security/vault: add vault user to daemon class

This allows use of mlock() when vault is started via rc script.

Submitted by:	dch
Reviewed by:	jrm
Differential Revision:	https://reviews.freebsd.org/D20025

UIDs

@@ -416,7 +416,7 @@ netmon:*:467:467::0:0:Network monitor account:/var/netmon:/usr/sbin/nologin
 slurm:*:468:468::0:0:SLURM Daemon:/nonexistent:/usr/sbin/nologin
 consul:*:469:469::0:0:Consul Daemon:/var/tmp/consul:/usr/sbin/nologin
 serf:*:470:470::0:0:Serf Daemon:/nonexistent:/usr/sbin/nologin
-vault:*:471:471::0:0:Vault Daemon:/nonexistent:/usr/sbin/nologin
+vault:*:471:471:daemon:0:0:Vault Daemon:/nonexistent:/usr/sbin/nologin
 nomad:*:472:472::0:0:Nomad Daemon:/var/tmp/nomad:/usr/sbin/nologin
 minio:*:473:473::0:0:Minio Daemon:/var/tmp/minio:/usr/sbin/nologin
 gitlab-runner:*:474:474::0:0:GitLab Runner Daemon:/var/tmp/gitlab_runner:/usr/sbin/nologin

security/vault/Makefile

@@ -2,6 +2,7 @@
 
 PORTNAME=	vault
 PORTVERSION=	1.1.2
+PORTREVISION=	1
 DISTVERSIONPREFIX=	v
 CATEGORIES=	security
 
@@ -26,6 +27,7 @@ USERS=		vault
 GROUPS=		vault
 
 PLIST_FILES=	bin/${PORTNAME}
+SUB_FILES=	pkg-message
 
 post-patch:
 	@${CP} ${WRKDIR}/vaultui-${PORTVERSION}/http/bindata_assetfs.go ${WRKDIR}/vault-${PORTVERSION}/http/bindata_assetfs.go

security/vault/files/pkg-message.in

@@ -0,0 +1,19 @@
+The vault user created by the vault package is now a member of the daemon
+class, which will allow it to use mlock() when started by the rc script. This
+will not be reflected in systems where the user already exists. Please add the
+vault user to the daemon class manually by running:
+
+pw usermod -L daemon -n vault
+
+or delete the user and reinstall the package.
+
+You may also need to increase memorylocked for the daemon class in
+/etc/login.conf to 256M or more and run:
+
+cap_mkdb /etc/login.conf
+
+Or to disable mlock, add:
+
+disable_mlock = 1
+
+to %%PREFIX%%/etc/vault.hcl