philipp
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Projects Releases Activity

Merge pull request #108411 from hercules-ci/vault-multiple-config-files 

vault: Support multiple config files (no secrets in store)
master
Robert Hensing 2021-01-24 13:49:06 +01:00 committed by GitHub
parent 0a81d0846a 04946f4246
commit 530df49d7a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 116 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
nixos/modules/services/security/vault.nix
View File

@ -27,6 +27,11 @@ let
''}
${cfg.extraConfig}
'';
allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
in
{
@ -84,7 +89,14 @@ in
storageConfig = mkOption {
type = types.nullOr types.lines;
default = null;
description = "Storage configuration";
description = ''
HCL configuration to insert in the storageBackend section.
Confidential values should not be specified here because this option's
value is written to the Nix store, which is publicly readable.
Provide credentials and such in a separate file using
<xref linkend="opt-services.vault.extraSettingsPaths"/>.
'';
};
telemetryConfig = mkOption {
@ -98,6 +110,36 @@ in
default = "";
description = "Extra text appended to <filename>vault.hcl</filename>.";
};
extraSettingsPaths = mkOption {
type = types.listOf types.path;
default = [];
description = ''
Configuration files to load besides the immutable one defined by the NixOS module.
This can be used to avoid putting credentials in the Nix store, which can be read by any user.
Each path can point to a JSON- or HCL-formatted file, or a directory
to be scanned for files with <literal>.hcl</literal> or
<literal>.json</literal> extensions.
To upload the confidential file with NixOps, use for example:
<programlisting><![CDATA[
# https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
text = ${"''"}
storage "postgresql" {
connection_url = "postgres://''${db.username}:''${db.password}@host.example.com/exampledb?sslmode=verify-ca"
}
${"''"};
user = "vault";
};
services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"];
services.vault.storageBackend = "postgresql";
users.users.vault.extraGroups = ["keys"];
]]></programlisting>
'';
};
};
};
@ -136,7 +178,7 @@ in
serviceConfig = {
User = "vault";
Group = "vault";
ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
PrivateDevices = true;
PrivateTmp = true;

1
nixos/tests/all-tests.nix
View File

@ -407,6 +407,7 @@ in
uwsgi = handleTest ./uwsgi.nix {};
v2ray = handleTest ./v2ray.nix {};
vault = handleTest ./vault.nix {};
vault-postgresql = handleTest ./vault-postgresql.nix {};
vector = handleTest ./vector.nix {};
victoriametrics = handleTest ./victoriametrics.nix {};
virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};

70
nixos/tests/vault-postgresql.nix Normal file
View File

@ -0,0 +1,70 @@
/* This test checks that
- multiple config files can be loaded
- the storage backend can be in a file outside the nix store
as is required for security (required because while confidentiality is
always covered, availability isn't)
- the postgres integration works
*/
import ./make-test-python.nix ({ pkgs, ... }:
{
name = "vault-postgresql";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ lnl7 roberth ];
};
machine = { lib, pkgs, ... }: {
virtualisation.memorySize = 512;
environment.systemPackages = [ pkgs.vault ];
environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
services.vault.enable = true;
services.vault.extraSettingsPaths = [ "/run/vault.hcl" ];
systemd.services.vault = {
after = [
"postgresql.service"
];
# Try for about 10 minutes rather than the default of 5 attempts.
serviceConfig.RestartSec = 1;
serviceConfig.StartLimitBurst = 600;
};
# systemd.services.vault.unitConfig.RequiresMountsFor = "/run/keys/";
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "init.psql" ''
CREATE USER vaultuser WITH ENCRYPTED PASSWORD 'thisisthepass';
GRANT CONNECT ON DATABASE postgres TO vaultuser;
-- https://www.vaultproject.io/docs/configuration/storage/postgresql
CREATE TABLE vault_kv_store (
parent_path TEXT COLLATE "C" NOT NULL,
path TEXT COLLATE "C",
key TEXT COLLATE "C",
value BYTEA,
CONSTRAINT pkey PRIMARY KEY (path, key)
);
CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO vaultuser;
'';
};
testScript =
''
secretConfig = """
storage "postgresql" {
connection_url = "postgres://vaultuser:thisisthepass@localhost/postgres?sslmode=disable"
}
"""
start_all()
machine.wait_for_unit("multi-user.target")
machine.succeed("cat >/root/vault.hcl <<EOF\n%s\nEOF\n" % secretConfig)
machine.succeed(
"install --owner vault --mode 0400 /root/vault.hcl /run/vault.hcl; rm /root/vault.hcl"
)
machine.wait_for_unit("vault.service")
machine.wait_for_open_port(8200)
machine.succeed("vault operator init")
machine.succeed("vault status | grep Sealed | grep true")
'';
})

1
nixos/tests/vault.nix
View File

@ -8,6 +8,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
environment.systemPackages = [ pkgs.vault ];
environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
services.vault.enable = true;
virtualisation.memorySize = 512;
};
testScript =