feat: introduce a Vault module for secrets management
Via a fork of the Linux Foundation, called OpenBao. The module supports high availability but we only have one node for now. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
This commit is contained in:
parent
6441a01ab1
commit
e66c09ee10
|
@ -16,6 +16,7 @@
|
||||||
./buildbot
|
./buildbot
|
||||||
./newsletter
|
./newsletter
|
||||||
./s3-revproxy
|
./s3-revproxy
|
||||||
|
./vault
|
||||||
./extra-builders
|
./extra-builders
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
65
services/vault/default.nix
Normal file
65
services/vault/default.nix
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.bagel.infra.vault;
|
||||||
|
inherit (lib) mkEnableOption mkOption mkIf concatStringsSep types;
|
||||||
|
mkPeerNode = fqdn: ''
|
||||||
|
retry_join {
|
||||||
|
leader_api_addr = "https://${fqdn}"
|
||||||
|
leader_tls_servername = "${fqdn}"
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
wanAddress = if config.bagel.infra.self.wan.family == "inet6" then "[${config.bagel.infra.self.wan.address}]" else "${config.bagel.infra.self.wan.address}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.bagel.infra.vault = {
|
||||||
|
enable = mkEnableOption "the OpenBao (Vault fork) service";
|
||||||
|
peers = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
description = "List of FQDN that are peers of this service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
./module.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
# NGINX HTTP API access
|
||||||
|
80
|
||||||
|
443
|
||||||
|
# mTLS backed cluster port
|
||||||
|
8201
|
||||||
|
];
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
virtualHosts."${config.networking.fqdn}" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8200";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.openbao = {
|
||||||
|
enable = true;
|
||||||
|
storageBackend = "raft";
|
||||||
|
listenerExtraConfig = ''
|
||||||
|
cluster_address = "${wanAddress}:8201"
|
||||||
|
'';
|
||||||
|
storageConfig = ''
|
||||||
|
node_id = "${config.networking.fqdn}"
|
||||||
|
|
||||||
|
# Other nodes of the cluster.
|
||||||
|
${concatStringsSep "\n" (map mkPeerNode cfg.peers)}
|
||||||
|
'';
|
||||||
|
extraConfig = ''
|
||||||
|
cluster_addr = "http://${config.networking.fqdn}:8201"
|
||||||
|
api_addr = "https://${config.networking.fqdn}"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
237
services/vault/module.nix
Normal file
237
services/vault/module.nix
Normal file
|
@ -0,0 +1,237 @@
|
||||||
|
{ config, lib, options, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.services.openbao;
|
||||||
|
opt = options.services.openbao;
|
||||||
|
|
||||||
|
configFile = pkgs.writeText "openbao.hcl" ''
|
||||||
|
# vault in dev mode will refuse to start if its configuration sets listener
|
||||||
|
${lib.optionalString (!cfg.dev) ''
|
||||||
|
listener "tcp" {
|
||||||
|
address = "${cfg.address}"
|
||||||
|
${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
|
||||||
|
tls_disable = "true"
|
||||||
|
'' else ''
|
||||||
|
tls_cert_file = "${cfg.tlsCertFile}"
|
||||||
|
tls_key_file = "${cfg.tlsKeyFile}"
|
||||||
|
''}
|
||||||
|
${cfg.listenerExtraConfig}
|
||||||
|
}
|
||||||
|
''}
|
||||||
|
storage "${cfg.storageBackend}" {
|
||||||
|
${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}
|
||||||
|
${optionalString (cfg.storageConfig != null) cfg.storageConfig}
|
||||||
|
}
|
||||||
|
${optionalString (cfg.telemetryConfig != "") ''
|
||||||
|
telemetry {
|
||||||
|
${cfg.telemetryConfig}
|
||||||
|
}
|
||||||
|
''}
|
||||||
|
${cfg.extraConfig}
|
||||||
|
'';
|
||||||
|
|
||||||
|
allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
|
||||||
|
configOptions = escapeShellArgs
|
||||||
|
(lib.optional cfg.dev "-dev" ++
|
||||||
|
lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}"
|
||||||
|
++ (concatMap (p: ["-config" p]) allConfigPaths));
|
||||||
|
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
services.openbao = {
|
||||||
|
enable = mkEnableOption "OpenBao daemon";
|
||||||
|
|
||||||
|
package = mkPackageOption pkgs "openbao" { };
|
||||||
|
|
||||||
|
dev = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = ''
|
||||||
|
In this mode, the Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
devRootTokenID = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
description = ''
|
||||||
|
Initial root token. This only applies when {option}`services.vault.dev` is true
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "127.0.0.1:8200";
|
||||||
|
description = "The name of the ip interface to listen to";
|
||||||
|
};
|
||||||
|
|
||||||
|
tlsCertFile = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
example = "/path/to/your/cert.pem";
|
||||||
|
description = "TLS certificate file. TLS will be disabled unless this option is set";
|
||||||
|
};
|
||||||
|
|
||||||
|
tlsKeyFile = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
example = "/path/to/your/key.pem";
|
||||||
|
description = "TLS private key file. TLS will be disabled unless this option is set";
|
||||||
|
};
|
||||||
|
|
||||||
|
listenerExtraConfig = mkOption {
|
||||||
|
type = types.lines;
|
||||||
|
default = ''
|
||||||
|
tls_min_version = "tls12"
|
||||||
|
'';
|
||||||
|
description = "Extra text appended to the listener section.";
|
||||||
|
};
|
||||||
|
|
||||||
|
storageBackend = mkOption {
|
||||||
|
type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" "raft" ];
|
||||||
|
default = "inmem";
|
||||||
|
description = "The name of the type of storage backend";
|
||||||
|
};
|
||||||
|
|
||||||
|
storagePath = mkOption {
|
||||||
|
type = types.nullOr types.path;
|
||||||
|
default = if cfg.storageBackend == "file" || cfg.storageBackend == "raft" then "/var/lib/vault" else null;
|
||||||
|
defaultText = literalExpression ''
|
||||||
|
if config.${opt.storageBackend} == "file" || cfg.storageBackend == "raft"
|
||||||
|
then "/var/lib/vault"
|
||||||
|
else null
|
||||||
|
'';
|
||||||
|
description = "Data directory for file backend";
|
||||||
|
};
|
||||||
|
|
||||||
|
storageConfig = mkOption {
|
||||||
|
type = types.nullOr types.lines;
|
||||||
|
default = null;
|
||||||
|
description = ''
|
||||||
|
HCL configuration to insert in the storageBackend section.
|
||||||
|
|
||||||
|
Confidential values should not be specified here because this option's
|
||||||
|
value is written to the Nix store, which is publicly readable.
|
||||||
|
Provide credentials and such in a separate file using
|
||||||
|
[](#opt-services.vault.extraSettingsPaths).
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
telemetryConfig = mkOption {
|
||||||
|
type = types.lines;
|
||||||
|
default = "";
|
||||||
|
description = "Telemetry configuration";
|
||||||
|
};
|
||||||
|
|
||||||
|
extraConfig = mkOption {
|
||||||
|
type = types.lines;
|
||||||
|
default = "";
|
||||||
|
description = "Extra text appended to {file}`vault.hcl`.";
|
||||||
|
};
|
||||||
|
|
||||||
|
extraSettingsPaths = mkOption {
|
||||||
|
type = types.listOf types.path;
|
||||||
|
default = [];
|
||||||
|
description = ''
|
||||||
|
Configuration files to load besides the immutable one defined by the NixOS module.
|
||||||
|
This can be used to avoid putting credentials in the Nix store, which can be read by any user.
|
||||||
|
|
||||||
|
Each path can point to a JSON- or HCL-formatted file, or a directory
|
||||||
|
to be scanned for files with `.hcl` or
|
||||||
|
`.json` extensions.
|
||||||
|
|
||||||
|
To upload the confidential file with NixOps, use for example:
|
||||||
|
|
||||||
|
```
|
||||||
|
# https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
|
||||||
|
deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
|
||||||
|
text = ${"''"}
|
||||||
|
storage "postgresql" {
|
||||||
|
connection_url = "postgres://''${db.username}:''${db.password}@host.example.com/exampledb?sslmode=verify-ca"
|
||||||
|
}
|
||||||
|
${"''"};
|
||||||
|
user = "vault";
|
||||||
|
};
|
||||||
|
services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"];
|
||||||
|
services.vault.storageBackend = "postgresql";
|
||||||
|
users.users.vault.extraGroups = ["keys"];
|
||||||
|
```
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
nixpkgs.overlays = [ (self: super: {
|
||||||
|
openbao = super.callPackage ./package.nix { };
|
||||||
|
}) ];
|
||||||
|
|
||||||
|
environment.systemPackages = [
|
||||||
|
pkgs.openbao
|
||||||
|
];
|
||||||
|
|
||||||
|
assertions = [
|
||||||
|
{
|
||||||
|
assertion = cfg.storageBackend == "inmem" -> (cfg.storagePath == null && cfg.storageConfig == null);
|
||||||
|
message = ''The "inmem" storage expects no services.vault.storagePath nor services.vault.storageConfig'';
|
||||||
|
}
|
||||||
|
{
|
||||||
|
assertion = (
|
||||||
|
(cfg.storageBackend == "file" -> (cfg.storagePath != null && cfg.storageConfig == null)) &&
|
||||||
|
(cfg.storagePath != null -> (cfg.storageBackend == "file" || cfg.storageBackend == "raft"))
|
||||||
|
);
|
||||||
|
message = ''You must set services.vault.storagePath only when using the "file" or "raft" backend'';
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
users.users.openbao = {
|
||||||
|
name = "openbao";
|
||||||
|
group = "openbao";
|
||||||
|
uid = config.ids.uids.vault;
|
||||||
|
description = "OpenBao daemon user";
|
||||||
|
};
|
||||||
|
users.groups.openbao.gid = config.ids.gids.vault;
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = optional (cfg.storagePath != null)
|
||||||
|
"d '${cfg.storagePath}' 0700 openbao openbao - -";
|
||||||
|
|
||||||
|
systemd.services.openbao = {
|
||||||
|
description = "OpenBao server daemon";
|
||||||
|
|
||||||
|
wantedBy = ["multi-user.target"];
|
||||||
|
after = [ "network.target" ]
|
||||||
|
++ optional (config.services.consul.enable && cfg.storageBackend == "consul") "consul.service";
|
||||||
|
|
||||||
|
restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
|
||||||
|
|
||||||
|
startLimitIntervalSec = 60;
|
||||||
|
startLimitBurst = 3;
|
||||||
|
serviceConfig = {
|
||||||
|
User = "openbao";
|
||||||
|
Group = "openbao";
|
||||||
|
ExecStart = "${lib.getExe cfg.package} server ${configOptions}";
|
||||||
|
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
|
||||||
|
StateDirectory = "vault";
|
||||||
|
# In `dev` mode vault will put its token here
|
||||||
|
Environment = lib.optional (cfg.dev) "HOME=/var/lib/vault";
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectSystem = "full";
|
||||||
|
ProtectHome = "read-only";
|
||||||
|
AmbientCapabilities = "cap_ipc_lock";
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
LimitCORE = 0;
|
||||||
|
KillSignal = "SIGINT";
|
||||||
|
TimeoutStopSec = "30s";
|
||||||
|
Restart = "on-failure";
|
||||||
|
};
|
||||||
|
|
||||||
|
unitConfig.RequiresMountsFor = optional (cfg.storagePath != null) cfg.storagePath;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
51
services/vault/package.nix
Normal file
51
services/vault/package.nix
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
{ stdenv, lib, fetchFromGitHub, buildGoModule, installShellFiles, nixosTests
|
||||||
|
, makeWrapper
|
||||||
|
, gawk
|
||||||
|
, glibc
|
||||||
|
}:
|
||||||
|
|
||||||
|
buildGoModule rec {
|
||||||
|
pname = "openbao";
|
||||||
|
version = "2.0.2";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "openbao";
|
||||||
|
repo = "openbao";
|
||||||
|
rev = "v${version}";
|
||||||
|
hash = "sha256-7Dqrw00wjI/VCahY1+ANBMq9nPUQlb94HiBB3CKyhSQ=";
|
||||||
|
};
|
||||||
|
|
||||||
|
vendorHash = "sha256-qojDPhdCqnYCAFo5sc9mWyQxvHc/p/a1LYdW7MbOO5w=";
|
||||||
|
|
||||||
|
subPackages = [ "." ];
|
||||||
|
|
||||||
|
nativeBuildInputs = [ installShellFiles makeWrapper ];
|
||||||
|
|
||||||
|
tags = [ "openbao" ];
|
||||||
|
|
||||||
|
ldflags = [
|
||||||
|
"-s" "-w"
|
||||||
|
"-X github.com/openbao/openbao/sdk/version.GitCommit=${src.rev}"
|
||||||
|
"-X github.com/openbao/openbao/sdk/version.Version=${version}"
|
||||||
|
"-X github.com/openbao/openbao/sdk/version.VersionPrerelease="
|
||||||
|
];
|
||||||
|
|
||||||
|
postInstall = ''
|
||||||
|
echo "complete -C $out/bin/openbao openbao" > openbao.bash
|
||||||
|
installShellCompletion openbao.bash
|
||||||
|
'' + lib.optionalString stdenv.isLinux ''
|
||||||
|
wrapProgram $out/bin/openbao \
|
||||||
|
--prefix PATH ${lib.makeBinPath [ gawk glibc ]}
|
||||||
|
'';
|
||||||
|
|
||||||
|
# passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev vault-agent; };
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
homepage = "https://openbao.org/";
|
||||||
|
description = "Tool for managing secrets";
|
||||||
|
changelog = "https://github.com/openbao/openbao/blob/v${version}/CHANGELOG.md";
|
||||||
|
license = licenses.mpl20;
|
||||||
|
mainProgram = "openbao";
|
||||||
|
maintainers = with maintainers; [ raitobezarius ];
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue