siim
January 22, 2024, 11:52pm
1
I’ve recently been learning NixOS and am working on setting up a Nomad cluster with it. I want to set up Vault next for secrets management, but I’m having trouble finding resources to do this on NixOS. Has anyone deployed a Vault server using NixOS before who would be able to point me to any guides or git repos with an example?
Thank you!
If you are trying to set up a single-node vault, you can use the nixos test for reference:
import ./make-test-python.nix ({ pkgs, ... }:
{
  name = "vault";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ lnl7 ];
  };
  nodes.machine = { pkgs, ... }: {
    environment.systemPackages = [ pkgs.vault ];
    environment.variables.VAULT_ADDR = "http://127.0.0.1:8200";
    services.vault.enable = true;
  };
  testScript =
    ''
      start_all()
      machine.wait_for_unit("multi-user.target")
      machine.wait_for_unit("vault.service")
      machine.wait_for_open_port(8200)
      machine.succeed("vault operator init")
      # (the rest of the test script is truncated in the quoted file)
    '';
})
If you want the vault webui, you will need to use the vault-bin package by setting
services.vault = {
  package = pkgs.vault-bin;
  extraConfig = ''
    ui = true
  '';
};
2 Likes
siim
January 24, 2024, 12:09am
3
Thanks. Turns out I can just use Nomad Variables natively and avoid Vault altogether.
That said, I was able to get vault running to some degree with the config:
{ name, config, pkgs, secretPath, lib, meta, ... }:
with lib;
let
  bind = meta.ip.mesh."${name}";
  cfg = config.vaultNode;
in {
  options.vaultNode = { enable = mkEnableOption "vaultNode"; };
  config = mkIf cfg.enable {
    services.vault = {
      enable = true;
      # S3 storage backend; note that these keys end up in the world-readable
      # Nix store, because the module renders this block into vault.hcl there
      storageBackend = "s3";
      storageConfig = ''
        access_key = "REDACTED"
        secret_key = "REDACTED"
        bucket = "vault-storage"
      '';
      # Listener on all interfaces; with tlsCertFile/tlsKeyFile unset the
      # NixOS module sets tls_disable on it, so this is plain HTTP
      address = "0.0.0.0:8200";
      extraConfig = ''
        # api_addr/cluster_addr are advertised to clients and peers; 0.0.0.0
        # is not routable, and the scheme should match the listener
        api_addr = "https://0.0.0.0:8200"
        cluster_addr = "https://0.0.0.0:8201"
        ui = true
        # skips mlock, so unsealed key material may be written to swap
        disable_mlock = true
      '';
      package = pkgs.vault-bin;
    };
  };
}
1 Like
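A hardened counterpart to the configuration above, added here as an example and not the poster's code: it keeps the post's `vaultNode` option and `meta.ip.mesh` lookup, moves to TLS on the node's own address, uses integrated raft storage so no S3 keys sit in the Nix store, and assumes the certificate/key paths and the `/var/lib/vault/secrets.hcl` file exist on the host.

```nix
{ name, config, pkgs, lib, meta, ... }:
with lib;
let
  bind = meta.ip.mesh."${name}";   # node address from the poster's meta attrset
  cfg = config.vaultNode;
in {
  options.vaultNode = { enable = mkEnableOption "vaultNode"; };
  config = mkIf cfg.enable {
    services.vault = {
      enable = true;
      package = pkgs.vault-bin;     # vault-bin is needed for the web UI

      # Listen only on this node's mesh address, with TLS. The NixOS module
      # disables TLS on the listener whenever these two files are unset.
      address = "${bind}:8200";
      tlsCertFile = "/var/lib/vault/tls/vault.crt";  # assumed path
      tlsKeyFile = "/var/lib/vault/tls/vault.key";   # assumed path

      # Integrated raft storage keeps state on local disk, so no cloud
      # credentials are needed in the configuration at all.
      storageBackend = "raft";
      storagePath = "/var/lib/vault";
      storageConfig = ''
        node_id = "${name}"
      '';

      # Advertised addresses must be reachable by clients and raft peers:
      # the real address, not 0.0.0.0, with a scheme matching the listener.
      # disable_mlock is left at its default; the unit grants cap_ipc_lock.
      extraConfig = ''
        api_addr = "https://${bind}:8200"
        cluster_addr = "https://${bind}:8201"
        ui = true
      '';

      # Anything that must stay out of the world-readable Nix store (for
      # example backend access keys, if a remote backend is used after all)
      # goes in a root-owned HCL file that Vault loads alongside the module's.
      extraSettingsPaths = [ "/var/lib/vault/secrets.hcl" ];  # assumed file
    };
  };
}
```

After `nixos-rebuild switch`, `vault status -address=https://<bind>:8200` should report TLS in use and the raft backend before the first `vault operator init`.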