+4

nixos/doc/manual/release-notes/rl-2305.section.md

··· 85 85 86 86 - [keyd](https://github.com/rvaiya/keyd), a key remapping daemon for linux. Available as [services.keyd](#opt-services.keyd.enable). 87 87 88 88 + - [consul-template](https://github.com/hashicorp/consul-template/), a template rendering, notifier, and supervisor for HashiCorp Consul and Vault data. Available as [services.consul-template](#opt-services.consul-template.instances). 89 89 + 90 90 + - [vault-agent](https://developer.hashicorp.com/vault/docs/agent), a template rendering and API auth proxy for HashiCorp Vault, similar to `consul-template`. Available as [services.vault-agent](#opt-services.vault-agent.instances). 91 91 + 88 92 - [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable). 89 93 90 94 - [wstunnel](https://github.com/erebe/wstunnel), a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Instances may be configured via [services.wstunnel](options.html#opt-services.wstunnel.enable).

+1

nixos/modules/module-list.nix

··· 1106 1106 ./services/security/torsocks.nix 1107 1107 ./services/security/usbguard.nix 1108 1108 ./services/security/vault.nix 1109 1109 + ./services/security/vault-agent.nix 1109 1110 ./services/security/vaultwarden/default.nix 1110 1111 ./services/security/yubikey-agent.nix 1111 1112 ./services/system/automatic-timezoned.nix

+128

nixos/modules/services/security/vault-agent.nix

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + 3 3 + with lib; 4 4 + 5 5 + let 6 6 + format = pkgs.formats.json { }; 7 7 + commonOptions = { pkgName, flavour ? pkgName }: mkOption { 8 8 + default = { }; 9 9 + description = mdDoc '' 10 10 + Attribute set of ${flavour} instances. 11 11 + Creates independent `${flavour}-''${name}.service` systemd units for each instance defined here. 12 12 + ''; 13 13 + type = with types; attrsOf (submodule ({ name, ... }: { 14 14 + options = { 15 15 + enable = mkEnableOption (mdDoc "this ${flavour} instance") // { default = true; }; 16 16 + 17 17 + package = mkPackageOptionMD pkgs pkgName { }; 18 18 + 19 19 + user = mkOption { 20 20 + type = types.str; 21 21 + default = "root"; 22 22 + description = mdDoc '' 23 23 + User under which this instance runs. 24 24 + ''; 25 25 + }; 26 26 + 27 27 + group = mkOption { 28 28 + type = types.str; 29 29 + default = "root"; 30 30 + description = mdDoc '' 31 31 + Group under which this instance runs. 32 32 + ''; 33 33 + }; 34 34 + 35 35 + settings = mkOption { 36 36 + type = types.submodule { 37 37 + freeformType = format.type; 38 38 + 39 39 + options = { 40 40 + pid_file = mkOption { 41 41 + default = "/run/${flavour}/${name}.pid"; 42 42 + type = types.str; 43 43 + description = mdDoc '' 44 44 + Path to use for the pid file. 45 45 + ''; 46 46 + }; 47 47 + 48 48 + template = mkOption { 49 49 + default = [ ]; 50 50 + type = with types; listOf (attrsOf anything); 51 51 + description = 52 52 + let upstreamDocs = 53 53 + if flavour == "vault-agent" 54 54 + then "https://developer.hashicorp.com/vault/docs/agent/template" 55 55 + else "https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#templates"; 56 56 + in 57 57 + mdDoc '' 58 58 + Template section of ${flavour}. 59 59 + Refer to <${upstreamDocs}> for supported values. 60 60 + ''; 61 61 + }; 62 62 + }; 63 63 + }; 64 64 + 65 65 + default = { }; 66 66 + 67 67 + description = 68 68 + let upstreamDocs = 69 69 + if flavour == "vault-agent" 70 70 + then "https://developer.hashicorp.com/vault/docs/agent#configuration-file-options" 71 71 + else "https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#configuration-file"; 72 72 + in 73 73 + mdDoc '' 74 74 + Free-form settings written directly to the `config.json` file. 75 75 + Refer to <${upstreamDocs}> for supported values. 76 76 + 77 77 + ::: {.note} 78 78 + Resulting format is JSON not HCL. 79 79 + Refer to <https://www.hcl2json.com/> if you are unsure how to convert HCL options to JSON. 80 80 + ::: 81 81 + ''; 82 82 + }; 83 83 + }; 84 84 + })); 85 85 + }; 86 86 + 87 87 + createAgentInstance = { instance, name, flavour }: 88 88 + let 89 89 + configFile = format.generate "${name}.json" instance.settings; 90 90 + in 91 91 + mkIf (instance.enable) { 92 92 + description = "${flavour} daemon - ${name}"; 93 93 + wantedBy = [ "multi-user.target" ]; 94 94 + after = [ "network.target" ]; 95 95 + path = [ pkgs.getent ]; 96 96 + startLimitIntervalSec = 60; 97 97 + startLimitBurst = 3; 98 98 + serviceConfig = { 99 99 + User = instance.user; 100 100 + Group = instance.group; 101 101 + RuntimeDirectory = flavour; 102 102 + ExecStart = "${getExe instance.package} ${optionalString ((getName instance.package) == "vault") "agent"} -config ${configFile}"; 103 103 + ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; 104 104 + KillSignal = "SIGINT"; 105 105 + TimeoutStopSec = "30s"; 106 106 + Restart = "on-failure"; 107 107 + }; 108 108 + }; 109 109 + in 110 110 + { 111 111 + options = { 112 112 + services.consul-template.instances = commonOptions { pkgName = "consul-template"; }; 113 113 + services.vault-agent.instances = commonOptions { pkgName = "vault"; flavour = "vault-agent"; }; 114 114 + }; 115 115 + 116 116 + config = mkMerge (map 117 117 + (flavour: 118 118 + let cfg = config.services.${flavour}; in 119 119 + mkIf (cfg.instances != { }) { 120 120 + systemd.services = mapAttrs' 121 121 + (name: instance: nameValuePair "${flavour}-${name}" (createAgentInstance { inherit name instance flavour; })) 122 122 + cfg.instances; 123 123 + }) 124 124 + [ "consul-template" "vault-agent" ]); 125 125 + 126 126 + meta.maintainers = with maintainers; [ indeednotjames tcheronneau ]; 127 127 + } 128 128 +