authorVolth <volth@webmaster.ms>2017-06-28 22:08:36 +0000
committerVolth <volth@webmaster.ms>2017-06-28 22:22:53 +0000
commit2056c7e39548a1106b2f0101fdfd3fb8b7510479 (patch)
treeef4a29efab7b75e50af865e401b8c89ae3039193 /nixos/modules/services/security/vault.nix
parent519f17035fed92f2cf4b8e40544e4d2ec9424fea (diff)
removed generation of self-signed certificate
Diffstat (limited to 'nixos/modules/services/security/vault.nix')
-rw-r--r--nixos/modules/services/security/vault.nix32
1 files changed, 12 insertions, 20 deletions
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 5a195271994..91d5810195a 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -7,8 +7,12 @@ let
   configFile = pkgs.writeText "vault.hcl" ''
     listener "tcp" {
       address = "${cfg.address}"
-      tls_cert_file = "${cfg.tlsCertFile}"
-      tls_key_file = "${cfg.tlsKeyFile}"
+      ${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
+          tls_disable = "true"
+        '' else ''
+          tls_cert_file = "${cfg.tlsCertFile}"
+          tls_key_file = "${cfg.tlsKeyFile}"
+        ''}
       ${cfg.listenerExtraConfig}
     }
     storage "${cfg.storageBackend}" {
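Review bot: When exactly one of tlsCertFile and tlsKeyFile is set, the `${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null)` branch silently emits `tls_disable = "true"`, so a half-configured deployment comes up serving plaintext instead of failing at evaluation time. An assertion in the module's config section would turn that misconfiguration into an error: `assertions = [ { assertion = (cfg.tlsCertFile == null) == (cfg.tlsKeyFile == null); message = "services.vault: tlsCertFile and tlsKeyFile must both be set or both be null"; } ];`. Since both options now default to null, a short comment above the conditional such as `# TLS is off unless both tlsCertFile and tlsKeyFile are set` would make the plaintext-by-default behaviour visible to whoever reads the listener block next. The enclosing `let` and the configFile string both continue outside the hunk.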
@@ -35,17 +39,17 @@ in
       };
 
       tlsCertFile = mkOption {
-        type = types.str;
-        default = "/etc/vault/cert.pem";
+        type = types.nullOr types.str;
+        default = null;
         example = "/path/to/your/cert.pem";
-        description = "TLS certificate file. A self-signed certificate will be generated if file not exists";
+        description = "TLS certificate file. TLS will be disabled unless this option is set";
       };
 
       tlsKeyFile = mkOption {
-        type = types.str;
-        default = "/etc/vault/key.pem";
+        type = types.nullOr types.str;
+        default = null;
         example = "/path/to/your/key.pem";
-        description = "TLS private key file. A self-signed certificate will be generated if file not exists";
+        description = "TLS private key file. TLS will be disabled unless this option is set";
       };
 
       listenerExtraConfig = mkOption {
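Review bot: The new descriptions on tlsCertFile and tlsKeyFile each say TLS is disabled unless "this option" is set, but the listener block disables TLS when either value is null, so setting only one of them has no effect and the description does not say so. Suggest stating the dependency in both, e.g. `description = "TLS certificate file. TLS is disabled unless both tlsCertFile and tlsKeyFile are set";` and the matching wording for the key option. Because the defaults are now null, it is also worth saying explicitly that the listener is unencrypted by default. The options attribute set continues outside the hunk.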
@@ -109,18 +113,6 @@ in
 
       preStart = optionalString (localDir != null) ''
         install -d -m0700 -o vault -g vault "${localDir}"
-      '' + ''
-        # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client
-        if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then
-          mkdir -p $(dirname ${cfg.tlsCertFile}) || true
-          mkdir -p $(dirname ${cfg.tlsKeyFile }) || true
-          ${pkgs.openssl.bin}/bin/openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 99999 \
-            -subj /C=US/ST=NY/L=NYC/O=vault/CN=${cfg.address} \
-            -keyout ${cfg.tlsKeyFile} -out ${cfg.tlsCertFile}
-
-          chown root:vault ${cfg.tlsKeyFile} ${cfg.tlsCertFile}
-          chmod 440 ${cfg.tlsKeyFile} ${cfg.tlsCertFile}
-        fi
       '';
 
       serviceConfig = {