mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-11-30 03:56:12 +01:00
a5a651dbb9
Signed-off-by: main <magic_rb@redalder.org>
150 lines
3.5 KiB
Nix
150 lines
3.5 KiB
Nix
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
|
|
#
|
|
# SPDX-License-Identifier: LGPL-3.0-or-later
|
|
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
with lib; let
|
|
cfg = config.services.vault-agent;
|
|
format = pkgs.formats.json {};
|
|
in {
|
|
options = {
|
|
services.vault-agent = {
|
|
enable = mkEnableOption "Vault, secure credentials storage and manager";
|
|
|
|
package = mkOption {
|
|
type = types.package;
|
|
default = pkgs.vault;
|
|
defaultText = "nixpkgs.vault";
|
|
description = ''
|
|
The package used for the Vault agent and CLI.
|
|
'';
|
|
};
|
|
|
|
secretsDir = mkOption {
|
|
type = types.nullOr types.path;
|
|
default = "/var/secrets";
|
|
description = ''
|
|
Vault secrets directory;
|
|
'';
|
|
};
|
|
|
|
settings = mkOption {
|
|
type = format.type;
|
|
default = {};
|
|
description = ''
|
|
Configuration for Vault Agent. See the <link xlink:href="https://www.vaultproject.io/docs/agent#configuration">documentation</link>
|
|
'';
|
|
};
|
|
|
|
secretsGroup = mkOption {
|
|
type = types.submodule {
|
|
options = {
|
|
name = mkOption {
|
|
type = types.str;
|
|
default = "secrets";
|
|
description = ''
|
|
Group used for accessing the secrets.
|
|
'';
|
|
};
|
|
id = mkOption {
|
|
type = types.int;
|
|
default = 1984;
|
|
description = ''
|
|
Group ID for the secrets group.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
default = {};
|
|
};
|
|
|
|
userName = mkOption {
|
|
type = types.str;
|
|
default = "vault-agent";
|
|
};
|
|
|
|
groupName = mkOption {
|
|
type = types.str;
|
|
default = "vault-agent";
|
|
};
|
|
|
|
uid = mkOption {
|
|
type = types.int;
|
|
default = 1985;
|
|
};
|
|
|
|
gid = mkOption {
|
|
type = types.int;
|
|
default = 1985;
|
|
};
|
|
};
|
|
};
|
|
|
|
config =
|
|
mkIf cfg.enable
|
|
(let
|
|
vaultConfig = format.generate "vault.json" cfg.settings;
|
|
in {
|
|
users = {
|
|
users = {
|
|
"${cfg.userName}" = {
|
|
group = cfg.groupName;
|
|
uid = cfg.uid;
|
|
isSystemUser = true;
|
|
};
|
|
};
|
|
groups = {
|
|
"${cfg.groupName}" = {
|
|
gid = cfg.gid;
|
|
};
|
|
|
|
"${cfg.secretsGroup.name}" = {
|
|
gid = cfg.secretsGroup.id;
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.tmpfiles.rules = mkIf (cfg.secretsDir != null) [
|
|
"d ${cfg.secretsDir} 6755 vault-agent ${cfg.secretsGroup.name} 0"
|
|
];
|
|
|
|
systemd.services.vault-agent = {
|
|
description = "Vault Agent";
|
|
|
|
wantedBy = ["multi-user.target"];
|
|
wants = ["network-online.target"];
|
|
after = ["network-online.target"];
|
|
|
|
path = with pkgs; [
|
|
glibc
|
|
];
|
|
|
|
serviceConfig = mkMerge [
|
|
{
|
|
User = cfg.userName;
|
|
Group = cfg.groupName;
|
|
|
|
ExecReload = "${pkgs.busybox}/bin/kill -HUP $MAINPID";
|
|
ExecStart = "${cfg.package}/bin/vault agent -config=${vaultConfig}";
|
|
|
|
KillMode = "process";
|
|
KillSignal = "SIGINT";
|
|
LimitNOFILE = 65536;
|
|
LimitNPROC = "infinity";
|
|
OOMScoreAdjust = -1000;
|
|
Restart = "always";
|
|
RestartSec = 2;
|
|
TasksMax = "infinity";
|
|
|
|
ConfigurationDirectory = "vault-agent";
|
|
ConfigurationDirectoryMode = "0700";
|
|
}
|
|
];
|
|
};
|
|
});
|
|
}
|