author | Robert Hensing <robert@roberthensing.nl> | 2021-01-04 17:54:03 +0100 |
---|---|---|
committer | Robert Hensing <robert@roberthensing.nl> | 2021-01-04 19:00:30 +0100 |
commit | 653f18b48fa6bd6b3e51a05c8ca0d93042c19785 (patch) | |
tree | dd72483d92f9c581c3808d9b98df0d7d6f27f1f1 /nixos/tests/vault-postgresql.nix | |
parent | b413e7fd2a4ece5d23b78cc04ec19378ee11ceba (diff) | |
nixosTests.vault-postgresql: init
Diffstat (limited to 'nixos/tests/vault-postgresql.nix')
-rw-r--r-- | nixos/tests/vault-postgresql.nix | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/nixos/tests/vault-postgresql.nix b/nixos/tests/vault-postgresql.nix
new file mode 100644
index 00000000000..185a9515d61
--- /dev/null
+++ b/nixos/tests/vault-postgresql.nix
@@ -0,0 +1,70 @@
+/* This test checks that
+ - multiple config files can be loaded
+ - the storage backend can be in a file outside the nix store
+ as is required for security (required because while confidentiality is
+ always covered, availability isn't)
+ - the postgres integration works
+ */
+import ./make-test-python.nix ({ pkgs, ... }:
+{
+ name = "vault-postgresql";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ lnl7 roberth ];
+ };
+ machine = { lib, pkgs, ... }: {
+ virtualisation.memorySize = 512;
+ environment.systemPackages = [ pkgs.vault ];
+ environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
+ services.vault.enable = true;
+ services.vault.extraConfigPaths = [ "/run/vault.hcl" ];
+
+ systemd.services.vault = {
+ after = [
+ "postgresql.service"
+ ];
+ # Try for about 10 minutes rather than the default of 5 attempts.
+ serviceConfig.RestartSec = 1;
+ serviceConfig.StartLimitBurst = 600;
+ };
+ # systemd.services.vault.unitConfig.RequiresMountsFor = "/run/keys/";
+
+ services.postgresql.enable = true;
+ services.postgresql.initialScript = pkgs.writeText "init.psql" ''
+ CREATE USER vaultuser WITH ENCRYPTED PASSWORD 'thisisthepass';
+ GRANT CONNECT ON DATABASE postgres TO vaultuser;
+
+ -- https://www.vaultproject.io/docs/configuration/storage/postgresql
+ CREATE TABLE vault_kv_store (
+ parent_path TEXT COLLATE "C" NOT NULL,
+ path TEXT COLLATE "C",
+ key TEXT COLLATE "C",
+ value BYTEA,
+ CONSTRAINT pkey PRIMARY KEY (path, key)
+ );
+ CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
+
+ GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO vaultuser;
+ '';
+ };
+
+ testScript =
+ ''
+ secretConfig = """
+ storage "postgresql" {
+ connection_url = "postgres://vaultuser:thisisthepass@localhost/postgres?sslmode=disable"
+ }
+ """
+
+ start_all()
+
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("cat >/root/vault.hcl <<EOF\n%s\nEOF\n" % secretConfig)
+ machine.succeed(
+ "install --owner vault --mode 0400 /root/vault.hcl /run/vault.hcl; rm /root/vault.hcl"
+ )
+ machine.wait_for_unit("vault.service")
+ machine.wait_for_open_port(8200)
+ machine.succeed("vault operator init")
+ machine.succeed("vault status | grep Sealed | grep true")
+ '';
+}) |
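Review bot: The assertions at the end of testScript only show that vault.service comes up and reports Sealed after `vault operator init`; nothing confirms that the init data was actually persisted through the postgres backend, which the header comment names as the third thing under test. A direct check after the init call, along the lines of `machine.succeed("sudo -u postgres psql -tAc 'SELECT count(*) FROM vault_kv_store' | grep -qv '^0$'")`, would pin that down (init should leave at least the seal/barrier entries in the table, but confirm against the vault version the test runs). Two smaller points in the same hunk: `sslmode=disable` and the schema-wide `GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public` are reasonable for a single-host VM but deserve a one-line comment such as `# sslmode=disable: postgres is local to the VM; real deployments should require TLS`, and the grant could be narrowed to `ON vault_kv_store`, so the file is not copied verbatim as a deployment template. Finally, `install ... /run/vault.hcl; rm /root/vault.hcl` would be safer as `&&`, so a failed install does not delete the only copy of the config before the failure is reported.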