depot/nix/docker/vault/default.nix
Luke Granger-Brown 932b47e9e9 vault-acme: init
This is a Vault secrets plugin for provisioning SSL certificates using ACME.
2022-03-06 16:52:47 +00:00


# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
{ pkgs, depot, ... }:
let
  inherit (pkgs) cacert;

  # vault-bin rather than the from-source build: the binary release ships the UI.
  vaultPkg = pkgs.vault-bin;

  # Registry location the image is pushed to; the tag tracks the Vault release.
  registryImage = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault";
  registryTag = vaultPkg.version;
  imageRef = "${registryImage}:${registryTag}";

  # Plugin packages whose libexec/vault contents get bundled into the image.
  pluginPackages = [
    depot.nix.pkgs.vault-acme
  ];

  # Flattens every plugin's libexec/vault directory into a single tree.
  # NOTE(review): this only copies the binaries; Vault still has to be pointed
  # at the directory and each plugin registered in its catalog — not done here.
  pluginTree = pkgs.runCommand "vault-plugins" { plugins = pluginPackages; } ''
    mkdir -p $out/libexec/vault
    for plugin in $plugins; do
      for f in $plugin/libexec/vault/*; do
        # Must actually put the file into the directory.
        cp $f $out/libexec/vault
      done
    done
  '';

  # The image itself. Only the plugin tree is added as content; the Vault
  # binary and the CA bundle reach the image through the config references.
  # /etc/vault/config.hcl is not provided by anything here, so it has to be
  # supplied at runtime.
  image = pkgs.dockerTools.buildImage {
    name = registryImage;
    tag = registryTag;
    contents = pluginTree;
    # Using vault-bin because I want the vault UI.
    config = {
      Entrypoint = [ "${vaultPkg}/bin/vault" "server" "-config" "/etc/vault/config.hcl" ];
      Env = [ "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt" ];
    };
  };

  # Pushes the image tarball to the registry and redeploys the Cloud Run
  # service onto the new tag.
  pushScript = pkgs.writeShellApplication {
    name = "upload-vault-container";
    runtimeInputs = [ pkgs.skopeo pkgs.google-cloud-sdk ];
    text = ''
      echo
      echo Uploading ${imageRef}
      skopeo copy docker-archive:${image} docker://${imageRef}
      echo
      echo Switching Cloud Run over
      gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageRef} --concurrency default
    '';
  };
in
# The image derivation, with the plugin tree and the upload script attached
# as extra attributes for convenience.
image // {
  plugins = pluginTree;
  upload = pushScript;
}