authorRobert Hensing <robert@roberthensing.nl>2021-01-04 16:28:16 +0100
committerRobert Hensing <robert@roberthensing.nl>2021-01-04 19:00:30 +0100
commitb413e7fd2a4ece5d23b78cc04ec19378ee11ceba (patch)
treea48ff0a02286218e8e29432e5fcaff53bba98b42 /nixos/modules/services/security/vault.nix
parent1eabc4cff1bc5e3d7ce536e266ddd6223352965d (diff)
nixos/vault: Allow multiple config files
Diffstat (limited to 'nixos/modules/services/security/vault.nix')
-rw-r--r--nixos/modules/services/security/vault.nix46
1 files changed, 44 insertions, 2 deletions
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 64622454b9d..c2b714d7c26 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -27,6 +27,11 @@ let
       ''}
     ${cfg.extraConfig}
   '';
+
+  allConfigPaths = [configFile] ++ cfg.extraConfigPaths;
+
+  configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
+
 in
 
 {
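Review bot: The quoting applied in `configOptions` (L34) is POSIX-shell quoting from `escapeShellArgs`, but its only consumer is the systemd `ExecStart` line in the last hunk (L97), which systemd parses with its own quoting rules rather than through a shell; the two agree for store paths and plain absolute paths, which is all this module expects, but the choice deserves a comment. The order of `allConfigPaths` (L32) also matters to how Vault merges the files and is left unexplained. I would add above L32: `# The module-generated file comes first; operator-supplied extraConfigPaths are parsed after it, presumably so their values take precedence.` and above L34: `# Shell-style quoting is used because ExecStart accepts it for the plain paths expected here; it is not run through a shell.` The enclosing `let` starts outside this hunk, so whether `escapeShellArgs` and `concatMap` are in scope (e.g. via `with lib;`) cannot be confirmed from the diff.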
@@ -84,7 +89,14 @@ in
       storageConfig = mkOption {
         type = types.nullOr types.lines;
         default = null;
-        description = "Storage configuration";
+        description = ''
+          HCL configuration to insert in the storageBackend section.
+
+          Confidential values should not be specified here because this option's
+          value is written to the Nix store, which is publicly readable.
+          Provide credentials and such in a separate file using
+          <xref linkend="opt-services.vault.extraConfigPaths"/>.
+        '';
       };
 
       telemetryConfig = mkOption {
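Review bot: The Nix-store warning added to `storageConfig` (L47–L50) applies just as much to the other free-text options of this module — `extraConfig`, whose description at L57 in the next hunk still says only "Extra text appended to vault.hcl", and presumably `telemetryConfig` and the listener options — because all of them are rendered into the same store-resident `vault.hcl`. A reader who only looks at `extraConfig` gets no hint that credentials placed there become world-readable. I would repeat the caveat there: `Confidential values should not be placed here; this text is written to the Nix store. Use <xref linkend="opt-services.vault.extraConfigPaths"/> instead.`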
@@ -98,6 +110,36 @@ in
         default = "";
         description = "Extra text appended to <filename>vault.hcl</filename>.";
       };
+
+      extraConfigPaths = mkOption {
+        type = types.listOf types.path;
+        default = [];
+        description = ''
+          Configuration files to load besides the immutable one defined by the NixOS module.
+          This can be used to avoid putting credentials in the Nix store, which can be read by any user.
+
+          Each path can point to a JSON- or HCL-formatted file, or a directory
+          to be scanned for files with <literal>.hcl</literal> or
+          <literal>.json</literal> extensions.
+
+          To upload the confidential file with NixOps, use for example:
+
+          <programlisting><![CDATA[
+          # https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
+          deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
+            text = ${"''"}
+              storage "postgresql" {
+                connection_url = "postgres://''${db.username}:''${db.password}@host.example.com/exampledb?sslmode=verify-ca"
+              }
+            ${"''"};
+            user = "vault";
+          };
+          services.vault.extraConfigPaths = ["/run/keys/vault.hcl"];
+          services.vault.storageBackend = "postgresql";
+          users.users.vault.extraGroups = ["keys"];
+          ]]></programlisting>
+        '';
+      };
     };
   };
 
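Review bot: `types.path` (L61) accepts Nix path literals as well as strings, and a path literal such as `./vault-secrets.hcl` is copied into the Nix store at evaluation time — exactly what the description at L64–L65 says this option exists to avoid — whereas a string like `"/run/keys/vault.hcl"` is passed through untouched. The description should state that distinction, e.g. `Specify these as strings (absolute paths), not as path literals: a path literal is copied into the world-readable Nix store when the configuration is evaluated.` The example also does not order the vault unit after the key has been uploaded; as far as I recall NixOps provides a per-key unit and a `keys.target` for this, and one sentence pointing operators at an `after`/`wants` dependency on it would avoid a start-up race on first deploy. Since the service runs as `User = "vault"` (L94, last hunk), it is worth saying that each listed file must be readable by that user, which the example's `user = "vault";` together with the `keys` group takes care of.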
@@ -136,7 +178,7 @@ in
       serviceConfig = {
         User = "vault";
         Group = "vault";
-        ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
+        ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
         ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
         PrivateDevices = true;
         PrivateTmp = true;
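Review bot: The files named in `cfg.extraConfigPaths` are referenced only by path in `ExecStart` (L97); their contents are not part of the generated unit, so editing one of them changes nothing that NixOS activation notices and the operator has to restart the service themselves (`ExecReload` on L98 sends SIGHUP, which as far as I know only reloads a subset of Vault's settings). That deserves a comment above `ExecStart`, e.g. `# extraConfigPaths are read by vault at start-up; their contents are not tracked by this unit, so changing them does not trigger a restart on activation.` The `serviceConfig` attribute set starts and ends outside this hunk.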