modularized vault config

2022-09-29 18:56:03 +02:00 · 2022-09-29 18:56:03 +02:00 · ca94555776
commit ca94555776
parent c788303183
9 changed files with 120 additions and 104 deletions
--- a/nixos/common/modules/default.nix
+++ b/nixos/common/modules/default.nix
@ -4,5 +4,6 @@
    ./flood.nix
    ./unpackerr.nix
    ./vmagent.nix
+    ./vault.nix
  ];
 }
--- a/nixos/common/modules/vault.nix
+++ b/nixos/common/modules/vault.nix
@ -0,0 +1,75 @@
+{ config, pkgs, lib, flat_hosts, ... }:
+with lib;
+let
+  cfg = config.services.v.vault;
+  hostIP = config.deployment.targetHost;
+
+  vault_hosts =
+    filter ({ tags ? [ ], ip ? "", ... }: (elem "vault" tags) && (ip != hostIP))
+    flat_hosts;
+  cluster_config = concatStrings (map ({ ip, ... }: ''
+    retry_join {
+      leader_api_addr = "http://${ip}:${toString cfg.port}"
+    }
+  '') vault_hosts);
+in {
+  options.services.v.vault = {
+    enable = mkEnableOption "v.vault";
+
+    node_id = mkOption {
+      type = types.str;
+      description = ''
+        The cluster node id of this node
+      '';
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to open port port and clusterPort in the firewall for vault
+      '';
+    };
+
+    port = mkOption {
+      type = types.int;
+      default = 8200;
+      description = ''
+        The port vault listens on
+        **note:** this has to be the same for all nodes in a cluster
+      '';
+    };
+
+    clusterPort = mkOption {
+      type = types.int;
+      default = 8201;
+      description = ''
+        The cluster port vault listens on
+        **note:** this has to be the same for all nodes in a cluster
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts =
+      mkIf cfg.openFirewall [ cfg.port cfg.clusterPort ];
+
+    services.vault = {
+      enable = true;
+      # bin version includes the UI
+      package = pkgs.vault-bin;
+      address = "0.0.0.0:${toString cfg.port}";
+      storageBackend = "raft";
+      storagePath = "/var/lib/vault-raft";
+      storageConfig = ''
+        node_id = "${cfg.node_id}"
+      '' + cluster_config;
+      extraConfig = ''
+        ui = true
+        disable_mlock = true
+        api_addr = "http://${hostIP}:${toString cfg.port}"
+        cluster_addr = "http://${hostIP}:${toString cfg.clusterPort}"
+      '';
+    };
+  };
+}