services.vault.extraSettingsPaths
Configuration files to load in addition to the immutable one generated by the NixOS module. The generated file lives in the Nix store, which every local user can read, so this option is the way to give Vault credentials (for example a storage backend password) without putting them in the store.
Each path can point to a JSON- or HCL-formatted file, or to a directory to be scanned for files with .hcl or .json extensions.
To upload the confidential file with NixOps, use for example:
# https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
# NixOps copies the key to /run/keys/vault.hcl (mode 0600 by default) over the
# deployment connection; it is never written to the Nix store.
deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
  text = ''
    storage "postgresql" {
      connection_url = "postgres://${db.username}:${db.password}@host.example.com/exampledb?sslmode=verify-ca"
    }
  '';
  # Owner of the key file, so that only the vault user can read it.
  user = "vault";
};
# Load the key file alongside the generated configuration.
services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"];
services.vault.storageBackend = "postgresql";
# /run/keys itself is only traversable by the keys group.
users.users.vault.extraGroups = ["keys"];
Two caveats: ./db-credentials.nix is read on the deploying machine at evaluation time, so keep it out of version control; and /run/keys is held in memory, so after a reboot the key is gone until it is re-sent with nixops send-keys. Order the vault unit after the vault.hcl-key.service unit that NixOps generates for the key, otherwise Vault can start before the file exists and fail to load its storage configuration.
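As an added example (not part of the NixOS module, NixOps or Vault), the following Python audit checks the two properties the configuration above is meant to guarantee on a deployed host: the generated configuration in the Nix store contains no URL with an embedded password, and every file Vault will load from extraSettingsPaths (a file, or the .hcl/.json files of a directory, mirroring Vault's loading rule) is readable only by its owner. All paths, file names and the sample credential are constructed stand-ins for /nix/store/...-vault.hcl and /run/keys; nothing here touches the real system.

```python
"""Added example: audit a Vault deployment for credentials leaking into the
Nix store and for key files readable by other users.  All paths used in
demo() are constructed stand-ins, not the real /nix/store or /run/keys."""
import os
import re
import stat
import tempfile
from pathlib import Path


# Vault loads a path given as a file as-is, and scans a path given as a
# directory (non-recursively) for files ending in .hcl or .json.
def expand_settings_paths(paths):
    files = []
    for p in map(Path, paths):
        if p.is_dir():
            files.extend(sorted(c for c in p.iterdir()
                                if c.is_file() and c.suffix in (".hcl", ".json")))
        elif p.is_file():
            files.append(p)
    return files


# A URL whose userinfo carries a password, e.g. postgres://vault:s3cret@host/db.
URL_WITH_PASSWORD = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s\"']+:[^/\s\"'@]+@", re.I)


def find_embedded_credentials(text):
    """Return every URL prefix in `text` that embeds a password."""
    return [m.group(0) for m in URL_WITH_PASSWORD.finditer(text)]


def audit_settings_file(path, expected_uid=None):
    """Problems with one loaded file: group/world access bits, wrong owner."""
    st = path.stat()
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} "
                        "grants access to group/others")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return problems


def audit(store_config, settings_paths, expected_uid=None):
    """Return a list of findings; an empty list means the deployment is clean."""
    problems = []
    # 1. The generated config lives in the world-readable store: no passwords there.
    for url in find_embedded_credentials(Path(store_config).read_text()):
        scheme = url.split("://", 1)[0]
        problems.append(f"{store_config}: credential embedded in a {scheme}:// URL")
    # 2. Everything loaded from extraSettingsPaths must be private to the vault user.
    for f in expand_settings_paths(settings_paths):
        problems.extend(audit_settings_file(f, expected_uid))
    return problems


# Constructed sample: the storage stanza with its password, as the key file carries it.
SECRET_STORAGE = (
    'storage "postgresql" {\n'
    '  connection_url = "postgres://vault:s3cret@db.example.com/vault?sslmode=verify-ca"\n'
    '}\n'
)


def demo():
    """Constructed scenario: a leaky and a clean store config, plus a keys
    directory holding one correctly protected key and one that is world-readable."""
    root = Path(tempfile.mkdtemp())
    leaky = root / "store-vault-leaky.hcl"         # credentials were put in storageConfig
    leaky.write_text(SECRET_STORAGE)
    clean = root / "store-vault-clean.hcl"         # storage section left to the key file
    clean.write_text('listener "tcp" {\n  address = "127.0.0.1:8200"\n'
                     '  tls_cert_file = "/var/lib/vault/tls/cert.pem"\n'
                     '  tls_key_file = "/var/lib/vault/tls/key.pem"\n}\n')
    keys = root / "keys"                           # stand-in for /run/keys
    keys.mkdir()
    good = keys / "vault.hcl"
    good.write_text(SECRET_STORAGE)
    good.chmod(0o600)                              # NixOps default for deployment.keys
    bad = keys / "db.json"
    bad.write_text('{"storage": {"postgresql": {"connection_url": '
                   '"postgres://vault:s3cret@db.example.com/vault"}}}\n')
    bad.chmod(0o644)                               # readable by every local user
    (keys / "NOTES").write_text("not loaded: no .hcl/.json suffix\n")
    me = os.getuid()
    return {
        "leaky_store": audit(leaky, [keys], me),   # 2 findings: store leak + db.json
        "clean_store": audit(clean, [keys], me),   # 1 finding: db.json
        "only_good_key": audit(clean, [good], me), # no findings
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

On a real host the same audit would be run with the store path of the generated vault.hcl, the list given in services.vault.extraSettingsPaths and the uid of the vault user; the mode check is deliberately strict (no group or world bits at all) because the 0600 NixOps default is what the deployment above relies on.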
Type
    list of absolute path
Default
    [ ]
Declared by
    <nixpkgs/nixos/modules/services/security/vault.nix>