feat: we don't need flakes where we are going
Clean up the repo a bit for OpenBao. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
parent
c646ca0618
commit
d4e31a9b0f
@ -1,5 +1,5 @@
|
||||
#!/usr/bin/env hivemind
|
||||
systemd-service: sleep 3 && systemd-run --user --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
|
||||
vault: vault server -dev -dev-root-token-id secret
|
||||
vault-agent: sleep 5 && ./tests/setup-vault && vault agent -config ./tests/vault-agent-example.hcl
|
||||
systemd-vaultd: go run . -secrets tmp/secrets -sock tmp/sock
|
||||
openbao: vault server -dev -dev-root-token-id secret
|
||||
openbao-agent: sleep 5 && ./tests/setup-vault && openbao agent -config ./tests/vault-agent-example.hcl
|
||||
systemd-openbaod: go run . -secrets tmp/secrets -sock tmp/sock
|
||||
|
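Review bot: The new `openbao` entry still starts `vault server` while the new `openbao-agent` entry invokes an `openbao` binary, so the two halves of the OpenBao setup disagree on which CLI they expect, and the dev shell in this same commit provides neither (its `# openbao` line is commented out and `vault` was dropped). As far as I know the OpenBao CLI ships as `bao`, so both lines should call it: `openbao: bao server -dev -dev-root-token-id secret` and `openbao-agent: sleep 5 && ./tests/setup-vault && bao agent -config ./tests/vault-agent-example.hcl`. The fixed `-dev-root-token-id secret` is tolerable only on the assumption that `-dev` keeps the listener on loopback and the token never leaves this test harness; a one-line comment stating that, e.g. `# dev-mode only: fixed root token, loopback listener — never reuse outside tests`, would stop the line being copied into a real deployment.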
@ -1,13 +1,34 @@
|
||||
{ pkgs ? import <nixpkgs> { } }:
|
||||
pkgs.buildGoModule {
|
||||
name = "systemd-vaultd";
|
||||
{ sources ? import ./npins, pkgs ? import sources.nixpkgs { } }:
|
||||
{
|
||||
package = pkgs.buildGoModule {
|
||||
name = "systemd-openbaod";
|
||||
src = ./.;
|
||||
vendorHash = null;
|
||||
meta = with pkgs.lib; {
|
||||
description = "A proxy for secrets between systemd services and vault";
|
||||
homepage = "https://github.com/numtide/systemd-vaultd";
|
||||
description = "A proxy for secrets between systemd services and openbao";
|
||||
homepage = "https://git.newtype.fr/ryan/systemd-openbaod";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ mic92 ];
|
||||
maintainers = with maintainers; [ raitobezarius ];
|
||||
platforms = platforms.unix;
|
||||
};
|
||||
};
|
||||
|
||||
nixosModules = {
|
||||
openbaoAgent = ./nix/modules/openbao-agent.nix;
|
||||
systemdOpenBaod = ./nix/modules/systemd-openbaod.nix;
|
||||
};
|
||||
|
||||
shell = pkgs.mkShellNoCC {
|
||||
buildInputs = with pkgs; [
|
||||
python3.pkgs.pytest
|
||||
python3.pkgs.mypy
|
||||
|
||||
golangci-lint
|
||||
# openbao
|
||||
systemd
|
||||
hivemind
|
||||
go
|
||||
just
|
||||
];
|
||||
};
|
||||
}
|
||||
|
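Review bot: The dev shell no longer carries any Vault/OpenBao CLI — `vault` was removed from `buildInputs` and the replacement `# openbao` is a comment — yet the Procfile and `tests/setup-vault` driven from this shell still invoke one, so the hivemind test run fails unless a binary arrives on PATH by other means. If the pinned nixpkgs already packages it, uncommenting `openbao` closes the gap; otherwise the comment should say why it is omitted and where the binary is expected to come from. On the package itself, `name = "systemd-openbaod"` on `buildGoModule` would be better expressed as `pname = "systemd-openbaod"; version = "...";` so the store path and `nix build` result carry a version, and `vendorHash = null` deserves a note such as `# no third-party Go modules; replace with a real hash once go.sum gains entries` since it silently stops being valid the moment a dependency is added.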
@ -1,69 +0,0 @@
|
||||
{
|
||||
"nodes": {
|
||||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1698579227,
|
||||
"narHash": "sha256-KVWjFZky+gRuWennKsbo6cWyo7c/z/VgCte5pR9pEKg=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "f76e870d64779109e41370848074ac4eaa1606ec",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1698443389,
|
||||
"narHash": "sha256-/IhqtAuFPL1gew2h1+b+xQipv2WVt9EuszSHz5a4PNI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a9d001fd4af2df7f5702bbdb28a0081c855cb625",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable-small",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
}
|
||||
},
|
||||
"treefmt-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1698438538,
|
||||
"narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
@ -1,46 +0,0 @@
|
||||
{
|
||||
description = "Description for the project";
|
||||
|
||||
inputs = {
|
||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
|
||||
|
||||
treefmt-nix.url = "github:numtide/treefmt-nix";
|
||||
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
outputs = inputs @ { flake-parts, ... }:
|
||||
flake-parts.lib.mkFlake { inherit inputs; } {
|
||||
systems = [ "x86_64-linux" "aarch64-linux" ];
|
||||
imports = [
|
||||
./nix/checks/flake-module.nix
|
||||
];
|
||||
perSystem =
|
||||
{ config
|
||||
, pkgs
|
||||
, ...
|
||||
}: {
|
||||
packages.default = pkgs.callPackage ./default.nix { };
|
||||
devShells.default = pkgs.mkShellNoCC {
|
||||
buildInputs = with pkgs; [
|
||||
python3.pkgs.pytest
|
||||
python3.pkgs.mypy
|
||||
|
||||
golangci-lint
|
||||
vault
|
||||
systemd
|
||||
hivemind
|
||||
go
|
||||
just
|
||||
config.treefmt.build.wrapper
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
flake.nixosModules = {
|
||||
vaultAgent = ./nix/modules/vault-agent.nix;
|
||||
systemdVaultd = ./nix/modules/systemd-vaultd.nix;
|
||||
};
|
||||
};
|
||||
}
|
@ -1,3 +1,3 @@
|
||||
module github.com/numtide/systemd-vaultd
|
||||
module git.newtype.fr/ryan/systemd-openbaod
|
||||
|
||||
go 1.17
|
||||
go 1.23
|
||||
|
@ -0,0 +1,80 @@
|
||||
# Generated by npins. Do not modify; will be overwritten regularly
|
||||
let
|
||||
data = builtins.fromJSON (builtins.readFile ./sources.json);
|
||||
version = data.version;
|
||||
|
||||
mkSource =
|
||||
spec:
|
||||
assert spec ? type;
|
||||
let
|
||||
path =
|
||||
if spec.type == "Git" then
|
||||
mkGitSource spec
|
||||
else if spec.type == "GitRelease" then
|
||||
mkGitSource spec
|
||||
else if spec.type == "PyPi" then
|
||||
mkPyPiSource spec
|
||||
else if spec.type == "Channel" then
|
||||
mkChannelSource spec
|
||||
else
|
||||
builtins.throw "Unknown source type ${spec.type}";
|
||||
in
|
||||
spec // { outPath = path; };
|
||||
|
||||
mkGitSource =
|
||||
{
|
||||
repository,
|
||||
revision,
|
||||
url ? null,
|
||||
hash,
|
||||
branch ? null,
|
||||
...
|
||||
}:
|
||||
assert repository ? type;
|
||||
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
|
||||
# In the latter case, there we will always be an url to the tarball
|
||||
if url != null then
|
||||
(builtins.fetchTarball {
|
||||
inherit url;
|
||||
sha256 = hash;
|
||||
})
|
||||
else
|
||||
assert repository.type == "Git";
|
||||
let
|
||||
urlToName =
|
||||
url: rev:
|
||||
let
|
||||
matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
|
||||
|
||||
short = builtins.substring 0 7 rev;
|
||||
|
||||
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
|
||||
in
|
||||
"${if matched == null then "source" else builtins.head matched}${appendShort}";
|
||||
name = urlToName repository.url revision;
|
||||
in
|
||||
builtins.fetchGit {
|
||||
url = repository.url;
|
||||
rev = revision;
|
||||
inherit name;
|
||||
narHash = hash;
|
||||
};
|
||||
|
||||
mkPyPiSource =
|
||||
{ url, hash, ... }:
|
||||
builtins.fetchurl {
|
||||
inherit url;
|
||||
sha256 = hash;
|
||||
};
|
||||
|
||||
mkChannelSource =
|
||||
{ url, hash, ... }:
|
||||
builtins.fetchTarball {
|
||||
inherit url;
|
||||
sha256 = hash;
|
||||
};
|
||||
in
|
||||
if version == 4 then
|
||||
builtins.mapAttrs (_: mkSource) data.pins
|
||||
else
|
||||
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
|
@ -0,0 +1,11 @@
|
||||
{
|
||||
"pins": {
|
||||
"nixpkgs": {
|
||||
"type": "Channel",
|
||||
"name": "nixpkgs-unstable",
|
||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre694416.ccc0c2126893/nixexprs.tar.xz",
|
||||
"hash": "0cn1z4wzps8nfqxzr6l5mbn81adcqy2cy2ic70z13fhzicmxfsbx"
|
||||
}
|
||||
},
|
||||
"version": 4
|
||||
}
|