Merge pull request #108411 from hercules-ci/vault-multiple-config-files
vault: Support multiple config files (no secrets in store)
This commit is contained in:
commit
530df49d7a
@ -27,6 +27,11 @@ let
|
||||
''}
|
||||
${cfg.extraConfig}
|
||||
'';
|
||||
|
||||
allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
|
||||
|
||||
configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
@ -84,7 +89,14 @@ in
|
||||
storageConfig = mkOption {
|
||||
type = types.nullOr types.lines;
|
||||
default = null;
|
||||
description = "Storage configuration";
|
||||
description = ''
|
||||
HCL configuration to insert in the storageBackend section.
|
||||
|
||||
Confidential values should not be specified here because this option's
|
||||
value is written to the Nix store, which is publicly readable.
|
||||
Provide credentials and such in a separate file using
|
||||
<xref linkend="opt-services.vault.extraSettingsPaths"/>.
|
||||
'';
|
||||
};
|
||||
|
||||
telemetryConfig = mkOption {
|
||||
@ -98,6 +110,36 @@ in
|
||||
default = "";
|
||||
description = "Extra text appended to <filename>vault.hcl</filename>.";
|
||||
};
|
||||
|
||||
extraSettingsPaths = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [];
|
||||
description = ''
|
||||
Configuration files to load besides the immutable one defined by the NixOS module.
|
||||
This can be used to avoid putting credentials in the Nix store, which can be read by any user.
|
||||
|
||||
Each path can point to a JSON- or HCL-formatted file, or a directory
|
||||
to be scanned for files with <literal>.hcl</literal> or
|
||||
<literal>.json</literal> extensions.
|
||||
|
||||
To upload the confidential file with NixOps, use for example:
|
||||
|
||||
<programlisting><![CDATA[
|
||||
# https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
|
||||
deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
|
||||
text = ${"''"}
|
||||
storage "postgresql" {
|
||||
connection_url = "postgres://''${db.username}:''${db.password}@host.example.com/exampledb?sslmode=verify-ca"
|
||||
}
|
||||
${"''"};
|
||||
user = "vault";
|
||||
};
|
||||
services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"];
|
||||
services.vault.storageBackend = "postgresql";
|
||||
users.users.vault.extraGroups = ["keys"];
|
||||
]]></programlisting>
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -136,7 +178,7 @@ in
|
||||
serviceConfig = {
|
||||
User = "vault";
|
||||
Group = "vault";
|
||||
ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
|
||||
ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
|
@ -407,6 +407,7 @@ in
|
||||
uwsgi = handleTest ./uwsgi.nix {};
|
||||
v2ray = handleTest ./v2ray.nix {};
|
||||
vault = handleTest ./vault.nix {};
|
||||
vault-postgresql = handleTest ./vault-postgresql.nix {};
|
||||
vector = handleTest ./vector.nix {};
|
||||
victoriametrics = handleTest ./victoriametrics.nix {};
|
||||
virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
|
||||
|
70
nixos/tests/vault-postgresql.nix
Normal file
70
nixos/tests/vault-postgresql.nix
Normal file
@ -0,0 +1,70 @@
|
||||
/* This test checks that
|
||||
- multiple config files can be loaded
|
||||
- the storage backend can be in a file outside the nix store
|
||||
as is required for security (required because while confidentiality is
|
||||
always covered, availability isn't)
|
||||
- the postgres integration works
|
||||
*/
|
||||
import ./make-test-python.nix ({ pkgs, ... }:
|
||||
{
|
||||
name = "vault-postgresql";
|
||||
meta = with pkgs.stdenv.lib.maintainers; {
|
||||
maintainers = [ lnl7 roberth ];
|
||||
};
|
||||
machine = { lib, pkgs, ... }: {
|
||||
virtualisation.memorySize = 512;
|
||||
environment.systemPackages = [ pkgs.vault ];
|
||||
environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
|
||||
services.vault.enable = true;
|
||||
services.vault.extraSettingsPaths = [ "/run/vault.hcl" ];
|
||||
|
||||
systemd.services.vault = {
|
||||
after = [
|
||||
"postgresql.service"
|
||||
];
|
||||
# Try for about 10 minutes rather than the default of 5 attempts.
|
||||
serviceConfig.RestartSec = 1;
|
||||
serviceConfig.StartLimitBurst = 600;
|
||||
};
|
||||
# systemd.services.vault.unitConfig.RequiresMountsFor = "/run/keys/";
|
||||
|
||||
services.postgresql.enable = true;
|
||||
services.postgresql.initialScript = pkgs.writeText "init.psql" ''
|
||||
CREATE USER vaultuser WITH ENCRYPTED PASSWORD 'thisisthepass';
|
||||
GRANT CONNECT ON DATABASE postgres TO vaultuser;
|
||||
|
||||
-- https://www.vaultproject.io/docs/configuration/storage/postgresql
|
||||
CREATE TABLE vault_kv_store (
|
||||
parent_path TEXT COLLATE "C" NOT NULL,
|
||||
path TEXT COLLATE "C",
|
||||
key TEXT COLLATE "C",
|
||||
value BYTEA,
|
||||
CONSTRAINT pkey PRIMARY KEY (path, key)
|
||||
);
|
||||
CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
|
||||
|
||||
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO vaultuser;
|
||||
'';
|
||||
};
|
||||
|
||||
testScript =
|
||||
''
|
||||
secretConfig = """
|
||||
storage "postgresql" {
|
||||
connection_url = "postgres://vaultuser:thisisthepass@localhost/postgres?sslmode=disable"
|
||||
}
|
||||
"""
|
||||
|
||||
start_all()
|
||||
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
machine.succeed("cat >/root/vault.hcl <<EOF\n%s\nEOF\n" % secretConfig)
|
||||
machine.succeed(
|
||||
"install --owner vault --mode 0400 /root/vault.hcl /run/vault.hcl; rm /root/vault.hcl"
|
||||
)
|
||||
machine.wait_for_unit("vault.service")
|
||||
machine.wait_for_open_port(8200)
|
||||
machine.succeed("vault operator init")
|
||||
machine.succeed("vault status | grep Sealed | grep true")
|
||||
'';
|
||||
})
|
@ -8,6 +8,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
|
||||
environment.systemPackages = [ pkgs.vault ];
|
||||
environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
|
||||
services.vault.enable = true;
|
||||
virtualisation.memorySize = 512;
|
||||
};
|
||||
|
||||
testScript =
|
||||
|
Loading…
Reference in New Issue
Block a user