add auto unseal for vault-1

2023-04-28 15:55:06 +02:00 · 2023-04-28 15:55:06 +02:00 · c8d0760e0e
commit c8d0760e0e
parent 9dc8bba4f0
5 changed files with 135 additions and 20 deletions
--- a/nixos/common/modules/unpackerr.nix
+++ b/nixos/common/modules/unpackerr.nix
@ -45,7 +45,7 @@ let
      type = types.bool;
      default = false;
      description = ''
-        Delete archives after import? 
+        Delete archives after import?
        Recommend not setting this to true
      '';
    };
--- a/nixos/common/modules/vault.nix
+++ b/nixos/common/modules/vault.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, flat_hosts, ... }:
+{ config, pkgs, lib, flat_hosts, inputs, ... }:
 with lib;
 let
  cfg = config.services.v.vault;
@ -48,9 +48,31 @@ in {
        **note:** this has to be the same for all nodes in a cluster
      '';
    };
+
+    autoUnseal = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        whether to auto-unseal this vault
+      '';
+    };
+
+    autoUnsealTokenPath = mkOption {
+      type = types.str;
+      default = null;
+      example = "/var/lib/vault-unseal/keys.json";
+      description = ''
+        auto unseal tokens to use
+      '';
+    };
  };

  config = mkIf cfg.enable {
+    assertions = [{
+      assertion = cfg.autoUnseal -> (cfg.autoUnsealTokenPath != null);
+      message = "If autoUnseal is enabled, a token path is required!";
+    }];
+
    networking.firewall.allowedTCPPorts =
      mkIf cfg.openFirewall [ cfg.port cfg.clusterPort ];

@ -71,5 +93,24 @@ in {
        cluster_addr = "http://${hostIP}:${toString cfg.clusterPort}"
      '';
    };
+
+    systemd.services.vault-unseal = mkIf cfg.autoUnseal {
+      description = "Vault unseal service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "vault.service" ];
+      environment = {
+        VAULT_ADDR = "http://localhost:${toString cfg.port}";
+        VAULT_KEY_FILE = cfg.autoUnsealTokenPath;
+      };
+      serviceConfig = {
+        User = "vault";
+        Group = "vault";
+        Type = "simple";
+        Restart = "on-failure";
+        ExecStart = "${
+            inputs.vault-unseal.packages.${pkgs.system}.default
+          }/bin/vault-unseal";
+      };
+    };
  };
 }
--- a/nixos/hosts/olympus/vault-1/configuration.nix
+++ b/nixos/hosts/olympus/vault-1/configuration.nix
@ -2,7 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).

-{ config, pkgs, hosts, ... }: {
+_: {
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
@ -16,5 +16,8 @@
    enable = true;
    openFirewall = true;
    node_id = "olympus-2";
+
+    autoUnseal = true;
+    autoUnsealTokenPath = "/var/lib/vault-unseal/keys.json";
  };
 }