nixos/vault: add option to start in dev mode. (#180114)

* nixos/vault: add option to start in dev mode. This is not only useful for nixos tests i.e. when testing vault agent setups but also when playing around with vault in local setups. In our tests we can now make use of this option to test more vault features. i.e. adding this feature has uncovered the need for a `StateDirectory`. * Update nixos/modules/services/security/vault.nix Co-authored-by: Robert Hensing <roberth@users.noreply.github.com> Co-authored-by: Jonas Chevalier <zimbatm@zimbatm.com> Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2022-07-05 10:54:11 +02:00 · 2022-07-05 10:54:11 +02:00 · 826c20dcae
commit 826c20dcae
parent f5522fb775
4 changed files with 63 additions and 3 deletions
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@ -7,6 +7,8 @@ let
  opt = options.services.vault;

  configFile = pkgs.writeText "vault.hcl" ''
+    # vault in dev mode will refuse to start if its configuration sets listener
+    ${lib.optionalString (!cfg.dev) ''
    listener "tcp" {
      address = "${cfg.address}"
      ${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
@ -17,6 +19,7 @@ let
        ''}
      ${cfg.listenerExtraConfig}
    }
+    ''}
    storage "${cfg.storageBackend}" {
      ${optionalString (cfg.storagePath   != null) ''path = "${cfg.storagePath}"''}
      ${optionalString (cfg.storageConfig != null) cfg.storageConfig}
@ -30,8 +33,10 @@ let
  '';

  allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
-
-  configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
+  configOptions = escapeShellArgs
+    (lib.optional cfg.dev "-dev" ++
+     lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}"
+      ++ (concatMap (p: ["-config" p]) allConfigPaths));

 in

@ -47,6 +52,22 @@ in
        description = "This option specifies the vault package to use.";
      };

+      dev = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          In this mode, Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.
+        '';
+      };
+
+      devRootTokenID = mkOption {
+        type = types.str;
+        default = false;
+        description = ''
+          Initial root token. This only applies when <option>services.vault.dev</option> is true
+        '';
+      };
+
      address = mkOption {
        type = types.str;
        default = "127.0.0.1:8200";
@ -186,6 +207,9 @@ in
        Group = "vault";
        ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+        StateDirectory = "vault";
+        # In `dev` mode vault will put its token here
+        Environment = lib.optional (cfg.dev) "HOME=/var/lib/vault";
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectSystem = "full";
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -590,6 +590,7 @@ in {
  uwsgi = handleTest ./uwsgi.nix {};
  v2ray = handleTest ./v2ray.nix {};
  vault = handleTest ./vault.nix {};
+  vault-dev = handleTest ./vault-dev.nix {};
  vault-postgresql = handleTest ./vault-postgresql.nix {};
  vaultwarden = handleTest ./vaultwarden.nix {};
  vector = handleTest ./vector.nix {};
--- a/nixos/tests/vault-dev.nix
+++ b/nixos/tests/vault-dev.nix
@ -0,0 +1,35 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+{
+  name = "vault-dev";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ lnl7 mic92 ];
+  };
+  nodes.machine = { pkgs, config, ... }: {
+    environment.systemPackages = [ pkgs.vault ];
+    environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
+    environment.variables.VAULT_TOKEN = "phony-secret";
+
+    services.vault = {
+      enable = true;
+      dev = true;
+      devRootTokenID = config.environment.variables.VAULT_TOKEN;
+    };
+  };
+
+  testScript = ''
+    import json
+    start_all()
+    machine.wait_for_unit("multi-user.target")
+    machine.wait_for_unit("vault.service")
+    machine.wait_for_open_port(8200)
+    out = machine.succeed("vault status -format=json")
+    print(out)
+    status = json.loads(out)
+    assert status.get("initialized") == True
+    machine.succeed("vault kv put secret/foo bar=baz")
+    out = machine.succeed("vault kv get -format=json secret/foo")
+    print(out)
+    status = json.loads(out)
+    assert status.get("data", {}).get("data", {}).get("bar") == "baz"
+  '';
+})
--- a/pkgs/tools/security/vault/default.nix
+++ b/pkgs/tools/security/vault/default.nix
@ -38,7 +38,7 @@ buildGoModule rec {
      --prefix PATH ${lib.makeBinPath [ gawk glibc ]}
  '';

-  passthru.tests = { inherit (nixosTests) vault vault-postgresql; };
+  passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev; };

  meta = with lib; {
    homepage = "https://www.vaultproject.io/";