diff --git a/nix/docker/vault/default.nix b/nix/docker/vault/default.nix
index e1a5fdce2a..24741fccda 100644
--- a/nix/docker/vault/default.nix
+++ b/nix/docker/vault/default.nix
@@ -2,28 +2,25 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-{ pkgs, depot, ... }:
+{ lib, pkgs, depot, ... }:
 let
 vault = pkgs.vault-bin;
 imageName = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault";
 imageVersion = vault.version;
- plugins = [
- depot.nix.pkgs.vault-acme
- ];
+ plugins = {
+ acme = { pkg = depot.nix.pkgs.vault-acme; type = "secret"; name = "acme"; };
+ };
- pluginDrv = pkgs.runCommand "vault-plugins" {
- inherit plugins;
- } ''
+ pluginDrv = pkgs.runCommand "vault-plugins" {} ''
 mkdir -p $out/libexec/vault
- for plugin in $plugins; do
- for f in $plugin/libexec/vault/*; do
- # Must actually put the file into the directory.
- cp $f $out/libexec/vault
- done
- done
+ ${lib.concatStrings (lib.mapAttrsToList ( execName: pluginAttrs: '' cp ${pluginAttrs.pkg}/libexec/vault/${execName} $out/libexec/vault/${execName} '' ) plugins)}
 '';
 container = pkgs.dockerTools.buildImage rec {
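Review bot: The new `plugins` attrset carries an implicit schema that the hunk never states — the attribute key doubles as the executable filename that the `cp` line looks up under `<pkg>/libexec/vault`, while `type` and `name` are consumed only by the catalog script elsewhere — so a plugin whose binary is not named after its key fails the build with nothing more than a bare `cp` error. A comment above `plugins = {` would pin the contract: `# Attr key = executable name under <pkg>/libexec/vault; it is copied into the image under that name and registered as the catalog command. type/name = Vault catalog path sys/plugins/catalog/<type>/<name>.`. Worth saying in that comment too that, unlike the removed loop, exactly one file per plugin is copied, since that is now the only thing tying the image contents to what gets registered. The `${lib.concatStrings …}` interpolation appears collapsed onto one rendered line here, so its exact line layout is not visible.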
@@ -39,6 +36,32 @@ let
 plugins = pluginDrv;
 };
+ updateVaultPluginsCmd = pkgs.runCommand "update-vault-plugins" {} ''
+ mkdir -p $out/bin
+
+ cat <"$out/bin/update-vault-plugins"
+ #!${pkgs.runtimeShell}
+ set -o errexit
+ set -o nounset
+ set -o pipefail
+
+ export VAULT_ADDR=https://vault.int.lukegb.com/
+
+ vault token lookup >/dev/null || vault login -method=oidc role="admin" skip_browser=true
+
+ ${lib.concatStrings (lib.mapAttrsToList (
+ execName: pluginAttrs: ''
+ echo '${execName}'
+ vault write '/sys/plugins/catalog/${pluginAttrs.type}/${pluginAttrs.name}' command="${execName}" sha256="$(sha256sum '${pluginAttrs.pkg}/libexec/vault/${execName}' | cut -f1 -d' ')"
+ ''
+ ) plugins)}
+ EOF
+ chmod +x "$out/bin/update-vault-plugins"
+
+ ${pkgs.stdenv.shellDryRun} "$out/bin/update-vault-plugins"
+ ${pkgs.shellcheck}/bin/shellcheck "$out/bin/update-vault-plugins"
+ '';
+
 uploadCmd = pkgs.writeShellApplication {
 name = "upload-vault-container";
@@ -52,8 +75,13 @@ let
 echo
 echo Switching Cloud Run over
 gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageName}:${imageVersion} --concurrency default
+
+ echo
+ echo Updating Vault SHA256 for plugins
+ ${updateVaultPluginsCmd}/bin/update-vault-plugins
 '';
 };
 in container // {
 upload = uploadCmd;
+ updateVaultPlugins = updateVaultPluginsCmd;
 }
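Review bot: The line `cat <"$out/bin/update-vault-plugins"` as rendered redirects the not-yet-created file into cat, and the `EOF` terminator further down implies a heredoc whose `<<EOF >"…"` form (and whether the delimiter is quoted) has been lost in this rendering; if the source really reads this way the derivation fails at build, so this is presumably a display artifact. That quoting matters because it decides when `$(sha256sum …)` in the `vault write` line runs: with an unquoted delimiter it is expanded in the build sandbox, where `${pluginAttrs.pkg}` is a build input, and the generated script carries a pinned hex hash; with a quoted one it runs on the operator's machine at execution time against whatever copy of the store path is present there. The build-time form is the one that makes the registered hash a property of the built artifact rather than of the operator's environment, and it deserves a comment above the heredoc stating which is intended, e.g. `# Unquoted heredoc: $(sha256sum …) runs at build time, so this script embeds pinned plugin hashes.`. The `shellDryRun` and `shellcheck` passes at the end only check the generated script's syntax, not which of the two hash semantics was produced.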
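Review bot: The catalog update in `uploadCmd` runs only after `gcloud … run deploy` has switched traffic, so between the switch and `update-vault-plugins` completing the new revision serves with a catalog sha256 that still describes the previous plugin binary; if Vault verifies the hash when it launches the plugin, mounts backed by `acme` are unavailable for that window, and a failure in either step leaves the two halves out of sync (deploy done but catalog stale, or vice versa). Moving the catalog write before the deploy closes the gap on the new revision but opens it on the old one, so whichever order is kept should be documented in the script, e.g. `# Catalog hash is registered after the deploy; acme-backed mounts may be unavailable until this step completes.`. It is also worth confirming whether mounts that already exist pick up the new hash on their own or need a `vault plugin reload` after the `vault write`. `uploadCmd`'s body starts outside this hunk.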