diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 64622454b9d..5a20f6413b1 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -27,6 +27,11 @@ let
''}
${cfg.extraConfig}
'';
+
+ allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
+
+ configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
+
in
{
@@ -84,7 +89,14 @@ in
storageConfig = mkOption {
type = types.nullOr types.lines;
default = null;
- description = "Storage configuration";
+ description = ''
+ HCL configuration to insert in the storageBackend section.
+
+ Confidential values should not be specified here because this option's
+ value is written to the Nix store, which is publicly readable.
+ Provide credentials and such in a separate file using
+ .
+ '';
};
telemetryConfig = mkOption {
@@ -98,6 +110,36 @@ in
default = "";
description = "Extra text appended to vault.hcl.";
};
+
+ extraSettingsPaths = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ description = ''
+ Configuration files to load besides the immutable one defined by the NixOS module.
+ This can be used to avoid putting credentials in the Nix store, which can be read by any user.
+
+ Each path can point to a JSON- or HCL-formatted file, or a directory
+ to be scanned for files with .hcl or
+ .json extensions.
+
+ To upload the confidential file with NixOps, use for example:
+
+
+ '';
+ };
};
};
@@ -136,7 +178,7 @@ in
serviceConfig = {
User = "vault";
Group = "vault";
- ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
+ ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
PrivateDevices = true;
PrivateTmp = true;
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 523d3c051e0..246ad754827 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -407,6 +407,7 @@ in
uwsgi = handleTest ./uwsgi.nix {};
v2ray = handleTest ./v2ray.nix {};
vault = handleTest ./vault.nix {};
+ vault-postgresql = handleTest ./vault-postgresql.nix {};
vector = handleTest ./vector.nix {};
victoriametrics = handleTest ./victoriametrics.nix {};
virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
diff --git a/nixos/tests/vault-postgresql.nix b/nixos/tests/vault-postgresql.nix
new file mode 100644
index 00000000000..daa71976338
--- /dev/null
+++ b/nixos/tests/vault-postgresql.nix
@@ -0,0 +1,70 @@
+/* This test checks that
+ - multiple config files can be loaded
+ - the storage backend can be in a file outside the nix store
+ as is required for security (required because while confidentiality is
+ always covered, availability isn't)
+ - the postgres integration works
+ */
+import ./make-test-python.nix ({ pkgs, ... }:
+{
+ name = "vault-postgresql";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ lnl7 roberth ];
+ };
+ machine = { lib, pkgs, ... }: {
+ virtualisation.memorySize = 512;
+ environment.systemPackages = [ pkgs.vault ];
+ environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
+ services.vault.enable = true;
+ services.vault.extraSettingsPaths = [ "/run/vault.hcl" ];
+
+ systemd.services.vault = {
+ after = [
+ "postgresql.service"
+ ];
+ # Try for about 10 minutes rather than the default of 5 attempts.
+ serviceConfig.RestartSec = 1;
+ serviceConfig.StartLimitBurst = 600;
+ };
+ # systemd.services.vault.unitConfig.RequiresMountsFor = "/run/keys/";
+
+ services.postgresql.enable = true;
+ services.postgresql.initialScript = pkgs.writeText "init.psql" ''
+ CREATE USER vaultuser WITH ENCRYPTED PASSWORD 'thisisthepass';
+ GRANT CONNECT ON DATABASE postgres TO vaultuser;
+
+ -- https://www.vaultproject.io/docs/configuration/storage/postgresql
+ CREATE TABLE vault_kv_store (
+ parent_path TEXT COLLATE "C" NOT NULL,
+ path TEXT COLLATE "C",
+ key TEXT COLLATE "C",
+ value BYTEA,
+ CONSTRAINT pkey PRIMARY KEY (path, key)
+ );
+ CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
+
+ GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO vaultuser;
+ '';
+ };
+
+ testScript =
+ ''
+ secretConfig = """
+ storage "postgresql" {
+ connection_url = "postgres://vaultuser:thisisthepass@localhost/postgres?sslmode=disable"
+ }
+ """
+
+ start_all()
+
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("cat >/root/vault.hcl <