diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 5d9b062f204..7de839c201a 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -555,6 +555,7 @@ ./services/security/tor.nix ./services/security/torify.nix ./services/security/torsocks.nix + ./services/security/vault.nix ./services/system/cgmanager.nix ./services/system/cloud-init.nix ./services/system/dbus.nix diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix new file mode 100644 index 00000000000..314bf59804d --- /dev/null +++ b/nixos/modules/services/security/vault.nix @@ -0,0 +1,208 @@ +{ config, lib, pkgs, utils, ... }: + +with lib; +let + + inherit (pkgs) vault; + + cfg = config.services.vault; + + configFile = pkgs.writeText "vault.hcl" '' + listener "tcp" { + address = "${cfg.listener.address}" + + ${optionalString (cfg.listener.cluster_address != null)'' + cluster_address = "${cfg.listener.cluster_address}" + ''} + + ${optionalString (cfg.listener.tls_cert_file != null)'' + tls_cert_file = "${cfg.listener.tls_cert_file}" + ''} + + ${optionalString (cfg.listener.tls_key_file != null)'' + tls_key_file = "${cfg.listener.tls_key_file}" + ''} + + ${if cfg.listener.tls_disable then "tls_disable = \"1\"" else "" } + + tls_min_version = "${cfg.listener.tls_min_version}" + + + ${optionalString (cfg.listener.tls_cipher_suites != null)'' + tls_cipher_suites = \"${cfg.listener.tls_cipher_suites}\" + ''} + + tls_prefer_server_cipher_suites = "${boolToString cfg.listener.tls_prefer_server_cipher_suites}" + + tls_require_and_verify_client_cert = "${boolToString cfg.listener.tls_require_and_verify_client_cert}" + + } + + storage "${cfg.storage.backend}" { + ${cfg.storage.extraConfig} + } + + ${if cfg.telemetry.extraConfig != "" then " + telemetry { + ${if cfg.telemetry.disable_hostname then "disable_hostname = \"true\"" else ""} + ${cfg.telemetry.extraConfig} + }" else ""} + + ''; + +in +{ + options = { + + services.vault = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enables the vault daemon. + ''; + }; + + listener = { + + address = mkOption { + type = types.str; + default = "127.0.0.1:8200"; + description = '' + The name of the ip interface to listen to. + ''; + }; + + cluster_address = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The name of the address to bind to for cluster server-to-server requests. + ''; + }; + + tls_cert_file = mkOption { + type = types.str; + default = ""; + description = '' + The name of the crt file for the ssl certificate. + ''; + }; + + tls_key_file = mkOption { + type = types.str; + default = ""; + description = '' + The name of the key file for the ssl certificate. + ''; + }; + + tls_disable = mkOption { + type = types.bool; + default = false; + description = '' + Specifies if TLS will be disabled. Vault assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication. + ''; + }; + + tls_min_version = mkOption { + type = types.enum [ "tls10" "tls11" "tls12" ]; + default = "tls12"; + description = '' + The minimum supported version of TLS. Accepted values are "tls10", "tls11" or "tls12". + ''; + }; + + tls_cipher_suites = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The list of supported ciphersuites as a comma-separated-list. + ''; + }; + + tls_prefer_server_cipher_suites = mkOption { + type = types.bool; + default = false; + description = '' + Specifies to prefer the server's ciphersuite over the client ciphersuites. + ''; + }; + + tls_require_and_verify_client_cert = mkOption { + type = types.bool; + default = false; + description = '' + Turns on client authentication for this listener. + ''; + }; + + }; + + storage = { + + backend = mkOption { + type = types.str; + default = "inMemory"; + description = '' + The name of the type of storage backend. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Configuration for storage + ''; + }; + + }; + + + telemetry = { + + disable_hostname = mkOption { + type = types.bool; + default = false; + description = '' + Specifies if gauge values should be prefixed with the local hostname. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + configuration for telemetry + ''; + }; + + }; + + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.vault = + { description = "Vault server daemon"; + + wantedBy = ["multi-user.target"]; + + preStart = + '' + mkdir -m 0755 -p /var/lib/vault + ''; + + serviceConfig = + { ExecStart = + "${pkgs.vault}/bin/vault server -config ${configFile}"; + KillMode = "process"; + }; + }; + }; + +} diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 0344fc0a74e..6e8128ec00f 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -9,7 +9,7 @@ let }; in buildGoPackage rec { name = "vault-${version}"; - version = "0.6.5"; + version = "0.7.2"; goPackagePath = "github.com/hashicorp/vault"; @@ -17,7 +17,7 @@ in buildGoPackage rec { owner = "hashicorp"; repo = "vault"; rev = "v${version}"; - sha256 = "0ci46zn9d9h26flgjf4inmvk4mb1hlixvx5g7vg02raw0cqvknnb"; + sha256 = "1kclpyb9a9y5zjvrlbxnkac4fl3lwqsr98v4yydf9ihl5v7wy4f5"; }; buildFlagsArray = ''