You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

133 lines
4.3 KiB
Nix

{
name = "systemd-vaultd";
nodes.server =
{ config
, ...
}: {
imports = [
../modules/vault-agent.nix
../modules/systemd-vaultd.nix
./dev-vault-server.nix
];
# speed up tests
virtualisation.cores = 4;
virtualisation.memorySize = 1024;
systemd.services.service1 = {
wantedBy = [ "multi-user.target" ];
script = ''
cat $CREDENTIALS_DIRECTORY/foo > /tmp/service1
echo -n "$SECRET_ENV" > /tmp/service1-env
'';
#serviceConfig = {
# EnvironmentFile = [ "/run/systemd-vaultd/service1.service.EnvironmentFile" ];
#};
vault = {
template = ''
{{ with secret "secret/my-secret" }}{{ .Data.data | toJSON }}{{ end }}
'';
secrets.foo = { };
environmentTemplate = ''
{{ with secret "secret/my-secret" }}
SECRET_ENV={{ .Data.data.foo }}
{{ end }}
'';
};
};
users.users.service2 = {
isSystemUser = true;
group = "service2";
uid = 1000;
};
users.groups.service2.gid = 1000;
systemd.services.service2 = {
wantedBy = [ "multi-user.target" ];
preStart = ''
cp -r $CREDENTIALS_DIRECTORY /run/service2/secrets
'';
script = ''
set -x
while true; do
cat /run/service2/secrets/secret >&2 || :
cat /run/service2/secrets/secret > /tmp/service2 || :
sleep 0.1
done
'';
serviceConfig = {
ExecReload = "+${config.services.systemd-vaultd.package}/bin/systemd-vaultd-update-secrets /run/service2/secrets";
User = "service2";
Group = "service2";
LoadCredential = [ "secret:/run/systemd-vaultd/sock" ];
RuntimeDirectory = "service2";
};
vault = {
template = ''
{{ with secret "secret/blocking-secret" }}{{ scratch.MapSet "secrets" "secret" .Data.data.foo }}{{ end }}
{{ scratch.Get "secrets" | explodeMap | toJSON }}
'';
secrets.secret = { };
};
};
services.vault.agents.default.settings = {
vault = {
address = "http://localhost:8200";
};
auto_auth = {
method = [
{
type = "approle";
config = {
role_id_file_path = "/tmp/roleID";
secret_id_file_path = "/tmp/secretID";
remove_secret_id_file_after_reading = false;
};
}
];
};
};
};
testScript = ''
start_all()
machine.wait_for_unit("vault.service")
machine.wait_for_open_port(8200)
machine.wait_for_unit("setup-vault-agent-approle.service")
machine.wait_for_unit("vault-agent-default.service")
out = machine.wait_until_succeeds("grep -q bar /tmp/service1")
out = machine.succeed("grep -q bar /tmp/service1-env")
out = machine.succeed("systemctl status service2 || :")
print(out)
assert "(sd-mkdcreds)" in out, "service2 should be still blocked"
machine.succeed("vault kv put secret/blocking-secret foo=bar")
machine.wait_until_succeeds("grep -q bar /tmp/service2 >&2")
machine.succeed("umount /run/credentials/service2.service")
machine.succeed("rm /run/systemd-vaultd/secrets/service2.service.json")
machine.succeed("vault kv put secret/blocking-secret foo=reload")
machine.succeed("systemctl restart vault-agent-default")
machine.wait_until_succeeds("cat /run/systemd-vaultd/secrets/service2.service.json >&2")
machine.succeed("systemctl restart service2")
machine.succeed("rm /tmp/service2")
machine.wait_until_succeeds("grep -q reload /tmp/service2 >&2")
# get uid and gid
out = machine.succeed("stat -c %u /run/service2/secrets/secret").strip()
assert out == "1000", "service2 should have access to secret file with uid 1000, got " + out
out = machine.succeed("stat -c %g /run/service2/secrets/secret").strip()
assert out == "1000", "service2 should have access to secret file with gid 1000, got " + out
# get permissions in octal
out = machine.succeed("stat -c %a /run/service2/secrets/secret").strip()
assert out == "400", "service2 should have access to secret file with permissions 0400, got " + out
'';
}