Merge pull request #17 from numtide/ci

flake.lock: Update

README.md

@@ -1,6 +1,7 @@
 # systemd-vaultd - load vault credentials with systemd units
 
 > Mostly written in a train
+
 - Jörg Thalheim
 
 systemd-vaultd is a proxy between systemd and [vault agent](https://vaultproject.io).

bors.toml

@@ -1,7 +1,10 @@
 cut_body_after = "" # don't include text from the PR body in the merge commit message
 status = [
   "Evaluate flake.nix",
- "package %",
+  "check systemd-vaultd [x86_64-linux]",
- "check %",
+  "check treefmt [x86_64-linux]",
- "devShell %",
+  "check unittests [x86_64-linux]",
+  "check vault-agent [x86_64-linux]",
+  "devShell default [x86_64-linux]",
+  "package default [x86_64-linux]"
 ]

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1671322946,
+        "lastModified": 1673362319,
-        "narHash": "sha256-J8Qj+ITV+eti+irTK9Zn2LZVYoIW2g7irPUckU8yZvU=",
+        "narHash": "sha256-Pjp45Vnj7S/b3BRpZEVfdu8sqqA6nvVjvYu59okhOyI=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3f7172646953bf86dad5953bc45f0edae62ac445",
+        "rev": "82c16f1682cf50c01cb0280b38a1eed202b3fe9f",
         "type": "github"
       },
       "original": {
@@ -22,15 +22,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1671537075,
+        "lastModified": 1673606088,
-        "narHash": "sha256-lAejYRUtM2SDTmHxcFLnx4W/P0URejhkl9DyqJ++PIc=",
+        "narHash": "sha256-wdYD41UwNwPhTdMaG0AIe7fE1bAdyHe6bB4HLUqUvck=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "eb37a7f66312e845fba0b3cc7c36e727012b3dae",
+        "rev": "37b97ae3dd714de9a17923d004a2c5b5543dfa6d",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -38,7 +39,23 @@
     "root": {
       "inputs": {
         "flake-parts": "flake-parts",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "treefmt-nix": "treefmt-nix"
+      }
+    },
+    "treefmt-nix": {
+      "locked": {
+        "lastModified": 1672931382,
+        "narHash": "sha256-lgtc2Sct/xtvqkdzlJ4AL3Vesw0Wz/fxqNGOBFS7YXU=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "6717065d6a432bc3f5b827007ad959e6032d5856",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -4,30 +4,40 @@
   inputs = {
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
-    nixpkgs.url = "github:NixOS/nixpkgs";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+
+    treefmt-nix.url = "github:numtide/treefmt-nix";
   };
 
   outputs = inputs @ { flake-parts, ... }:
     flake-parts.lib.mkFlake { inherit inputs; } {
       systems = [ "x86_64-linux" "aarch64-linux" ];
-      perSystem = {
+      imports = [
-        config,
+        ./nix/checks/flake-module.nix
-        self',
+      ];
-        inputs',
+      perSystem =
-        pkgs,
+        { config
-        system,
+        , pkgs
-        ...
+        , ...
         }: {
           packages.default = pkgs.callPackage ./default.nix { };
-        devShells.default = pkgs.callPackage ./shell.nix {};
+          packages.systemd = pkgs.callPackage ./nix/pkgs/systemd.nix { };
-        checks = let
+          devShells.default = pkgs.mkShellNoCC {
-          nixosTests = pkgs.callPackages ./nix/checks/nixos-test.nix {
+            buildInputs = with pkgs; [
-            makeTest = import (pkgs.path + "/nixos/tests/make-test-python.nix");
+              python3.pkgs.pytest
-          };
+              python3.pkgs.mypy
-        in {
+
-          treefmt = pkgs.callPackage ./nix/checks/treefmt.nix {};
+              golangci-lint
-          inherit (nixosTests) unittests vault-agent systemd-vaultd;
+              vault
+              systemd
+              hivemind
+              go
+              just
+              config.packages.treefmt
+              config.packages.systemd
+            ];
           };
+
         };
       flake.nixosModules = {
         vaultAgent = ./nix/modules/vault-agent.nix;

nix/checks/dev-vault-server.nix

@@ -1,8 +1,6 @@
-{
+{ config
-  config,
+, pkgs
-  lib,
+, ...
-  pkgs,
-  ...
 }: {
   environment.systemPackages = [ pkgs.vault ];
   services.vault = {

nix/checks/flake-module.nix

@@ -0,0 +1,57 @@
+{ inputs, ... }: {
+  imports = [
+    inputs.treefmt-nix.flakeModule
+  ];
+  perSystem =
+    { pkgs
+    , ...
+    }: {
+      treefmt = {
+        # Used to find the project root
+        projectRootFile = "flake.lock";
+
+        programs.gofumpt.enable = true;
+        programs.prettier.enable = true;
+
+        settings.formatter = {
+          nix = {
+            command = "sh";
+            options = [
+              "-eucx"
+              ''
+                # First deadnix
+                ${pkgs.lib.getExe pkgs.deadnix} --edit "$@"
+                # Then nixpkgs-fmt
+                ${pkgs.lib.getExe pkgs.nixpkgs-fmt} "$@"
+              ''
+              "--"
+            ];
+            includes = [ "*.nix" ];
+          };
+
+          python = {
+            command = "sh";
+            options = [
+              "-eucx"
+              ''
+                ${pkgs.lib.getExe pkgs.ruff} --fix "$@"
+                ${pkgs.lib.getExe pkgs.python3.pkgs.black} "$@"
+              ''
+              "--" # this argument is ignored by bash
+            ];
+            includes = [ "*.py" ];
+          };
+        };
+      };
+
+      checks =
+        let
+          nixosTests = pkgs.callPackages ./nixos-test.nix {
+            makeTest = import (pkgs.path + "/nixos/tests/make-test-python.nix");
+          };
+        in
+        {
+          inherit (nixosTests) unittests vault-agent systemd-vaultd;
+        };
+    };
+}

nix/checks/nixos-test.nix

@@ -1,13 +1,15 @@
-{
+{ makeTest ? import <nixpkgs/nixos/tests/make-test-python.nix>
-  makeTest ? import <nixpkgs/nixos/tests/make-test-python.nix>,
+, pkgs ? (import <nixpkgs> { })
-  pkgs ? (import <nixpkgs> {}),
+,
-}: let
+}:
+let
   makeTest' = args:
     makeTest args {
       inherit pkgs;
       inherit (pkgs) system;
     };
-in {
+in
+{
   vault-agent = makeTest' (import ./vault-agent-test.nix);
   systemd-vaultd = makeTest' (import ./systemd-vaultd-test.nix);
   unittests = makeTest' {

nix/checks/systemd-vaultd-test.nix

@@ -1,9 +1,9 @@
 {
   name = "systemd-vaultd";
-  nodes.server = {
+  nodes.server =
-    config,
+    { config
-    pkgs,
+    , pkgs
-    ...
+    , ...
     }: {
       imports = [
         ../modules/vault-agent.nix

nix/checks/treefmt.nix

@@ -1,22 +0,0 @@
-{
-  runCommand,
-  gofumpt,
-  alejandra,
-  python3,
-  treefmt,
-}:
-runCommand "treefmt" {
-  nativeBuildInputs = [
-    gofumpt
-    treefmt
-    alejandra
-    python3.pkgs.flake8
-    python3.pkgs.black
-  ];
-} ''
-  # keep timestamps so that treefmt is able to detect mtime changes
-  cp --no-preserve=mode --preserve=timestamps -r ${../..} source
-  cd source
-  HOME=$TMPDIR treefmt --no-cache --fail-on-change
-  touch $out
-''

nix/checks/unittests.nix

@@ -1,10 +1,11 @@
-{
+{ writeShellScript
-  writeShellScript,
+, python3
-  python3,
+, pkgs
-  pkgs,
+, lib
-  lib,
+, coreutils
-  coreutils,
+,
-}: let
+}:
+let
   systemd-vaultd = pkgs.callPackage ../../default.nix { };
   systemd = pkgs.callPackage ../pkgs/systemd.nix { };
 in

nix/checks/vault-agent-test.nix

@@ -1,9 +1,8 @@
 {
   name = "vault-agent";
-  nodes.server = {
+  nodes.server =
-    config,
+    { config
-    pkgs,
+    , ...
-    ...
     }: {
       imports = [
         ./dev-vault-server.nix

nix/modules/systemd-vaultd.nix

@@ -1,11 +1,10 @@
-{
+{ pkgs
-  config,
+, ...
-  lib,
+}:
-  pkgs,
+let
-  ...
-}: let
   systemd-vaultd = pkgs.callPackage ../../default.nix { };
-in {
+in
+{
   imports = [
     ./vault-secrets.nix
   ];

nix/modules/vault-agent.nix

@@ -1,9 +1,9 @@
-{
+{ config
-  config,
+, lib
-  lib,
+, pkgs
-  pkgs,
+, ...
-  ...
+}:
-}: let
+let
   cfg = config.services.vault;
   settingsFormat = pkgs.formats.json { };
 
@@ -58,7 +58,8 @@
       };
     };
   };
-in {
+in
+{
   options.services.vault.agents = lib.mkOption {
     default = { };
     description = "Instances of vault agent";
@@ -72,7 +73,8 @@ in {
     });
   };
   config = {
-    systemd.services = lib.mapAttrs' (name: instanceCfg:
+    systemd.services = lib.mapAttrs'
+      (name: instanceCfg:
         lib.nameValuePair "vault-agent-${name}" {
           after = [ "network.target" ];
           wantedBy = [ "multi-user.target" ];

nix/modules/vault-secrets.nix

@@ -1,9 +1,9 @@
-{
+{ lib
-  lib,
+, config
-  config,
+, pkgs
-  pkgs,
+, ...
-  ...
+}:
-}: let
+let
   secretType = serviceName:
     lib.types.submodule ({ config, ... }: {
       options = {
@@ -59,19 +59,22 @@
 
   vaultTemplates = config:
     (lib.mapAttrsToList
-      (serviceName: service:
+      (serviceName: _service:
         getSecretTemplate serviceName services.${serviceName}.vault)
-      (lib.filterAttrs (n: v: v.vault.secrets != {} && v.vault.agent == config._module.args.name) services))
+      (lib.filterAttrs (_n: v: v.vault.secrets != { } && v.vault.agent == config._module.args.name) services))
     ++ (lib.mapAttrsToList
-      (serviceName: service:
+      (serviceName: _service:
         getEnvironmentTemplate serviceName services.${serviceName}.vault)
-      (lib.filterAttrs (n: v: v.vault.environmentTemplate != null && v.vault.agent == config._module.args.name) services));
+      (lib.filterAttrs (_n: v: v.vault.environmentTemplate != null && v.vault.agent == config._module.args.name) services));
-in {
+in
+{
   options = {
     systemd.services = lib.mkOption {
-      type = lib.types.attrsOf (lib.types.submodule ({config, ...}: let
+      type = lib.types.attrsOf (lib.types.submodule ({ config, ... }:
+        let
           serviceName = config._module.args.name;
-      in {
+        in
+        {
           options.vault = {
             changeAction = lib.mkOption {
               description = ''
@@ -117,9 +120,11 @@ in {
               };
             };
           };
-        config = let
+          config =
+            let
               mkIfHasEnv = lib.mkIf (config.vault.environmentTemplate != null);
-        in {
+            in
+            {
               after = mkIfHasEnv [ "${serviceName}-envfile.service" ];
               bindsTo = mkIfHasEnv [ "${serviceName}-envfile.service" ];
 
@@ -140,14 +145,17 @@ in {
 
   config = {
     # we cannot use `systemd.services` here since this would create infinite recursion
-    systemd.packages = let
+    systemd.packages =
-      servicesWithEnv = builtins.attrNames (lib.filterAttrs (n: v: v.vault.environmentTemplate != null) services);
+      let
-    in [
+        servicesWithEnv = builtins.attrNames (lib.filterAttrs (_n: v: v.vault.environmentTemplate != null) services);
+      in
+      [
         (pkgs.runCommand "env-services" { }
           (''
             mkdir -p $out/lib/systemd/system
           ''
-          + (lib.concatMapStringsSep "\n" (service: ''
+          + (lib.concatMapStringsSep "\n"
+            (service: ''
               cat > $out/lib/systemd/system/${service}-envfile.service <<EOF
               [Unit]
               Before=${service}.service

nix/pkgs/systemd.nix

@@ -1,6 +1,6 @@
-{
+{ systemd
-  systemd,
+, fetchpatch
-  fetchpatch,
+,
 }:
 systemd.overrideAttrs (old: {
   patches =

pyproject.toml

@@ -0,0 +1,20 @@
+[tool.ruff]
+line-length = 88
+
+select = ["E", "F", "I"]
+ignore = [ "E501" ]
+
+[tool.mypy]
+python_version = "3.10"
+warn_redundant_casts = true
+disallow_untyped_calls = true
+disallow_untyped_defs = true
+no_implicit_optional = true
+
+[[tool.mypy.overrides]]
+module = "setuptools.*"
+ignore_missing_imports = true
+
+[[tool.mypy.overrides]]
+module = "pytest.*"
+ignore_missing_imports = true

shell.nix

@@ -1,20 +0,0 @@
-{pkgs ? import <nixpkgs> {}}:
-with pkgs;
-  mkShellNoCC {
-    buildInputs = [
-      python3.pkgs.pytest
-      python3.pkgs.flake8
-      python3.pkgs.black
-      python3.pkgs.mypy
-
-      gofumpt
-      golangci-lint
-      alejandra
-      vault
-      systemd
-      hivemind
-      go
-      treefmt
-      just
-    ];
-  }

tests/command.py

@@ -3,8 +3,8 @@
 import os
 import signal
 import subprocess
-from typing import IO, Any, Dict, Iterator, List, Union
 from pathlib import Path
+from typing import IO, Any, Dict, Iterator, List, Union
 
 import pytest
 

tests/random_service.py

@@ -1,8 +1,8 @@
 #!/usr/bin/env python3
 
+import json
 import random
 import string
-import json
 from dataclasses import dataclass
 from pathlib import Path
 

tests/systemd_vaultd.py

@@ -1,9 +1,10 @@
 #!/usr/bin/env python3
 
 import os
-import pytest
 from pathlib import Path
 from typing import Optional
+
+import pytest
 from command import run
 
 BIN: Optional[Path] = None

tests/tempdir.py

@@ -1,10 +1,11 @@
 #!/usr/bin/env python3
 
-import pytest
-from tempfile import TemporaryDirectory
 from pathlib import Path
+from tempfile import TemporaryDirectory
 from typing import Iterator
 
+import pytest
+
 
 @pytest.fixture
 def tempdir() -> Iterator[Path]:

tests/test_blocking_secret.py

@@ -1,6 +1,6 @@
 import subprocess
-from pathlib import Path
 import time
+from pathlib import Path
 
 from command import Command
 from random_service import random_service

tests/test_socket_activation.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 
-import time
 import subprocess
+import time
 from pathlib import Path
 
 from command import Command, run

treefmt.toml

@@ -1,21 +0,0 @@
-[formatter.nix]
-command = "alejandra"
-includes = ["*.nix"]
-
-[formatter.python]
-command = "sh"
-options = [
-    "-eucx",
-    """
-flake8 "$@"
-black "$@"
-    """
-]
-includes = ["*.py"]
-excludes = []
-
-[formatter.go]
-command = "gofumpt"
-options = ["-w"]
-includes = ["*.go"]
-excludes = []