Merge pull request #2 from numtide/no-sudo

Procfile: avoid using sudo
2 years ago · e2d7197f61
parent 974032c41a 6da13d433c
commit e2d7197f61
4 changed files with 12 additions and 9 deletions
--- a/4
+++ b/4
@ -1,5 +1,5 @@
 # run with `hivemind``
-systemd-service: sleep 3 && sudo systemd-run --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
+systemd-service: sleep 3 && systemd-run --user --collect -u vault-nixos3.service -p LoadCredential=foo:$(pwd)/tmp/sock --wait --pipe cat '${CREDENTIALS_DIRECTORY}/foo'
 vault: vault server -dev -dev-root-token-id secret
-vault-agent:  sleep 5 && ./tests/setup-vault && sudo vault agent -config ./tests/vault-agent-example.hcl
+vault-agent:  sleep 5 && ./tests/setup-vault && vault agent -config ./tests/vault-agent-example.hcl
 systemd-vaultd: go run . -secrets tmp/secrets -sock tmp/sock
--- a/flake.lock
+++ b/flake.lock
@ -22,16 +22,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1655567057,
-        "narHash": "sha256-Cc5hQSMsTzOHmZnYm8OSJ5RNUp22bd5NADWLHorULWQ=",
-        "owner": "NixOS",
+        "lastModified": 1656938529,
+        "narHash": "sha256-j9hgKLoZZVYl/06Y2GzAhovGzfiuLzV5HX4kFEl+dTU=",
+        "owner": "Mic92",
        "repo": "nixpkgs",
-        "rev": "e0a42267f73ea52adc061a64650fddc59906fc99",
+        "rev": "5f6d0be096ef78b0fd38c3211d17117457193b69",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "owner": "Mic92",
+        "ref": "vault",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -4,7 +4,8 @@
  inputs = {
    flake-parts.url = "github:hercules-ci/flake-parts";
    flake-parts.inputs.nixpkgs.follows = "nixpkgs";
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # https://github.com/NixOS/nixpkgs/pull/180114
+    nixpkgs.url = "github:Mic92/nixpkgs/vault";
  };

  outputs = {
--- a/nix/modules/systemd-vaultd.nix
+++ b/nix/modules/systemd-vaultd.nix
@ -20,6 +20,8 @@ in {
    description = "systemd-vaultd daemon";
    requires = ["systemd-vaultd.socket"];
    after = ["systemd-vaultd.socket"];
+    # Restarting can break services waiting for secrets
+    stopIfChanged = false;
    serviceConfig = {
      ExecStart = "${systemd-vaultd}/bin/systemd-vaultd";
    };