feat: further adapt to openbao

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
1 month ago · 5aa5a794fd
parent d4e31a9b0f
commit 5aa5a794fd
5 changed files with 57 additions and 5 deletions
--- a/2
+++ b/2
@ -1,5 +1,5 @@
 #!/usr/bin/env hivemind
 systemd-service: sleep 3 && systemd-run --user --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
-openbao: vault server -dev -dev-root-token-id secret
+openbao: openbao server -dev -dev-root-token-id secret
 openbao-agent:  sleep 5 && ./tests/setup-vault && openbao agent -config ./tests/vault-agent-example.hcl
 systemd-openbaod: go run . -secrets tmp/secrets -sock tmp/sock
--- a/default.nix
+++ b/default.nix
@ -24,7 +24,8 @@
      python3.pkgs.mypy

      golangci-lint
-      # openbao
+      # OpenBao
+      (callPackage ./nix/package.nix { })
      systemd
      hivemind
      go
--- a/nix/package.nix
+++ b/nix/package.nix
@ -0,0 +1,51 @@
+{ stdenv, lib, fetchFromGitHub, buildGoModule, installShellFiles, nixosTests
+, makeWrapper
+, gawk
+, glibc
+}:
+
+buildGoModule rec {
+  pname = "openbao";
+  version = "2.0.2";
+
+  src = fetchFromGitHub {
+    owner = "openbao";
+    repo = "openbao";
+    rev = "v${version}";
+    hash = "sha256-7Dqrw00wjI/VCahY1+ANBMq9nPUQlb94HiBB3CKyhSQ=";
+  };
+
+  vendorHash = "sha256-qojDPhdCqnYCAFo5sc9mWyQxvHc/p/a1LYdW7MbOO5w=";
+
+  subPackages = [ "." ];
+
+  nativeBuildInputs = [ installShellFiles makeWrapper ];
+
+  tags = [ "openbao" ];
+
+  ldflags = [
+    "-s" "-w"
+    "-X github.com/openbao/openbao/sdk/version.GitCommit=${src.rev}"
+    "-X github.com/openbao/openbao/sdk/version.Version=${version}"
+    "-X github.com/openbao/openbao/sdk/version.VersionPrerelease="
+  ];
+
+  postInstall = ''
+    echo "complete -C $out/bin/openbao openbao" > openbao.bash
+    installShellCompletion openbao.bash
+  '' + lib.optionalString stdenv.isLinux ''
+    wrapProgram $out/bin/openbao \
+      --prefix PATH ${lib.makeBinPath [ gawk glibc ]}
+  '';
+
+  # passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev vault-agent; };
+
+  meta = with lib; {
+    homepage = "https://openbao.org/";
+    description = "Tool for managing secrets";
+    changelog = "https://github.com/openbao/openbao/blob/v${version}/CHANGELOG.md";
+    license = licenses.mpl20;
+    mainProgram = "openbao";
+    maintainers = with maintainers; [ raitobezarius ];
+  };
+}
--- a/tests/setup-vault
+++ b/tests/setup-vault
@ -3,7 +3,7 @@ set -eux -o pipefail
 export BAO_ADDR=http://127.0.0.1:8200
 export BAO_TOKEN=secret

-while ! vault status; do
+while ! openbao status; do
  sleep 1
 done

--- a/tests/vault-agent-example.hcl
+++ b/tests/vault-agent-example.hcl
@ -2,8 +2,8 @@
   address = "http://localhost:8200"
 }
 template = {
-   contents = "{{ with secret \"secret/my-secret\" }}{{ .Data.data.foo }}{{ end }}"
-   destination = "tmp/secrets/vault-nixos3.service-foo"
+   contents = "{{ with secret \"secret/my-secret\" }}{{ .Data.data | toJSON }}{{ end }}"
+   destination = "tmp/secrets/vault-nixos3.service.json"
 }

 auto_auth {