/*
  This test checks that
  - multiple config files can be loaded
  - the storage backend configuration can live in a file outside the Nix
    store, as is required for security (required because, while the
    confidentiality of the data Vault stores is always covered, its
    availability isn't — and that file holds the backend credentials)
  - the postgres integration works
*/
{ pkgs, ... }:
let
  # Test-only database credentials. They end up in an HCL fragment that is
  # written at runtime, so the password never lands in the world-readable
  # Nix store.
  dbUser = "vaultuser";
  dbPassword = "thisisthepass";
  # Runtime-written Vault settings fragment (lives on /run, not in the store).
  secretSettingsPath = "/run/vault.hcl";
in
{
  name = "vault-postgresql";

  meta.maintainers = with pkgs.lib.maintainers; [
    lnl7
    roberth
  ];

  nodes.machine =
    { lib, pkgs, ... }:
    {
      environment = {
        systemPackages = [ pkgs.vault ];
        variables.VAULT_ADDR = "http://127.0.0.1:8200";
      };

      services.vault = {
        enable = true;
        # Extra HCL files merged into the Vault configuration; the storage
        # stanza (which carries the DB password) is written here by the test.
        extraSettingsPaths = [ secretSettingsPath ];
      };

      systemd.services.vault = {
        after = [ "postgresql.target" ];
        # Retry roughly every second for about 10 minutes instead of giving
        # up after the default 5 attempts.
        serviceConfig.RestartSec = 1;
        unitConfig.StartLimitBurst = 600;
      };
      # systemd.services.vault.unitConfig.RequiresMountsFor = "/run/keys/";

      services.postgresql = {
        enable = true;
        # Creates the Vault role and the backend schema documented upstream,
        # granting the role only the data-manipulation rights it needs.
        initialScript = pkgs.writeText "init.psql" ''
          CREATE USER ${dbUser} WITH ENCRYPTED PASSWORD '${dbPassword}';
          GRANT CONNECT ON DATABASE postgres TO ${dbUser};

          -- https://www.vaultproject.io/docs/configuration/storage/postgresql
          CREATE TABLE vault_kv_store (
            parent_path TEXT COLLATE "C" NOT NULL,
            path TEXT COLLATE "C",
            key TEXT COLLATE "C",
            value BYTEA,
            CONSTRAINT pkey PRIMARY KEY (path, key)
          );
          CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);

          GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO ${dbUser};
        '';
      };
    };

  testScript = ''
    # Storage stanza containing the backend credentials. It is handed to the
    # machine at runtime rather than baked into the store.
    # sslmode=disable is tolerable here only because the connection never
    # leaves the loopback interface.
    secret_config = """
    storage "postgresql" {
      connection_url = "postgres://${dbUser}:${dbPassword}@localhost/postgres?sslmode=disable"
    }
    """

    start_all()
    machine.wait_for_unit("multi-user.target")

    # Stage the fragment under /root, then install it readable only by the
    # vault user and drop the root-owned draft.
    machine.succeed("cat >/root/vault.hcl <<EOF\n%s\nEOF\n" % secret_config)
    machine.succeed(
        "install --owner vault --mode 0400 /root/vault.hcl ${secretSettingsPath}; "
        "rm /root/vault.hcl"
    )

    machine.wait_for_unit("vault.service")
    machine.wait_for_open_port(8200)
    machine.succeed("vault operator init")
    # `vault status` exits 2 while the server is sealed, which is the expected
    # state right after initialisation.
    machine.succeed("vault status || test $? -eq 2")
  '';
}