Fixes for the service file

voxpupuli · Jul 12, 2024 · 0e46ce9 · 0e46ce9
1 parent 6472883
commit 0e46ce9
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 8 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -98,6 +98,7 @@ The following parameters are available in the `vault` class:
 * [`config_output`](#-vault--config_output)
 * [`config_mode`](#-vault--config_mode)
 * [`purge_config_dir`](#-vault--purge_config_dir)
+* [`create_env_file`](#-vault--create_env_file)
 * [`download_url`](#-vault--download_url)
 * [`download_url_base`](#-vault--download_url_base)
 * [`download_extension`](#-vault--download_extension)
@@ -707,6 +708,14 @@ Data type: `Boolean`
 
 Default value: `true`
 
+##### <a name="-vault--create_env_file"></a>`create_env_file`
+
+Data type: `Boolean`
+
+
+
+Default value: `false`
+
 ##### <a name="-vault--download_url"></a>`download_url`
 
 Data type: `Optional[StdLib::HTTPUrl]`

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -163,7 +163,16 @@
     case $vault::service_provider {
       'systemd': {
         systemd::unit_file { 'vault.service':
-          content => template('vault/vault.systemd.erb'),
+          content => epp(
+            'vault/vault.service.epp',
+            {
+              bin_dir         => $vault::bin_dir,
+              config_dir      => $vault::config_dir,
+              config_output   => $vault::config_output,
+              create_env_file => $vault::create_env_file,
+              num_procs       => $vault::num_procs,
+            }
+          ),
         }
       }
       default: {

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -38,6 +38,11 @@
 #   Whether the `config_dir` should be purged before installing the generated
 #   config.
 #
+# @param create_env_file
+#   Cause a blank vault.env file to be created in the config_dir. This also adds
+#   the EnvironmentFile directive to the service file (if manage_service_file is
+#   enabled)
+#
 # @param download_url
 #   Manual URL to download the vault zip distribution from.
 #
@@ -280,6 +285,7 @@
   Enum['hcl', 'json']        $config_output                       = 'json',
   StdLib::Filemode           $config_mode                         = '0444',
   Boolean                    $purge_config_dir                    = true,
+  Boolean                    $create_env_file                     = false,
   Optional[StdLib::HTTPUrl]  $download_url                        = undef,
   StdLib::HTTPUrl            $download_url_base                   = $vault::params::download_base,
   String                     $download_extension                  = 'zip',

diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
@@ -56,7 +56,7 @@ class { 'file_capability':
       it { is_expected.to be_grouped_into 'root' }
       its(:content) { is_expected.to include 'User=vault' }
       its(:content) { is_expected.to include 'Group=vault' }
-      its(:content) { is_expected.to include 'ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.json ' }
+      its(:content) { is_expected.to include 'ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault.json' }
       its(:content) { is_expected.to match %r{Environment=GOMAXPROCS=\d+} }
     end
 

diff --git a/templates/vault.service.epp b/templates/vault.service.epp
@@ -1,20 +1,24 @@
 <% |
-  String $bin_dir,
-  String $config_dir,
-  String $config_output
+  String  $bin_dir,
+  String  $config_dir,
+  String  $config_output,
+  Boolean $create_env_file,
+  Integer $num_procs,
 | %>
 [Unit]
 Description="HashiCorp Vault - A tool for managing secrets"
 Documentation=https://www.vaultproject.io/docs/
 Requires=network-online.target
 After=network-online.target
-ConditionFileNotEmpty=<%= $config_dir %>vault.hcl
+ConditionFileNotEmpty=<%= $config_dir %>/vault.<%= $config_output %>
 StartLimitIntervalSec=60
 StartLimitBurst=3
 
 [Service]
 Type=notify
-EnvironmentFile=<%= $config_dir %>vault.env
+<%- if $create_env_file == true { -%>
+  <%= $config_dir %>/vault.env
+<%- } -%>
 User=vault
 Group=vault
 ProtectSystem=full
@@ -25,7 +29,8 @@ SecureBits=keep-caps
 AmbientCapabilities=CAP_IPC_LOCK
 CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
 NoNewPrivileges=yes
-ExecStart=<%= $bin_dir %>vault server -config=<%= $config_dir %>vault.<%= $config_output %>
+Environment=GOMAXPROCS=<%= $num_procs %>
+ExecStart=<%= $bin_dir %>/vault server -config=<%= $config_dir %>/vault.<%= $config_output %>
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process
 KillSignal=SIGINT