auto unseal more
This commit is contained in:
parent
33fdd0b176
commit
bbe5bdca2d
3 changed files with 22 additions and 14 deletions
|
@ -14,11 +14,11 @@ let
|
||||||
'') vault_hosts);
|
'') vault_hosts);
|
||||||
in {
|
in {
|
||||||
options.services.v.vault = {
|
options.services.v.vault = {
|
||||||
enable = mkEnableOption "v.vault";
|
enable = mkEnableOption "v's vault";
|
||||||
|
|
||||||
node_id = mkOption {
|
node_id = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = ''
|
description = lib.mdDoc ''
|
||||||
The cluster node id of this node
|
The cluster node id of this node
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -26,15 +26,15 @@ in {
|
||||||
openFirewall = mkOption {
|
openFirewall = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = lib.mdDoc ''
|
||||||
Whether to open port port and clusterPort in the firewall for vault
|
Whether to open port `port` and `clusterPort` in the firewall for vault
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
port = mkOption {
|
port = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
default = 8200;
|
default = 8200;
|
||||||
description = ''
|
description = lib.mdDoc ''
|
||||||
The port vault listens on
|
The port vault listens on
|
||||||
**note:** this has to be the same for all nodes in a cluster
|
**note:** this has to be the same for all nodes in a cluster
|
||||||
'';
|
'';
|
||||||
|
@ -43,7 +43,7 @@ in {
|
||||||
clusterPort = mkOption {
|
clusterPort = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
default = 8201;
|
default = 8201;
|
||||||
description = ''
|
description = lib.mdDoc ''
|
||||||
The cluster port vault listens on
|
The cluster port vault listens on
|
||||||
**note:** this has to be the same for all nodes in a cluster
|
**note:** this has to be the same for all nodes in a cluster
|
||||||
'';
|
'';
|
||||||
|
@ -52,24 +52,29 @@ in {
|
||||||
autoUnseal = mkOption {
|
autoUnseal = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = lib.mdDoc ''
|
||||||
whether to auto-unseal this vault
|
Whether to auto-unseal this vault
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
autoUnsealTokenPath = mkOption {
|
autoUnsealKeysFile = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = null;
|
default = null;
|
||||||
example = "/var/lib/vault-unseal/keys.json";
|
example = "/var/lib/vault-unseal/keys.json";
|
||||||
description = ''
|
description = lib.mdDoc ''
|
||||||
auto unseal tokens to use
|
auto unseal keys to use, has to be a json file with the following structure
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
keys = [ key_1, ..., key_n ]
|
||||||
|
}
|
||||||
|
```
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
assertions = [{
|
assertions = [{
|
||||||
assertion = cfg.autoUnseal -> (cfg.autoUnsealTokenPath != null);
|
assertion = cfg.autoUnseal -> (cfg.autoUnsealKeysFile != null);
|
||||||
message = "If autoUnseal is enabled, a token path is required!";
|
message = "If autoUnseal is enabled, a token path is required!";
|
||||||
}];
|
}];
|
||||||
|
|
||||||
|
@ -100,7 +105,7 @@ in {
|
||||||
after = [ "vault.service" ];
|
after = [ "vault.service" ];
|
||||||
environment = {
|
environment = {
|
||||||
VAULT_ADDR = "http://localhost:${toString cfg.port}";
|
VAULT_ADDR = "http://localhost:${toString cfg.port}";
|
||||||
VAULT_KEY_FILE = cfg.autoUnsealTokenPath;
|
VAULT_KEY_FILE = cfg.autoUnsealKeysFile;
|
||||||
};
|
};
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "vault";
|
User = "vault";
|
||||||
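Review bot: `autoUnsealKeysFile` in the `@ -52,24 +52,29 @@` hunk keeps `type = types.str` together with `default = null`, so the option fails type-checking the moment it is evaluated while unset (the `VAULT_KEY_FILE = cfg.autoUnsealKeysFile;` line in the last hunk reads it; whether that service is gated on `cfg.autoUnseal` is outside the hunk) — declare it as `type = types.nullOr types.path;`. The assertion in the same hunk still reports the pre-rename name, `"a token path is required!"`; it should read `message = "If autoUnseal is enabled, autoUnsealKeysFile is required!";`. The documented file layout is not valid JSON as written (`keys = [ ... ]`); it should be `"keys": [ "key_1", ..., "key_n" ]`. Since this file holds the Shamir unseal shares in the clear on the Vault host itself, so that anyone able to read it can unseal the vault, the description should also state that it must be readable only by the user the unseal service runs as (`User = "vault"` per the last hunk, e.g. mode 0400) and that a transit/KMS seal is the safer alternative outside of lab use.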
|
|
|
@ -16,5 +16,8 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
node_id = "olympus-1";
|
node_id = "olympus-1";
|
||||||
|
|
||||||
|
autoUnseal = true;
|
||||||
|
autoUnsealKeysFile = "/var/lib/vault-unseal/keys.json";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
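Review bot: The keys file that auto-unseal is enabled from here, `/var/lib/vault-unseal/keys.json`, is not provisioned anywhere in this commit, so its existence, ownership and mode are left to out-of-band deployment. The unseal service appears to run as `User = "vault"` (per the module hunk above), so the file has to be readable by that user and by nobody else — for example `0400 vault:vault` — or, preferably, delivered through a secrets mechanism rather than a plain file under `/var/lib`. Because olympus-2 is configured with the same path, each node would carry a complete set of unseal shares on its own disk, which removes the threshold property Shamir sealing is meant to provide; consider whether that is acceptable for this cluster or whether a transit/KMS seal should be used instead.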
|
|
|
@ -18,6 +18,6 @@ _: {
|
||||||
node_id = "olympus-2";
|
node_id = "olympus-2";
|
||||||
|
|
||||||
autoUnseal = true;
|
autoUnseal = true;
|
||||||
autoUnsealTokenPath = "/var/lib/vault-unseal/keys.json";
|
autoUnsealKeysFile = "/var/lib/vault-unseal/keys.json";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|