nixos/vault: add option to start in dev mode. (#180114)
* nixos/vault: add option to start in dev mode. This is not only useful for nixos tests i.e. when testing vault agent setups but also when playing around with vault in local setups. In our tests we can now make use of this option to test more vault features. i.e. adding this feature has uncovered the need for a `StateDirectory`. * Update nixos/modules/services/security/vault.nix Co-authored-by: Robert Hensing <roberth@users.noreply.github.com> Co-authored-by: Jonas Chevalier <zimbatm@zimbatm.com> Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
This commit is contained in:
parent
f5522fb775
commit
826c20dcae
@ -7,6 +7,8 @@ let
|
||||
opt = options.services.vault;
|
||||
|
||||
configFile = pkgs.writeText "vault.hcl" ''
|
||||
# vault in dev mode will refuse to start if its configuration sets listener
|
||||
${lib.optionalString (!cfg.dev) ''
|
||||
listener "tcp" {
|
||||
address = "${cfg.address}"
|
||||
${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
|
||||
@ -17,6 +19,7 @@ let
|
||||
''}
|
||||
${cfg.listenerExtraConfig}
|
||||
}
|
||||
''}
|
||||
storage "${cfg.storageBackend}" {
|
||||
${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}
|
||||
${optionalString (cfg.storageConfig != null) cfg.storageConfig}
|
||||
@ -30,8 +33,10 @@ let
|
||||
'';
|
||||
|
||||
allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
|
||||
|
||||
configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
|
||||
configOptions = escapeShellArgs
|
||||
(lib.optional cfg.dev "-dev" ++
|
||||
lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}"
|
||||
++ (concatMap (p: ["-config" p]) allConfigPaths));
|
||||
|
||||
in
|
||||
|
||||
@ -47,6 +52,22 @@ in
|
||||
description = "This option specifies the vault package to use.";
|
||||
};
|
||||
|
||||
dev = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
In this mode, Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.
|
||||
'';
|
||||
};
|
||||
|
||||
devRootTokenID = mkOption {
|
||||
type = types.str;
|
||||
default = false;
|
||||
description = ''
|
||||
Initial root token. This only applies when <option>services.vault.dev</option> is true
|
||||
'';
|
||||
};
|
||||
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
default = "127.0.0.1:8200";
|
||||
@ -186,6 +207,9 @@ in
|
||||
Group = "vault";
|
||||
ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
|
||||
StateDirectory = "vault";
|
||||
# In `dev` mode vault will put its token here
|
||||
Environment = lib.optional (cfg.dev) "HOME=/var/lib/vault";
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "full";
|
||||
|
@ -590,6 +590,7 @@ in {
|
||||
uwsgi = handleTest ./uwsgi.nix {};
|
||||
v2ray = handleTest ./v2ray.nix {};
|
||||
vault = handleTest ./vault.nix {};
|
||||
vault-dev = handleTest ./vault-dev.nix {};
|
||||
vault-postgresql = handleTest ./vault-postgresql.nix {};
|
||||
vaultwarden = handleTest ./vaultwarden.nix {};
|
||||
vector = handleTest ./vector.nix {};
|
||||
|
35
nixos/tests/vault-dev.nix
Normal file
35
nixos/tests/vault-dev.nix
Normal file
@ -0,0 +1,35 @@
|
||||
import ./make-test-python.nix ({ pkgs, ... }:
|
||||
{
|
||||
name = "vault-dev";
|
||||
meta = with pkgs.lib.maintainers; {
|
||||
maintainers = [ lnl7 mic92 ];
|
||||
};
|
||||
nodes.machine = { pkgs, config, ... }: {
|
||||
environment.systemPackages = [ pkgs.vault ];
|
||||
environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
|
||||
environment.variables.VAULT_TOKEN = "phony-secret";
|
||||
|
||||
services.vault = {
|
||||
enable = true;
|
||||
dev = true;
|
||||
devRootTokenID = config.environment.variables.VAULT_TOKEN;
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
import json
|
||||
start_all()
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
machine.wait_for_unit("vault.service")
|
||||
machine.wait_for_open_port(8200)
|
||||
out = machine.succeed("vault status -format=json")
|
||||
print(out)
|
||||
status = json.loads(out)
|
||||
assert status.get("initialized") == True
|
||||
machine.succeed("vault kv put secret/foo bar=baz")
|
||||
out = machine.succeed("vault kv get -format=json secret/foo")
|
||||
print(out)
|
||||
status = json.loads(out)
|
||||
assert status.get("data", {}).get("data", {}).get("bar") == "baz"
|
||||
'';
|
||||
})
|
@ -38,7 +38,7 @@ buildGoModule rec {
|
||||
--prefix PATH ${lib.makeBinPath [ gawk glibc ]}
|
||||
'';
|
||||
|
||||
passthru.tests = { inherit (nixosTests) vault vault-postgresql; };
|
||||
passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev; };
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://www.vaultproject.io/";
|
||||
|
Loading…
Reference in New Issue
Block a user