secrets: add sandbox user

2024-01-30 11:56:22 +01:00 · 2024-01-30 11:56:22 +01:00 · 0dbfe52d62
commit 0dbfe52d62
parent a0ebf882c5
2 changed files with 15 additions and 3 deletions
--- a/nixosModules/clanCore/secrets/default.nix
+++ b/nixosModules/clanCore/secrets/default.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
  options.clanCore.secretStore = lib.mkOption {
    type = lib.types.enum [ "sops" "password-store" "custom" ];
@ -69,8 +69,18 @@
                  readOnly = true;
                  internal = true;
                  default = ''
-                    export PATH="${lib.makeBinPath config.path}"
-                    set -efu -o pipefail
+                    set -eu -o pipefail
+
+                    export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
+
+                    # prepare sandbox user
+                    mkdir -p /etc
+                    cp ${pkgs.runCommand "fake-etc" {} ''
+                      export PATH="${pkgs.coreutils}/bin"
+                      mkdir -p $out
+                      cp /etc/* $out/
+                    ''}/* /etc/
+
                    ${config.script}
                  '';
                };
--- a/pkgs/clan-cli/clan_cli/secrets/generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/generate.py
@ -56,6 +56,8 @@ def generate_secrets(machine: Machine) -> None:
                        "--bind", str(facts_dir), str(facts_dir),
                        "--bind", str(secrets_dir), str(secrets_dir),
                        "--unshare-all",
+                        "--unshare-user",
+                        "--uid", "1000",
                        "--",
                        "bash", "-c", machine.secrets_data[service]["generator"]
                    ],