feat: we don't need flakes where we are going

Clean up the repo a bit for OpenBao.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Raito Bezarius 3 months ago
parent c646ca0618
commit d4e31a9b0f

@ -0,0 +1 @@
use nix

@ -1,5 +1,5 @@
#!/usr/bin/env hivemind
systemd-service: sleep 3 && systemd-run --user --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
vault: vault server -dev -dev-root-token-id secret
vault-agent: sleep 5 && ./tests/setup-vault && vault agent -config ./tests/vault-agent-example.hcl
systemd-vaultd: go run . -secrets tmp/secrets -sock tmp/sock
openbao: vault server -dev -dev-root-token-id secret
openbao-agent: sleep 5 && ./tests/setup-vault && openbao agent -config ./tests/vault-agent-example.hcl
systemd-openbaod: go run . -secrets tmp/secrets -sock tmp/sock
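Review bot: The renamed `openbao` process on the third new line still launches the `vault` binary, and the agent line invokes `openbao agent`, which is not the command name OpenBao ships — its CLI is `bao` — so the process set will not start as written unless a wrapper named `openbao` exists outside this diff. Both lines should call the same binary that tests/setup-vault and the dev shell provide: `openbao: bao server -dev -dev-root-token-id secret` and `openbao-agent: sleep 5 && ./tests/setup-vault && bao agent -config ./tests/vault-agent-example.hcl`. The unchanged `systemd-service` line still names the unit `vault-nixos3.service`; renaming it is optional but keeps the harness consistent with the rest of the rename. Whichever name is chosen, the dev shell in default.nix has `openbao` commented out, so nothing in this commit actually puts that binary on PATH.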

@ -1,13 +1,34 @@
{ pkgs ? import <nixpkgs> { } }:
pkgs.buildGoModule {
name = "systemd-vaultd";
src = ./.;
vendorHash = null;
meta = with pkgs.lib; {
description = "A proxy for secrets between systemd services and vault";
homepage = "https://github.com/numtide/systemd-vaultd";
license = licenses.mit;
maintainers = with maintainers; [ mic92 ];
platforms = platforms.unix;
{ sources ? import ./npins, pkgs ? import sources.nixpkgs { } }:
{
package = pkgs.buildGoModule {
name = "systemd-openbaod";
src = ./.;
vendorHash = null;
meta = with pkgs.lib; {
description = "A proxy for secrets between systemd services and openbao";
homepage = "https://git.newtype.fr/ryan/systemd-openbaod";
license = licenses.mit;
maintainers = with maintainers; [ raitobezarius ];
platforms = platforms.unix;
};
};
nixosModules = {
openbaoAgent = ./nix/modules/openbao-agent.nix;
systemdOpenBaod = ./nix/modules/systemd-openbaod.nix;
};
shell = pkgs.mkShellNoCC {
buildInputs = with pkgs; [
python3.pkgs.pytest
python3.pkgs.mypy
golangci-lint
# openbao
systemd
hivemind
go
just
];
};
}
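Review bot: The dev shell no longer provides any Vault/OpenBao binary — `# openbao` is commented out in `buildInputs` — yet Procfile and tests/setup-vault both need one, so the shell cannot run the local harness as committed. If the pinned nixpkgs channel carries an `openbao` attribute, uncomment it (`openbao` in place of `# openbao`); otherwise add a pin for it in npins rather than leaving the dependency implicit. The flake removed in this commit also imported `./nix/checks/flake-module.nix`, and the new attrset exposes `package`, `nixosModules` and `shell` but no `checks`, so whatever lived there is no longer reachable from the entry point — either add a `checks` attribute or delete the now-orphaned directory. The `nixosModules` paths point at `./nix/modules/openbao-agent.nix` and `./nix/modules/systemd-openbaod.nix`; the renames from the `vault-*` module names are not visible in this diff, so confirm those files exist under the new names.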

@ -1,69 +0,0 @@
{
"nodes": {
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1698579227,
"narHash": "sha256-KVWjFZky+gRuWennKsbo6cWyo7c/z/VgCte5pR9pEKg=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "f76e870d64779109e41370848074ac4eaa1606ec",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1698443389,
"narHash": "sha256-/IhqtAuFPL1gew2h1+b+xQipv2WVt9EuszSHz5a4PNI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a9d001fd4af2df7f5702bbdb28a0081c855cb625",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs",
"treefmt-nix": "treefmt-nix"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1698438538,
"narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

@ -1,46 +0,0 @@
{
description = "Description for the project";
inputs = {
flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
treefmt-nix.url = "github:numtide/treefmt-nix";
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs @ { flake-parts, ... }:
flake-parts.lib.mkFlake { inherit inputs; } {
systems = [ "x86_64-linux" "aarch64-linux" ];
imports = [
./nix/checks/flake-module.nix
];
perSystem =
{ config
, pkgs
, ...
}: {
packages.default = pkgs.callPackage ./default.nix { };
devShells.default = pkgs.mkShellNoCC {
buildInputs = with pkgs; [
python3.pkgs.pytest
python3.pkgs.mypy
golangci-lint
vault
systemd
hivemind
go
just
config.treefmt.build.wrapper
];
};
};
flake.nixosModules = {
vaultAgent = ./nix/modules/vault-agent.nix;
systemdVaultd = ./nix/modules/systemd-vaultd.nix;
};
};
}

@ -1,3 +1,3 @@
module github.com/numtide/systemd-vaultd
module git.newtype.fr/ryan/systemd-openbaod
go 1.17
go 1.23

@ -0,0 +1,80 @@
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
mkSource =
spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = path; };
mkGitSource =
{
repository,
revision,
url ? null,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null then
(builtins.fetchTarball {
inherit url;
sha256 = hash;
})
else
assert repository.type == "Git";
let
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName repository.url revision;
in
builtins.fetchGit {
url = repository.url;
rev = revision;
inherit name;
narHash = hash;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
in
if version == 4 then
builtins.mapAttrs (_: mkSource) data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"

@ -0,0 +1,11 @@
{
"pins": {
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre694416.ccc0c2126893/nixexprs.tar.xz",
"hash": "0cn1z4wzps8nfqxzr6l5mbn81adcqy2cy2ic70z13fhzicmxfsbx"
}
},
"version": 4
}

@ -0,0 +1 @@
(import ./default.nix {}).shell

@ -1,7 +1,7 @@
#!/usr/bin/env bash
set -eux -o pipefail
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=secret
export BAO_ADDR=http://127.0.0.1:8200
export BAO_TOKEN=secret
while ! vault status; do
sleep 1
@ -15,11 +15,11 @@ path "secret/data/*" {
capabilities = ["read"]
}
EOF
vault policy write demo tmp/policy-file.hcl
vault kv put secret/my-secret foo=bar
openbao policy write demo tmp/policy-file.hcl
openbao kv put secret/my-secret foo=bar
# role for our vault agent
vault auth enable approle
vault write auth/approle/role/role1 bind_secret_id=true token_policies=demo
echo -n $(vault read -format json auth/approle/role/role1/role-id | jq -r .data.role_id) > tmp/roleID
echo -n $(vault write -force -format json auth/approle/role/role1/secret-id | jq -r .data.secret_id) > tmp/secretID
openbao auth enable approle
openbao write auth/approle/role/role1 bind_secret_id=true token_policies=demo
echo -n $(openbao read -format json auth/approle/role/role1/role-id | jq -r .data.role_id) > tmp/roleID
echo -n $(openbao write -force -format json auth/approle/role/role1/secret-id | jq -r .data.secret_id) > tmp/secretID
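Review bot: The readiness loop on the unchanged `while ! vault status; do` line in the first hunk still runs the `vault` CLI, but this commit drops the `VAULT_ADDR` export in favour of `BAO_ADDR`, and the Vault CLI's default address is `https://127.0.0.1:8200`, so the probe is likely to keep failing against the plain-http dev server and the script would never reach the policy setup. In the second hunk every call is spelled `openbao ...`, whereas the OpenBao CLI binary is `bao`; unless an `openbao` wrapper exists outside this diff, the script fails at the first `openbao policy write`. Both hunks should use one binary name consistently: `while ! bao status; do`, `bao policy write demo tmp/policy-file.hcl`, and likewise for the `kv put`, `auth enable`, `write` and `read` invocations. The `# role for our vault agent` comment can be updated to say `openbao agent` at the same time.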
