2022-03-06 16:51:34 +00:00
|
|
|
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
|
|
|
|
#
|
|
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
2022-03-06 17:10:58 +00:00
|
|
|
{ lib, pkgs, depot, ... }:
|
2022-03-06 16:51:34 +00:00
|
|
|
let
|
|
|
|
vault = pkgs.vault-bin;
|
|
|
|
|
|
|
|
imageName = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault";
|
|
|
|
imageVersion = vault.version;
|
|
|
|
|
2022-03-06 17:10:58 +00:00
|
|
|
plugins = {
|
|
|
|
acme = { pkg = depot.nix.pkgs.vault-acme; type = "secret"; name = "acme"; };
|
|
|
|
};
|
2022-03-06 16:51:34 +00:00
|
|
|
|
2022-03-06 17:10:58 +00:00
|
|
|
pluginDrv = pkgs.runCommand "vault-plugins" {} ''
|
2022-03-06 16:51:34 +00:00
|
|
|
mkdir -p $out/libexec/vault
|
|
|
|
|
2022-03-06 17:10:58 +00:00
|
|
|
${lib.concatStrings (lib.mapAttrsToList (
|
|
|
|
execName: pluginAttrs: ''
|
|
|
|
cp ${pluginAttrs.pkg}/libexec/vault/${execName} $out/libexec/vault/${execName}
|
|
|
|
''
|
|
|
|
) plugins)}
|
2022-03-06 16:51:34 +00:00
|
|
|
'';
|
|
|
|
|
|
|
|
container = pkgs.dockerTools.buildImage rec {
|
|
|
|
name = imageName;
|
|
|
|
tag = imageVersion;
|
|
|
|
|
|
|
|
contents = pluginDrv;
|
|
|
|
|
|
|
|
# Using vault-bin because I want the vault UI.
|
|
|
|
config.Entrypoint = [ "${vault}/bin/vault" "server" "-config" "/etc/vault/config.hcl" ];
|
|
|
|
config.Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
|
|
|
|
} // {
|
|
|
|
plugins = pluginDrv;
|
|
|
|
};
|
|
|
|
|
2022-03-06 17:10:58 +00:00
|
|
|
updateVaultPluginsCmd = pkgs.runCommand "update-vault-plugins" {} ''
|
|
|
|
mkdir -p $out/bin
|
|
|
|
|
|
|
|
cat <<EOF >"$out/bin/update-vault-plugins"
|
|
|
|
#!${pkgs.runtimeShell}
|
|
|
|
set -o errexit
|
|
|
|
set -o nounset
|
|
|
|
set -o pipefail
|
|
|
|
|
|
|
|
export VAULT_ADDR=https://vault.int.lukegb.com/
|
|
|
|
|
|
|
|
vault token lookup >/dev/null || vault login -method=oidc role="admin" skip_browser=true
|
|
|
|
|
|
|
|
${lib.concatStrings (lib.mapAttrsToList (
|
|
|
|
execName: pluginAttrs: ''
|
|
|
|
echo '${execName}'
|
|
|
|
vault write '/sys/plugins/catalog/${pluginAttrs.type}/${pluginAttrs.name}' command="${execName}" sha256="$(sha256sum '${pluginAttrs.pkg}/libexec/vault/${execName}' | cut -f1 -d' ')"
|
|
|
|
''
|
|
|
|
) plugins)}
|
|
|
|
EOF
|
|
|
|
chmod +x "$out/bin/update-vault-plugins"
|
|
|
|
|
|
|
|
${pkgs.stdenv.shellDryRun} "$out/bin/update-vault-plugins"
|
|
|
|
${pkgs.shellcheck}/bin/shellcheck "$out/bin/update-vault-plugins"
|
|
|
|
'';
|
|
|
|
|
2022-03-06 16:51:34 +00:00
|
|
|
uploadCmd = pkgs.writeShellApplication {
|
|
|
|
name = "upload-vault-container";
|
|
|
|
|
|
|
|
runtimeInputs = with pkgs; [ skopeo google-cloud-sdk ];
|
|
|
|
|
|
|
|
text = ''
|
|
|
|
echo
|
|
|
|
echo Uploading ${imageName}:${imageVersion}
|
|
|
|
skopeo copy docker-archive:${container} docker://${imageName}:${imageVersion}
|
|
|
|
|
|
|
|
echo
|
|
|
|
echo Switching Cloud Run over
|
|
|
|
gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageName}:${imageVersion} --concurrency default
|
2022-03-06 17:10:58 +00:00
|
|
|
|
|
|
|
echo
|
|
|
|
echo Updating Vault SHA256 for plugins
|
|
|
|
${updateVaultPluginsCmd}/bin/update-vault-plugins
|
2022-03-06 16:51:34 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
in container // {
|
|
|
|
upload = uploadCmd;
|
2022-03-06 17:10:58 +00:00
|
|
|
updateVaultPlugins = updateVaultPluginsCmd;
|
2022-03-06 16:51:34 +00:00
|
|
|
}
|