vault: 0.6.5 -> 0.7.2 with service #26130
Conversation
|
@katyucha, thanks for your PR! By analyzing the history of the files in this pull request, we identified @pradeepchhetri, @edolstra and @offlinehacker to be potential reviewers. |
|
|
||
| ${if cfg.telemetry.extraConfig != "" then " | ||
| telemetry { | ||
| ${if cfg.telemetry.disable_hostname then "disable_hostname = \"true\"" else ""} |
There was a problem hiding this comment.
telemetry.disable_hostname only takes effect if telemetry.extraConfig is set?
There was a problem hiding this comment.
No need of this parameter if you doesn't set telemetry destination in extraConfig like a statsd, circonus or statsite...
There was a problem hiding this comment.
I see, so this is self-hosted telemetry and not external. Thanks for the clarification!
| }; | ||
|
|
||
| tls_disable = mkOption { | ||
| type = types.str; |
There was a problem hiding this comment.
This should use types.bool.
| }; | ||
|
|
||
| tls_min_version = mkOption { | ||
| type = types.str; |
There was a problem hiding this comment.
This should use something like types.enum [ "tls10" "tls11" "tls12" ]
| }; | ||
|
|
||
| cluster_address = mkOption { | ||
| type = types.str; |
There was a problem hiding this comment.
Rather than using "" to denote an unset cluster_address, I'd recommend making this types.nullOr types.str, with default = null.
There was a problem hiding this comment.
all right, I'll write that for others string else " ''
| }; | ||
|
|
||
| tls_prefer_server_cipher_suites = mkOption { | ||
| type = types.str; |
There was a problem hiding this comment.
This could be something like types.nullOr (types.enum [ "tls10" "tls11" "tls12" ]).
There was a problem hiding this comment.
Hi. I note for TLS but for Cipher, it's a big list you can see here: https://golang.org/src/crypto/tls/cipher_suites.go . Is types.enum a little bit crazy for this case ?
| }; | ||
|
|
||
| tls_require_and_verify_client_cert = mkOption { | ||
| type = types.str; |
There was a problem hiding this comment.
This should be types.bool.
ghost
changed the title
ghost
changed the title
pSub
added
8.has: package (update)
|
|
||
| ${if cfg.listener.tls_prefer_server_cipher_suites then "tls_prefer_server_cipher_suites = \"true\"" else "tls_prefer_server_cipher_suites = \"false\"" } | ||
|
|
||
| ${if cfg.listener.tls_require_and_verify_client_cert then "tls_require_and_verify_client_cert = \"true\"" else "tls_require_and_verify_client_cert = \"false\"" } |
There was a problem hiding this comment.
You could use:
tls_require_and_verify_client_cert = "${boolToString cfg.listener.tls_require_and_verify_client_cert}";
or even abstract it some more and use it on more places:
let boolOption = name: opt: "${name} = \"${boolToString opt}\"";
in ''
${boolOption "tls_prefer_server_cipher_suites" cfg.listener.tls_require_and_verify_client_cert}
'';
So you don't have to repeat yourself. Same with the string options. :)
ghost
changed the title
ghost
changed the title
ghost
changed the title
ghost
changed the title
|
Is this ready to integrate? |
HashiCorp recommends NOT running as root:
However, if you do run as non-root, you either need to |
|
Some variation of |
|
Volt fork my MR ... no need of this now |
ghost
closed this
Motivation for this change
Updating vault and a service to run it !
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)