3 files changed, 159 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/vault/default.nix b/nixpkgs/pkgs/tools/security/vault/default.nix
new file mode 100644
index 000000000000..fb9ce6fd6d5a
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/vault/default.nix
@@ -0,0 +1,53 @@
+{ stdenv, lib, fetchFromGitHub, buildGoModule, installShellFiles, nixosTests
+, makeWrapper
+, gawk
+, glibc
+}:
+
+buildGoModule rec {
+  pname = "vault";
+  version = "1.14.4";
+
+  src = fetchFromGitHub {
+    owner = "hashicorp";
+    repo = "vault";
+    rev = "v${version}";
+    sha256 = "sha256-E7lEKsbl2L6KhLgAZbemCaTIjbsvl3wg3oCURn/Judc=";
+  };
+
+  vendorHash = "sha256-8ytAT7qVXAIfoeMyTBMJ6DiWn74sRM1WrrOYaKTlKMo=";
+
+  proxyVendor = true;
+
+  subPackages = [ "." ];
+
+  nativeBuildInputs = [ installShellFiles makeWrapper ];
+
+  tags = [ "vault" ];
+
+  ldflags = [
+    "-s" "-w"
+    "-X github.com/hashicorp/vault/sdk/version.GitCommit=${src.rev}"
+    "-X github.com/hashicorp/vault/sdk/version.Version=${version}"
+    "-X github.com/hashicorp/vault/sdk/version.VersionPrerelease="
+  ];
+
+  postInstall = ''
+    echo "complete -C $out/bin/vault vault" > vault.bash
+    installShellCompletion vault.bash
+  '' + lib.optionalString stdenv.isLinux ''
+    wrapProgram $out/bin/vault \
+      --prefix PATH ${lib.makeBinPath [ gawk glibc ]}
+  '';
+
+  passthru.tests = { inherit (nixosTests) vault vault-postgresql vault-dev vault-agent; };
+
+  meta = with lib; {
+    homepage = "https://www.vaultproject.io/";
+    description = "A tool for managing secrets";
+    changelog = "https://github.com/hashicorp/vault/blob/v${version}/CHANGELOG.md";
+    license = licenses.mpl20;
+    mainProgram = "vault";
+    maintainers = with maintainers; [ rushmorem lnl7 offline pradeepchhetri Chili-Man techknowlogick ];
+  };
+}
diff --git a/nixpkgs/pkgs/tools/security/vault/update-bin.sh b/nixpkgs/pkgs/tools/security/vault/update-bin.sh
new file mode 100755
index 000000000000..25f41e2aad12
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/vault/update-bin.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnused gawk nix-prefetch
+
+set -euo pipefail
+
+ROOT="$(dirname "$(readlink -f "$0")")"
+NIX_DRV="$ROOT/vault-bin.nix"
+if [ ! -f "$NIX_DRV" ]; then
+  echo "ERROR: cannot find vault-bin in $ROOT"
+  exit 1
+fi
+
+fetch_arch() {
+  VER="$1"; ARCH="$2"
+  URL="https://releases.hashicorp.com/vault/${VER}/vault_${VER}_${ARCH}.zip"
+  nix-prefetch "{ stdenv, fetchzip }:
+stdenv.mkDerivation rec {
+  pname = \"vault-bin\"; version = \"${VER}\";
+  src = fetchzip { url = \"$URL\"; };
+}
+"
+}
+
+replace_sha() {
+  sed -i "s#$1 = \"sha256-.\{44\}\"#$1 = \"$2\"#" "$NIX_DRV"
+}
+
+# https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_arm64.zip
+VAULT_VER=$(curl -Ls -w "%{url_effective}" -o /dev/null https://github.com/hashicorp/vault/releases/latest | awk -F'/' '{print $NF}' | sed 's/v//')
+
+VAULT_LINUX_X86_SHA256=$(fetch_arch "$VAULT_VER" "linux_386")
+VAULT_LINUX_X64_SHA256=$(fetch_arch "$VAULT_VER" "linux_amd64")
+VAULT_DARWIN_X64_SHA256=$(fetch_arch "$VAULT_VER" "darwin_amd64")
+VAULT_LINUX_AARCH64_SHA256=$(fetch_arch "$VAULT_VER" "linux_arm64")
+VAULT_DARWIN_AARCH64_SHA256=$(fetch_arch "$VAULT_VER" "darwin_arm64")
+
+sed -i "s/version = \".*\"/version = \"$VAULT_VER\"/" "$NIX_DRV"
+
+replace_sha "i686-linux" "$VAULT_LINUX_X86_SHA256"
+replace_sha "x86_64-linux" "$VAULT_LINUX_X64_SHA256"
+replace_sha "x86_64-darwin" "$VAULT_DARWIN_X64_SHA256"
+replace_sha "aarch64-linux" "$VAULT_LINUX_AARCH64_SHA256"
+replace_sha "aarch64-darwin" "$VAULT_DARWIN_AARCH64_SHA256"
diff --git a/nixpkgs/pkgs/tools/security/vault/vault-bin.nix b/nixpkgs/pkgs/tools/security/vault/vault-bin.nix
new file mode 100644
index 000000000000..ca392d68a96d
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/vault/vault-bin.nix
@@ -0,0 +1,63 @@
+{ lib, stdenv, fetchzip }:
+
+stdenv.mkDerivation rec {
+  pname = "vault-bin";
+  version = "1.15.2";
+
+  src =
+    let
+      inherit (stdenv.hostPlatform) system;
+      selectSystem = attrs: attrs.${system} or (throw "Unsupported system: ${system}");
+      suffix = selectSystem {
+        x86_64-linux = "linux_amd64";
+        aarch64-linux = "linux_arm64";
+        i686-linux = "linux_386";
+        x86_64-darwin = "darwin_amd64";
+        aarch64-darwin = "darwin_arm64";
+      };
+      sha256 = selectSystem {
+        x86_64-linux = "sha256-aawDrQu8wEZqJ/uyCJjtWcgy8Ut34B5P+odqddE5P3M=";
+        aarch64-linux = "sha256-thLVw//yIgPCAV9CdrRlINLg+cO5aB279I2aboZMF6w=";
+        i686-linux = "sha256-bUhtnQB5YZdDuB4uondln0D3itoTr+1FaqjgTiT76WA=";
+        x86_64-darwin = "sha256-+wZrWwbpibtCla1ydhDnLJsHrVymLzEXVE1KftZ+pOs=";
+        aarch64-darwin = "sha256-2FGiCzIAEyXTqRaKEDZK5d/PWl4EmvJl9NieiOdgOeY=";
+      };
+    in
+    fetchzip {
+      url = "https://releases.hashicorp.com/vault/${version}/vault_${version}_${suffix}.zip";
+      inherit sha256;
+    };
+
+  dontConfigure = true;
+  dontBuild = true;
+  dontStrip = stdenv.isDarwin;
+
+  installPhase = ''
+    runHook preInstall
+    install -D vault $out/bin/vault
+    runHook postInstall
+  '';
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    runHook preInstallCheck
+    $out/bin/vault --help
+    $out/bin/vault version
+    runHook postInstallCheck
+  '';
+
+  dontPatchELF = true;
+  dontPatchShebangs = true;
+
+  passthru.updateScript = ./update-bin.sh;
+
+  meta = with lib; {
+    description = "A tool for managing secrets, this binary includes the UI";
+    homepage = "https://www.vaultproject.io";
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+    license = licenses.mpl20;
+    maintainers = with maintainers; teams.serokell.members ++ [ offline psyanticy Chili-Man techknowlogick mkaito ];
+    mainProgram = "vault";
+    platforms = [ "x86_64-linux" "i686-linux" "x86_64-darwin" "aarch64-darwin" "aarch64-linux" ];
+  };
+}