From 442f76d72a422aa44a3ff744d8d6c1d61f500354 Mon Sep 17 00:00:00 2001 From: Katyucha Date: Wed, 7 Jun 2017 22:31:40 +0200 Subject: [PATCH 01/11] Vault: 0.6.5 -> 0.7.2 with services --- nixos/modules/module-list.nix | 1 + nixos/modules/services/security/vault.nix | 208 ++++++++++++++++++++++ pkgs/tools/security/vault/default.nix | 4 +- 3 files changed, 211 insertions(+), 2 deletions(-) create mode 100644 nixos/modules/services/security/vault.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 5d9b062f2048..7de839c201a7 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -555,6 +555,7 @@ ./services/security/tor.nix ./services/security/torify.nix ./services/security/torsocks.nix + ./services/security/vault.nix ./services/system/cgmanager.nix ./services/system/cloud-init.nix ./services/system/dbus.nix diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix new file mode 100644 index 000000000000..314bf59804d5 --- /dev/null +++ b/nixos/modules/services/security/vault.nix 
@@ -0,0 +1,208 @@ +{ config, lib, pkgs, utils, ... }: + +with lib; +let + + inherit (pkgs) vault; + + cfg = config.services.vault; + + configFile = pkgs.writeText "vault.hcl" '' + listener "tcp" { + address = "${cfg.listener.address}" + + ${optionalString (cfg.listener.cluster_address != null)'' + cluster_address = "${cfg.listener.cluster_address}" + ''} + + ${optionalString (cfg.listener.tls_cert_file != null)'' + tls_cert_file = "${cfg.listener.tls_cert_file}" + ''} + + ${optionalString (cfg.listener.tls_key_file != null)'' + tls_key_file = "${cfg.listener.tls_key_file}" + ''} + + ${if cfg.listener.tls_disable then "tls_disable = \"1\"" else "" } + + tls_min_version = "${cfg.listener.tls_min_version}" + + + ${optionalString (cfg.listener.tls_cipher_suites != null)'' + tls_cipher_suites = \"${cfg.listener.tls_cipher_suites}\" + ''} + + tls_prefer_server_cipher_suites = "${boolToString cfg.listener.tls_prefer_server_cipher_suites}" + + tls_require_and_verify_client_cert = "${boolToString cfg.listener.tls_require_and_verify_client_cert}" + + } + + storage "${cfg.storage.backend}" { + ${cfg.storage.extraConfig} + } + + ${if cfg.telemetry.extraConfig != "" then " + telemetry { + ${if cfg.telemetry.disable_hostname then "disable_hostname = \"true\"" else ""} + ${cfg.telemetry.extraConfig} + }" else ""} + + ''; + +in +{ + options = { + + services.vault = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enables the vault daemon. + ''; + }; + + listener = { + + address = mkOption { + type = types.str; + default = "127.0.0.1:8200"; + description = '' + The name of the ip interface to listen to. + ''; + }; + + cluster_address = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The name of the address to bind to for cluster server-to-server requests. + ''; + }; + + tls_cert_file = mkOption { + type = types.str; + default = ""; + description = '' + The name of the crt file for the ssl certificate. 
+ ''; + }; + + tls_key_file = mkOption { + type = types.str; + default = ""; + description = '' + The name of the key file for the ssl certificate. + ''; + }; + + tls_disable = mkOption { + type = types.bool; + default = false; + description = '' + Specifies if TLS will be disabled. Vault assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication. + ''; + }; + + tls_min_version = mkOption { + type = types.enum [ "tls10" "tls11" "tls12" ]; + default = "tls12"; + description = '' + The minimum supported version of TLS. Accepted values are "tls10", "tls11" or "tls12". + ''; + }; + + tls_cipher_suites = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The list of supported ciphersuites as a comma-separated-list. + ''; + }; + + tls_prefer_server_cipher_suites = mkOption { + type = types.bool; + default = false; + description = '' + Specifies to prefer the server's ciphersuite over the client ciphersuites. + ''; + }; + + tls_require_and_verify_client_cert = mkOption { + type = types.bool; + default = false; + description = '' + Turns on client authentication for this listener. + ''; + }; + + }; + + storage = { + + backend = mkOption { + type = types.str; + default = "inMemory"; + description = '' + The name of the type of storage backend. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Configuration for storage + ''; + }; + + }; + + + telemetry = { + + disable_hostname = mkOption { + type = types.bool; + default = false; + description = '' + Specifies if gauge values should be prefixed with the local hostname. 
+ ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + configuration for telemetry + ''; + }; + + }; + + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.vault = + { description = "Vault server daemon"; + + wantedBy = ["multi-user.target"]; + + preStart = + '' + mkdir -m 0755 -p /var/lib/vault + ''; + + serviceConfig = + { ExecStart = + "${pkgs.vault}/bin/vault server -config ${configFile}"; + KillMode = "process"; + }; + }; + }; + +} diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 0344fc0a74ee..6e8128ec00f2 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -9,7 +9,7 @@ let }; in buildGoPackage rec { name = "vault-${version}"; - version = "0.6.5"; + version = "0.7.2"; goPackagePath = "github.com/hashicorp/vault"; @@ -17,7 +17,7 @@ in buildGoPackage rec { owner = "hashicorp"; repo = "vault"; rev = "v${version}"; - sha256 = "0ci46zn9d9h26flgjf4inmvk4mb1hlixvx5g7vg02raw0cqvknnb"; + sha256 = "1kclpyb9a9y5zjvrlbxnkac4fl3lwqsr98v4yydf9ihl5v7wy4f5"; }; buildFlagsArray = '' From cad450e6d6339fee852b468411c065c5f43c73c9 Mon Sep 17 00:00:00 2001 From: Katyucha Date: Fri, 9 Jun 2017 20:00:54 +0200 Subject: [PATCH 02/11] delete lines --- nixos/modules/services/security/vault.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index 314bf59804d5..eae3a8ca6188 100644 --- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix @@ -27,7 +27,6 @@ let tls_min_version = "${cfg.listener.tls_min_version}" - ${optionalString (cfg.listener.tls_cipher_suites != null)'' tls_cipher_suites = \"${cfg.listener.tls_cipher_suites}\" ''} From 4c428b4a6f8793e62889819e7e9877e6cbca6210 Mon Sep 17 00:00:00 2001 
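Review bot: In the new configFile the `tls_cipher_suites` line emits a literal backslash-quote into the HCL, because inside a Nix `''` indented string `\"` is not an escape, so Vault receives `tls_cipher_suites = \"...\"` and the listener block fails to parse; write it like the neighbouring lines, `tls_cipher_suites = "${cfg.listener.tls_cipher_suites}"`. The `!= null` guards around `tls_cert_file` and `tls_key_file` can never be false, since both options are `types.str` with default `""`, so an empty `tls_cert_file = ""` is always written; either declare them `types.nullOr types.str` with `default = null` or test `!= ""`. The rendered vault.hcl is produced with `pkgs.writeText`, which places it in the world-readable Nix store, so anything a user puts in `storage.extraConfig` (a Consul token, cloud credentials) is readable by every local account; the option description should say so, or the config should be rendered into a root-only file at start. The service also declares no `User`/`Group`, so the daemon runs as root; a dedicated user plus `AmbientCapabilities = "cap_ipc_lock"` for mlock would be the expected baseline.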
From: Volth Date: Tue, 27 Jun 2017 14:54:25 +0000 Subject: [PATCH 03/11] vault: run as an unpivileged user --- nixos/modules/misc/ids.nix | 2 + nixos/modules/services/security/vault.nix | 269 ++++++++-------------- pkgs/tools/security/vault/default.nix | 4 +- 3 files changed, 101 insertions(+), 174 deletions(-) diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 22059bb7fbbb..4c4e7cfe0d1d 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -139,6 +139,7 @@ btsync = 113; minecraft = 114; #monetdb = 115; # unused (not packaged), removed 2016-09-19 + vault = 115; rippled = 116; murmur = 117; foundationdb = 118; @@ -415,6 +416,7 @@ btsync = 113; #minecraft = 114; # unused #monetdb = 115; # unused (not packaged), removed 2016-09-19 + vault = 115; #ripped = 116; # unused #murmur = 117; # unused foundationdb = 118; diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index eae3a8ca6188..dc06f89cce8c 100644 --- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix 
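Review bot: The uid and gid 115 given to vault in both ids.nix hunks were freed when monetdb was removed (the `#monetdb = 115;` comment is kept in context), and reusing a freed id follows this file's convention, but any files still owned by the old uid on a system upgraded from before that removal would silently become the vault user's. A one-line `# reuses the id freed by monetdb (removed 2016-09-19)` next to each new entry would make the reuse deliberate, and picking the next unused number would avoid the question entirely.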
@@ -1,207 +1,132 @@ -{ config, lib, pkgs, utils, ... }: +{ config, lib, pkgs, ... }: with lib; let - - inherit (pkgs) vault; - cfg = config.services.vault; - + configFile = pkgs.writeText "vault.hcl" '' listener "tcp" { - address = "${cfg.listener.address}" - - ${optionalString (cfg.listener.cluster_address != null)'' - cluster_address = "${cfg.listener.cluster_address}" - ''} - - ${optionalString (cfg.listener.tls_cert_file != null)'' - tls_cert_file = "${cfg.listener.tls_cert_file}" - ''} - - ${optionalString (cfg.listener.tls_key_file != null)'' - tls_key_file = "${cfg.listener.tls_key_file}" - ''} - - ${if cfg.listener.tls_disable then "tls_disable = \"1\"" else "" } - - tls_min_version = "${cfg.listener.tls_min_version}" - - ${optionalString (cfg.listener.tls_cipher_suites != null)'' - tls_cipher_suites = \"${cfg.listener.tls_cipher_suites}\" - ''} - - tls_prefer_server_cipher_suites = "${boolToString cfg.listener.tls_prefer_server_cipher_suites}" - - tls_require_and_verify_client_cert = "${boolToString cfg.listener.tls_require_and_verify_client_cert}" - + address = "${cfg.address}" + tls_cert_file = "${cfg.tlsCertFile}" + tls_key_file = "${cfg.tlsKeyFile}" + ${cfg.listenerExtraConfig} } - - storage "${cfg.storage.backend}" { - ${cfg.storage.extraConfig} + storage "${cfg.storageBackend}" { + ${cfg.storageConfig} } - - ${if cfg.telemetry.extraConfig != "" then " - telemetry { - ${if cfg.telemetry.disable_hostname then "disable_hostname = \"true\"" else ""} - ${cfg.telemetry.extraConfig} - }" else ""} - + ${optionalString (cfg.telemetryConfig != "") '' + telemetry { + ${cfg.telemetryConfig} + } + ''} ''; - in { options = { services.vault = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enables the vault daemon. 
+ enable = mkEnableOption "Vault daemon"; + + address = mkOption { + type = types.str; + default = "127.0.0.1:8200"; + description = "The name of the ip interface to listen to"; + }; + + tlsCertFile = mkOption { + type = types.str; + default = "/etc/vault/cert.pem"; + example = "/path/to/your/cert.pem"; + description = "TLS certificate file. A self-signed certificate will be generated if file not exists"; + }; + + tlsKeyFile = mkOption { + type = types.str; + default = "/etc/vault/key.pem"; + example = "/path/to/your/key.pem"; + description = "TLS private key file. A self-signed certificate will be generated if file not exists"; + }; + + listenerExtraConfig = mkOption { + type = types.lines; + default = '' + tls_min_version = "tls12" ''; + description = "extra configuration"; }; - listener = { - - address = mkOption { - type = types.str; - default = "127.0.0.1:8200"; - description = '' - The name of the ip interface to listen to. - ''; - }; - - cluster_address = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The name of the address to bind to for cluster server-to-server requests. - ''; - }; - - tls_cert_file = mkOption { - type = types.str; - default = ""; - description = '' - The name of the crt file for the ssl certificate. - ''; - }; - - tls_key_file = mkOption { - type = types.str; - default = ""; - description = '' - The name of the key file for the ssl certificate. - ''; - }; - - tls_disable = mkOption { - type = types.bool; - default = false; - description = '' - Specifies if TLS will be disabled. Vault assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication. - ''; - }; - - tls_min_version = mkOption { - type = types.enum [ "tls10" "tls11" "tls12" ]; - default = "tls12"; - description = '' - The minimum supported version of TLS. Accepted values are "tls10", "tls11" or "tls12". 
- ''; - }; - - tls_cipher_suites = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The list of supported ciphersuites as a comma-separated-list. - ''; - }; - - tls_prefer_server_cipher_suites = mkOption { - type = types.bool; - default = false; - description = '' - Specifies to prefer the server's ciphersuite over the client ciphersuites. - ''; - }; - - tls_require_and_verify_client_cert = mkOption { - type = types.bool; - default = false; - description = '' - Turns on client authentication for this listener. - ''; - }; - + storageBackend = mkOption { + type = types.enum ["inmem" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"]; + default = "inmem"; + description = "The name of the type of storage backend"; }; - storage = { - - backend = mkOption { - type = types.str; - default = "inMemory"; - description = '' - The name of the type of storage backend. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Configuration for storage - ''; - }; - + storageConfig = mkOption { + type = types.lines; + description = "Storage configuration"; + default = ""; }; - - telemetry = { - - disable_hostname = mkOption { - type = types.bool; - default = false; - description = '' - Specifies if gauge values should be prefixed with the local hostname. 
- ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - configuration for telemetry - ''; - }; - + telemetryConfig = mkOption { + type = types.lines; + default = ""; + description = "Telemetry configuration"; }; - }; - }; config = mkIf cfg.enable { - systemd.services.vault = - { description = "Vault server daemon"; + users.extraUsers.vault = { + name = "vault"; + group = "vault"; + uid = config.ids.uids.vault; + description = "Vault daemon user"; + }; + users.extraGroups.vault.gid = config.ids.gids.vault; + + systemd.services.vault = { + description = "Vault server daemon"; wantedBy = ["multi-user.target"]; + after = [ "network.target" ]; - preStart = - '' - mkdir -m 0755 -p /var/lib/vault - ''; + preStart = '' + mkdir -m 0755 -p /var/lib/vault + chown -R vault:vault /var/lib/vault - serviceConfig = - { ExecStart = - "${pkgs.vault}/bin/vault server -config ${configFile}"; - KillMode = "process"; - }; - }; + # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client + if [ ! -s ${cfg.tlsCertFile} -o ! 
-s ${cfg.tlsKeyFile} ]; then + mkdir -p $(dirname ${cfg.tlsCertFile}) || true + mkdir -p $(dirname ${cfg.tlsKeyFile }) || true + ${pkgs.openssl.bin}/bin/openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 99999 \ + -subj /C=US/ST=NY/L=NYC/O=vault/CN=${cfg.address} \ + -keyout ${cfg.tlsKeyFile} -out ${cfg.tlsCertFile} + + chown root:vault ${cfg.tlsKeyFile} ${cfg.tlsCertFile} + chmod 440 ${cfg.tlsKeyFile} ${cfg.tlsCertFile} + fi + ''; + + serviceConfig = { + User = "vault"; + Group = "vault"; + PermissionsStartOnly = true; + ExecStart = "${pkgs.vault}/bin/vault server -config ${configFile}"; + PrivateDevices = true; + PrivateTmp = true; + ProtectSystem = "full"; + ProtectHome = "read-only"; + AmbientCapabilities = "cap_ipc_lock"; + NoNewPrivileges = true; + KillSignal = "SIGINT"; + TimeoutStopSec = "30s"; + Restart = "on-failure"; + StartLimitInterval = "60s"; + StartLimitBurst = 3; + }; + }; }; } diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 6e8128ec00f2..2c8f24cf8bda 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -9,7 +9,7 @@ let }; in buildGoPackage rec { name = "vault-${version}"; - version = "0.7.2"; + version = "0.7.3"; goPackagePath = "github.com/hashicorp/vault"; @@ -17,7 +17,7 @@ in buildGoPackage rec { owner = "hashicorp"; repo = "vault"; rev = "v${version}"; - sha256 = "1kclpyb9a9y5zjvrlbxnkac4fl3lwqsr98v4yydf9ihl5v7wy4f5"; + sha256 = "15wj1pfgzwzjfrqy7b5bx4y9f0hbpqlfif58l5xamwm88229qk4m"; }; buildFlagsArray = '' From d016ef1f5be81bfcb58ad745e2127d8ec9d52cc3 Mon Sep 17 00:00:00 2001 From: Volth Date: Tue, 27 Jun 2017 19:32:11 +0000 Subject: [PATCH 04/11] create directory only for "file" storage --- nixos/modules/services/security/vault.nix | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index dc06f89cce8c..2f4935ee1a32 100644 
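Review bot: The self-signed certificate generated in preStart uses `CN=${cfg.address}`, and `address` defaults to `127.0.0.1:8200`, so the CN carries the port and can never match the host a client connects to; that is why the comment falls back to `VAULT_SKIP_VERIFY=1`, which teaches clients to disable certificate checking. Better to put only the host part in the CN (plus a subjectAltName), point clients at `VAULT_CACERT=<path to the generated cert>` instead of skipping verification, and replace `-days 99999` with a short lifetime. The preStart also writes under `/etc/vault` while `ProtectSystem = "full"` in the same serviceConfig mounts `/etc` read-only for every process of the unit, ExecStartPre included as far as I recall (`PermissionsStartOnly` only lifts User/Group and related settings), so the generation step would fail with EROFS on first start — worth verifying. The `[ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]` test and the `openssl` arguments interpolate the paths unquoted; quote them, since `tlsCertFile` is free-form `types.str`.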
--- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix @@ -57,7 +57,7 @@ in }; storageBackend = mkOption { - type = types.enum ["inmem" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"]; + type = types.enum ["inmem" "inmem_transactional" "inmem_ha" "inmem_transactional_ha" "file_transactional" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"]; default = "inmem"; description = "The name of the type of storage backend"; }; @@ -65,7 +65,10 @@ in storageConfig = mkOption { type = types.lines; description = "Storage configuration"; - default = ""; + default = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then '' + path = "/var/lib/vault" + '' else '' + ''; }; telemetryConfig = mkOption { @@ -92,10 +95,18 @@ in wantedBy = ["multi-user.target"]; after = [ "network.target" ]; - preStart = '' - mkdir -m 0755 -p /var/lib/vault - chown -R vault:vault /var/lib/vault - + preStart = + optionalString (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") + (let + matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig); + path = if matched == null then + throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`'' + else + head matched; + in '' + [ -d "${path}"] || install -d -m0700 -o vault -g vault "${path}" + '') + + '' # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then mkdir -p $(dirname ${cfg.tlsCertFile}) || true From 7330e804567e4cf05c3aac880a0518875f0a5b54 Mon Sep 17 00:00:00 2001 
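Review bot: `[ -d "${path}"] || install ...` in the new preStart is missing the space before `]`, so the shell passes `"${path}"]` as one word and `[` exits with a "missing ]" error on every start; the `||` then runs `install -d` unconditionally, which hides the error but means the guard never works — write `[ -d "${path}" ] || install -d -m0700 -o vault -g vault "${path}"`. The path extraction with `builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*''` must match the whole `storageConfig` string, `[ ]*` accepts only spaces (not tabs), and if `.` does not span newlines in Nix's regex dialect a multi-line `storageConfig` (the normal form for `types.lines`) yields `null` and hits the `throw` even though `path` is set; the same expression is carried into patch 06's `localDir`. A dedicated option for the directory would avoid parsing HCL with a regex altogether.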
From: Volth Date: Wed, 28 Jun 2017 00:58:19 +0000 Subject: [PATCH 05/11] vault: start after consul if consul is used as storage backend --- nixos/modules/services/security/vault.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index 2f4935ee1a32..1d93ff210070 100644 --- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix @@ -93,7 +93,8 @@ in description = "Vault server daemon"; wantedBy = ["multi-user.target"]; - after = [ "network.target" ]; + after = [ "network.target" ] + ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service"; preStart = optionalString (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") From 519f17035fed92f2cf4b8e40544e4d2ec9424fea Mon Sep 17 00:00:00 2001 From: Volth Date: Wed, 28 Jun 2017 01:15:20 +0000 Subject: [PATCH 06/11] vault: add unitConfig.RequiresMountsFor to systemd config --- nixos/modules/services/security/vault.nix | 30 +++++++++++++---------- pkgs/tools/security/vault/default.nix | 2 +- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index 1d93ff210070..5a1952719945 100644 --- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix @@ -79,7 +79,18 @@ in }; }; - config = mkIf cfg.enable { + config = let + localDir = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then + let + matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig); + in + if matched == null then + throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`'' + else + head matched + else + null; + in mkIf cfg.enable { users.extraUsers.vault = { name = "vault"; 
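Review bot: `after = [ "network.target" ] ++ optional (...) "consul.service"` only orders the units; it does not pull consul in, so a manual `systemctl start vault.service` while consul is stopped starts Vault without its storage backend and, with `Restart = "on-failure"`, retries until `StartLimitBurst = 3` is exhausted. Mirroring the list under `wants`, e.g. `wants = optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";`, makes the dependency explicit while keeping the weak semantics.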
@@ -96,18 +107,9 @@ in after = [ "network.target" ] ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service"; - preStart = - optionalString (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") - (let - matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig); - path = if matched == null then - throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`'' - else - head matched; - in '' - [ -d "${path}"] || install -d -m0700 -o vault -g vault "${path}" - '') + - '' + preStart = optionalString (localDir != null) '' + install -d -m0700 -o vault -g vault "${localDir}" + '' + '' # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then mkdir -p $(dirname ${cfg.tlsCertFile}) || true @@ -138,6 +140,8 @@ in StartLimitInterval = "60s"; StartLimitBurst = 3; }; + + unitConfig.RequiresMountsFor = optional (localDir != null) localDir; }; }; diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 2c8f24cf8bda..29fba2802802 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, buildGoPackage, fetchFromGitHub }: +{ stdenv, buildGoPackage, fetchFromGitHub }: let vaultBashCompletions = fetchFromGitHub { From 2056c7e39548a1106b2f0101fdfd3fb8b7510479 Mon Sep 17 00:00:00 2001 From: Volth Date: Wed, 28 Jun 2017 22:08:36 +0000 Subject: [PATCH 07/11] removed generation of self-signed certificate --- nixos/modules/services/security/vault.nix | 32 +++++++++-------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index 5a1952719945..91d5810195af 100644 --- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix 
@@ -7,8 +7,12 @@ let configFile = pkgs.writeText "vault.hcl" '' listener "tcp" { address = "${cfg.address}" - tls_cert_file = "${cfg.tlsCertFile}" - tls_key_file = "${cfg.tlsKeyFile}" + ${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then '' + tls_disable = "true" + '' else '' + tls_cert_file = "${cfg.tlsCertFile}" + tls_key_file = "${cfg.tlsKeyFile}" + ''} ${cfg.listenerExtraConfig} } storage "${cfg.storageBackend}" { @@ -35,17 +39,17 @@ in }; tlsCertFile = mkOption { - type = types.str; - default = "/etc/vault/cert.pem"; + type = types.nullOr types.str; + default = null; example = "/path/to/your/cert.pem"; - description = "TLS certificate file. A self-signed certificate will be generated if file not exists"; + description = "TLS certificate file. TLS will be disabled unless this option is set"; }; tlsKeyFile = mkOption { - type = types.str; - default = "/etc/vault/key.pem"; + type = types.nullOr types.str; + default = null; example = "/path/to/your/key.pem"; - description = "TLS private key file. A self-signed certificate will be generated if file not exists"; + description = "TLS private key file. TLS will be disabled unless this option is set"; }; listenerExtraConfig = mkOption { @@ -109,18 +113,6 @@ in preStart = optionalString (localDir != null) '' install -d -m0700 -o vault -g vault "${localDir}" - '' + '' - # generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client - if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then - mkdir -p $(dirname ${cfg.tlsCertFile}) || true - mkdir -p $(dirname ${cfg.tlsKeyFile }) || true - ${pkgs.openssl.bin}/bin/openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 99999 \ - -subj /C=US/ST=NY/L=NYC/O=vault/CN=${cfg.address} \ - -keyout ${cfg.tlsKeyFile} -out ${cfg.tlsCertFile} - - chown root:vault ${cfg.tlsKeyFile} ${cfg.tlsCertFile} - chmod 440 ${cfg.tlsKeyFile} ${cfg.tlsCertFile} - fi ''; serviceConfig = { 
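Review bot: With both `tlsCertFile` and `tlsKeyFile` now defaulting to `null`, the first hunk renders `tls_disable = "true"` unless both are set, so setting only one of them silently leaves the listener in plaintext, and a non-loopback `address` with the defaults serves tokens over unencrypted HTTP. Add an assertion that the two are set together, e.g. `{ assertion = (cfg.tlsCertFile == null) == (cfg.tlsKeyFile == null); message = "services.vault: tlsCertFile and tlsKeyFile must be set together"; }`, and consider a second one requiring TLS whenever `address` is not a loopback address. The descriptions in the second hunk say "TLS will be disabled unless this option is set" for each file on its own; they should read `TLS will be disabled unless both tlsCertFile and tlsKeyFile are set`.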
From ca16df17bd72fe8516a4a2dc6a18d3e9f86f89b0 Mon Sep 17 00:00:00 2001 From: Volth Date: Thu, 29 Jun 2017 02:02:13 +0000 Subject: [PATCH 08/11] vault: build as Makefile project, not as Go package --- pkgs/tools/security/vault/default.nix | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 29fba2802802..a04375883091 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -1,4 +1,4 @@ -{ stdenv, buildGoPackage, fetchFromGitHub }: +{ stdenv, fetchFromGitHub, go, gox }: let vaultBashCompletions = fetchFromGitHub { @@ -7,12 +7,10 @@ let rev = "e2f59b64be1fa5430fa05c91b6274284de4ea77c"; sha256 = "10m75rp3hy71wlmnd88grmpjhqy0pwb9m8wm19l0f463xla54frd"; }; -in buildGoPackage rec { +in stdenv.mkDerivation rec { name = "vault-${version}"; version = "0.7.3"; - goPackagePath = "github.com/hashicorp/vault"; - src = fetchFromGitHub { owner = "hashicorp"; repo = "vault"; @@ -20,14 +18,21 @@ in buildGoPackage rec { sha256 = "15wj1pfgzwzjfrqy7b5bx4y9f0hbpqlfif58l5xamwm88229qk4m"; }; - buildFlagsArray = '' - -ldflags= - -X github.com/hashicorp/vault/version.GitCommit=${version} + nativeBuildInputs = [ go gox ]; + + buildPhase = '' + substituteInPlace scripts/build.sh --replace 'git rev-parse HEAD' 'echo ${src.rev}' + + mkdir -p src/github.com/hashicorp + ln -s $(pwd) src/github.com/hashicorp/vault + + GOPATH=$(pwd) make ''; - postInstall = '' - mkdir -p $bin/share/bash-completion/completions/ - cp ${vaultBashCompletions}/vault-bash-completion.sh $bin/share/bash-completion/completions/vault + installPhase = '' + mkdir -p $out/bin $out/share/bash-completion/completions + cp pkg/*/* $out/bin/ + cp ${vaultBashCompletions}/vault-bash-completion.sh $out/share/bash-completion/completions/vault ''; meta = with stdenv.lib; { From 68bf28adaf4272b1540633fb65d848f152b028fa Mon Sep 17 00:00:00 2001 
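Review bot: `substituteInPlace scripts/build.sh --replace 'git rev-parse HEAD' 'echo ${src.rev}'` bakes `src.rev`, which is the tag `v${version}` per the `rev = "v${version}";` line of this derivation, into Vault's GitCommit field, so `vault version` will report a tag name where a commit hash is expected; use the tag's actual commit id (a constant in the expression) or leave the field empty. `cp pkg/*/*` also copies whatever per-platform directories `make` produced; if more than one `pkg/<os>_<arch>/` directory exists the later copy silently overwrites the earlier, so a single explicit path (or a check that exactly one directory exists) would be safer — worth confirming what the default target builds.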
From: Volth Date: Thu, 29 Jun 2017 21:10:56 +0000 Subject: [PATCH 09/11] vault: services.vault.storagePath for the file backend --- nixos/modules/services/security/vault.nix | 45 ++++++++++++----------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index 91d5810195af..6b11248adb33 100644 --- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix @@ -16,7 +16,8 @@ let ${cfg.listenerExtraConfig} } storage "${cfg.storageBackend}" { - ${cfg.storageConfig} + ${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''} + ${optionalString (cfg.storageConfig != null) cfg.storageConfig} } ${optionalString (cfg.telemetryConfig != "") '' telemetry { @@ -61,18 +62,21 @@ in }; storageBackend = mkOption { - type = types.enum ["inmem" "inmem_transactional" "inmem_ha" "inmem_transactional_ha" "file_transactional" "consul" "zookeeper" "file" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs"]; + type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ]; default = "inmem"; description = "The name of the type of storage backend"; }; + storagePath = mkOption { + type = types.nullOr types.path; + default = if cfg.storageBackend == "file" then "/var/lib/vault" else null; + description = "Data directory for file backend"; + }; + storageConfig = mkOption { - type = types.lines; + type = types.nullOr types.lines; + default = null; description = "Storage configuration"; - default = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then '' - path = "/var/lib/vault" - '' else '' - ''; }; telemetryConfig = mkOption { 
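Review bot: The `storagePath` description, `Data directory for file backend`, leaves out the behaviour this commit attaches to it: the directory is created with `install -d -m0700 -o vault -g vault` on every start, listed in `RequiresMountsFor`, and rejected by an assertion for any backend other than `file`. Something like `Data directory for the "file" backend; created 0700 and owned by the vault user at service start. Must be null for other backends.` would tell a user what they are opting into. `storageConfig` should likewise say that it is HCL appended verbatim to the `storage` block and that it ends up in the world-readable Nix store via `pkgs.writeText`, so credentials must not be placed in it.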
@@ -83,18 +87,15 @@ in }; }; - config = let - localDir = if (cfg.storageBackend == "file" || cfg.storageBackend == "file_transactional") then - let - matched = builtins.match ''.*path[ ]*=[ ]*"([^"]+)".*'' (toString cfg.storageConfig); - in - if matched == null then - throw ''`storageBackend` "${cfg.storageBackend}" requires path in `storageConfig`'' - else - head matched - else - null; - in mkIf cfg.enable { + config = mkIf cfg.enable { + assertions = [ + { assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null); + message = ''The "inmem" storage expects no services.vault.storagePath nor services.vault.storageConfig''; + } + { assertion = (cfg.storageBackend == "file" -> (cfg.storagePath != null && cfg.storageConfig == null)) && (cfg.storagePath != null -> cfg.storageBackend == "file"); + message = ''You must set services.vault.storagePath only when using the "file" backend''; + } + ]; users.extraUsers.vault = { name = "vault"; @@ -111,8 +112,8 @@ in after = [ "network.target" ] ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service"; - preStart = optionalString (localDir != null) '' - install -d -m0700 -o vault -g vault "${localDir}" + preStart = optionalString (cfg.storagePath != null) '' + install -d -m0700 -o vault -g vault "${cfg.storagePath}" ''; serviceConfig = { @@ -133,7 +134,7 @@ in StartLimitBurst = 3; }; - unitConfig.RequiresMountsFor = optional (localDir != null) localDir; + unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath; }; }; From c3996de4fd1014a9a0977d25e1235ea2949954d8 Mon Sep 17 00:00:00 2001 From: Volth Date: Sun, 2 Jul 2017 00:39:55 +0000 Subject: [PATCH 10/11] vault: remove-references-to go compiler --- pkgs/tools/security/vault/default.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index a04375883091..9de6216ea594 100644 
--- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, go, gox }: +{ stdenv, fetchFromGitHub, go, gox, removeReferencesTo }: let vaultBashCompletions = fetchFromGitHub { @@ -18,7 +18,7 @@ in stdenv.mkDerivation rec { sha256 = "15wj1pfgzwzjfrqy7b5bx4y9f0hbpqlfif58l5xamwm88229qk4m"; }; - nativeBuildInputs = [ go gox ]; + nativeBuildInputs = [ go gox removeReferencesTo ]; buildPhase = '' substituteInPlace scripts/build.sh --replace 'git rev-parse HEAD' 'echo ${src.rev}' @@ -31,7 +31,10 @@ in stdenv.mkDerivation rec { installPhase = '' mkdir -p $out/bin $out/share/bash-completion/completions + cp pkg/*/* $out/bin/ + find $out/bin -type f -exec remove-references-to -t ${go} '{}' + + cp ${vaultBashCompletions}/vault-bash-completion.sh $out/share/bash-completion/completions/vault ''; From 334e85e75abdfd87dd948ac226ed6c00d1143023 Mon Sep 17 00:00:00 2001 From: Volth Date: Mon, 3 Jul 2017 19:46:02 +0000 Subject: [PATCH 11/11] vault: do not restart the service on "nixos-rebuild switch" --- nixos/modules/services/security/vault.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index 6b11248adb33..146afec344ab 100644 --- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix @@ -112,6 +112,8 @@ in after = [ "network.target" ] ++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service"; + restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients. + preStart = optionalString (cfg.storagePath != null) '' install -d -m0700 -o vault -g vault "${cfg.storagePath}" '';
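Review bot: `restartIfChanged = false` also means that any change to the rendered config — a new `address`, rotated `tlsCertFile`/`tlsKeyFile`, a different storage backend — is silently not applied by `nixos-rebuild switch`, which the trailing comment should state together with the required manual `systemctl restart vault.service` (and that the restart seals Vault). Since Vault reloads its listener certificates on SIGHUP, as far as I recall, adding `serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";` with `reloadIfChanged = true;` would let certificate rotation take effect without sealing; whether the other options need a full restart should be checked against the Vault docs for this version.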