auto unseal more

This commit is contained in:
Vivian 2023-04-28 16:05:49 +02:00
parent 33fdd0b176
commit bbe5bdca2d
3 changed files with 22 additions and 14 deletions


@ -14,11 +14,11 @@ let
'') vault_hosts); '') vault_hosts);
in { in {
options.services.v.vault = { options.services.v.vault = {
enable = mkEnableOption "v.vault"; enable = mkEnableOption "v's vault";
node_id = mkOption { node_id = mkOption {
type = types.str; type = types.str;
description = '' description = lib.mdDoc ''
The cluster node id of this node The cluster node id of this node
''; '';
}; };
@ -26,15 +26,15 @@ in {
openFirewall = mkOption { openFirewall = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
Whether to open port port and clusterPort in the firewall for vault Whether to open port `port` and `clusterPort` in the firewall for vault
''; '';
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.int;
default = 8200; default = 8200;
description = '' description = lib.mdDoc ''
The port vault listens on The port vault listens on
**note:** this has to be the same for all nodes in a cluster **note:** this has to be the same for all nodes in a cluster
''; '';
@ -43,7 +43,7 @@ in {
clusterPort = mkOption { clusterPort = mkOption {
type = types.int; type = types.int;
default = 8201; default = 8201;
description = '' description = lib.mdDoc ''
The cluster port vault listens on The cluster port vault listens on
**note:** this has to be the same for all nodes in a cluster **note:** this has to be the same for all nodes in a cluster
''; '';
@ -52,24 +52,29 @@ in {
autoUnseal = mkOption { autoUnseal = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
whether to auto-unseal this vault Whether to auto-unseal this vault
''; '';
}; };
autoUnsealTokenPath = mkOption { autoUnsealKeysFile = mkOption {
type = types.str; type = types.str;
default = null; default = null;
example = "/var/lib/vault-unseal/keys.json"; example = "/var/lib/vault-unseal/keys.json";
description = '' description = lib.mdDoc ''
auto unseal tokens to use auto unseal keys to use, has to be a json file with the following structure
```json
{
keys = [ key_1, ..., key_n ]
}
```
''; '';
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions = [{ assertions = [{
assertion = cfg.autoUnseal -> (cfg.autoUnsealTokenPath != null); assertion = cfg.autoUnseal -> (cfg.autoUnsealKeysFile != null);
message = "If autoUnseal is enabled, a token path is required!"; message = "If autoUnseal is enabled, a token path is required!";
}]; }];
@ -100,7 +105,7 @@ in {
after = [ "vault.service" ]; after = [ "vault.service" ];
environment = { environment = {
VAULT_ADDR = "http://localhost:${toString cfg.port}"; VAULT_ADDR = "http://localhost:${toString cfg.port}";
VAULT_KEY_FILE = cfg.autoUnsealTokenPath; VAULT_KEY_FILE = cfg.autoUnsealKeysFile;
}; };
serviceConfig = { serviceConfig = {
User = "vault"; User = "vault";
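Review bot: The assertion message `message = "If autoUnseal is enabled, a token path is required!";` still talks about a token path although the option it guards is now `autoUnsealKeysFile`; change it to `message = "If autoUnseal is enabled, autoUnsealKeysFile is required!";`. The JSON sample in the new description is written Nix-style as `keys = [ key_1, ..., key_n ]`, which is not valid JSON; `"keys": [ "key_1", ..., "key_n" ]` would match what the description promises. The option also keeps `type = types.str;` together with `default = null;`, so evaluating the default fails the module type check before the `!= null` assertion ever runs; `type = types.nullOr types.str;` is what the assertion presumes. Since this file holds the unseal keys in plaintext and is read by a service running as `User = "vault"` (its ExecStart lies outside the hunk), the description should also state that the file must be readable only by that user, and that keeping the keys on the node itself reduces the seal to protecting the file at rest rather than against compromise of the host.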


@ -16,5 +16,8 @@
enable = true; enable = true;
openFirewall = true; openFirewall = true;
node_id = "olympus-1"; node_id = "olympus-1";
autoUnseal = true;
autoUnsealKeysFile = "/var/lib/vault-unseal/keys.json";
}; };
} }


@ -18,6 +18,6 @@ _: {
node_id = "olympus-2"; node_id = "olympus-2";
autoUnseal = true; autoUnseal = true;
autoUnsealTokenPath = "/var/lib/vault-unseal/keys.json"; autoUnsealKeysFile = "/var/lib/vault-unseal/keys.json";
}; };
} }