feat: we don't need flakes where we are going

Cleanup the repo a bit for OpenBao. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
1 month ago · d4e31a9b0f
parent c646ca0618
commit d4e31a9b0f
10 changed files with 138 additions and 139 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
 use nix
--- a/6
+++ b/6
@ -1,5 +1,5 @@
 #!/usr/bin/env hivemind
 systemd-service: sleep 3 && systemd-run --user --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
-vault: vault server -dev -dev-root-token-id secret
+openbao: vault server -dev -dev-root-token-id secret
-vault-agent:  sleep 5 && ./tests/setup-vault && vault agent -config ./tests/vault-agent-example.hcl
+openbao-agent:  sleep 5 && ./tests/setup-vault && openbao agent -config ./tests/vault-agent-example.hcl
-systemd-vaultd: go run . -secrets tmp/secrets -sock tmp/sock
+systemd-openbaod: go run . -secrets tmp/secrets -sock tmp/sock
--- a/default.nix
+++ b/default.nix
@ -1,13 +1,34 @@
-{ pkgs ? import <nixpkgs> { } }:
+{ sources ? import ./npins, pkgs ? import sources.nixpkgs { } }:
-pkgs.buildGoModule {
+{
-  name = "systemd-vaultd";
+  package = pkgs.buildGoModule {
-  src = ./.;
+    name = "systemd-openbaod";
-  vendorHash = null;
+    src = ./.;
-  meta = with pkgs.lib; {
+    vendorHash = null;
-    description = "A proxy for secrets between systemd services and vault";
+    meta = with pkgs.lib; {
-    homepage = "https://github.com/numtide/systemd-vaultd";
+      description = "A proxy for secrets between systemd services and openbao";
-    license = licenses.mit;
+      homepage = "https://git.newtype.fr/ryan/systemd-openbaod";
-    maintainers = with maintainers; [ mic92 ];
+      license = licenses.mit;
-    platforms = platforms.unix;
+      maintainers = with maintainers; [ raitobezarius ];
      platforms = platforms.unix;
    };
  };
  nixosModules = {
    openbaoAgent = ./nix/modules/openbao-agent.nix;
    systemdOpenBaod = ./nix/modules/systemd-openbaod.nix;
  };
  shell = pkgs.mkShellNoCC {
    buildInputs = with pkgs; [
      python3.pkgs.pytest
      python3.pkgs.mypy
      golangci-lint
      # openbao
      systemd
      hivemind
      go
      just
    ];
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -1,69 +0,0 @@
 {
  "nodes": {
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1698579227,
        "narHash": "sha256-KVWjFZky+gRuWennKsbo6cWyo7c/z/VgCte5pR9pEKg=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "f76e870d64779109e41370848074ac4eaa1606ec",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1698443389,
        "narHash": "sha256-/IhqtAuFPL1gew2h1+b+xQipv2WVt9EuszSHz5a4PNI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a9d001fd4af2df7f5702bbdb28a0081c855cb625",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "flake-parts": "flake-parts",
        "nixpkgs": "nixpkgs",
        "treefmt-nix": "treefmt-nix"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1698438538,
        "narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@ -1,46 +0,0 @@
 {
  description = "Description for the project";
  inputs = {
    flake-parts.url = "github:hercules-ci/flake-parts";
    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
    treefmt-nix.url = "github:numtide/treefmt-nix";
    treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = inputs @ { flake-parts, ... }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      systems = [ "x86_64-linux" "aarch64-linux" ];
      imports = [
        ./nix/checks/flake-module.nix
      ];
      perSystem =
        { config
        , pkgs
        , ...
        }: {
          packages.default = pkgs.callPackage ./default.nix { };
          devShells.default = pkgs.mkShellNoCC {
            buildInputs = with pkgs; [
              python3.pkgs.pytest
              python3.pkgs.mypy
              golangci-lint
              vault
              systemd
              hivemind
              go
              just
              config.treefmt.build.wrapper
            ];
          };
        };
      flake.nixosModules = {
        vaultAgent = ./nix/modules/vault-agent.nix;
        systemdVaultd = ./nix/modules/systemd-vaultd.nix;
      };
    };
 }
--- a/go.mod
+++ b/go.mod
@ -1,3 +1,3 @@
-module github.com/numtide/systemd-vaultd
+module git.newtype.fr/ryan/systemd-openbaod
-go 1.17
+go 1.23
--- a/npins/default.nix
+++ b/npins/default.nix
@ -0,0 +1,80 @@
 # Generated by npins. Do not modify; will be overwritten regularly
 let
  data = builtins.fromJSON (builtins.readFile ./sources.json);
  version = data.version;
  mkSource =
    spec:
    assert spec ? type;
    let
      path =
        if spec.type == "Git" then
          mkGitSource spec
        else if spec.type == "GitRelease" then
          mkGitSource spec
        else if spec.type == "PyPi" then
          mkPyPiSource spec
        else if spec.type == "Channel" then
          mkChannelSource spec
        else
          builtins.throw "Unknown source type ${spec.type}";
    in
    spec // { outPath = path; };
  mkGitSource =
    {
      repository,
      revision,
      url ? null,
      hash,
      branch ? null,
      ...
    }:
    assert repository ? type;
    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
    # In the latter case, there we will always be an url to the tarball
    if url != null then
      (builtins.fetchTarball {
        inherit url;
        sha256 = hash;
      })
    else
      assert repository.type == "Git";
      let
        urlToName =
          url: rev:
          let
            matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
            short = builtins.substring 0 7 rev;
            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
          in
          "${if matched == null then "source" else builtins.head matched}${appendShort}";
        name = urlToName repository.url revision;
      in
      builtins.fetchGit {
        url = repository.url;
        rev = revision;
        inherit name;
        narHash = hash;
      };
  mkPyPiSource =
    { url, hash, ... }:
    builtins.fetchurl {
      inherit url;
      sha256 = hash;
    };
  mkChannelSource =
    { url, hash, ... }:
    builtins.fetchTarball {
      inherit url;
      sha256 = hash;
    };
 in
 if version == 4 then
  builtins.mapAttrs (_: mkSource) data.pins
 else
  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
--- a/npins/sources.json
+++ b/npins/sources.json
@ -0,0 +1,11 @@
 {
  "pins": {
    "nixpkgs": {
      "type": "Channel",
      "name": "nixpkgs-unstable",
      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre694416.ccc0c2126893/nixexprs.tar.xz",
      "hash": "0cn1z4wzps8nfqxzr6l5mbn81adcqy2cy2ic70z13fhzicmxfsbx"
    }
  },
  "version": 4
 }
--- a/shell.nix
+++ b/shell.nix
@ -0,0 +1 @@
 (import ./default.nix {}).shell
--- a/tests/setup-vault
+++ b/tests/setup-vault
@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -eux -o pipefail
-export VAULT_ADDR=http://127.0.0.1:8200
+export BAO_ADDR=http://127.0.0.1:8200
-export VAULT_TOKEN=secret
+export BAO_TOKEN=secret
 while ! vault status; do
  sleep 1
@ -15,11 +15,11 @@ path "secret/data/*" {
  capabilities = ["read"]
 }
 EOF
-vault policy write demo tmp/policy-file.hcl
+openbao policy write demo tmp/policy-file.hcl
-vault kv put secret/my-secret foo=bar
+openbao kv put secret/my-secret foo=bar
 # role for our vault agent
-vault auth enable approle
+openbao auth enable approle
-vault write auth/approle/role/role1 bind_secret_id=true token_policies=demo
+openbao write auth/approle/role/role1 bind_secret_id=true token_policies=demo
-echo -n $(vault read -format json auth/approle/role/role1/role-id | jq -r .data.role_id) > tmp/roleID
+echo -n $(openbao read -format json auth/approle/role/role1/role-id | jq -r .data.role_id) > tmp/roleID
-echo -n $(vault write -force -format json auth/approle/role/role1/secret-id | jq -r .data.secret_id) > tmp/secretID
+echo -n $(openbao write -force -format json auth/approle/role/role1/secret-id | jq -r .data.secret_id) > tmp/secretID
`@ -1,3 +1,3 @@`
	`module github.com/numtide/systemd-vaultd`	`module git.newtype.fr/ryan/systemd-openbaod`

	`go 1.17`	`go 1.23`