1
-
{ config, lib, pkgs, utils, ... }:
1
+
{ config, lib, pkgs, ... }:
6
-
inherit (pkgs) vault;
5
+
cfg = config.services.vault;
8
-
cfg = config.services.vault;
configFile = pkgs.writeText "vault.hcl" ''
12
-
address = "${cfg.listener.address}"
14
-
${optionalString (cfg.listener.cluster_address != null)''
15
-
cluster_address = "${cfg.listener.cluster_address}"
18
-
${optionalString (cfg.listener.tls_cert_file != null)''
19
-
tls_cert_file = "${cfg.listener.tls_cert_file}"
22
-
${optionalString (cfg.listener.tls_key_file != null)''
23
-
tls_key_file = "${cfg.listener.tls_key_file}"
26
-
${if cfg.listener.tls_disable then "tls_disable = \"1\"" else "" }
28
-
tls_min_version = "${cfg.listener.tls_min_version}"
30
-
${optionalString (cfg.listener.tls_cipher_suites != null)''
31
-
tls_cipher_suites = \"${cfg.listener.tls_cipher_suites}\"
34
-
tls_prefer_server_cipher_suites = "${boolToString cfg.listener.tls_prefer_server_cipher_suites}"
36
-
tls_require_and_verify_client_cert = "${boolToString cfg.listener.tls_require_and_verify_client_cert}"
9
+
address = "${cfg.address}"
10
+
tls_cert_file = "${cfg.tlsCertFile}"
11
+
tls_key_file = "${cfg.tlsKeyFile}"
12
+
${cfg.listenerExtraConfig}
40
-
storage "${cfg.storage.backend}" {
41
-
${cfg.storage.extraConfig}
14
+
storage "${cfg.storageBackend}" {
15
+
${cfg.storageConfig}
44
-
${if cfg.telemetry.extraConfig != "" then "
46
-
${if cfg.telemetry.disable_hostname then "disable_hostname = \"true\"" else ""}
47
-
${cfg.telemetry.extraConfig}
17
+
${optionalString (cfg.telemetryConfig != "") ''
19
+
${cfg.telemetryConfig}
62
-
Enables the vault daemon.
29
+
enable = mkEnableOption "Vault daemon";
31
+
address = mkOption {
33
+
default = "127.0.0.1:8200";
34
+
description = "The name of the ip interface to listen to";
37
+
tlsCertFile = mkOption {
39
+
default = "/etc/vault/cert.pem";
40
+
example = "/path/to/your/cert.pem";
41
+
description = "TLS certificate file. A self-signed certificate will be generated if file not exists";
68
-
address = mkOption {
70
-
default = "127.0.0.1:8200";
72
-
The name of the ip interface to listen to.
44
+
tlsKeyFile = mkOption {
46
+
default = "/etc/vault/key.pem";
47
+
example = "/path/to/your/key.pem";
48
+
description = "TLS private key file. A self-signed certificate will be generated if file not exists";
76
-
cluster_address = mkOption {
77
-
type = types.nullOr types.str;
80
-
The name of the address to bind to for cluster server-to-server requests.
84
-
tls_cert_file = mkOption {
88
-
The name of the crt file for the ssl certificate.
92
-
tls_key_file = mkOption {
96
-
The name of the key file for the ssl certificate.
51
+
listenerExtraConfig = mkOption {
54
+
tls_min_version = "tls12"
56
+
description = "extra configuration";
100
-
tls_disable = mkOption {
104
-
Specifies if TLS will be disabled. Vault assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication.
108
-
tls_min_version = mkOption {
109
-
type = types.enum [ "tls10" "tls11" "tls12" ];
112
-
The minimum supported version of TLS. Accepted values are "tls10", "tls11" or "tls12".
116
-
tls_cipher_suites = mkOption {
117
-
type = types.nullOr types.str;
120
-
The list of supported ciphersuites as a comma-separated-list.
124
-
tls_prefer_server_cipher_suites = mkOption {
128
-
Specifies to prefer the server's ciphersuite over the client ciphersuites.
132
-
tls_require_and_verify_client_cert = mkOption {
136
-
Turns on client authentication for this listener.
59
+
storageBackend = mkOption {
60
+
type = types.enum ["inmem" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"];
62
+
description = "The name of the type of storage backend";
144
-
backend = mkOption {
146
-
default = "inMemory";
148
-
The name of the type of storage backend.
152
-
extraConfig = mkOption {
153
-
type = types.lines;
156
-
Configuration for storage
65
+
storageConfig = mkOption {
67
+
description = "Storage configuration";
165
-
disable_hostname = mkOption {
169
-
Specifies if gauge values should be prefixed with the local hostname.
173
-
extraConfig = mkOption {
174
-
type = types.lines;
177
-
configuration for telemetry
71
+
telemetryConfig = mkOption {
74
+
description = "Telemetry configuration";
config = mkIf cfg.enable {
189
-
systemd.services.vault =
190
-
{ description = "Vault server daemon";
81
+
users.extraUsers.vault = {
84
+
uid = config.ids.uids.vault;
85
+
description = "Vault daemon user";
87
+
users.extraGroups.vault.gid = config.ids.gids.vault;
89
+
systemd.services.vault = {
90
+
description = "Vault server daemon";
wantedBy = ["multi-user.target"];
93
+
after = [ "network.target" ];
196
-
mkdir -m 0755 -p /var/lib/vault
96
+
mkdir -m 0755 -p /var/lib/vault
97
+
chown -R vault:vault /var/lib/vault
201
-
"${pkgs.vault}/bin/vault server -config ${configFile}";
202
-
KillMode = "process";
99
+
# generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client
100
+
if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then
101
+
mkdir -p $(dirname ${cfg.tlsCertFile}) || true
102
+
mkdir -p $(dirname ${cfg.tlsKeyFile }) || true
103
+
${pkgs.openssl.bin}/bin/openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 99999 \
104
+
-subj /C=US/ST=NY/L=NYC/O=vault/CN=${cfg.address} \
105
+
-keyout ${cfg.tlsKeyFile} -out ${cfg.tlsCertFile}
107
+
chown root:vault ${cfg.tlsKeyFile} ${cfg.tlsCertFile}
108
+
chmod 440 ${cfg.tlsKeyFile} ${cfg.tlsCertFile}
115
+
PermissionsStartOnly = true;
116
+
ExecStart = "${pkgs.vault}/bin/vault server -config ${configFile}";
117
+
PrivateDevices = true;
119
+
ProtectSystem = "full";
120
+
ProtectHome = "read-only";
121
+
AmbientCapabilities = "cap_ipc_lock";
122
+
NoNewPrivileges = true;
123
+
KillSignal = "SIGINT";
124
+
TimeoutStopSec = "30s";
125
+
Restart = "on-failure";
126
+
StartLimitInterval = "60s";
127
+
StartLimitBurst = 3;
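Review bot: The self-signed fallback in preStart (new lines 99–108) puts `${cfg.address}` — host and port, `127.0.0.1:8200` by default — into the CN, so the certificate can never match a hostname, and the accompanying comment then tells operators to set `VAULT_SKIP_VERIFY=1`, which disables certificate verification for a secrets server and leaves the listener open to MITM. The private key is also written with the unit's default umask and only locked down by the later `chmod 440`, so it is briefly readable by other local users, and `-days 99999` exceeds what many TLS stacks accept. I'd strip the port before building the subject, set `umask 077` before calling openssl, use a sane lifetime, and point clients at the cert via `VAULT_CACERT` instead of disabling verification; adding a matching subjectAltName is worth doing if the available openssl supports `-addext`. Separately, `ProtectSystem = "full"` mounts /etc read-only for the whole unit, which I would expect to make writing the default `/etc/vault/*.pem` from ExecStartPre fail — worth a test before merging. The `systemd.services.vault` block continues past the end of the hunk.
```nix
        # Fallback self-signed cert: clients should trust it with VAULT_CACERT, not VAULT_SKIP_VERIFY
        if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then
          mkdir -p "$(dirname ${cfg.tlsCertFile})" "$(dirname ${cfg.tlsKeyFile})"
          # CN must be a host, not host:port, or no client can ever match it
          host="${lib.head (lib.splitString ":" cfg.address)}"
          umask 077   # key is never world-readable, even between creation and chmod
          ${pkgs.openssl.bin}/bin/openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 825 \
            -subj "/O=vault/CN=$host" \
            -keyout ${cfg.tlsKeyFile} -out ${cfg.tlsCertFile}
        fi
        # … unchanged: chown root:vault / chmod 440 …
```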