/* This test checks that
   - multiple config files can be loaded
   - the storage backend can be in a file outside the nix store
     as is required for security (required because while confidentiality is
     always covered, availability isn't)
   - the postgres integration works
*/
import ./make-test-python.nix ({ pkgs, ... }:
{
  name = "vault-postgresql";
  meta.maintainers = [ pkgs.lib.maintainers.lnl7 pkgs.lib.maintainers.roberth ];

  machine = { lib, pkgs, ... }: {
    virtualisation.memorySize = 512;

    # The vault CLI is driven from the test script; VAULT_ADDR points it at
    # the local listener so the commands below need no explicit address.
    environment = {
      systemPackages = [ pkgs.vault ];
      variables.VAULT_ADDR = "http://127.0.0.1:8200";
    };

    services = {
      vault = {
        enable = true;
        # Second config file, outside the nix store, that carries the storage
        # stanza and with it the database credential. It does not exist at
        # build time; the test script creates it in the running VM.
        extraSettingsPaths = [ "/run/vault.hcl" ];
      };

      postgresql = {
        enable = true;
        # Role and table layout for vault's postgresql backend (schema taken
        # from the linked upstream documentation).
        initialScript = pkgs.writeText "init.psql" ''
          CREATE USER vaultuser WITH ENCRYPTED PASSWORD 'thisisthepass';
          GRANT CONNECT ON DATABASE postgres TO vaultuser;

          -- https://www.vaultproject.io/docs/configuration/storage/postgresql
          CREATE TABLE vault_kv_store (
            parent_path TEXT COLLATE "C" NOT NULL,
            path TEXT COLLATE "C",
            key TEXT COLLATE "C",
            value BYTEA,
            CONSTRAINT pkey PRIMARY KEY (path, key)
          );
          CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

          GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO vaultuser;
        '';
      };
    };

    systemd.services.vault = {
      # Ordering only (no Requires=): start vault once postgres has started.
      after = [ "postgresql.service" ];
      # Try for about 10 minutes rather than the default of 5 attempts.
      # The extra settings file only appears once the test script has
      # written it, so vault presumably fails and restarts until then.
      # NOTE(review): since systemd 230 StartLimitBurst is a [Unit] key
      # (unitConfig); in [Service] it is still accepted for compatibility
      # but may be logged as deprecated -- confirm on the target systemd.
      serviceConfig = {
        RestartSec = 1;
        StartLimitBurst = 600;
      };
    };
    # systemd.services.vault.unitConfig.RequiresMountsFor = "/run/keys/";
  };

  # The storage stanza (including the postgres password) is assembled in the
  # test driver and pushed into the VM at runtime, so it never enters the nix
  # store. It is staged under /root, then installed as /run/vault.hcl with
  # mode 0400 owned by vault, and the staging copy is removed. The connection
  # is loopback inside the VM (localhost), which is why sslmode=disable is
  # used here. The final checks only assert that vault came up, initialised,
  # and reports itself sealed.
  testScript = ''
    secretConfig = """
    storage "postgresql" {
      connection_url = "postgres://vaultuser:thisisthepass@localhost/postgres?sslmode=disable"
    }
    """

    start_all()

    machine.wait_for_unit("multi-user.target")
    machine.succeed("cat >/root/vault.hcl <<EOF\n%s\nEOF\n" % secretConfig)
    machine.succeed(
        "install --owner vault --mode 0400 /root/vault.hcl /run/vault.hcl; rm /root/vault.hcl"
    )
    machine.wait_for_unit("vault.service")
    machine.wait_for_open_port(8200)
    machine.succeed("vault operator init")
    machine.succeed("vault status | grep Sealed | grep true")
  '';
})