parent
8791cad96b
commit
442f76d72a
@ -0,0 +1,208 @@ |
||||
{ config, lib, pkgs, utils, ... }: |
||||
|
||||
with lib; |
||||
let |
||||
|
||||
inherit (pkgs) vault; |
||||
|
||||
cfg = config.services.vault; |
||||
|
||||
configFile = pkgs.writeText "vault.hcl" '' |
||||
listener "tcp" { |
||||
address = "${cfg.listener.address}" |
||||
|
||||
${optionalString (cfg.listener.cluster_address != null)'' |
||||
cluster_address = "${cfg.listener.cluster_address}" |
||||
''} |
||||
|
||||
${optionalString (cfg.listener.tls_cert_file != null)'' |
||||
tls_cert_file = "${cfg.listener.tls_cert_file}" |
||||
''} |
||||
|
||||
${optionalString (cfg.listener.tls_key_file != null)'' |
||||
tls_key_file = "${cfg.listener.tls_key_file}" |
||||
''} |
||||
|
||||
${if cfg.listener.tls_disable then "tls_disable = \"1\"" else "" } |
||||
|
||||
tls_min_version = "${cfg.listener.tls_min_version}" |
||||
|
||||
|
||||
${optionalString (cfg.listener.tls_cipher_suites != null)'' |
||||
tls_cipher_suites = \"${cfg.listener.tls_cipher_suites}\" |
||||
''} |
||||
|
||||
tls_prefer_server_cipher_suites = "${boolToString cfg.listener.tls_prefer_server_cipher_suites}" |
||||
|
||||
tls_require_and_verify_client_cert = "${boolToString cfg.listener.tls_require_and_verify_client_cert}" |
||||
|
||||
} |
||||
|
||||
storage "${cfg.storage.backend}" { |
||||
${cfg.storage.extraConfig} |
||||
} |
||||
|
||||
${if cfg.telemetry.extraConfig != "" then " |
||||
telemetry { |
||||
${if cfg.telemetry.disable_hostname then "disable_hostname = \"true\"" else ""} |
||||
${cfg.telemetry.extraConfig} |
||||
}" else ""} |
||||
|
||||
''; |
||||
|
||||
in |
||||
{ |
||||
options = { |
||||
|
||||
services.vault = { |
||||
|
||||
enable = mkOption { |
||||
type = types.bool; |
||||
default = false; |
||||
description = '' |
||||
Enables the vault daemon. |
||||
''; |
||||
}; |
||||
|
||||
listener = { |
||||
|
||||
address = mkOption { |
||||
type = types.str; |
||||
default = "127.0.0.1:8200"; |
||||
description = '' |
||||
The name of the ip interface to listen to. |
||||
''; |
||||
}; |
||||
|
||||
cluster_address = mkOption { |
||||
type = types.nullOr types.str; |
||||
default = null; |
||||
description = '' |
||||
The name of the address to bind to for cluster server-to-server requests. |
||||
''; |
||||
}; |
||||
|
||||
tls_cert_file = mkOption { |
||||
type = types.str; |
||||
default = ""; |
||||
description = '' |
||||
The name of the crt file for the ssl certificate. |
||||
''; |
||||
}; |
||||
|
||||
tls_key_file = mkOption { |
||||
type = types.str; |
||||
default = ""; |
||||
description = '' |
||||
The name of the key file for the ssl certificate. |
||||
''; |
||||
}; |
||||
|
||||
tls_disable = mkOption { |
||||
type = types.bool; |
||||
default = false; |
||||
description = '' |
||||
Specifies if TLS will be disabled. Vault assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication. |
||||
''; |
||||
}; |
||||
|
||||
tls_min_version = mkOption { |
||||
type = types.enum [ "tls10" "tls11" "tls12" ]; |
||||
default = "tls12"; |
||||
description = '' |
||||
The minimum supported version of TLS. Accepted values are "tls10", "tls11" or "tls12". |
||||
''; |
||||
}; |
||||
|
||||
tls_cipher_suites = mkOption { |
||||
type = types.nullOr types.str; |
||||
default = null; |
||||
description = '' |
||||
The list of supported ciphersuites as a comma-separated-list. |
||||
''; |
||||
}; |
||||
|
||||
tls_prefer_server_cipher_suites = mkOption { |
||||
type = types.bool; |
||||
default = false; |
||||
description = '' |
||||
Specifies to prefer the server's ciphersuite over the client ciphersuites. |
||||
''; |
||||
}; |
||||
|
||||
tls_require_and_verify_client_cert = mkOption { |
||||
type = types.bool; |
||||
default = false; |
||||
description = '' |
||||
Turns on client authentication for this listener. |
||||
''; |
||||
}; |
||||
|
||||
}; |
||||
|
||||
storage = { |
||||
|
||||
backend = mkOption { |
||||
type = types.str; |
||||
default = "inMemory"; |
||||
description = '' |
||||
The name of the type of storage backend. |
||||
''; |
||||
}; |
||||
|
||||
extraConfig = mkOption { |
||||
type = types.lines; |
||||
default = ""; |
||||
description = '' |
||||
Configuration for storage |
||||
''; |
||||
}; |
||||
|
||||
}; |
||||
|
||||
|
||||
telemetry = { |
||||
|
||||
disable_hostname = mkOption { |
||||
type = types.bool; |
||||
default = false; |
||||
description = '' |
||||
Specifies if gauge values should be prefixed with the local hostname. |
||||
''; |
||||
}; |
||||
|
||||
extraConfig = mkOption { |
||||
type = types.lines; |
||||
default = ""; |
||||
description = '' |
||||
configuration for telemetry |
||||
''; |
||||
}; |
||||
|
||||
}; |
||||
|
||||
}; |
||||
|
||||
}; |
||||
|
||||
config = mkIf cfg.enable { |
||||
|
||||
systemd.services.vault = |
||||
{ description = "Vault server daemon"; |
||||
|
||||
wantedBy = ["multi-user.target"]; |
||||
|
||||
preStart = |
||||
'' |
||||
mkdir -m 0755 -p /var/lib/vault |
||||
''; |
||||
|
||||
serviceConfig = |
||||
{ ExecStart = |
||||
"${pkgs.vault}/bin/vault server -config ${configFile}"; |
||||
KillMode = "process"; |
||||
}; |
||||
}; |
||||
}; |
||||
|
||||
} |
Loading…
Reference in new issue