clan-cli secrets: generate secrets inside bubblewrap

2024-01-24 19:19:02 +01:00 · 2024-01-24 19:19:02 +01:00 · 3afed7a563
commit 3afed7a563
parent a3ef8ce832
1 changed files with 17 additions and 3 deletions
--- a/pkgs/clan-cli/clan_cli/secrets/generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/generate.py
@ -42,11 +42,25 @@ def generate_secrets(machine: Machine) -> None:
                secrets_dir = tmpdir / "secrets"
                secrets_dir.mkdir(parents=True)
                env["secrets"] = str(secrets_dir)
-                # TODO use bubblewrap here
+                # fmt: off
                cmd = nix_shell(
-                    ["nixpkgs#bash"],
-                    ["bash", "-c", machine.secrets_data[service]["generator"]],
+                    [
+                        "nixpkgs#bash",
+                        "nixpkgs#bubblewrap",
+                    ],
+                    [
+                        "bwrap",
+                        "--ro-bind", "/nix/store", "/nix/store",
+                        "--tmpfs",  "/usr/lib/systemd",
+                        "--dev", "/dev",
+                        "--bind", str(facts_dir), str(facts_dir),
+                        "--bind", str(secrets_dir), str(secrets_dir),
+                        "--unshare-all",
+                        "--",
+                        "bash", "-c", machine.secrets_data[service]["generator"]
+                    ],
                )
+                # fmt: on
                run(
                    cmd,
                    env=env,