From 2afab6a7ba722b04e448dede74985fb6441947b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 3 Jul 2022 13:48:30 +0200
Subject: [PATCH] update end-to-end procfile example

---
 .gitignore | 1 +
 Procfile | 8 ++++----
 tests/agent-config.hcl | 33 +++++++++++++++++++++++++++++++++
 {bin => tests}/setup-vault | 0
 tests/vault-agent-example.hcl | 17 +++++++++++++++++
 5 files changed, 55 insertions(+), 4 deletions(-)
 create mode 100644 tests/agent-config.hcl
 rename {bin => tests}/setup-vault (100%)
 create mode 100644 tests/vault-agent-example.hcl

diff --git a/.gitignore b/.gitignore
index 9e3ae6d..402aeec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@
 # binary
 systemd-vaultd
+tmp/
 # nix-build symlinks
 result*
diff --git a/Procfile b/Procfile
index 211af72..4a54c8d 100644
--- a/Procfile
+++ b/Procfile
@@ -1,5 +1,5 @@
+# run with `hivemind``
+systemd-service: sleep 3 && sudo systemd-run --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
 vault: vault server -dev -dev-root-token-id secret
-vault-agent: sleep 10 && ./tests/setup-vault && sudo vault agent -config ./tests/vault-agent-example.hcl
-systemd-vaultd: rm -rf /run/systemd-vault/secrets && sudo ./systemd-vaultd
-systemd-service: sudo systemd-run --collect -u vault-nixos3.service -p LoadCredential=foo:/run/systemd-vaultd/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
-#systemd-vaultd: go run . -secrets tmp/secrets -sock tmp/sock
+vault-agent: sleep 5 && ./tests/setup-vault && sudo vault agent -config ./tests/vault-agent-example.hcl
+systemd-vaultd: go run . -secrets tmp/secrets -sock tmp/sock
diff --git a/tests/agent-config.hcl b/tests/agent-config.hcl
new file mode 100644
index 0000000..5847025
--- /dev/null
+++ b/tests/agent-config.hcl
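Review bot: The comment line added at the top of the Procfile carries an unbalanced trailing backtick after `hivemind`, which reads as a typo; the closing quote should be a single backtick. The startup order also rests on fixed delays: `systemd-service` waits 3 s while `vault-agent` waits 5 s before `./tests/setup-vault` even runs, so `systemd-run` requests the credential before the AppRole files and the rendered template can exist; whether that works depends on `systemd-vaultd` holding the request on `tmp/sock` until the secret appears, which this hunk does not show. A one-line comment stating that expectation, e.g. `# systemd-vaultd is expected to block the credential request until vault-agent has rendered tmp/secrets`, would make the example self-explanatory. Note as well that `tmp/sock` and `tmp/secrets` now live in the user-writable working tree while `systemd-run` and `vault agent` run under sudo; that is fine for a local harness but worth saying in the comment so the layout is not copied into a deployment.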
@@ -0,0 +1,33 @@
+pid_file = "./pidfile"
+
+auto_auth {
+ method {
+ type = "aws"
+ namespace = "/my-namespace"
+ config = {
+ role = "foobar"
+ }
+ }
+
+ sink {
+ type = "file"
+ config = {
+ path = "/tmp/file-foo"
+ }
+ aad = "foobar"
+ dh_type = "curve25519"
+ dh_path = "/tmp/file-foo-dhpath"
+ }
+
+ sink {
+ type = "file"
+ wrap_ttl = "5m"
+ aad_env_var = "TEST_AAD_ENV"
+ dh_type = "curve25519"
+ dh_path = "/tmp/file-foo-dhpath2"
+ derive_key = true
+ config = {
+ path = "/tmp/file-bar"
+ }
+ }
+}
diff --git a/bin/setup-vault b/tests/setup-vault
similarity index 100%
rename from bin/setup-vault
rename to tests/setup-vault
diff --git a/tests/vault-agent-example.hcl b/tests/vault-agent-example.hcl
new file mode 100644
index 0000000..810bd38
--- /dev/null
+++ b/tests/vault-agent-example.hcl
@@ -0,0 +1,17 @@
+ vault = {
+ address = "http://localhost:8200"
+ }
+ template = {
+ contents = "{{ with secret \"secret/my-secret\" }}{{ .Data.data.foo }}{{ end }}"
+ destination = "tmp/secrets/vault-nixos3.service-foo"
+ }
+
+ auto_auth {
+ method {
+ type = "approle"
+ config = {
+ role_id_file_path = "tmp/roleID"
+ secret_id_file_path = "tmp/secretID"
+ }
+ }
+ }
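Review bot: tests/agent-config.hcl is not referenced by the new Procfile or by tests/vault-agent-example.hcl, and its contents (an `aws` auth method, `/my-namespace`, sinks under `/tmp/file-foo`) look like a documentation sample rather than something the end-to-end example runs, so its purpose should be stated at the top of the file, e.g. `# Sample agent config kept for reference; not used by the Procfile`. If it is ever meant to be run, the fixed `/tmp/file-foo` and `/tmp/file-bar` sink paths place token material in a directory shared with every local user, so a path under the gitignored `tmp/` (as the other new config uses) would be the safer choice. Whether a test outside this patch consumes the file cannot be seen from here.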
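Review bot: The `template` block in tests/vault-agent-example.hcl sets no `perms`, so `tmp/secrets/vault-nixos3.service-foo` is written with the agent's default file mode; in the Procfile the agent runs under sudo while `systemd-vaultd` reads the file unprivileged (`go run .`), so the example appears to rely on that default being readable by a different user. Running both sides as the same user, or setting `perms` explicitly and documenting who reads the file, would make the intent clear; a comment such as `# rendered for systemd-vaultd; file mode must allow the reading user` states the assumption. `address = "http://localhost:8200"` matches the `-dev` server in the Procfile and is fine there, but a comment noting it is a dev-only endpoint without TLS would keep it from being copied elsewhere. The relative paths (`tmp/roleID`, `tmp/secretID`, `tmp/secrets/...`) resolve against the agent's working directory, presumably the repo root when launched from the Procfile.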