forked from mirrors/nixpkgs
133 lines
3.7 KiB
Nix
133 lines
3.7 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
let
|
|
cfg = config.services.vault;
|
|
|
|
configFile = pkgs.writeText "vault.hcl" ''
|
|
listener "tcp" {
|
|
address = "${cfg.address}"
|
|
tls_cert_file = "${cfg.tlsCertFile}"
|
|
tls_key_file = "${cfg.tlsKeyFile}"
|
|
${cfg.listenerExtraConfig}
|
|
}
|
|
storage "${cfg.storageBackend}" {
|
|
${cfg.storageConfig}
|
|
}
|
|
${optionalString (cfg.telemetryConfig != "") ''
|
|
telemetry {
|
|
${cfg.telemetryConfig}
|
|
}
|
|
''}
|
|
'';
|
|
in
|
|
{
|
|
options = {
|
|
|
|
services.vault = {
|
|
|
|
enable = mkEnableOption "Vault daemon";
|
|
|
|
address = mkOption {
|
|
type = types.str;
|
|
default = "127.0.0.1:8200";
|
|
description = "The name of the ip interface to listen to";
|
|
};
|
|
|
|
tlsCertFile = mkOption {
|
|
type = types.str;
|
|
default = "/etc/vault/cert.pem";
|
|
example = "/path/to/your/cert.pem";
|
|
description = "TLS certificate file. A self-signed certificate will be generated if file not exists";
|
|
};
|
|
|
|
tlsKeyFile = mkOption {
|
|
type = types.str;
|
|
default = "/etc/vault/key.pem";
|
|
example = "/path/to/your/key.pem";
|
|
description = "TLS private key file. A self-signed certificate will be generated if file not exists";
|
|
};
|
|
|
|
listenerExtraConfig = mkOption {
|
|
type = types.lines;
|
|
default = ''
|
|
tls_min_version = "tls12"
|
|
'';
|
|
description = "extra configuration";
|
|
};
|
|
|
|
storageBackend = mkOption {
|
|
type = types.enum ["inmem" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"];
|
|
default = "inmem";
|
|
description = "The name of the type of storage backend";
|
|
};
|
|
|
|
storageConfig = mkOption {
|
|
type = types.lines;
|
|
description = "Storage configuration";
|
|
default = "";
|
|
};
|
|
|
|
telemetryConfig = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
description = "Telemetry configuration";
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
users.extraUsers.vault = {
|
|
name = "vault";
|
|
group = "vault";
|
|
uid = config.ids.uids.vault;
|
|
description = "Vault daemon user";
|
|
};
|
|
users.extraGroups.vault.gid = config.ids.gids.vault;
|
|
|
|
systemd.services.vault = {
|
|
description = "Vault server daemon";
|
|
|
|
wantedBy = ["multi-user.target"];
|
|
after = [ "network.target" ];
|
|
|
|
preStart = ''
|
|
mkdir -m 0755 -p /var/lib/vault
|
|
chown -R vault:vault /var/lib/vault
|
|
|
|
# generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client
|
|
if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then
|
|
mkdir -p $(dirname ${cfg.tlsCertFile}) || true
|
|
mkdir -p $(dirname ${cfg.tlsKeyFile }) || true
|
|
${pkgs.openssl.bin}/bin/openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 99999 \
|
|
-subj /C=US/ST=NY/L=NYC/O=vault/CN=${cfg.address} \
|
|
-keyout ${cfg.tlsKeyFile} -out ${cfg.tlsCertFile}
|
|
|
|
chown root:vault ${cfg.tlsKeyFile} ${cfg.tlsCertFile}
|
|
chmod 440 ${cfg.tlsKeyFile} ${cfg.tlsCertFile}
|
|
fi
|
|
'';
|
|
|
|
serviceConfig = {
|
|
User = "vault";
|
|
Group = "vault";
|
|
PermissionsStartOnly = true;
|
|
ExecStart = "${pkgs.vault}/bin/vault server -config ${configFile}";
|
|
PrivateDevices = true;
|
|
PrivateTmp = true;
|
|
ProtectSystem = "full";
|
|
ProtectHome = "read-only";
|
|
AmbientCapabilities = "cap_ipc_lock";
|
|
NoNewPrivileges = true;
|
|
KillSignal = "SIGINT";
|
|
TimeoutStopSec = "30s";
|
|
Restart = "on-failure";
|
|
StartLimitInterval = "60s";
|
|
StartLimitBurst = 3;
|
|
};
|
|
};
|
|
};
|
|
|
|
}
|