security/vault.nix
|
||||
./services/system/cgmanager.nix
|
||||
./services/system/cloud-init.nix
|
||||
./services/system/dbus.nix
|
||||
|
|
|
@ -0,0 +1,143 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.services.vault;
|
||||
|
||||
configFile = pkgs.writeText "vault.hcl" ''
|
||||
listener "tcp" {
|
||||
address = "${cfg.address}"
|
||||
${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
|
||||
tls_disable = "true"
|
||||
'' else ''
|
||||
tls_cert_file = "${cfg.tlsCertFile}"
|
||||
tls_key_file = "${cfg.tlsKeyFile}"
|
||||
''}
|
||||
${cfg.listenerExtraConfig}
|
||||
}
|
||||
storage "${cfg.storageBackend}" {
|
||||
${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}
|
||||
${optionalString (cfg.storageConfig != null) cfg.storageConfig}
|
||||
}
|
||||
${optionalString (cfg.telemetryConfig != "") ''
|
||||
telemetry {
|
||||
${cfg.telemetryConfig}
|
||||
}
|
||||
''}
|
||||
'';
|
||||
in
|
||||
{
|
||||
options = {
|
||||
|
||||
services.vault = {
|
||||
|
||||
enable = mkEnableOption "Vault daemon";
|
||||
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
default = "127.0.0.1:8200";
|
||||
description = "The name of the ip interface to listen to";
|
||||
};
|
||||
|
||||
tlsCertFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "/path/to/your/cert.pem";
|
||||
description = "TLS certificate file. TLS will be disabled unless this option is set";
|
||||
};
|
||||
|
||||
tlsKeyFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "/path/to/your/key.pem";
|
||||
description = "TLS private key file. TLS will be disabled unless this option is set";
|
||||
};
|
||||
|
||||
listenerExtraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = ''
|
||||
tls_min_version = "tls12"
|
||||
'';
|
||||
description = "extra configuration";
|
||||
};
|
||||
|
||||
storageBackend = mkOption {
|
||||
type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ];
|
||||
default = "inmem";
|
||||
description = "The name of the type of storage backend";
|
||||
};
|
||||
|
||||
storagePath = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = if cfg.storageBackend == "file" then "/var/lib/vault" else null;
|
||||
description = "Data directory for file backend";
|
||||
};
|
||||
|
||||
storageConfig = mkOption {
|
||||
type = types.nullOr types.lines;
|
||||
default = null;
|
||||
description = "Storage configuration";
|
||||
};
|
||||
|
||||
telemetryConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = "Telemetry configuration";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
assertions = [
|
||||
{ assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null);
|
||||
message = ''The "inmem" storage expects no services.vault.storagePath nor services.vault.storageConfig'';
|
||||
}
|
||||
{ assertion = (cfg.storageBackend == "file" -> (cfg.storagePath != null && cfg.storageConfig == null)) && (cfg.storagePath != null -> cfg.storageBackend == "file");
|
||||
message = ''You must set services.vault.storagePath only when using the "file" backend'';
|
||||
}
|
||||
];
|
||||
|
||||
users.extraUsers.vault = {
|
||||
name = "vault";
|
||||
group = "vault";
|
||||
uid = config.ids.uids.vault;
|
||||
description = "Vault daemon user";
|
||||
};
|
||||
users.extraGroups.vault.gid = config.ids.gids.vault;
|
||||
|
||||
systemd.services.vault = {
|
||||
description = "Vault server daemon";
|
||||
|
||||
wantedBy = ["multi-user.target"];
|
||||
after = [ "network.target" ]
|
||||
++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";
|
||||
|
||||
restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
|
||||
|
||||
preStart = optionalString (cfg.storagePath != null) ''
|
||||
install -d -m0700 -o vault -g vault "${cfg.storagePath}"
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
User = "vault";
|
||||
Group = "vault";
|
||||
PermissionsStartOnly = true;
|
||||
ExecStart = "${pkgs.vault}/bin/vault server -config ${configFile}";
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "full";
|
||||
ProtectHome = "read-only";
|
||||
AmbientCapabilities = "cap_ipc_lock";
|
||||
NoNewPrivileges = true;
|
||||
KillSignal = "SIGINT";
|
||||
TimeoutStopSec = "30s";
|
||||
Restart = "on-failure";
|
||||
StartLimitInterval = "60s";
|
||||
StartLimitBurst = 3;
|
||||
};
|
||||
|
||||
unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;
|
||||
};
|
||||
};
|
||||
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
{ stdenv, lib, buildGoPackage, fetchFromGitHub }:
|
||||
{ stdenv, fetchFromGitHub, go, gox, removeReferencesTo }:
|
||||
|
||||
let
|
||||
vaultBashCompletions = fetchFromGitHub {
|
||||
|
@ -7,27 +7,35 @@ let
|
|||
rev = "e2f59b64be1fa5430fa05c91b6274284de4ea77c";
|
||||
sha256 = "10m75rp3hy71wlmnd88grmpjhqy0pwb9m8wm19l0f463xla54frd";
|
||||
};
|
||||
in buildGoPackage rec {
|
||||
in stdenv.mkDerivation rec {
|
||||
name = "vault-${version}";
|
||||
version = "0.6.5";
|
||||
|
||||
goPackagePath = "github.com/hashicorp/vault";
|
||||
version = "0.7.3";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "hashicorp";
|
||||
repo = "vault";
|
||||
rev = "v${version}";
|
||||
sha256 = "0ci46zn9d9h26flgjf4inmvk4mb1hlixvx5g7vg02raw0cqvknnb";
|
||||
sha256 = "15wj1pfgzwzjfrqy7b5bx4y9f0hbpqlfif58l5xamwm88229qk4m";
|
||||
};
|
||||
|
||||
buildFlagsArray = ''
|
||||
-ldflags=
|
||||
-X github.com/hashicorp/vault/version.GitCommit=${version}
|
||||
nativeBuildInputs = [ go gox removeReferencesTo ];
|
||||
|
||||
buildPhase = ''
|
||||
substituteInPlace scripts/build.sh --replace 'git rev-parse HEAD' 'echo ${src.rev}'
|
||||
|
||||
mkdir -p src/github.com/hashicorp
|
||||
ln -s $(pwd) src/github.com/hashicorp/vault
|
||||
|
||||
GOPATH=$(pwd) make
|
||||
'';
|
||||
|
||||
postInstall = ''
|
||||
mkdir -p $bin/share/bash-completion/completions/
|
||||
cp ${vaultBashCompletions}/vault-bash-completion.sh $bin/share/bash-completion/completions/vault
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin $out/share/bash-completion/completions
|
||||
|
||||
cp pkg/*/* $out/bin/
|
||||
find $out/bin -type f -exec remove-references-to -t ${go} '{}' +
|
||||
|
||||
cp ${vaultBashCompletions}/vault-bash-completion.sh $out/share/bash-completion/completions/vault
|
||||
'';
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
|
|
Loading…
Reference in New Issue