diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..1d953f4
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use nix
diff --git a/Procfile b/Procfile
index 5284ebc..cce2932 100755
--- a/Procfile
+++ b/Procfile
@@ -1,5 +1,5 @@
 #!/usr/bin/env hivemind
 systemd-service: sleep 3 && systemd-run --user --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
-vault: vault server -dev -dev-root-token-id secret
-vault-agent: sleep 5 && ./tests/setup-vault && vault agent -config ./tests/vault-agent-example.hcl
-systemd-vaultd: go run . -secrets tmp/secrets -sock tmp/sock
+openbao: vault server -dev -dev-root-token-id secret
+openbao-agent: sleep 5 && ./tests/setup-vault && openbao agent -config ./tests/vault-agent-example.hcl
+systemd-openbaod: go run . -secrets tmp/secrets -sock tmp/sock
diff --git a/default.nix b/default.nix
index 5513f9e..2455d7d 100644
--- a/default.nix
+++ b/default.nix
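Review bot: The `openbao:` entry still launches `vault server -dev -dev-root-token-id secret` while the `openbao-agent:` entry two lines down runs `openbao agent`, so the server and the agent are expected from two different binaries, and neither is provided by the dev shell this commit defines in default.nix (`vault` was dropped and `openbao` is commented out). If the server is meant to be OpenBao as well, the line should read `openbao: bao server -dev -dev-root-token-id secret` — upstream installs its CLI as `bao`, which also puts `openbao agent` on the next line in doubt; check the binary name against the package that ends up in the shell. The `-dev` server with a fixed root token predates this change; a comment line above it such as `# dev-only: in-memory server with a fixed root token (see tests/setup-vault)` would make that explicit now that the file is being rewritten.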
@@ -1,13 +1,34 @@
-{ pkgs ? import { } }:
-pkgs.buildGoModule {
- name = "systemd-vaultd";
- src = ./.;
- vendorHash = null;
- meta = with pkgs.lib; {
- description = "A proxy for secrets between systemd services and vault";
- homepage = "https://github.com/numtide/systemd-vaultd";
- license = licenses.mit;
- maintainers = with maintainers; [ mic92 ];
- platforms = platforms.unix;
+{ sources ? import ./npins, pkgs ? import sources.nixpkgs { } }:
+{
+ package = pkgs.buildGoModule {
+ name = "systemd-openbaod";
+ src = ./.;
+ vendorHash = null;
+ meta = with pkgs.lib; {
+ description = "A proxy for secrets between systemd services and openbao";
+ homepage = "https://git.newtype.fr/ryan/systemd-openbaod";
+ license = licenses.mit;
+ maintainers = with maintainers; [ raitobezarius ];
+ platforms = platforms.unix;
+ };
+ };
+
+ nixosModules = {
+ openbaoAgent = ./nix/modules/openbao-agent.nix;
+ systemdOpenBaod = ./nix/modules/systemd-openbaod.nix;
+ };
+
+ shell = pkgs.mkShellNoCC {
+ buildInputs = with pkgs; [
+ python3.pkgs.pytest
+ python3.pkgs.mypy
+
+ golangci-lint
+ # openbao
+ systemd
+ hivemind
+ go
+ just
+ ];
 };
 }
diff --git a/flake.lock b/flake.lock
deleted file mode 100644
index 6c5ab91..0000000
--- a/flake.lock
+++ /dev/null
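Review bot: `# openbao` in the `shell` buildInputs leaves the dev shell with no secrets server at all: the deleted flake.nix devShell listed `vault`, and the Procfile and tests/setup-vault in this same commit call `vault`, `openbao agent` and `openbao ...`, so `hivemind` will stop on command-not-found. If it is commented out because the nixpkgs-unstable channel pinned in npins/sources.json does not ship it yet, say so on that line, e.g. `# openbao  # TODO: not in the pinned nixpkgs channel yet, re-enable after the next pin update`; otherwise restore it. `nixosModules` now points at `./nix/modules/openbao-agent.nix` and `./nix/modules/systemd-openbaod.nix`, but no rename of the previous `vault-agent.nix`/`systemd-vaultd.nix` modules is visible in this chunk, so those paths should be verified to exist, and the `./nix/checks/flake-module.nix` import that flake.nix carried has no counterpart here. A two-line header comment describing the three attributes (`package`, `nixosModules`, `shell`) would help, since shell.nix now just imports `.shell` from this file.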
@@ -1,69 +0,0 @@ -{ - "nodes": { - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1698579227, - "narHash": "sha256-KVWjFZky+gRuWennKsbo6cWyo7c/z/VgCte5pR9pEKg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "f76e870d64779109e41370848074ac4eaa1606ec", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1698443389, - "narHash": "sha256-/IhqtAuFPL1gew2h1+b+xQipv2WVt9EuszSHz5a4PNI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a9d001fd4af2df7f5702bbdb28a0081c855cb625", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs", - "treefmt-nix": "treefmt-nix" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1698438538, - "narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake.nix b/flake.nix deleted file mode 100644 index c50ab55..0000000 --- a/flake.nix +++ /dev/null 
@@ -1,46 +0,0 @@
-{
- description = "Description for the project";
-
- inputs = {
- flake-parts.url = "github:hercules-ci/flake-parts";
- flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
-
- treefmt-nix.url = "github:numtide/treefmt-nix";
- treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
- };
-
- outputs = inputs @ { flake-parts, ... }:
- flake-parts.lib.mkFlake { inherit inputs; } {
- systems = [ "x86_64-linux" "aarch64-linux" ];
- imports = [
- ./nix/checks/flake-module.nix
- ];
- perSystem =
- { config
- , pkgs
- , ...
- }: {
- packages.default = pkgs.callPackage ./default.nix { };
- devShells.default = pkgs.mkShellNoCC {
- buildInputs = with pkgs; [
- python3.pkgs.pytest
- python3.pkgs.mypy
-
- golangci-lint
- vault
- systemd
- hivemind
- go
- just
- config.treefmt.build.wrapper
- ];
- };
-
- };
- flake.nixosModules = {
- vaultAgent = ./nix/modules/vault-agent.nix;
- systemdVaultd = ./nix/modules/systemd-vaultd.nix;
- };
- };
-}
diff --git a/go.mod b/go.mod
index 18ea0a7..85d370f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,3 @@
-module github.com/numtide/systemd-vaultd
+module git.newtype.fr/ryan/systemd-openbaod
 
-go 1.17
+go 1.23
diff --git a/npins/default.nix b/npins/default.nix
new file mode 100644
index 0000000..fb04b70
--- /dev/null
+++ b/npins/default.nix
@@ -0,0 +1,80 @@ +# Generated by npins. Do not modify; will be overwritten regularly +let + data = builtins.fromJSON (builtins.readFile ./sources.json); + version = data.version; + + mkSource = + spec: + assert spec ? type; + let + path = + if spec.type == "Git" then + mkGitSource spec + else if spec.type == "GitRelease" then + mkGitSource spec + else if spec.type == "PyPi" then + mkPyPiSource spec + else if spec.type == "Channel" then + mkChannelSource spec + else + builtins.throw "Unknown source type ${spec.type}"; + in + spec // { outPath = path; }; + + mkGitSource = + { + repository, + revision, + url ? null, + hash, + branch ? null, + ... + }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null then + (builtins.fetchTarball { + inherit url; + sha256 = hash; + }) + else + assert repository.type == "Git"; + let + urlToName = + url: rev: + let + matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url; + + short = builtins.substring 0 7 rev; + + appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else ""; + in + "${if matched == null then "source" else builtins.head matched}${appendShort}"; + name = urlToName repository.url revision; + in + builtins.fetchGit { + url = repository.url; + rev = revision; + inherit name; + narHash = hash; + }; + + mkPyPiSource = + { url, hash, ... }: + builtins.fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = + { url, hash, ... }: + builtins.fetchTarball { + inherit url; + sha256 = hash; + }; +in +if version == 4 then + builtins.mapAttrs (_: mkSource) data.pins +else + throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/npins/sources.json b/npins/sources.json new file mode 100644 index 0000000..4fdae5b --- /dev/null +++ b/npins/sources.json 
@@ -0,0 +1,11 @@ +{ + "pins": { + "nixpkgs": { + "type": "Channel", + "name": "nixpkgs-unstable", + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre694416.ccc0c2126893/nixexprs.tar.xz", + "hash": "0cn1z4wzps8nfqxzr6l5mbn81adcqy2cy2ic70z13fhzicmxfsbx" + } + }, + "version": 4 +} \ No newline at end of file
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..82fb296
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1 @@
+(import ./default.nix {}).shell
diff --git a/tests/setup-vault b/tests/setup-vault
index 55c9a87..e1cda14 100755
--- a/tests/setup-vault
+++ b/tests/setup-vault
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -eux -o pipefail
-export VAULT_ADDR=http://127.0.0.1:8200
-export VAULT_TOKEN=secret
+export BAO_ADDR=http://127.0.0.1:8200
+export BAO_TOKEN=secret
 while ! vault status; do
 sleep 1
@@ -15,11 +15,11 @@ path "secret/data/*" {
 capabilities = ["read"]
 }
 EOF
-vault policy write demo tmp/policy-file.hcl
-vault kv put secret/my-secret foo=bar
+openbao policy write demo tmp/policy-file.hcl
+openbao kv put secret/my-secret foo=bar
 # role for our vault agent
-vault auth enable approle
-vault write auth/approle/role/role1 bind_secret_id=true token_policies=demo
-echo -n $(vault read -format json auth/approle/role/role1/role-id | jq -r .data.role_id) > tmp/roleID
-echo -n $(vault write -force -format json auth/approle/role/role1/secret-id | jq -r .data.secret_id) > tmp/secretID
+openbao auth enable approle
+openbao write auth/approle/role/role1 bind_secret_id=true token_policies=demo
+echo -n $(openbao read -format json auth/approle/role/role1/role-id | jq -r .data.role_id) > tmp/roleID
+echo -n $(openbao write -force -format json auth/approle/role/role1/secret-id | jq -r .data.secret_id) > tmp/secretID
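Review bot: The readiness loop `while ! vault status; do` in the first tests/setup-vault hunk still runs the `vault` CLI, but the commit replaces `VAULT_ADDR`/`VAULT_TOKEN` with `BAO_ADDR`/`BAO_TOKEN`, so `vault status` no longer gets the address and presumably falls back to its built-in default, and the loop can spin forever without seeing the dev server started by the Procfile. It should use the same CLI as the rest of the script, `while ! openbao status; do`, bearing in mind that OpenBao installs its CLI as `bao`, so the `openbao policy write`, `openbao kv put`, `openbao auth enable`, `openbao write` and `openbao read` lines in the second hunk hinge on the same binary name being right for the package that is actually installed. Because `set -eux -o pipefail` is kept, the `-x` trace prints the expanded role-id and secret-id of the `echo -n $(openbao ...)` lines before they land in `tmp/roleID` and `tmp/secretID`; that predates this change and is acceptable for a throwaway dev instance, but a comment on the `set` line saying so would stop the script being copied into anything longer-lived unchanged.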