authorVolth <volth@webmaster.ms>2017-06-28 01:15:20 +0000
committerVolth <volth@webmaster.ms>2017-06-28 21:16:04 +0000
commit519f17035fed92f2cf4b8e40544e4d2ec9424fea (patch)
tree6302612c7b9756e12ffd430f1323e10e29e24771 /nixos/modules/services/security/vault.nix
parent7330e804567e4cf05c3aac880a0518875f0a5b54 (diff)
vault: add unitConfig.RequiresMountsFor to systemd config
Diffstat (limited to 'nixos/modules/services/security/vault.nix')
-rw-r--r--nixos/modules/services/security/vault.nix30
1 files changed, 17 insertions, 13 deletions
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 1d93ff21007..5a195271994 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -79,7 +79,18 @@ in
     };
   };
 
-  config = mkIf cfg.enable {
+  config = let
+    localDir = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then
+                 let
+                   matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);
+                 in
+                   if matched == null then
+                     throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''
+                   else
+                     head matched
+               else
+                 null;
+  in mkIf cfg.enable {
 
     users.extraUsers.vault = {
       name = "vault";
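Review bot: `localDir` is taken verbatim from the first double-quoted value following any key that ends in `path`, with no check that it is an absolute path, and it then feeds both the `install -d` in `preStart` and the `unitConfig.RequiresMountsFor` assignment further down (that hunk runs past this view), which systemd documents as accepting absolute paths only. A cheap guard in the `else` branch would turn a relative value into a clear evaluation error instead of a runtime surprise: `else if hasPrefix "/" (head matched) then head matched else throw ''`storageConfig` path for "${cfg.storageBackend}" must be absolute''`. The `.*path[ ]*=` prefix is also not anchored at a key boundary, so a future key such as `foo_path` would match first; this is harmless while `path` is the file backend's only key, but the intent deserves a comment above the binding, e.g. `# Extract the file backend's path = "..." setting from storageConfig; used to pre-create the directory and as a mount dependency.`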
@@ -96,18 +107,9 @@ in
       after = [ "network.target" ]
            ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";
 
-      preStart =
-        optionalString (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional")
-          (let
-            matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);
-            path = if matched == null then
-                     throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''
-                   else
-                     head matched;
-          in ''
-            [ -d "${path}"] || install -d -m0700 -o vault -g vault "${path}"
-          '') +
-      ''
+      preStart = optionalString (localDir != null) ''
+        install -d -m0700 -o vault -g vault "${localDir}"
+      '' + ''
         # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client
         if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then
           mkdir -p $(dirname ${cfg.tlsCertFile}) || true
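Review bot: On the `install -d` line `localDir` is interpolated directly into a double-quoted shell string, where `$`, backquote and backslash are still expanded by the shell; since the value is the product of a regex match rather than a validated option, `install -d -m0700 -o vault -g vault ${escapeShellArg localDir}` (if `escapeShellArg` is available in this revision of lib) would be the safer form. Removing the old `[ -d ... ] ||` guard also means `install -d` now runs against an already existing directory on every start; whether that re-applies owner and mode to a pre-existing directory such as a mount point should be confirmed for the coreutils version in use, and a one-line comment stating the intent (`# ensure the file backend directory exists and is private to the vault user`) would make that decision explicit. The `preStart` string continues beyond the end of this hunk.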
@@ -138,6 +140,8 @@ in
         StartLimitInterval = "60s";
         StartLimitBurst = 3;
       };
+
+      unitConfig.RequiresMountsFor = optional (localDir != null) localDir;
     };
   };