
Merge pull request #26907 from volth/vault

vault: 0.6.5 -> 0.7.3 with service

authored by Charles Strahan and committed by GitHub c79e0b2b 451b23be

+166 -12
+2
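--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -139,6 +139,7 @@
     btsync = 113;
     minecraft = 114;
     #monetdb = 115; # unused (not packaged), removed 2016-09-19
+    vault = 115;
     rippled = 116;
     murmur = 117;
     foundationdb = 118;
@@ -415,6 +416,7 @@
     btsync = 113;
     #minecraft = 114; # unused
     #monetdb = 115; # unused (not packaged), removed 2016-09-19
+    vault = 115;
     #ripped = 116; # unused
     #murmur = 117; # unused
     foundationdb = 118;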
+1
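--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -558,6 +558,7 @@
   ./services/security/tor.nix
   ./services/security/torify.nix
   ./services/security/torsocks.nix
+  ./services/security/vault.nix
   ./services/system/cgmanager.nix
   ./services/system/cloud-init.nix
   ./services/system/dbus.nix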
+143
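--- /dev/null
+++ b/nixos/modules/services/security/vault.nix
@@ -0,0 +1,143 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.vault;
+
+  configFile = pkgs.writeText "vault.hcl" ''
+    listener "tcp" {
+      address = "${cfg.address}"
+      ${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
+        tls_disable = "true"
+      '' else ''
+        tls_cert_file = "${cfg.tlsCertFile}"
+        tls_key_file = "${cfg.tlsKeyFile}"
+      ''}
+      ${cfg.listenerExtraConfig}
+    }
+    storage "${cfg.storageBackend}" {
+      ${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}
+      ${optionalString (cfg.storageConfig != null) cfg.storageConfig}
+    }
+    ${optionalString (cfg.telemetryConfig != "") ''
+      telemetry {
+        ${cfg.telemetryConfig}
+      }
+    ''}
+  '';
+in
+{
+  options = {
+
+    services.vault = {
+
+      enable = mkEnableOption "Vault daemon";
+
+      address = mkOption {
+        type = types.str;
+        default = "127.0.0.1:8200";
+        description = "The name of the ip interface to listen to";
+      };
+
+      tlsCertFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "/path/to/your/cert.pem";
+        description = "TLS certificate file. TLS will be disabled unless this option is set";
+      };
+
+      tlsKeyFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "/path/to/your/key.pem";
+        description = "TLS private key file. TLS will be disabled unless this option is set";
+      };
+
+      listenerExtraConfig = mkOption {
+        type = types.lines;
+        default = ''
+          tls_min_version = "tls12"
+        '';
+        description = "extra configuration";
+      };
+
+      storageBackend = mkOption {
+        type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ];
+        default = "inmem";
+        description = "The name of the type of storage backend";
+      };
+
+      storagePath = mkOption {
+        type = types.nullOr types.path;
+        default = if cfg.storageBackend == "file" then "/var/lib/vault" else null;
+        description = "Data directory for file backend";
+      };
+
+      storageConfig = mkOption {
+        type = types.nullOr types.lines;
+        default = null;
+        description = "Storage configuration";
+      };
+
+      telemetryConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = "Telemetry configuration";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      { assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null);
+        message = ''The "inmem" storage expects no services.vault.storagePath nor services.vault.storageConfig'';
+      }
+      { assertion = (cfg.storageBackend == "file" -> (cfg.storagePath != null && cfg.storageConfig == null)) && (cfg.storagePath != null -> cfg.storageBackend == "file");
+        message = ''You must set services.vault.storagePath only when using the "file" backend'';
+      }
+    ];
+
+    users.extraUsers.vault = {
+      name = "vault";
+      group = "vault";
+      uid = config.ids.uids.vault;
+      description = "Vault daemon user";
+    };
+    users.extraGroups.vault.gid = config.ids.gids.vault;
+
+    systemd.services.vault = {
+      description = "Vault server daemon";
+
+      wantedBy = ["multi-user.target"];
+      after = [ "network.target" ]
+           ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";
+
+      restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
+
+      preStart = optionalString (cfg.storagePath != null) ''
+        install -d -m0700 -o vault -g vault "${cfg.storagePath}"
+      '';
+
+      serviceConfig = {
+        User = "vault";
+        Group = "vault";
+        PermissionsStartOnly = true;
+        ExecStart = "${pkgs.vault}/bin/vault server -config ${configFile}";
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectSystem = "full";
+        ProtectHome = "read-only";
+        AmbientCapabilities = "cap_ipc_lock";
+        NoNewPrivileges = true;
+        KillSignal = "SIGINT";
+        TimeoutStopSec = "30s";
+        Restart = "on-failure";
+        StartLimitInterval = "60s";
+        StartLimitBurst = 3;
+      };
+
+      unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;
+    };
+  };
+
+}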
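Review bot: The listener block written into configFile (new file lines 10-15) silently falls back to `tls_disable = "true"` whenever only one of tlsCertFile/tlsKeyFile is set, so a typo in a single option leaves the API listener in plaintext instead of failing evaluation, and nothing in the options or descriptions says the two must be set together. The assertions list at lines 91-98 is the natural place to reject the half-configured case: `{ assertion = (cfg.tlsCertFile == null) == (cfg.tlsKeyFile == null); message = "services.vault.tlsCertFile and services.vault.tlsKeyFile must be set together (or both left unset to disable TLS)"; }`. Separately, the `address` description at line 39 ("The name of the ip interface to listen to") does not match the `ip:port` default on line 38; `description = "Address (ip:port) the tcp listener binds to";` would describe what is actually written into the listener stanza.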
+20 -12
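--- a/pkgs/tools/security/vault/default.nix
+++ b/pkgs/tools/security/vault/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, buildGoPackage, fetchFromGitHub }:
+{ stdenv, fetchFromGitHub, go, gox, removeReferencesTo }:
 
 let
   vaultBashCompletions = fetchFromGitHub {
@@ -7,27 +7,35 @@
     rev = "e2f59b64be1fa5430fa05c91b6274284de4ea77c";
     sha256 = "10m75rp3hy71wlmnd88grmpjhqy0pwb9m8wm19l0f463xla54frd";
   };
-in buildGoPackage rec {
+in stdenv.mkDerivation rec {
   name = "vault-${version}";
-  version = "0.6.5";
-
-  goPackagePath = "github.com/hashicorp/vault";
+  version = "0.7.3";
 
   src = fetchFromGitHub {
     owner = "hashicorp";
     repo = "vault";
     rev = "v${version}";
-    sha256 = "0ci46zn9d9h26flgjf4inmvk4mb1hlixvx5g7vg02raw0cqvknnb";
+    sha256 = "15wj1pfgzwzjfrqy7b5bx4y9f0hbpqlfif58l5xamwm88229qk4m";
   };
 
-  buildFlagsArray = ''
-    -ldflags=
-    -X github.com/hashicorp/vault/version.GitCommit=${version}
+  nativeBuildInputs = [ go gox removeReferencesTo ];
+
+  buildPhase = ''
+    substituteInPlace scripts/build.sh --replace 'git rev-parse HEAD' 'echo ${src.rev}'
+
+    mkdir -p src/github.com/hashicorp
+    ln -s $(pwd) src/github.com/hashicorp/vault
+
+    GOPATH=$(pwd) make
   '';
 
-  postInstall = ''
-    mkdir -p $bin/share/bash-completion/completions/
-    cp ${vaultBashCompletions}/vault-bash-completion.sh $bin/share/bash-completion/completions/vault
+  installPhase = ''
+    mkdir -p $out/bin $out/share/bash-completion/completions
+
+    cp pkg/*/* $out/bin/
+    find $out/bin -type f -exec remove-references-to -t ${go} '{}' +
+
+    cp ${vaultBashCompletions}/vault-bash-completion.sh $out/share/bash-completion/completions/vault
   '';
 
   meta = with stdenv.lib; {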
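Review bot: The installPhase line `cp pkg/*/* $out/bin/` copies whatever the upstream build script left under pkg/ without naming a platform, so the package's contents depend on that script's target selection rather than on this expression; if it ever emits more than the host target, foreign binaries land in $out/bin and get the remove-references-to treatment too. Selecting the host output directory explicitly, e.g. `cp pkg/$(go env GOOS)_$(go env GOARCH)/* $out/bin/`, would pin this (hedged: that directory layout is inferred from the glob, not visible in the hunk). The buildPhase substitution also deserves a one-line comment, since it makes the binary report the tag string `${src.rev}` as its GitCommit rather than a commit hash: `# no .git in the sandbox; stamp the tag instead of a commit hash`.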