/*
  NixOS VM test: Vault with the PostgreSQL storage backend.

  What it exercises:
  - more than one Vault configuration file is loaded at once (the module's
    generated config plus an extra HCL file from `extraSettingsPaths`);
  - the storage-backend stanza, which carries the database credential, is
    kept in a file outside the Nix store. The store is world-readable, so
    this placement is what keeps the credential confidential; the test also
    checks that the service still becomes available when that file only
    appears after boot;
  - the PostgreSQL integration works end to end.
*/
import ./make-test-python.nix (
  { pkgs, ... }:
  {
    name = "vault-postgresql";
    meta.maintainers = [
      pkgs.lib.maintainers.lnl7
      pkgs.lib.maintainers.roberth
    ];

    nodes = {
      machine =
        { lib, pkgs, ... }:
        {
          environment = {
            systemPackages = [ pkgs.vault ];
            # The `vault` CLI used by the test script only ever talks to the loopback listener.
            variables.VAULT_ADDR = "http://127.0.0.1:8200";
          };

          services = {
            vault = {
              enable = true;
              # Extra config read by the daemon. The test script installs this file
              # later, so early start attempts fail until it exists (see the restart
              # settings on the unit below).
              extraSettingsPaths = [ "/run/vault.hcl" ];
            };

            postgresql = {
              enable = true;
              # Provision the backend role and the KV table that Vault's postgresql
              # storage expects. The role only gets DML rights on the tables; it owns
              # nothing and cannot alter the schema.
              initialScript = pkgs.writeText "init.psql" ''
                CREATE USER vaultuser WITH ENCRYPTED PASSWORD 'thisisthepass';
                GRANT CONNECT ON DATABASE postgres TO vaultuser;

                -- https://www.vaultproject.io/docs/configuration/storage/postgresql
                CREATE TABLE vault_kv_store (
                  parent_path TEXT COLLATE "C" NOT NULL,
                  path TEXT COLLATE "C",
                  key TEXT COLLATE "C",
                  value BYTEA,
                  CONSTRAINT pkey PRIMARY KEY (path, key)
                );
                CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

                GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO vaultuser;
              '';
            };
          };

          systemd.services.vault = {
            after = [ "postgresql.service" ];
            serviceConfig = {
              # Retry quickly and many times instead of systemd's default of 5 attempts,
              # so the unit is still being retried when the test script drops the
              # storage config into place.
              # NOTE(review): with systemd's default StartLimitIntervalSec this burst
              # is effectively never exhausted at one restart per second — confirm the
              # intended retry window if an exact bound matters.
              RestartSec = 1;
              StartLimitBurst = 600;
            };
          };
          # systemd.services.vault.unitConfig.RequiresMountsFor = "/run/keys/";
        };
    };

    # The storage stanza (with the database password) is staged under /root, which
    # only root can read, then installed into /run owned by the vault user with
    # mode 0400 and the staging copy removed — the daemon, and nothing else, can
    # read it, and no copy ever lands in the Nix store. `sslmode=disable` is only
    # acceptable here because the connection stays on localhost inside a throwaway
    # VM; the password itself is a dummy test value that is part of this derivation.
    # Right after `vault operator init` the server is sealed, which `vault status`
    # reports with exit code 2, hence the `|| test $? -eq 2`.
    testScript = ''
      secretConfig = """
      storage "postgresql" {
        connection_url = "postgres://vaultuser:thisisthepass@localhost/postgres?sslmode=disable"
      }
      """

      start_all()

      machine.wait_for_unit("multi-user.target")
      machine.succeed("cat >/root/vault.hcl <<EOF\n%s\nEOF\n" % secretConfig)
      machine.succeed(
        "install --owner vault --mode 0400 /root/vault.hcl /run/vault.hcl; rm /root/vault.hcl"
      )
      machine.wait_for_unit("vault.service")
      machine.wait_for_open_port(8200)
      machine.succeed("vault operator init")
      machine.succeed("vault status || test $? -eq 2")
    '';
  }
)