From 09aeac2ff1146132b583343357c72eaef173aead Mon Sep 17 00:00:00 2001
From: zimbatm
Date: Mon, 4 Jul 2022 14:34:47 +0200
Subject: [PATCH 1/3] Procfile: avoid using sudo

Aside from the running-as-root issue, it also means that the user has to enter their password sometimes, and that doesn't work really well with hivemind.
---
 Procfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Procfile b/Procfile
index 4a54c8d..44f36dd 100644
--- a/Procfile
+++ b/Procfile
@@ -1,5 +1,5 @@
 # run with `hivemind``
-systemd-service: sleep 3 && sudo systemd-run --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
+systemd-service: sleep 3 && systemd-run --user --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
 vault: vault server -dev -dev-root-token-id secret
-vault-agent: sleep 5 && ./tests/setup-vault && sudo vault agent -config ./tests/vault-agent-example.hcl
+vault-agent: sleep 5 && ./tests/setup-vault && vault agent -config ./tests/vault-agent-example.hcl
 systemd-vaultd: go run . -secrets tmp/secrets -sock tmp/sock

From 7cd4acbc147d00666efca63637ae6ac1bd1d0e9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Mon, 4 Jul 2022 14:43:41 +0200
Subject: [PATCH 2/3] switch to nixpkgs fork

---
 flake.lock | 12 ++++++------
 flake.nix | 3 ++-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/flake.lock b/flake.lock
index cbf96c6..02e9758 100644
--- a/flake.lock
+++ b/flake.lock
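Review bot: The `--user` added to the systemd-service line moves the transient unit into the user manager, and `LoadCredential=` together with `${CREDENTIALS_DIRECTORY}` in a user-scope unit presumably depends on a systemd release whose user instance supports credentials; nothing in the Procfile states that requirement, so on an older host the failure would look like a systemd-vaultd bug. A comment next to the existing `# run with `hivemind`` line, e.g. `# requires a systemd user manager that supports LoadCredential= for user units`, would document it. The vault-agent line now also runs unprivileged, so ./tests/vault-agent-example.hcl and the tmp/secrets and tmp/sock paths must be readable by the invoking user; if ./tests/setup-vault does not already ensure that, a note there would help too.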
@@ -22,16 +22,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1655567057,
- "narHash": "sha256-Cc5hQSMsTzOHmZnYm8OSJ5RNUp22bd5NADWLHorULWQ=",
- "owner": "NixOS",
+ "lastModified": 1656938529,
+ "narHash": "sha256-j9hgKLoZZVYl/06Y2GzAhovGzfiuLzV5HX4kFEl+dTU=",
+ "owner": "Mic92",
 "repo": "nixpkgs",
- "rev": "e0a42267f73ea52adc061a64650fddc59906fc99",
+ "rev": "5f6d0be096ef78b0fd38c3211d17117457193b69",
 "type": "github"
 },
 "original": {
- "owner": "NixOS",
- "ref": "nixos-unstable",
+ "owner": "Mic92",
+ "ref": "vault",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index c0dde99..fb0940c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,8 @@
 inputs = {
 flake-parts.url = "github:hercules-ci/flake-parts";
 flake-parts.inputs.nixpkgs.follows = "nixpkgs";
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ # https://github.com/NixOS/nixpkgs/pull/180114
+ nixpkgs.url = "github:Mic92/nixpkgs/vault";
 };

 outputs = {

From 6da13d433cc128c12dfe0693984222c94d075dc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Mon, 4 Jul 2022 14:48:24 +0200
Subject: [PATCH 3/3] nixos/systemd-vaultd: don't stop on nixos upgrades

---
 nix/modules/systemd-vaultd.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nix/modules/systemd-vaultd.nix b/nix/modules/systemd-vaultd.nix
index 3d176d5..89e359c 100644
--- a/nix/modules/systemd-vaultd.nix
+++ b/nix/modules/systemd-vaultd.nix
@@ -20,6 +20,8 @@ in {
 description = "systemd-vaultd daemon";
 requires = ["systemd-vaultd.socket"];
 after = ["systemd-vaultd.socket"];
+ # Restarting can break services waiting for secrets
+ stopIfChanged = false;
 serviceConfig = {
 ExecStart = "${systemd-vaultd}/bin/systemd-vaultd";
 };
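Review bot: The new `nixpkgs.url = "github:Mic92/nixpkgs/vault";` points the flake input at a mutable branch on a personal fork; flake.lock pins the exact rev today, but every future `nix flake update` will take whatever that branch holds, and the build now trusts that account's branch rather than NixOS/nixpkgs. The comment above it links the upstream PR but does not say the fork is temporary or what to switch back to, so I would extend it to `# TODO: revert to github:NixOS/nixpkgs/nixos-unstable once https://github.com/NixOS/nixpkgs/pull/180114 is merged`. The `inputs` attrset closes inside the hunk, but the flake continues outside it.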
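Review bot: `stopIfChanged = false;` changes how NixOS activation handles the unit — a changed unit is restarted in place instead of being stopped before the switch and started after — but the comment above it says restarting is what breaks dependants, which reads as if the unit were no longer restarted at all. If the intent is to keep the socket-served daemon available during `nixos-rebuild switch` so units waiting on it for secrets are not left hanging, the comment should say so: `# Don't stop the daemon before activation; restarting it in place keeps the socket served for units waiting on secrets`. If restarts themselves are the risk, `restartIfChanged = false;` is the option that suppresses them, at the cost of running the old binary until the next reboot. The service attrset continues outside the hunk.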