nix/docker/vault: init

This is the Docker image I use for deploying Vault.
Luke Granger-Brown 2022-03-06 16:51:34 +00:00
parent a3eb1e4519
commit 6c3ecb4d0b
2 changed files with 59 additions and 0 deletions


@ -4,4 +4,5 @@
args: { args: {
heptapod = import ./heptapod args; heptapod = import ./heptapod args;
vault = import ./vault args;
} }


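--- /dev/null
+++ b/nix/docker/vault/default.nix
@@ -0,0 +1,58 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
+#
+# SPDX-License-Identifier: Apache-2.0
+{ pkgs, depot, ... }:
+let
+vault = pkgs.vault-bin;
+imageName = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault";
+imageVersion = vault.version;
+plugins = [
+];
+pluginDrv = pkgs.runCommand "vault-plugins" {
+inherit plugins;
+} ''
+mkdir -p $out/libexec/vault
+for plugin in $plugins; do
+for f in $plugin/libexec/vault/*; do
+# Must actually put the file into the directory.
+cp $f $out/libexec/vault
+done
+done
+'';
+container = pkgs.dockerTools.buildImage rec {
+name = imageName;
+tag = imageVersion;
+contents = pluginDrv;
+# Using vault-bin because I want the vault UI.
+config.Entrypoint = [ "${vault}/bin/vault" "server" "-config" "/etc/vault/config.hcl" ];
+config.Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
+} // {
+plugins = pluginDrv;
+};
+uploadCmd = pkgs.writeShellApplication {
+name = "upload-vault-container";
+runtimeInputs = with pkgs; [ skopeo google-cloud-sdk ];
+text = ''
+echo
+echo Uploading ${imageName}:${imageVersion}
+skopeo copy docker-archive:${container} docker://${imageName}:${imageVersion}
+echo
+echo Switching Cloud Run over
+gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageName}:${imageVersion} --concurrency default
+'';
+};
+in container // {
+upload = uploadCmd;
+}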
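Review bot: The image tag is only `vault.version` (`tag = imageVersion;` in the buildImage call), so a rebuild for the same Vault release with different content — a newer `pkgs.cacert` bundle, or entries added to the currently empty `plugins` list — is pushed by the `skopeo copy` line over an existing tag, and the `gcloud run deploy --image ${imageName}:${imageVersion}` line then resolves whatever the registry holds under that tag at deploy time rather than the archive that was just copied. For a secrets service it is worth making each distinct build addressable: if this checkout's dockerTools supports it, `tag = null;` lets buildImage derive the tag from the output hash, and the upload script can use `docker://${imageName}:${container.imageTag}` and the same `${container.imageTag}` in the gcloud line, so the deployed revision maps back to one Nix store path. Alternatively, capture the digest skopeo reports and deploy by `@sha256:` reference. Relatedly, the comment `# Must actually put the file into the directory.` in pluginDrv does not say why a copy rather than a symlink is required; stating that only files under the image `contents` end up in the layer would make the intent clear to the next reader.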