depot/nix/docker/vault/default.nix

# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

{ pkgs, depot, ... }:
let
  vault = pkgs.vault-bin;

  imageName = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault";
  imageVersion = vault.version;

  plugins = [
  ];

  pluginDrv = pkgs.runCommand "vault-plugins" {
    inherit plugins;
  } ''
    mkdir -p $out/libexec/vault

    for plugin in $plugins; do
      for f in $plugin/libexec/vault/*; do
        # Must actually put the file into the directory.
        cp $f $out/libexec/vault
      done
    done
  '';

  container = pkgs.dockerTools.buildImage rec {
    name = imageName;
    tag = imageVersion;

    contents = pluginDrv;

    # Using vault-bin because I want the vault UI.
    config.Entrypoint = [ "${vault}/bin/vault" "server" "-config" "/etc/vault/config.hcl" ];
    config.Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
  } // {
    plugins = pluginDrv;
  };

  uploadCmd = pkgs.writeShellApplication {
    name = "upload-vault-container";

    runtimeInputs = with pkgs; [ skopeo google-cloud-sdk ];

    text = ''
      echo
      echo Uploading ${imageName}:${imageVersion}
      skopeo copy docker-archive:${container} docker://${imageName}:${imageVersion}

      echo
      echo Switching Cloud Run over
      gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageName}:${imageVersion} --concurrency default
    '';
  };
in container // {
  upload = uploadCmd;
}
nix/docker/vault: init This is the Docker image I use for deploying Vault. 2022-03-06 16:51:34 +00:00			`# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>`
			`#`
			`# SPDX-License-Identifier: Apache-2.0`

			`{ pkgs, depot, ... }:`
			`let`
			`vault = pkgs.vault-bin;`

			`imageName = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault";`
			`imageVersion = vault.version;`

			`plugins = [`
			`];`

			`pluginDrv = pkgs.runCommand "vault-plugins" {`
			`inherit plugins;`
			`} ''`
			`mkdir -p $out/libexec/vault`

			`for plugin in $plugins; do`
			`for f in $plugin/libexec/vault/*; do`
			`# Must actually put the file into the directory.`
			`cp $f $out/libexec/vault`
			`done`
			`done`
			`'';`

			`container = pkgs.dockerTools.buildImage rec {`
			`name = imageName;`
			`tag = imageVersion;`

			`contents = pluginDrv;`

			`# Using vault-bin because I want the vault UI.`
			`config.Entrypoint = [ "${vault}/bin/vault" "server" "-config" "/etc/vault/config.hcl" ];`
			`config.Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];`
			`} // {`
			`plugins = pluginDrv;`
			`};`

			`uploadCmd = pkgs.writeShellApplication {`
			`name = "upload-vault-container";`

			`runtimeInputs = with pkgs; [ skopeo google-cloud-sdk ];`

			`text = ''`
			`echo`
			`echo Uploading ${imageName}:${imageVersion}`
			`skopeo copy docker-archive:${container} docker://${imageName}:${imageVersion}`

			`echo`
			`echo Switching Cloud Run over`
			`gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageName}:${imageVersion} --concurrency default`
			`'';`
			`};`
			`in container // {`
			`upload = uploadCmd;`
			`}`