nixos/vault: implement RFC0042

[aanderse]

Description of changes

this PR contributes to #144575 by migrating the vault module to RFC42

i intended this change to be as minimally intrusive as possible, though one might argue i'm breaking stuff willy nilly because i removed 4 options: listenerExtraConfig, storageConfig, telemetryConfig, and extraConfig

while i feel bad about breaking things the added maintenance burden in generating a configuration file that preserves these removed options isn't worth the hassle for people who work on this module

remaining tasks:

• gather some feedback
• test this module on my vault instance which uses the raft storage protocol
• write release notes

cc @jelle-bigbridge as someone who somewhat recently contributed to the module... maybe you want to test this 😄

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[aanderse]

this was removed because this is already the default value vault uses and therefore redundant

source: https://developer.hashicorp.com/vault/docs/configuration/listener/tcp#tls_min_version

[pingiun]

Thank you for tagging me (@jelle-bigbridge is my old account). Unfortunately I'm unable to test this as we migrated off of vault at work. The changes do seem good to me however. I recommend merging when the module is tested properly

[Mic92]

@ofborg test vault

[Mic92]

@ofborg build vault

[aanderse]

unfree so i don't think anything will go here... i ran all tests locally, though

[roberth]

unfree so i don't think anything will go here

It is distributable and source available fwiw. In my opinion, ofborg should build it.

• Allow unfree redistributable builds? ofborg#687

[roberth]

Perhaps OpenBao support could be added; that's proper open source, and would run in ofborg without any changes.

[aanderse]

Perhaps OpenBao support could be added

yeah, i am sure someone will package it soon enough 👍

[roberth]

I hope this can make the config file generation simpler and more robust, but I can't promise that.

[Mic92]

unfree so i don't think anything will go here

It is distributable and source available fwiw. In my opinion, ofborg should build it.

* [Allow unfree redistributable builds? ofborg#687](https://github.com/NixOS/ofborg/issues/687)

Does hydra build unfreeRedistributable? Maybe we need to change license to this.

[aanderse]

given the work @roberth and @MattSturgeon have done on a record type i no longer feel great about moving forward with this PR, despite how the module has some serious shortcomings

if you ever feel inclined to continue the great work you were doing please ping me @MattSturgeon, as the vault module would greatly benefit from it (as would many other modules!) 🙇‍♂️