Skip to content

vault: Support multiple config files (no secrets in store)#108411

Merged
roberth merged 4 commits intoNixOS:masterfrom
hercules-ci:vault-multiple-config-files
Jan 24, 2021
Merged

vault: Support multiple config files (no secrets in store)#108411
roberth merged 4 commits intoNixOS:masterfrom
hercules-ci:vault-multiple-config-files

Conversation

@roberth
Copy link
Copy Markdown
Member

@roberth roberth commented Jan 4, 2021

Motivation for this change

Configure storageBackend securely.
Although vault guarantees confidentiality and integrity when its backend is compromised, a leak still compromises the storage backend itself and the availability of vault.

Closes #107323 (earlier attempt, wrong approach)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc maintainers @LnL7 @rushmorem @offlinehacker @pradeepchhetri
cc @aanderse

@roberth roberth mentioned this pull request Jan 4, 2021
Closed
10 tasks
@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. labels Jan 4, 2021
@nixos-discourse
Copy link
Copy Markdown

nixos-discourse commented Jan 11, 2021

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/438

@roberth roberth changed the title Vault multiple config files vault: Support multiple config files (no secrets in store) Jan 18, 2021
@roberth roberth added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jan 18, 2021
@roberth
Copy link
Copy Markdown
Member Author

roberth commented Jan 18, 2021

@LnL7 @rushmorem @offlinehacker @pradeepchhetri Could you please review?

@aanderse aanderse mentioned this pull request Jan 19, 2021
Merged
10 tasks
@roberth
nixos/vault: extraConfigPaths -> extraSettingsPaths
04946f4 
Align with RFC42 language, even if in advance of the actual settings
attribute.
@roberth roberth requested review from aanderse and cpcloud January 23, 2021 20:10
cpcloud
cpcloud approved these changes Jan 23, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@cpcloud cpcloud left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM!

@roberth
Copy link
Copy Markdown
Member Author

roberth commented Jan 24, 2021

I'm not expecting anything from the listed package maintainers (@LnL7 @rushmorem @offlinehacker @pradeepchhetri) after 34 days of silence, also counting the previous iteration of this PR.

@roberth roberth merged commit 530df49 into NixOS:master Jan 24, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aanderse aanderse aanderse approved these changes

@LnL7 LnL7 Awaiting requested review from LnL7

@rushmorem rushmorem Awaiting requested review from rushmorem

@offlinehacker offlinehacker Awaiting requested review from offlinehacker

+1 more reviewer

@cpcloud cpcloud cpcloud approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@roberth @nixos-discourse @cpcloud @aanderse