services-vault: make package configurable and add extraConfig option

2018-08-09 23:22:53 +02:00 · 2018-08-09 23:22:53 +02:00 · d113c02563
commit d113c02563
parent 3dbdc64abd
1 changed files with 18 additions and 4 deletions
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:

 with lib;
+
 let
  cfg = config.services.vault;

@ -24,15 +25,22 @@ let
          ${cfg.telemetryConfig}
        }
      ''}
+    ${cfg.extraConfig}
  '';
 in
+
 {
  options = {
-
    services.vault = {
-
      enable = mkEnableOption "Vault daemon";

+      package = mkOption {
+        type = types.package;
+        default = pkgs.vault;
+        defaultText = "pkgs.vault";
+        description = "This option specifies the vault package to use.";
+      };
+
      address = mkOption {
        type = types.str;
        default = "127.0.0.1:8200";
@ -58,7 +66,7 @@ in
        default = ''
          tls_min_version = "tls12"
        '';
-        description = "extra configuration";
+        description = "Extra text appended to the listener section.";
      };

      storageBackend = mkOption {
@ -84,6 +92,12 @@ in
        default = "";
        description = "Telemetry configuration";
      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = "Extra text appended to <filename>vault.hcl</filename>.";
+      };
    };
  };

@ -122,7 +136,7 @@ in
        User = "vault";
        Group = "vault";
        PermissionsStartOnly = true;
-        ExecStart = "${pkgs.vault}/bin/vault server -config ${configFile}";
+        ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectSystem = "full";