author | Volth <volth@webmaster.ms> | 2017-06-28 01:15:20 +0000 |
committer | Volth <volth@webmaster.ms> | 2017-06-28 21:16:04 +0000 |
commit | 519f17035fed92f2cf4b8e40544e4d2ec9424fea (patch) | |
tree | 6302612c7b9756e12ffd430f1323e10e29e24771 /nixos/modules/services/security/vault.nix | |
parent | 7330e804567e4cf05c3aac880a0518875f0a5b54 (diff) | |
vault: add unitConfig.RequiresMountsFor to systemd config
Diffstat (limited to 'nixos/modules/services/security/vault.nix')
-rw-r--r-- | nixos/modules/services/security/vault.nix | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 1d93ff21007..5a195271994 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -79,7 +79,18 @@ in
 };
 };
- config = mkIf cfg.enable {
+ config = let
+ localDir = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then
+ let
+ matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);
+ in
+ if matched == null then
+ throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''
+ else
+ head matched
+ else
+ null;
+ in mkIf cfg.enable {
 users.extraUsers.vault = {
 name = "vault";
@@ -96,18 +107,9 @@ in
 after = [ "network.target" ] ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";
- preStart =
- optionalString (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional")
- (let
- matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig);
- path = if matched == null then
- throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`''
- else
- head matched;
- in ''
- [ -d "${path}"] || install -d -m0700 -o vault -g vault "${path}"
- '') +
- ''
+ preStart = optionalString (localDir != null) ''
+ install -d -m0700 -o vault -g vault "${localDir}"
+ '' + ''
 # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client
 if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then
 mkdir -p $(dirname ${cfg.tlsCertFile}) || true
@@ -138,6 +140,8 @@ in
 StartLimitInterval = "60s";
 StartLimitBurst = 3;
 };
+
+ unitConfig.RequiresMountsFor = optional (localDir != null) localDir;
 };
 };
|
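Review bot: `localDir` is recovered by matching `''.*path[ ]*=[ ]*"([^"]+)".*''` against `toString cfg.storageConfig`, so only a double-quoted `path = "..."` assignment separated by plain spaces is recognised; any other spelling the backend itself might accept (tabs, single quotes) ends in the `throw`, and because the leading `.*` is greedy the last such assignment wins when several are present. None of this is stated at the binding, and it is now also what decides the mount dependency added later in the commit, so a comment would save the next reader a trip through the regex, e.g. `# data directory of the file/file_transactional backends, recovered from storageConfig; only a double-quoted path = "..." assignment is recognised, last one wins`. The `config` attribute this `let` introduces continues past the end of the hunk.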
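Review bot: The new `preStart` runs `install -d -m0700 -o vault -g vault "${localDir}"` unconditionally, whereas the removed code intended to create the directory only when absent (its `[ -d "${path}"]` test was broken by the missing space before `]`, so in practice it also always ran `install`), and the commit message does not say the reset is deliberate. Re-applying 0700 vault:vault on every start is fine for the intended data directory, but a mistyped `path` in `storageConfig` that names an existing directory is silently chowned to vault, and the `-o`/`-g` flags presumably depend on preStart running as root, which this hunk does not show. If the reset is intended, say so with a comment such as `# always re-assert 0700 vault:vault on the data directory`; otherwise guard it with `if [ ! -d "${localDir}" ]; then install -d -m0700 -o vault -g vault "${localDir}"; fi`. The preStart string and the enclosing service definition continue past the hunk.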
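Review bot: `unitConfig.RequiresMountsFor = optional (localDir != null) localDir;` passes the extracted path through without escaping, and since the regex's `[^"]+` admits whitespace while systemd reads `RequiresMountsFor` as a space-separated list, a data directory with a space in its name would presumably be split into several mount paths rather than rejected; either escape it with systemd's quoting rules or extend the `throw` branch in the first hunk to refuse such paths. The TLS certificate and key that preStart writes under `$(dirname ${cfg.tlsCertFile})` get no equivalent ordering; if those files may live on a separate mount the same dependency likely applies to them, though whether that matters in practice is not visible here. The systemd service definition this attribute belongs to starts outside the hunk.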