diff --git a/Procfile b/Procfile
index cce2932..4ccb0f6 100755
--- a/Procfile
+++ b/Procfile
@@ -1,5 +1,5 @@
 #!/usr/bin/env hivemind
 systemd-service: sleep 3 && systemd-run --user --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
-openbao: vault server -dev -dev-root-token-id secret
+openbao: openbao server -dev -dev-root-token-id secret
 openbao-agent: sleep 5 && ./tests/setup-vault && openbao agent -config ./tests/vault-agent-example.hcl
 systemd-openbaod: go run . -secrets tmp/secrets -sock tmp/sock
diff --git a/default.nix b/default.nix
index 2455d7d..4c61f00 100644
--- a/default.nix
+++ b/default.nix
@@ -24,7 +24,8 @@
 python3.pkgs.mypy
 golangci-lint
- # openbao
+ # OpenBao
+ (callPackage ./nix/package.nix { })
 systemd
 hivemind
 go
diff --git a/nix/package.nix b/nix/package.nix
new file mode 100644
index 0000000..ec78c9f
--- /dev/null
+++ b/nix/package.nix
@@ -0,0 +1,51 @@
+{ stdenv, lib, fetchFromGitHub, buildGoModule, installShellFiles, nixosTests
+, makeWrapper
+, gawk
+, glibc
+}:
+
+buildGoModule rec {
+ pname = "openbao";
+ version = "2.0.2";
+
+ src = fetchFromGitHub {
+ owner = "openbao";
+ repo = "openbao";
+ rev = "v${version}";
+ hash = "sha256-7Dqrw00wjI/VCahY1+ANBMq9nPUQlb94HiBB3CKyhSQ=";
+ };
+
+ vendorHash = "sha256-qojDPhdCqnYCAFo5sc9mWyQxvHc/p/a1LYdW7MbOO5w=";
+
+ subPackages = [ "." ];
+
+ nativeBuildInputs = [ installShellFiles makeWrapper ];
+
+ tags = [ "openbao" ];
+
+ ldflags = [
+ "-s" "-w"
+ "-X github.com/openbao/openbao/sdk/version.GitCommit=${src.rev}"
+ "-X github.com/openbao/openbao/sdk/version.Version=${version}"
+ "-X github.com/openbao/openbao/sdk/version.VersionPrerelease="
+ ];
+
+ postInstall = ''
+ echo "complete -C $out/bin/openbao openbao" > openbao.bash
+ installShellCompletion openbao.bash
+ '' + lib.optionalString stdenv.isLinux ''
+ wrapProgram $out/bin/openbao \
+ --prefix PATH ${lib.makeBinPath [ gawk glibc ]}
+ '';
+
+ # passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev vault-agent; };
+
+ meta = with lib; {
+ homepage = "https://openbao.org/";
+ description = "Tool for managing secrets";
+ changelog = "https://github.com/openbao/openbao/blob/v${version}/CHANGELOG.md";
+ license = licenses.mpl20;
+ mainProgram = "openbao";
+ maintainers = with maintainers; [ raitobezarius ];
+ };
+}
diff --git a/tests/setup-vault b/tests/setup-vault
index e1cda14..457c221 100755
--- a/tests/setup-vault
+++ b/tests/setup-vault
@@ -3,7 +3,7 @@ set -eux -o pipefail
 export BAO_ADDR=http://127.0.0.1:8200
 export BAO_TOKEN=secret
-while ! vault status; do
+while ! openbao status; do
 sleep 1
 done
diff --git a/tests/vault-agent-example.hcl b/tests/vault-agent-example.hcl
index 810bd38..abd5643 100644
--- a/tests/vault-agent-example.hcl
+++ b/tests/vault-agent-example.hcl
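Review bot: `nixosTests` is taken as a function argument on the first line of nix/package.nix, but its only use is the commented-out `passthru.tests` line near the bottom, which also names the upstream `vault*` NixOS tests rather than anything this derivation builds, so the file ships an unused input plus dead code. Either drop `nixosTests` from the argument set and delete that line, or replace the dead line with a comment stating the reason, e.g. `# passthru.tests omitted: nixpkgs' vault NixOS tests exercise the vault binary, not openbao`. Separately, `GitCommit=${src.rev}` embeds the tag name `v2.0.2` rather than a commit hash, so the binary's version output will report the tag as its commit; the content is still pinned by `hash` and `vendorHash`, so this is harmless, but a one-line comment saying it is intentional would stop the next reader from treating it as a bug. The `wrapProgram ... --prefix PATH` with `gawk glibc` is presumably carried over from the nixpkgs vault expression; a short comment naming which runtime lookup needs them would make the extra PATH entries justifiable rather than cargo-culted.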
@@ -2,8 +2,8 @@
 address = "http://localhost:8200"
 }
 template = {
- contents = "{{ with secret \"secret/my-secret\" }}{{ .Data.data.foo }}{{ end }}"
- destination = "tmp/secrets/vault-nixos3.service-foo"
+ contents = "{{ with secret \"secret/my-secret\" }}{{ .Data.data | toJSON }}{{ end }}"
+ destination = "tmp/secrets/vault-nixos3.service.json"
 }
 auto_auth {
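Review bot: The rendered file now holds the entire `secret/my-secret` data map as JSON instead of one field, yet the `template` block still sets no `perms`, so `tmp/secrets/vault-nixos3.service.json` is created with the agent's default file mode (0644 in Vault Agent, which OpenBao's agent inherits as far as I can tell) and is readable by every local user. Adding `perms = "0600"` inside the block keeps this fixture aligned with how the same configuration should look outside the test directory, where example HCL tends to get copied verbatim. It would also help to put a one-line comment above `contents` noting that the consumer (`go run . -secrets tmp/secrets` in the Procfile) expects the full map as JSON, since the `.json` suffix on `destination` is currently the only hint that the shape of the output changed on purpose.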