From 23caceb5571ceac44de6b1396cf132c61e31e3ae Mon Sep 17 00:00:00 2001 From: Thomas Date: Tue, 14 Feb 2023 21:40:39 +0100 Subject: [PATCH 1/4] maintainers: add tcheronneau --- maintainers/maintainer-list.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix index fa3f2990b9f..fa48c03245b 100644 --- a/maintainers/maintainer-list.nix +++ b/maintainers/maintainer-list.nix @@ -15136,6 +15136,12 @@ }]; name = "David Tchekachev"; }; + tcheronneau = { + email = "nix@mcth.fr"; + github = "tcheronneau"; + githubId = 7914437; + name = "Thomas Cheronneau"; + }; tckmn = { email = "andy@tck.mn"; github = "tckmn"; From 4e8bde773f7645cc238a9efd86c9d491af74ca35 Mon Sep 17 00:00:00 2001 From: Thomas Date: Tue, 14 Feb 2023 22:36:15 +0100 Subject: [PATCH 2/4] nixos/{consul-template,vault-agent}: init --- .../manual/release-notes/rl-2305.section.md | 4 + nixos/modules/module-list.nix | 1 + .../modules/services/security/vault-agent.nix | 128 ++++++++++++++++++ 3 files changed, 133 insertions(+) create mode 100644 nixos/modules/services/security/vault-agent.nix diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 601109ccee5..bb583c43f7c 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -85,6 +85,10 @@ In addition to numerous new and upgraded packages, this release has the followin - [keyd](https://github.com/rvaiya/keyd), a key remapping daemon for linux. Available as [services.keyd](#opt-services.keyd.enable). +- [consul-template](https://github.com/hashicorp/consul-template/), a template rendering, notifier, and supervisor for HashiCorp Consul and Vault data. Available as [services.consul-template](#opt-services.consul-template.instances). + +- [vault-agent](https://developer.hashicorp.com/vault/docs/agent), a template rendering and API auth proxy for HashiCorp Vault, similar to `consul-template`. Available as [services.vault-agent](#opt-services.vault-agent.instances). + - [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable). - [wstunnel](https://github.com/erebe/wstunnel), a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Instances may be configured via [services.wstunnel](options.html#opt-services.wstunnel.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index f1c459f7557..9558f59bddf 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1106,6 +1106,7 @@ ./services/security/torsocks.nix ./services/security/usbguard.nix ./services/security/vault.nix + ./services/security/vault-agent.nix ./services/security/vaultwarden/default.nix ./services/security/yubikey-agent.nix ./services/system/automatic-timezoned.nix diff --git a/nixos/modules/services/security/vault-agent.nix b/nixos/modules/services/security/vault-agent.nix new file mode 100644 index 00000000000..244004f7c91 --- /dev/null +++ b/nixos/modules/services/security/vault-agent.nix @@ -0,0 +1,128 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + format = pkgs.formats.json { }; + commonOptions = { pkgName, flavour ? pkgName }: mkOption { + default = { }; + description = mdDoc '' + Attribute set of ${flavour} instances. + Creates independent `${flavour}-''${name}.service` systemd units for each instance defined here. + ''; + type = with types; attrsOf (submodule ({ name, ... }: { + options = { + enable = mkEnableOption (mdDoc "this ${flavour} instance") // { default = true; }; + + package = mkPackageOptionMD pkgs pkgName { }; + + user = mkOption { + type = types.str; + default = "root"; + description = mdDoc '' + User under which this instance runs. + ''; + }; + + group = mkOption { + type = types.str; + default = "root"; + description = mdDoc '' + Group under which this instance runs. + ''; + }; + + settings = mkOption { + type = types.submodule { + freeformType = format.type; + + options = { + pid_file = mkOption { + default = "/run/${flavour}/${name}.pid"; + type = types.str; + description = mdDoc '' + Path to use for the pid file. + ''; + }; + + template = mkOption { + default = [ ]; + type = with types; listOf (attrsOf anything); + description = + let upstreamDocs = + if flavour == "vault-agent" + then "https://developer.hashicorp.com/vault/docs/agent/template" + else "https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#templates"; + in + mdDoc '' + Template section of ${flavour}. + Refer to <${upstreamDocs}> for supported values. + ''; + }; + }; + }; + + default = { }; + + description = + let upstreamDocs = + if flavour == "vault-agent" + then "https://developer.hashicorp.com/vault/docs/agent#configuration-file-options" + else "https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#configuration-file"; + in + mdDoc '' + Free-form settings written directly to the `config.json` file. + Refer to <${upstreamDocs}> for supported values. + + ::: {.note} + Resulting format is JSON not HCL. + Refer to if you are unsure how to convert HCL options to JSON. + ::: + ''; + }; + }; + })); + }; + + createAgentInstance = { instance, name, flavour }: + let + configFile = format.generate "${name}.json" instance.settings; + in + mkIf (instance.enable) { + description = "${flavour} daemon - ${name}"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + path = [ pkgs.getent ]; + startLimitIntervalSec = 60; + startLimitBurst = 3; + serviceConfig = { + User = instance.user; + Group = instance.group; + RuntimeDirectory = flavour; + ExecStart = "${getExe instance.package} ${optionalString ((getName instance.package) == "vault") "agent"} -config ${configFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; + KillSignal = "SIGINT"; + TimeoutStopSec = "30s"; + Restart = "on-failure"; + }; + }; +in +{ + options = { + services.consul-template.instances = commonOptions { pkgName = "consul-template"; }; + services.vault-agent.instances = commonOptions { pkgName = "vault"; flavour = "vault-agent"; }; + }; + + config = mkMerge (map + (flavour: + let cfg = config.services.${flavour}; in + mkIf (cfg.instances != { }) { + systemd.services = mapAttrs' + (name: instance: nameValuePair "${flavour}-${name}" (createAgentInstance { inherit name instance flavour; })) + cfg.instances; + }) + [ "consul-template" "vault-agent" ]); + + meta.maintainers = with maintainers; [ indeednotjames tcheronneau ]; +} + From 524fe7ff5156ef3790b97b8056317fc737840d0a Mon Sep 17 00:00:00 2001 From: IndeedNotJames Date: Tue, 25 Apr 2023 15:58:30 +0200 Subject: [PATCH 3/4] nixosTests.vault-agent: init --- nixos/tests/all-tests.nix | 1 + nixos/tests/vault-agent.nix | 52 +++++++++++++++++++++++++++ pkgs/tools/security/vault/default.nix | 2 +- 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 nixos/tests/vault-agent.nix diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 5b802fb2630..997d3893823 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -746,6 +746,7 @@ in { varnish60 = handleTest ./varnish.nix { package = pkgs.varnish60; }; varnish72 = handleTest ./varnish.nix { package = pkgs.varnish72; }; vault = handleTest ./vault.nix {}; + vault-agent = handleTest ./vault-agent.nix {}; vault-dev = handleTest ./vault-dev.nix {}; vault-postgresql = handleTest ./vault-postgresql.nix {}; vaultwarden = handleTest ./vaultwarden.nix {}; diff --git a/nixos/tests/vault-agent.nix b/nixos/tests/vault-agent.nix new file mode 100644 index 00000000000..dc86c829b67 --- /dev/null +++ b/nixos/tests/vault-agent.nix @@ -0,0 +1,52 @@ +import ./make-test-python.nix ({ pkgs, ... }: { + name = "vault-agent"; + + nodes.machine = { config, pkgs, ... }: { + services.vault-agent.instances.example.settings = { + vault.address = config.environment.variables.VAULT_ADDR; + + auto_auth = [{ + method = [{ + type = "token_file"; + config.token_file_path = pkgs.writeText "vault-token" config.environment.variables.VAULT_TOKEN; + }]; + }]; + + template = [{ + contents = '' + {{- with secret "secret/example" }} + {{ .Data.data.key }}" + {{- end }} + ''; + perms = "0600"; + destination = "/example"; + }]; + }; + + services.vault = { + enable = true; + dev = true; + devRootTokenID = config.environment.variables.VAULT_TOKEN; + }; + + environment = { + systemPackages = [ pkgs.vault ]; + variables = { + VAULT_ADDR = "http://localhost:8200"; + VAULT_TOKEN = "root"; + }; + }; + }; + + testScript = '' + machine.wait_for_unit("vault.service") + machine.wait_for_open_port(8200) + + machine.wait_until_succeeds('vault kv put secret/example key=example') + + machine.wait_for_unit("vault-agent-example.service") + + machine.wait_for_file("/example") + machine.succeed('grep "example" /example') + ''; +}) diff --git a/pkgs/tools/security/vault/default.nix b/pkgs/tools/security/vault/default.nix index 42eca27fb59..a6bb24e6fa3 100644 --- a/pkgs/tools/security/vault/default.nix +++ b/pkgs/tools/security/vault/default.nix @@ -38,7 +38,7 @@ buildGoModule rec { --prefix PATH ${lib.makeBinPath [ gawk glibc ]} ''; - passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev; }; + passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev vault-agent; }; meta = with lib; { homepage = "https://www.vaultproject.io/"; From 3e7069bb47e90254811052aff1c295f33ac9f4c7 Mon Sep 17 00:00:00 2001 From: IndeedNotJames Date: Tue, 25 Apr 2023 16:54:08 +0200 Subject: [PATCH 4/4] nixosTests.consul-template: init --- nixos/tests/all-tests.nix | 1 + nixos/tests/consul-template.nix | 36 +++++++++++++++++++ pkgs/tools/system/consul-template/default.nix | 6 +++- 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 nixos/tests/consul-template.nix diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 997d3893823..a04db168a15 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -146,6 +146,7 @@ in { collectd = handleTest ./collectd.nix {}; connman = handleTest ./connman.nix {}; consul = handleTest ./consul.nix {}; + consul-template = handleTest ./consul-template.nix {}; containers-bridge = handleTest ./containers-bridge.nix {}; containers-custom-pkgs.nix = handleTest ./containers-custom-pkgs.nix {}; containers-ephemeral = handleTest ./containers-ephemeral.nix {}; diff --git a/nixos/tests/consul-template.nix b/nixos/tests/consul-template.nix new file mode 100644 index 00000000000..cbffa94569e --- /dev/null +++ b/nixos/tests/consul-template.nix @@ -0,0 +1,36 @@ +import ./make-test-python.nix ({ ... }: { + name = "consul-template"; + + nodes.machine = { ... }: { + services.consul-template.instances.example.settings = { + template = [{ + contents = '' + {{ key "example" }} + ''; + perms = "0600"; + destination = "/example"; + }]; + }; + + services.consul = { + enable = true; + extraConfig = { + server = true; + bootstrap_expect = 1; + bind_addr = "127.0.0.1"; + }; + }; + }; + + testScript = '' + machine.wait_for_unit("consul.service") + machine.wait_for_open_port(8500) + + machine.wait_for_unit("consul-template-example.service") + + machine.wait_until_succeeds('consul kv put example example') + + machine.wait_for_file("/example") + machine.succeed('grep "example" /example') + ''; +}) diff --git a/pkgs/tools/system/consul-template/default.nix b/pkgs/tools/system/consul-template/default.nix index 8bcceecee95..9f6f2b84225 100644 --- a/pkgs/tools/system/consul-template/default.nix +++ b/pkgs/tools/system/consul-template/default.nix @@ -1,4 +1,4 @@ -{ lib, buildGoModule, fetchFromGitHub }: +{ lib, buildGoModule, fetchFromGitHub, nixosTests }: buildGoModule rec { pname = "consul-template"; @@ -17,6 +17,10 @@ buildGoModule rec { # execute tests so we skip them here doCheck = false; + passthru.tests = { + inherit (nixosTests) consul-template; + }; + meta = with lib; { homepage = "https://github.com/hashicorp/consul-template/"; description = "Generic template rendering and notifications with Consul";