Diffstat (limited to 'nixpkgs/pkgs/tools/security/vault')
-rw-r--r-- | nixpkgs/pkgs/tools/security/vault/default.nix | 53 | ||||
-rwxr-xr-x | nixpkgs/pkgs/tools/security/vault/update-bin.sh | 43 | ||||
-rw-r--r-- | nixpkgs/pkgs/tools/security/vault/vault-bin.nix | 63 |
3 files changed, 159 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/vault/default.nix b/nixpkgs/pkgs/tools/security/vault/default.nix
new file mode 100644
index 000000000000..fb9ce6fd6d5a
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/vault/default.nix
@@ -0,0 +1,53 @@
+{ stdenv, lib, fetchFromGitHub, buildGoModule, installShellFiles, nixosTests
+, makeWrapper
+, gawk
+, glibc
+}:
+
+buildGoModule rec {
+ pname = "vault";
+ version = "1.14.4";
+
+ src = fetchFromGitHub {
+ owner = "hashicorp";
+ repo = "vault";
+ rev = "v${version}";
+ sha256 = "sha256-E7lEKsbl2L6KhLgAZbemCaTIjbsvl3wg3oCURn/Judc=";
+ };
+
+ vendorHash = "sha256-8ytAT7qVXAIfoeMyTBMJ6DiWn74sRM1WrrOYaKTlKMo=";
+
+ proxyVendor = true;
+
+ subPackages = [ "." ];
+
+ nativeBuildInputs = [ installShellFiles makeWrapper ];
+
+ tags = [ "vault" ];
+
+ ldflags = [
+ "-s" "-w"
+ "-X github.com/hashicorp/vault/sdk/version.GitCommit=${src.rev}"
+ "-X github.com/hashicorp/vault/sdk/version.Version=${version}"
+ "-X github.com/hashicorp/vault/sdk/version.VersionPrerelease="
+ ];
+
+ postInstall = ''
+ echo "complete -C $out/bin/vault vault" > vault.bash
+ installShellCompletion vault.bash
+ '' + lib.optionalString stdenv.isLinux ''
+ wrapProgram $out/bin/vault \
+ --prefix PATH ${lib.makeBinPath [ gawk glibc ]}
+ '';
+
+ passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev vault-agent; };
+
+ meta = with lib; {
+ homepage = "https://www.vaultproject.io/";
+ description = "A tool for managing secrets";
+ changelog = "https://github.com/hashicorp/vault/blob/v${version}/CHANGELOG.md";
+ license = licenses.mpl20;
+ mainProgram = "vault";
+ maintainers = with maintainers; [ rushmorem lnl7 offline pradeepchhetri Chili-Man techknowlogick ];
+ };
+}
diff --git a/nixpkgs/pkgs/tools/security/vault/update-bin.sh b/nixpkgs/pkgs/tools/security/vault/update-bin.sh
new file mode 100755
index 000000000000..25f41e2aad12
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/vault/update-bin.sh
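Review bot: The `wrapProgram` call in `postInstall` of default.nix gives `--prefix` only two arguments, while makeWrapper's `--prefix` takes a variable name, a separator and a value. As written the store paths would be read as the separator and the value would be empty, so on Linux gawk and glibc's tools are probably not added to PATH the way the wrapper intends. The line should read `--prefix PATH : ${lib.makeBinPath [ gawk glibc ]}`. A one-line comment above it saying which runtime feature of vault needs these two packages would let a later reader judge whether the wrapper can be narrowed or dropped.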
@@ -0,0 +1,43 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnused gawk nix-prefetch
+
+set -euo pipefail
+
+ROOT="$(dirname "$(readlink -f "$0")")"
+NIX_DRV="$ROOT/vault-bin.nix"
+if [ ! -f "$NIX_DRV" ]; then
+ echo "ERROR: cannot find vault-bin in $ROOT"
+ exit 1
+fi
+
+fetch_arch() {
+ VER="$1"; ARCH="$2"
+ URL="https://releases.hashicorp.com/vault/${VER}/vault_${VER}_${ARCH}.zip"
+ nix-prefetch "{ stdenv, fetchzip }:
+stdenv.mkDerivation rec {
+ pname = \"vault-bin\"; version = \"${VER}\";
+ src = fetchzip { url = \"$URL\"; };
+}
+"
+}
+
+replace_sha() {
+ sed -i "s#$1 = \"sha256-.\{44\}\"#$1 = \"$2\"#" "$NIX_DRV"
+}
+
+# https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_arm64.zip
+VAULT_VER=$(curl -Ls -w "%{url_effective}" -o /dev/null https://github.com/hashicorp/vault/releases/latest | awk -F'/' '{print $NF}' | sed 's/v//')
+
+VAULT_LINUX_X86_SHA256=$(fetch_arch "$VAULT_VER" "linux_386")
+VAULT_LINUX_X64_SHA256=$(fetch_arch "$VAULT_VER" "linux_amd64")
+VAULT_DARWIN_X64_SHA256=$(fetch_arch "$VAULT_VER" "darwin_amd64")
+VAULT_LINUX_AARCH64_SHA256=$(fetch_arch "$VAULT_VER" "linux_arm64")
+VAULT_DARWIN_AARCH64_SHA256=$(fetch_arch "$VAULT_VER" "darwin_arm64")
+
+sed -i "s/version = \".*\"/version = \"$VAULT_VER\"/" "$NIX_DRV"
+
+replace_sha "i686-linux" "$VAULT_LINUX_X86_SHA256"
+replace_sha "x86_64-linux" "$VAULT_LINUX_X64_SHA256"
+replace_sha "x86_64-darwin" "$VAULT_DARWIN_X64_SHA256"
+replace_sha "aarch64-linux" "$VAULT_LINUX_AARCH64_SHA256"
+replace_sha "aarch64-darwin" "$VAULT_DARWIN_AARCH64_SHA256"
diff --git a/nixpkgs/pkgs/tools/security/vault/vault-bin.nix b/nixpkgs/pkgs/tools/security/vault/vault-bin.nix
new file mode 100644
index 000000000000..ca392d68a96d
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/vault/vault-bin.nix
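Review bot: `VAULT_VER` is never validated: it comes from the last path segment of the `releases/latest` redirect and goes straight into the download URL, the Nix expression in `fetch_arch` and the `sed -i` replacement. A check right after the assignment, `[[ "$VAULT_VER" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "ERROR: unexpected version: $VAULT_VER" >&2; exit 1; }`, would stop an error page or an unexpected tag from being written into vault-bin.nix. The strip should be anchored as `sed 's/^v//'` so that only a leading `v` is removed. The hashes passed to `replace_sha` are whatever `nix-prefetch` computed for the zip it downloaded, which is trust on first download. Upstream's published checksum file is not consulted, so a comment stating this, or a verification step before prefetching, would make the trust model explicit.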
@@ -0,0 +1,63 @@
+{ lib, stdenv, fetchzip }:
+
+stdenv.mkDerivation rec {
+ pname = "vault-bin";
+ version = "1.15.2";
+
+ src =
+ let
+ inherit (stdenv.hostPlatform) system;
+ selectSystem = attrs: attrs.${system} or (throw "Unsupported system: ${system}");
+ suffix = selectSystem {
+ x86_64-linux = "linux_amd64";
+ aarch64-linux = "linux_arm64";
+ i686-linux = "linux_386";
+ x86_64-darwin = "darwin_amd64";
+ aarch64-darwin = "darwin_arm64";
+ };
+ sha256 = selectSystem {
+ x86_64-linux = "sha256-aawDrQu8wEZqJ/uyCJjtWcgy8Ut34B5P+odqddE5P3M=";
+ aarch64-linux = "sha256-thLVw//yIgPCAV9CdrRlINLg+cO5aB279I2aboZMF6w=";
+ i686-linux = "sha256-bUhtnQB5YZdDuB4uondln0D3itoTr+1FaqjgTiT76WA=";
+ x86_64-darwin = "sha256-+wZrWwbpibtCla1ydhDnLJsHrVymLzEXVE1KftZ+pOs=";
+ aarch64-darwin = "sha256-2FGiCzIAEyXTqRaKEDZK5d/PWl4EmvJl9NieiOdgOeY=";
+ };
+ in
+ fetchzip {
+ url = "https://releases.hashicorp.com/vault/${version}/vault_${version}_${suffix}.zip";
+ inherit sha256;
+ };
+
+ dontConfigure = true;
+ dontBuild = true;
+ dontStrip = stdenv.isDarwin;
+
+ installPhase = ''
+ runHook preInstall
+ install -D vault $out/bin/vault
+ runHook postInstall
+ '';
+
+ doInstallCheck = true;
+ installCheckPhase = ''
+ runHook preInstallCheck
+ $out/bin/vault --help
+ $out/bin/vault version
+ runHook postInstallCheck
+ '';
+
+ dontPatchELF = true;
+ dontPatchShebangs = true;
+
+ passthru.updateScript = ./update-bin.sh;
+
+ meta = with lib; {
+ description = "A tool for managing secrets, this binary includes the UI";
+ homepage = "https://www.vaultproject.io";
+ sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+ license = licenses.mpl20;
+ maintainers = with maintainers; teams.serokell.members ++ [ offline psyanticy Chili-Man techknowlogick mkaito ];
+ mainProgram = "vault";
+ platforms = [ "x86_64-linux" "i686-linux" "x86_64-darwin" "aarch64-darwin" "aarch64-linux" ];
+ };
+}
 |
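Review bot: `license = licenses.mpl20;` in the `meta` block looks wrong for `version = "1.15.2"`, because as far as I know upstream moved Vault to the Business Source License 1.1 starting with the 1.15 series. If that is confirmed against the release, the attribute should be `license = licenses.bsl11;` so that users who have not opted into unfree packages are not handed this binary as if it were MPL-licensed. Since `update-bin.sh` rewrites only the version and hashes, a comment next to `license` reminding the updater to re-check it on major bumps would also help.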