nixos/vault: add option to start in dev mode. (#180114)

* nixos/vault: add option to start in dev mode.

This is not only useful for nixos tests i.e. when testing vault agent
setups but also when playing around with vault in local setups. In our
tests we can now make use of this option to test more vault features.
i.e. adding this feature has uncovered the need for a `StateDirectory`.

* Update nixos/modules/services/security/vault.nix

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>

Co-authored-by: Jonas Chevalier <zimbatm@zimbatm.com>
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
This commit is contained in:
Jörg Thalheim 2022-07-05 10:54:11 +02:00 committed by GitHub
parent f5522fb775
commit 826c20dcae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 63 additions and 3 deletions

View File

@ -7,6 +7,8 @@ let
opt = options.services.vault;
configFile = pkgs.writeText "vault.hcl" ''
# vault in dev mode will refuse to start if its configuration sets listener
${lib.optionalString (!cfg.dev) ''
listener "tcp" {
address = "${cfg.address}"
${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
@ -17,6 +19,7 @@ let
''}
${cfg.listenerExtraConfig}
}
''}
storage "${cfg.storageBackend}" {
${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}
${optionalString (cfg.storageConfig != null) cfg.storageConfig}
@ -30,8 +33,10 @@ let
'';
allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
configOptions = escapeShellArgs
(lib.optional cfg.dev "-dev" ++
lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}"
++ (concatMap (p: ["-config" p]) allConfigPaths));
in
@ -47,6 +52,22 @@ in
description = "This option specifies the vault package to use.";
};
dev = mkOption {
type = types.bool;
default = false;
description = ''
In this mode, Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.
'';
};
devRootTokenID = mkOption {
type = types.str;
default = false;
description = ''
Initial root token. This only applies when <option>services.vault.dev</option> is true
'';
};
address = mkOption {
type = types.str;
default = "127.0.0.1:8200";
@ -186,6 +207,9 @@ in
Group = "vault";
ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
StateDirectory = "vault";
# In `dev` mode vault will put its token here
Environment = lib.optional (cfg.dev) "HOME=/var/lib/vault";
PrivateDevices = true;
PrivateTmp = true;
ProtectSystem = "full";

View File

@ -590,6 +590,7 @@ in {
uwsgi = handleTest ./uwsgi.nix {};
v2ray = handleTest ./v2ray.nix {};
vault = handleTest ./vault.nix {};
vault-dev = handleTest ./vault-dev.nix {};
vault-postgresql = handleTest ./vault-postgresql.nix {};
vaultwarden = handleTest ./vaultwarden.nix {};
vector = handleTest ./vector.nix {};

35
nixos/tests/vault-dev.nix Normal file
View File

@ -0,0 +1,35 @@
import ./make-test-python.nix ({ pkgs, ... }:
{
name = "vault-dev";
meta = with pkgs.lib.maintainers; {
maintainers = [ lnl7 mic92 ];
};
nodes.machine = { pkgs, config, ... }: {
environment.systemPackages = [ pkgs.vault ];
environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
environment.variables.VAULT_TOKEN = "phony-secret";
services.vault = {
enable = true;
dev = true;
devRootTokenID = config.environment.variables.VAULT_TOKEN;
};
};
testScript = ''
import json
start_all()
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("vault.service")
machine.wait_for_open_port(8200)
out = machine.succeed("vault status -format=json")
print(out)
status = json.loads(out)
assert status.get("initialized") == True
machine.succeed("vault kv put secret/foo bar=baz")
out = machine.succeed("vault kv get -format=json secret/foo")
print(out)
status = json.loads(out)
assert status.get("data", {}).get("data", {}).get("bar") == "baz"
'';
})

View File

@ -38,7 +38,7 @@ buildGoModule rec {
--prefix PATH ${lib.makeBinPath [ gawk glibc ]}
'';
passthru.tests = { inherit (nixosTests) vault vault-postgresql; };
passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev; };
meta = with lib; {
homepage = "https://www.vaultproject.io/";