pyrox.dev / nixpkgs
lol
fork atom

vault: services.vault.storagePath for the file backend

Volth 68bf28ad ca16df17

options
unified split
Changed files
+23 -22
nixos
modules
services
security
vault.nix
+23 -22
nixos/modules/services/security/vault.nix 
···

       
16

       
16

       
 

       
      ${cfg.listenerExtraConfig}


     

       
17

       
17

       
 

       
    }


     

       
18

       
18

       
 

       
    storage "${cfg.storageBackend}" {


     

       
19

       

       
-

       
      ${cfg.storageConfig}


     

       

       
19

       
+

       
      ${optionalString (cfg.storagePath   != null) ''path = "${cfg.storagePath}"''}


     

       

       
20

       
+

       
      ${optionalString (cfg.storageConfig != null) cfg.storageConfig}


     

       
20

       
21

       
 

       
    }


     

       
21

       
22

       
 

       
    ${optionalString (cfg.telemetryConfig != "") ''


     

       
22

       
23

       
 

       
        telemetry {


     
···

       
61

       
62

       
 

       
      };


     

       
62

       
63

       
 

       



     

       
63

       
64

       
 

       
      storageBackend = mkOption {


     

       
64

       

       
-

       
        type = types.enum ["inmem" "inmem_transactional" "inmem_ha" "inmem_transactional_ha" "file_transactional" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"];


     

       

       
65

       
+

       
        type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ];


     

       
65

       
66

       
 

       
        default = "inmem";


     

       
66

       
67

       
 

       
        description = "The name of the type of storage backend";


     

       
67

       
68

       
 

       
      };


     

       
68

       
69

       
 

       



     

       

       
70

       
+

       
      storagePath = mkOption {


     

       

       
71

       
+

       
        type = types.nullOr types.path;


     

       

       
72

       
+

       
        default = if cfg.storageBackend == "file" then "/var/lib/vault" else null;


     

       

       
73

       
+

       
        description = "Data directory for file backend";


     

       

       
74

       
+

       
      };


     

       

       
75

       
+

       



     

       
69

       
76

       
 

       
      storageConfig = mkOption {


     

       
70

       

       
-

       
        type = types.lines;


     

       

       
77

       
+

       
        type = types.nullOr types.lines;


     

       

       
78

       
+

       
        default = null;


     

       
71

       
79

       
 

       
        description = "Storage configuration";


     

       
72

       

       
-

       
        default = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then ''


     

       
73

       

       
-

       
                    path = "/var/lib/vault"


     

       
74

       

       
-

       
                  '' else ''


     

       
75

       

       
-

       
                  '';


     

       
76

       
80

       
 

       
      };


     

       
77

       
81

       
 

       



     

       
78

       
82

       
 

       
      telemetryConfig = mkOption {


     
···

       
83

       
87

       
 

       
    };


     

       
84

       
88

       
 

       
  };


     

       
85

       
89

       
 

       



     

       
86

       

       
-

       
  config = let


     

       
87

       

       
-

       
    localDir = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then


     

       
88

       

       
-

       
                 let


     

       
89

       

       
-

       
                   matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);


     

       
90

       

       
-

       
                 in


     

       
91

       

       
-

       
                   if matched == null then


     

       
92

       

       
-

       
                     throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''


     

       
93

       

       
-

       
                   else


     

       
94

       

       
-

       
                     head matched


     

       
95

       

       
-

       
               else


     

       
96

       

       
-

       
                 null;


     

       
97

       

       
-

       
  in mkIf cfg.enable {


     

       

       
90

       
+

       
  config = mkIf cfg.enable {


     

       

       
91

       
+

       
    assertions = [


     

       

       
92

       
+

       
      { assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null);


     

       

       
93

       
+

       
        message = ''The "inmem" storage expects no services.vault.storagePath nor services.vault.storageConfig'';


     

       

       
94

       
+

       
      }


     

       

       
95

       
+

       
      { assertion = (cfg.storageBackend == "file" -> (cfg.storagePath != null && cfg.storageConfig == null)) && (cfg.storagePath != null -> cfg.storageBackend == "file");


     

       

       
96

       
+

       
        message = ''You must set services.vault.storagePath only when using the "file" backend'';


     

       

       
97

       
+

       
      }


     

       

       
98

       
+

       
    ];


     

       
98

       
99

       
 

       



     

       
99

       
100

       
 

       
    users.extraUsers.vault = {


     

       
100

       
101

       
 

       
      name = "vault";


     
···

       
111

       
112

       
 

       
      after = [ "network.target" ]


     

       
112

       
113

       
 

       
           ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";


     

       
113

       
114

       
 

       



     

       
114

       

       
-

       
      preStart = optionalString (localDir != null) ''


     

       
115

       

       
-

       
        install -d -m0700 -o vault -g vault "${localDir}"


     

       

       
115

       
+

       
      preStart = optionalString (cfg.storagePath != null) ''


     

       

       
116

       
+

       
        install -d -m0700 -o vault -g vault "${cfg.storagePath}"


     

       
116

       
117

       
 

       
      '';


     

       
117

       
118

       
 

       



     

       
118

       
119

       
 

       
      serviceConfig = {


     
···

       
133

       
134

       
 

       
        StartLimitBurst = 3;


     

       
134

       
135

       
 

       
      };


     

       
135

       
136

       
 

       



     

       
136

       

       
-

       
      unitConfig.RequiresMountsFor = optional (localDir != null) localDir;


     

       

       
137

       
+

       
      unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;


     

       
137

       
138

       
 

       
    };


     

       
138

       
139

       
 

       
  };


     

       
139

       
140