apply treefmt

main
Jörg Thalheim 2 years ago
parent cc78160e6e
commit 16ab6ae069

@ -1,6 +1,7 @@
# systemd-vaultd - load vault credentials with systemd units # systemd-vaultd - load vault credentials with systemd units
> Mostly written in a train > Mostly written in a train
- Jörg Thalheim - Jörg Thalheim
systemd-vaultd is a proxy between systemd and [vault agent](https://vaultproject.io). systemd-vaultd is a proxy between systemd and [vault agent](https://vaultproject.io).

@ -15,13 +15,10 @@
imports = [ imports = [
./nix/checks/flake-module.nix ./nix/checks/flake-module.nix
]; ];
perSystem = { perSystem =
config, { config
self', , pkgs
inputs', , ...
pkgs,
system,
...
}: { }: {
packages.default = pkgs.callPackage ./default.nix { }; packages.default = pkgs.callPackage ./default.nix { };
devShells.default = pkgs.mkShellNoCC { devShells.default = pkgs.mkShellNoCC {

@ -1,8 +1,6 @@
{ { config
config, , pkgs
lib, , ...
pkgs,
...
}: { }: {
environment.systemPackages = [ pkgs.vault ]; environment.systemPackages = [ pkgs.vault ];
services.vault = { services.vault = {

@ -2,12 +2,9 @@
imports = [ imports = [
inputs.treefmt-nix.flakeModule inputs.treefmt-nix.flakeModule
]; ];
perSystem = { perSystem =
self', { pkgs
inputs', , ...
pkgs,
system,
...
}: { }: {
treefmt = { treefmt = {
# Used to find the project root # Used to find the project root
@ -45,6 +42,7 @@
includes = [ "*.py" ]; includes = [ "*.py" ];
}; };
}; };
};
checks = checks =
let let
@ -56,13 +54,4 @@
inherit (nixosTests) unittests vault-agent systemd-vaultd; inherit (nixosTests) unittests vault-agent systemd-vaultd;
}; };
}; };
checks = let
nixosTests = pkgs.callPackages ./nix/checks/nixos-test.nix {
makeTest = import (pkgs.path + "/nixos/tests/make-test-python.nix");
};
in {
inherit (nixosTests) unittests vault-agent systemd-vaultd;
};
};
} }

@ -1,13 +1,15 @@
{ { makeTest ? import <nixpkgs/nixos/tests/make-test-python.nix>
makeTest ? import <nixpkgs/nixos/tests/make-test-python.nix>, , pkgs ? (import <nixpkgs> { })
pkgs ? (import <nixpkgs> {}), ,
}: let }:
let
makeTest' = args: makeTest' = args:
makeTest args { makeTest args {
inherit pkgs; inherit pkgs;
inherit (pkgs) system; inherit (pkgs) system;
}; };
in { in
{
vault-agent = makeTest' (import ./vault-agent-test.nix); vault-agent = makeTest' (import ./vault-agent-test.nix);
systemd-vaultd = makeTest' (import ./systemd-vaultd-test.nix); systemd-vaultd = makeTest' (import ./systemd-vaultd-test.nix);
unittests = makeTest' { unittests = makeTest' {

@ -1,9 +1,9 @@
{ {
name = "systemd-vaultd"; name = "systemd-vaultd";
nodes.server = { nodes.server =
config, { config
pkgs, , pkgs
... , ...
}: { }: {
imports = [ imports = [
../modules/vault-agent.nix ../modules/vault-agent.nix

@ -1,10 +1,11 @@
{ { writeShellScript
writeShellScript, , python3
python3, , pkgs
pkgs, , lib
lib, , coreutils
coreutils, ,
}: let }:
let
systemd-vaultd = pkgs.callPackage ../../default.nix { }; systemd-vaultd = pkgs.callPackage ../../default.nix { };
systemd = pkgs.callPackage ../pkgs/systemd.nix { }; systemd = pkgs.callPackage ../pkgs/systemd.nix { };
in in

@ -1,9 +1,8 @@
{ {
name = "vault-agent"; name = "vault-agent";
nodes.server = { nodes.server =
config, { config
pkgs, , ...
...
}: { }: {
imports = [ imports = [
./dev-vault-server.nix ./dev-vault-server.nix

@ -1,11 +1,10 @@
{ { pkgs
config, , ...
lib, }:
pkgs, let
...
}: let
systemd-vaultd = pkgs.callPackage ../../default.nix { }; systemd-vaultd = pkgs.callPackage ../../default.nix { };
in { in
{
imports = [ imports = [
./vault-secrets.nix ./vault-secrets.nix
]; ];

@ -1,9 +1,9 @@
{ { config
config, , lib
lib, , pkgs
pkgs, , ...
... }:
}: let let
cfg = config.services.vault; cfg = config.services.vault;
settingsFormat = pkgs.formats.json { }; settingsFormat = pkgs.formats.json { };
@ -58,7 +58,8 @@
}; };
}; };
}; };
in { in
{
options.services.vault.agents = lib.mkOption { options.services.vault.agents = lib.mkOption {
default = { }; default = { };
description = "Instances of vault agent"; description = "Instances of vault agent";
@ -72,7 +73,8 @@ in {
}); });
}; };
config = { config = {
systemd.services = lib.mapAttrs' (name: instanceCfg: systemd.services = lib.mapAttrs'
(name: instanceCfg:
lib.nameValuePair "vault-agent-${name}" { lib.nameValuePair "vault-agent-${name}" {
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];

@ -1,9 +1,9 @@
{ { lib
lib, , config
config, , pkgs
pkgs, , ...
... }:
}: let let
secretType = serviceName: secretType = serviceName:
lib.types.submodule ({ config, ... }: { lib.types.submodule ({ config, ... }: {
options = { options = {
@ -59,19 +59,22 @@
vaultTemplates = config: vaultTemplates = config:
(lib.mapAttrsToList (lib.mapAttrsToList
(serviceName: service: (serviceName: _service:
getSecretTemplate serviceName services.${serviceName}.vault) getSecretTemplate serviceName services.${serviceName}.vault)
(lib.filterAttrs (n: v: v.vault.secrets != {} && v.vault.agent == config._module.args.name) services)) (lib.filterAttrs (_n: v: v.vault.secrets != { } && v.vault.agent == config._module.args.name) services))
++ (lib.mapAttrsToList ++ (lib.mapAttrsToList
(serviceName: service: (serviceName: _service:
getEnvironmentTemplate serviceName services.${serviceName}.vault) getEnvironmentTemplate serviceName services.${serviceName}.vault)
(lib.filterAttrs (n: v: v.vault.environmentTemplate != null && v.vault.agent == config._module.args.name) services)); (lib.filterAttrs (_n: v: v.vault.environmentTemplate != null && v.vault.agent == config._module.args.name) services));
in { in
{
options = { options = {
systemd.services = lib.mkOption { systemd.services = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({config, ...}: let type = lib.types.attrsOf (lib.types.submodule ({ config, ... }:
let
serviceName = config._module.args.name; serviceName = config._module.args.name;
in { in
{
options.vault = { options.vault = {
changeAction = lib.mkOption { changeAction = lib.mkOption {
description = '' description = ''
@ -117,9 +120,11 @@ in {
}; };
}; };
}; };
config = let config =
let
mkIfHasEnv = lib.mkIf (config.vault.environmentTemplate != null); mkIfHasEnv = lib.mkIf (config.vault.environmentTemplate != null);
in { in
{
after = mkIfHasEnv [ "${serviceName}-envfile.service" ]; after = mkIfHasEnv [ "${serviceName}-envfile.service" ];
bindsTo = mkIfHasEnv [ "${serviceName}-envfile.service" ]; bindsTo = mkIfHasEnv [ "${serviceName}-envfile.service" ];
@ -140,14 +145,17 @@ in {
config = { config = {
# we cannot use `systemd.services` here since this would create infinite recursion # we cannot use `systemd.services` here since this would create infinite recursion
systemd.packages = let systemd.packages =
servicesWithEnv = builtins.attrNames (lib.filterAttrs (n: v: v.vault.environmentTemplate != null) services); let
in [ servicesWithEnv = builtins.attrNames (lib.filterAttrs (_n: v: v.vault.environmentTemplate != null) services);
in
[
(pkgs.runCommand "env-services" { } (pkgs.runCommand "env-services" { }
('' (''
mkdir -p $out/lib/systemd/system mkdir -p $out/lib/systemd/system
'' ''
+ (lib.concatMapStringsSep "\n" (service: '' + (lib.concatMapStringsSep "\n"
(service: ''
cat > $out/lib/systemd/system/${service}-envfile.service <<EOF cat > $out/lib/systemd/system/${service}-envfile.service <<EOF
[Unit] [Unit]
Before=${service}.service Before=${service}.service

@ -1,6 +1,6 @@
{ { systemd
systemd, , fetchpatch
fetchpatch, ,
}: }:
systemd.overrideAttrs (old: { systemd.overrideAttrs (old: {
patches = patches =

@ -0,0 +1,20 @@
[tool.ruff]
line-length = 88
select = ["E", "F", "I"]
ignore = [ "E501" ]
[tool.mypy]
python_version = "3.10"
warn_redundant_casts = true
disallow_untyped_calls = true
disallow_untyped_defs = true
no_implicit_optional = true
[[tool.mypy.overrides]]
module = "setuptools.*"
ignore_missing_imports = true
[[tool.mypy.overrides]]
module = "pytest.*"
ignore_missing_imports = true

@ -3,8 +3,8 @@
import os import os
import signal import signal
import subprocess import subprocess
from typing import IO, Any, Dict, Iterator, List, Union
from pathlib import Path from pathlib import Path
from typing import IO, Any, Dict, Iterator, List, Union
import pytest import pytest

@ -1,8 +1,8 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
import json
import random import random
import string import string
import json
from dataclasses import dataclass from dataclasses import dataclass
from pathlib import Path from pathlib import Path

@ -1,9 +1,10 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
import os import os
import pytest
from pathlib import Path from pathlib import Path
from typing import Optional from typing import Optional
import pytest
from command import run from command import run
BIN: Optional[Path] = None BIN: Optional[Path] = None

@ -1,10 +1,11 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
import pytest
from tempfile import TemporaryDirectory
from pathlib import Path from pathlib import Path
from tempfile import TemporaryDirectory
from typing import Iterator from typing import Iterator
import pytest
@pytest.fixture @pytest.fixture
def tempdir() -> Iterator[Path]: def tempdir() -> Iterator[Path]:

@ -1,6 +1,6 @@
import subprocess import subprocess
from pathlib import Path
import time import time
from pathlib import Path
from command import Command from command import Command
from random_service import random_service from random_service import random_service

@ -1,7 +1,7 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
import time
import subprocess import subprocess
import time
from pathlib import Path from pathlib import Path
from command import Command, run from command import Command, run

Loading…
Cancel
Save