Diffstat (limited to 'nixos/modules/services/security/vault.nix')
-rw-r--r-- | nixos/modules/services/security/vault.nix | 50 |
1 files changed, 46 insertions, 4 deletions
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 6a8a3a93327..5a20f6413b1 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -27,6 +27,11 @@ let
 ''}
 ${cfg.extraConfig}
 '';
+
+allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
+
+configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
+
 in
 
 {
@@ -84,7 +89,14 @@ in
 storageConfig = mkOption {
 type = types.nullOr types.lines;
 default = null;
-description = "Storage configuration";
+description = ''
+HCL configuration to insert in the storageBackend section.
+
+Confidential values should not be specified here because this option's
+value is written to the Nix store, which is publicly readable.
+Provide credentials and such in a separate file using
+<xref linkend="opt-services.vault.extraSettingsPaths"/>.
+'';
 };
 
 telemetryConfig = mkOption {
@@ -98,6 +110,36 @@ in
 default = "";
 description = "Extra text appended to <filename>vault.hcl</filename>.";
 };
+
+extraSettingsPaths = mkOption {
+type = types.listOf types.path;
+default = [];
+description = ''
+Configuration files to load besides the immutable one defined by the NixOS module.
+This can be used to avoid putting credentials in the Nix store, which can be read by any user.
+
+Each path can point to a JSON- or HCL-formatted file, or a directory
+to be scanned for files with <literal>.hcl</literal> or
+<literal>.json</literal> extensions.
+
+To upload the confidential file with NixOps, use for example:
+
+<programlisting><![CDATA[
+# https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
+deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
+text = ${"''"}
+storage "postgresql" {
+connection_url = "postgres://''${db.username}:''${db.password}@host.example.com/exampledb?sslmode=verify-ca"
+}
+${"''"};
+user = "vault";
+};
+services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"];
+services.vault.storageBackend = "postgresql";
+users.users.vault.extraGroups = ["keys"];
+]]></programlisting>
+'';
+};
 };
 };
 
@@ -131,10 +173,12 @@ in
 
 restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
+startLimitIntervalSec = 60;
+startLimitBurst = 3;
 
 serviceConfig = {
 User = "vault";
 Group = "vault";
-ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
+ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
 ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
 PrivateDevices = true;
 PrivateTmp = true;
@@ -145,8 +189,6 @@ in
 KillSignal = "SIGINT";
 TimeoutStopSec = "30s";
 Restart = "on-failure";
-StartLimitInterval = "60s";
-StartLimitBurst = 3;
 };
 
 unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;
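Review bot: The `types.listOf types.path` type on extraSettingsPaths also accepts Nix path literals, and a path literal such as `./vault-secrets.hcl` is copied into the world-readable Nix store when it is interpolated into ExecStart, which silently defeats the purpose the description gives for this option. The description should state the constraint explicitly, e.g. `Paths must be given as absolute path strings (as in the example below), not as Nix path literals, which would be copied into the Nix store.` The NixOps example only adds the keys group and no ordering; since `/run/keys` is populated after boot, vault can start before the file exists and, with Restart = "on-failure" and the start limit of 3 in 60s this commit adds in the unit, end up failed until reset by hand, so the example should presumably also order the service after the key's unit (NixOps provides per-key units and keys.target; confirm the exact name against the NixOps manual linked in the listing).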
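Review bot: `escapeShellArgs` in the new ExecStart quotes for a POSIX shell, but ExecStart is parsed by systemd's own quoting rules rather than a shell; the two agree for ordinary absolute paths, but a path containing a single quote or backslash is not guaranteed to round-trip identically (the original `-config ${configFile}` had the same limitation, so this is not a regression). Worth a comment at the definition of configOptions in the first hunk: `# Quoted for systemd's ExecStart parser via escapeShellArgs; keep paths free of quotes and backslashes.` The serviceConfig attrset this hunk edits starts and ends outside the hunk.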