Unverified Commit 50200de3 authored by Kira Bruneau's avatar Kira Bruneau Committed by GitHub

Merge pull request #216230 from tcheronneau/master

 nixos/{consul-template,vault-agent}: init 
parents 234d0433 3e7069bb
+6 −0
@@ -15245,6 +15245,12 @@
    }];
    name = "David Tchekachev";
  };
  tcheronneau = {
    email = "nix@mcth.fr";
    github = "tcheronneau";
    githubId = 7914437;
    name = "Thomas Cheronneau";
  };
  tckmn = {
    email = "andy@tck.mn";
    github = "tckmn";
+4 −0
@@ -87,6 +87,10 @@ In addition to numerous new and upgraded packages, this release has the followin

- [keyd](https://github.com/rvaiya/keyd), a key remapping daemon for linux. Available as [services.keyd](#opt-services.keyd.enable).

- [consul-template](https://github.com/hashicorp/consul-template/), a template rendering, notifier, and supervisor for HashiCorp Consul and Vault data. Available as [services.consul-template](#opt-services.consul-template.instances).

- [vault-agent](https://developer.hashicorp.com/vault/docs/agent), a template rendering and API auth proxy for HashiCorp Vault, similar to `consul-template`. Available as [services.vault-agent](#opt-services.vault-agent.instances).

- [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable).

- [wstunnel](https://github.com/erebe/wstunnel), a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Instances may be configured via [services.wstunnel](options.html#opt-services.wstunnel.enable).
+1 −0
@@ -1109,6 +1109,7 @@
  ./services/security/torsocks.nix
  ./services/security/usbguard.nix
  ./services/security/vault.nix
  ./services/security/vault-agent.nix
  ./services/security/vaultwarden/default.nix
  ./services/security/yubikey-agent.nix
  ./services/system/automatic-timezoned.nix
+128 −0
{ config, lib, pkgs, ... }:

with lib;

let
  format = pkgs.formats.json { };
  commonOptions = { pkgName, flavour ? pkgName }: mkOption {
    default = { };
    description = mdDoc ''
      Attribute set of ${flavour} instances.
      Creates independent `${flavour}-''${name}.service` systemd units for each instance defined here.
    '';
    type = with types; attrsOf (submodule ({ name, ... }: {
      options = {
        enable = mkEnableOption (mdDoc "this ${flavour} instance") // { default = true; };

        package = mkPackageOptionMD pkgs pkgName { };

        user = mkOption {
          type = types.str;
          default = "root";
          description = mdDoc ''
            User under which this instance runs.
          '';
        };

        group = mkOption {
          type = types.str;
          default = "root";
          description = mdDoc ''
            Group under which this instance runs.
          '';
        };

        settings = mkOption {
          type = types.submodule {
            freeformType = format.type;

            options = {
              pid_file = mkOption {
                default = "/run/${flavour}/${name}.pid";
                type = types.str;
                description = mdDoc ''
                  Path to use for the pid file.
                '';
              };

              template = mkOption {
                default = [ ];
                type = with types; listOf (attrsOf anything);
                description =
                  let upstreamDocs =
                    if flavour == "vault-agent"
                    then "https://developer.hashicorp.com/vault/docs/agent/template"
                    else "https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#templates";
                  in
                  mdDoc ''
                    Template section of ${flavour}.
                    Refer to <${upstreamDocs}> for supported values.
                  '';
              };
            };
          };

          default = { };

          description =
            let upstreamDocs =
              if flavour == "vault-agent"
              then "https://developer.hashicorp.com/vault/docs/agent#configuration-file-options"
              else "https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#configuration-file";
            in
            mdDoc ''
              Free-form settings written directly to the `config.json` file.
              Refer to <${upstreamDocs}> for supported values.

              ::: {.note}
              Resulting format is JSON not HCL.
              Refer to <https://www.hcl2json.com/> if you are unsure how to convert HCL options to JSON.
              :::
            '';
        };
      };
    }));
  };

  createAgentInstance = { instance, name, flavour }:
    let
      configFile = format.generate "${name}.json" instance.settings;
    in
    mkIf (instance.enable) {
      description = "${flavour} daemon - ${name}";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      path = [ pkgs.getent ];
      startLimitIntervalSec = 60;
      startLimitBurst = 3;
      serviceConfig = {
        User = instance.user;
        Group = instance.group;
        RuntimeDirectory = flavour;
        ExecStart = "${getExe instance.package} ${optionalString ((getName instance.package) == "vault") "agent"} -config ${configFile}";
        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
        KillSignal = "SIGINT";
        TimeoutStopSec = "30s";
        Restart = "on-failure";
      };
    };
in
{
  options = {
    services.consul-template.instances = commonOptions { pkgName = "consul-template"; };
    services.vault-agent.instances = commonOptions { pkgName = "vault"; flavour = "vault-agent"; };
  };

  config = mkMerge (map
    (flavour:
      let cfg = config.services.${flavour}; in
      mkIf (cfg.instances != { }) {
        systemd.services = mapAttrs'
          (name: instance: nameValuePair "${flavour}-${name}" (createAgentInstance { inherit name instance flavour; }))
          cfg.instances;
      })
    [ "consul-template" "vault-agent" ]);

  meta.maintainers = with maintainers; [ indeednotjames tcheronneau ];
}
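Review bot: The `settings` option is rendered by `format.generate` into `configFile`, a Nix store path, so anything a user places there (a Vault token, an AppRole secret, a Consul ACL token) becomes world-readable on the host, and the `settings` description does not warn about this. I would add to that description: `Secrets must not be placed here: the generated config.json lives in the world-readable Nix store. Reference credentials by path to files with restricted permissions instead.` Related, `user` and `group` default to `"root"` and the `serviceConfig` sets no sandboxing (`NoNewPrivileges`, `ProtectSystem`, `PrivateTmp` or similar), so a daemon whose job is to hold Vault/Consul credentials runs fully privileged unless the user overrides both options — at least the option descriptions should recommend a dedicated user. Also, `RuntimeDirectory = flavour` is shared by every instance of the same flavour, so systemd removes `/run/<flavour>` together with the other instances' `pid_file`s when any one instance stops, and instances running as different users will contend for ownership of that single directory; setting `RuntimeDirectoryPreserve = "yes"` or giving each instance its own directory (and matching `pid_file` default) avoids that.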
+2 −0
@@ -146,6 +146,7 @@ in {
  collectd = handleTest ./collectd.nix {};
  connman = handleTest ./connman.nix {};
  consul = handleTest ./consul.nix {};
  consul-template = handleTest ./consul-template.nix {};
  containers-bridge = handleTest ./containers-bridge.nix {};
  containers-custom-pkgs.nix = handleTest ./containers-custom-pkgs.nix {};
  containers-ephemeral = handleTest ./containers-ephemeral.nix {};
@@ -753,6 +754,7 @@ in {
  varnish60 = handleTest ./varnish.nix { package = pkgs.varnish60; };
  varnish72 = handleTest ./varnish.nix { package = pkgs.varnish72; };
  vault = handleTest ./vault.nix {};
  vault-agent = handleTest ./vault-agent.nix {};
  vault-dev = handleTest ./vault-dev.nix {};
  vault-postgresql = handleTest ./vault-postgresql.nix {};
  vaultwarden = handleTest ./vaultwarden.nix {};