ryan
/
systemd-openbao
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: add optional command timeout

Browse Source 
Some template command can last longer than the default 30s. Add option
to override default timeout.

Define template commands using `exec` as `command` is deprecated.
(https://developer.hashicorp.com/vault/docs/agent/template#command)
main
Jean-François Roche 1 year ago
parent 70c13ed746
commit ad5f37f7a8
2 changed files with 27 additions and 14 deletions
Show Stats Download Patch File Download Diff File

1
nix/checks/systemd-vaultd-test.nix
Unescape Escape View File

@ -94,6 +94,7 @@
machine.wait_for_unit("vault.service") machine.wait_for_unit("vault.service")
machine.wait_for_open_port(8200) machine.wait_for_open_port(8200)
machine.wait_for_unit("setup-vault-agent-approle.service") machine.wait_for_unit("setup-vault-agent-approle.service")
machine.wait_for_unit("vault-agent-default.service")
out = machine.wait_until_succeeds("grep -q bar /tmp/service1") out = machine.wait_until_succeeds("grep -q bar /tmp/service1")

40
nix/modules/vault-secrets.nix
Unescape Escape View File

@ -29,33 +29,36 @@ let
services = config.systemd.services; services = config.systemd.services;
getSecretTemplate = serviceName: vaultConfig: templateExec = serviceName: vaultConfig: { } //
{ lib.optionalAttrs (vaultConfig.changeAction != null && vaultConfig.changeAction != "none") {
contents = vaultConfig.template; exec = [
destination = "/run/systemd-vaultd/secrets/${serviceName}.service.json"; ({
perms = "0400";
}
// lib.optionalAttrs (vaultConfig.changeAction != null && vaultConfig.changeAction != "none") {
command = "systemctl ${ command = "systemctl ${
if vaultConfig.changeAction == "restart" if vaultConfig.changeAction == "restart"
then "try-restart" then "try-restart"
else "try-reload-or-restart" else "try-reload-or-restart"
} ${lib.escapeShellArg "${serviceName}.service"}"; } ${lib.escapeShellArg "${serviceName}.service"}";
} // lib.optionalAttrs
(vaultConfig.command_timeout != null)
{ timeout = vaultConfig.command_timeout; })
];
}; };
getSecretTemplate = serviceName: vaultConfig:
{
contents = vaultConfig.template;
destination = "/run/systemd-vaultd/secrets/${serviceName}.service.json";
perms = "0400";
}
// templateExec serviceName vaultConfig;
getEnvironmentTemplate = serviceName: vaultConfig: getEnvironmentTemplate = serviceName: vaultConfig:
{ {
contents = vaultConfig.environmentTemplate; contents = vaultConfig.environmentTemplate;
destination = "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile"; destination = "/run/systemd-vaultd/secrets/${serviceName}.service.EnvironmentFile";
perms = "0400"; perms = "0400";
} }
// lib.optionalAttrs (vaultConfig.changeAction != null) { // templateExec serviceName vaultConfig;
command = "systemctl ${
if vaultConfig.changeAction == "restart"
then "try-restart"
else "try-reload-or-restart"
} ${lib.escapeShellArg "${serviceName}.service"}";
};
vaultTemplates = config: vaultTemplates = config:
(lib.mapAttrsToList (lib.mapAttrsToList
@ -119,6 +122,15 @@ in
some-secret.template = ''{{ with secret "secret/some-secret" }}{{ .Data.data.some-key }}{{ end }}''; some-secret.template = ''{{ with secret "secret/some-secret" }}{{ .Data.data.some-key }}{{ end }}'';
}; };
}; };
command_timeout = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
Maximum amount of time to wait for the optional command to return.
'';
};
}; };
config = config =
let let

Write Preview
Loading…
Cancel
Save