pyrox.dev / nixpkgs
lol
fork atom

vault: add unitConfig.RequiresMountsFor to systemd config

Volth 519f1703 7330e804

options
unified split
Changed files
+18 -14
nixos
modules
services
security
vault.nix
pkgs
tools
security
vault
default.nix
+17 -13
nixos/modules/services/security/vault.nix 
···

       
79

       
79

       
 

       
    };


     

       
80

       
80

       
 

       
  };


     

       
81

       
81

       
 

       



     

       
82

       

       
-

       
  config = mkIf cfg.enable {


     

       

       
82

       
+

       
  config = let


     

       

       
83

       
+

       
    localDir = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then


     

       

       
84

       
+

       
                 let


     

       

       
85

       
+

       
                   matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);


     

       

       
86

       
+

       
                 in


     

       

       
87

       
+

       
                   if matched == null then


     

       

       
88

       
+

       
                     throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''


     

       

       
89

       
+

       
                   else


     

       

       
90

       
+

       
                     head matched


     

       

       
91

       
+

       
               else


     

       

       
92

       
+

       
                 null;


     

       

       
93

       
+

       
  in mkIf cfg.enable {


     

       
83

       
94

       
 

       



     

       
84

       
95

       
 

       
    users.extraUsers.vault = {


     

       
85

       
96

       
 

       
      name = "vault";


     
···

       
96

       
107

       
 

       
      after = [ "network.target" ]


     

       
97

       
108

       
 

       
           ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";


     

       
98

       
109

       
 

       



     

       
99

       

       
-

       
      preStart =


     

       
100

       

       
-

       
        optionalString (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional")


     

       
101

       

       
-

       
          (let


     

       
102

       

       
-

       
            matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);


     

       
103

       

       
-

       
            path = if matched == null then


     

       
104

       

       
-

       
                     throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''


     

       
105

       

       
-

       
                   else


     

       
106

       

       
-

       
                     head matched;


     

       
107

       

       
-

       
          in ''


     

       
108

       

       
-

       
            [ -d "${path}"] || install -d -m0700 -o vault -g vault "${path}"


     

       
109

       

       
-

       
          '') +


     

       
110

       

       
-

       
      ''


     

       

       
110

       
+

       
      preStart = optionalString (localDir != null) ''


     

       

       
111

       
+

       
        install -d -m0700 -o vault -g vault "${localDir}"


     

       

       
112

       
+

       
      '' + ''


     

       
111

       
113

       
 

       
        # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client


     

       
112

       
114

       
 

       
        if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then


     

       
113

       
115

       
 

       
          mkdir -p $(dirname ${cfg.tlsCertFile}) || true


     
···

       
138

       
140

       
 

       
        StartLimitInterval = "60s";


     

       
139

       
141

       
 

       
        StartLimitBurst = 3;


     

       
140

       
142

       
 

       
      };


     

       

       
143

       
+

       



     

       

       
144

       
+

       
      unitConfig.RequiresMountsFor = optional (localDir != null) localDir;


     

       
141

       
145

       
 

       
    };


     

       
142

       
146

       
 

       
  };


     

       
143

       
147
+1 -1
pkgs/tools/security/vault/default.nix 
···

       
1

       

       
-

       
{ stdenv, lib, buildGoPackage, fetchFromGitHub }:


     

       

       
1

       
+

       
{ stdenv, buildGoPackage, fetchFromGitHub }:


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
let


     

       
4

       
4

       
 

       
  vaultBashCompletions = fetchFromGitHub {