Merge pull request #39 from serokell/rvem/allow-unfree-vault-package

[Chore] Miscellaneous minor fixes

.github/workflows/check.yml

@@ -1,5 +1,9 @@
 name: Nix flake check
-on: push
+on:
+  pull_request:
+  push:
+    branches: master
+
 
 jobs:
   check:

README.md

@@ -20,7 +20,6 @@ for your machine's hostname.
 let
   vs = config.vault-secrets.secrets;
 in {
-
   vault-secrets = {
     # This applies to all secrets
     vaultPrefix = "kv/servers/${config.networking.hostName}";
@@ -37,6 +36,16 @@ in {
 }
 ```
 
+Note that since version `1.15.0` Vault is distributed under an unfree "Business Source License"
+and if you want to use `vault-secrets` within your Nix configuration, you'll have to explicitly allow
+`vault` unfree package in your configuration. The most convenient way to do this is to add
+```
+nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkg.pname) [ "vault" ];
+```
+to the configuration of the system that uses `vault-secrets` module.
+Also please note that `allowUnfreePredicate` definitions don't combine and it may override
+this settings in your existing configuration in which case make sure to combine them manually.
+
 In this example, we define a secret `myservice` for a service called
 `myservice`. The AppRole used to log in will be `myservice`. In order to
 log in using such an AppRole, it first needs to be created in Vault, and
@@ -108,6 +117,34 @@ on top of your nixpkgs, and then add `pkgs.vault-push-approles self { /*
 overrides */ }` and `pkgs.vault-push-approle-envs self { /* overrides */
 }` either to your `devShell`, or as separate `apps` in your flake.
 
+Due to the fact that Vault is distributed under unfree license you'll also need
+to explicitly allow this unfree packages in your overlay, for example:
+```
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    vault-secrets = "github:serokell/vault-secrets";
+    ...
+  };
+  outputs = { self, nixpkgs, vault-secrets, .. }@inputs:
+    let
+      pkgs = import nixpkgs {
+        config.allowUnfreePredicate = pkg: builtins.elem (pkg.pname) [ "vault" ];
+        overlays = [ vault-secrets.overlays.default ];
+      };
+    in {
+      devShells.x86_64-linux.default = pkgs.mkShell {
+        VAULT_ADDR = "https://my-vault-instance.org";
+        buildInputs = [
+          pkgs.vault
+          (pkgs.vault-push-approle-envs self)
+          (pkgs.vault-push-approles self)
+        ];
+      };
+    }
+}
+```
+
 ### `vault-push-approles`
 
 This script generates approle definitions and policies, and uploads them

flake.nix

@@ -9,7 +9,7 @@
     };
   };
 
-  outputs = { self, nixpkgs, nix, ... }@inputs:
+  outputs = { self, nixpkgs, ... }@inputs:
     let
       forSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" ];
     in

modules/vault-secrets-darwin.nix

@@ -13,7 +13,7 @@ in
   config = {
     launchd.daemons = mkMerge ([(flip mapAttrs' cfg.secrets (
       name: scfg: nameValuePair "${name}-secrets" {
-        path = with pkgs; [ getent jq vault python3 coreutils bash ];
+        path = with pkgs; [ getent jq vault coreutils bash ];
         environment.VAULT_ADDR = cfg.vaultAddress;
         # Needed to store vault token
         environment.HOME = "/var/root";

modules/vault-secrets.nix

@@ -13,7 +13,7 @@ in
   config = {
     systemd.services = mkMerge ([(flip mapAttrs' cfg.secrets (
       name: scfg: nameValuePair "${name}-secrets" {
-        path = with pkgs; [ coreutils getent jq vault-bin ];
+        path = with pkgs; [ coreutils getent jq vault ];
 
         partOf = map (n: "${n}.service") scfg.services;
         wantedBy = optional (scfg.services == []) "multi-user.target" ;

tests/modules/vault-secrets.nix

@@ -8,21 +8,22 @@
   in rec {
     name = "vault-secrets";
     nodes = {
-      server = { pkgs, ... }:
+      server = { pkgs, lib, ... }:
         let
           serverArgs =
             "-dev -dev-root-token-id='root' -dev-listen-address='0.0.0.0:${toString vault-port}'";
         in {
           # An unsealed dummy vault
           networking.firewall.allowedTCPPorts = [ vault-port ];
+          nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkg.pname) [ "vault" ];
           systemd.services.dummy-vault = {
             wantedBy = [ "multi-user.target" ];
             path = with pkgs; [ getent vault ];
             script = "vault server ${serverArgs}";
           };
         };
 
-      client = { pkgs, config, ... }: {
+      client = { pkgs, config, lib, ... }: {
         imports = [ self.nixosModules.vault-secrets ];
 
         systemd.services.test = {
@@ -50,6 +51,7 @@
           openssh.authorizedKeys.keys = [ ssh-keys.snakeOilPublicKey ];
         };
 
+        nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkg.pname) [ "vault" ];
         vault-secrets = {
           vaultAddress = vault-address;
           secrets.test = { };
@@ -58,7 +60,8 @@
         networking.hostName = "client";
       };
 
-      supervisor = { pkgs, ... }: {
+      supervisor = { pkgs, lib, ... }: {
+        nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkg.pname) [ "vault" ];
         environment.systemPackages = [ pkgs.vault ];
       };
     };
@@ -73,8 +76,11 @@
         };
       };
 
-      inherit (self.legacyPackages.${pkgs.system})
-        vault-push-approles vault-push-approle-envs;
+      inherit (import self.inputs.nixpkgs {
+        inherit (pkgs) system;
+        config.allowUnfreePredicate = pkg: builtins.elem (pkg.pname) [ "vault" ];
+        overlays = [ self.outputs.overlays.default ];
+      }) vault-push-approles vault-push-approle-envs;
 
       supervisor-setup = pkgs.writeShellScript "supervisor-setup" ''
         set -euo pipefail