diff --git a/nixosModules/clanCore/facts/default.nix b/nixosModules/clanCore/facts/default.nix index 841eeb90..5ae0d1a9 100644 --- a/nixosModules/clanCore/facts/default.nix +++ b/nixosModules/clanCore/facts/default.nix @@ -121,26 +121,27 @@ export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin" - # prepare sandbox user - mkdir -p /etc + ${lib.optionalString (pkgs.stdenv.hostPlatform.isLinux) '' + # prepare sandbox user on platforms where this is supported + mkdir -p /etc - cat > /etc/group < /etc/group < /etc/passwd < /etc/hosts < /etc/passwd < /etc/hosts < +typedef uint32_t uid_t; + +#ifdef __APPLE__ + struct dyld_interpose { + const void * replacement; + const void * replacee; + }; + #define WRAPPER(ret, name) static ret _fakeroot_wrapper_##name + #define WRAPPER_DEF(name) \ + __attribute__((used)) static struct dyld_interpose _fakeroot_interpose_##name \ + __attribute__((section("__DATA,__interpose"))) = { &_fakeroot_wrapper_##name, &name }; +#else + #define WRAPPER(ret, name) ret name + #define WRAPPER_DEF(name) +#endif + +WRAPPER(uid_t, geteuid)(const char * path, int flags, ...) +{ + return 0; // Fake root +} +WRAPPER_DEF(geteuid) + +WRAPPER(uid_t, getuid)(const char * path, int flags, ...) +{ + return 0; // Fake root +} +WRAPPER_DEF(getuid) diff --git a/nixosModules/clanCore/zerotier/generate.py b/nixosModules/clanCore/zerotier/generate.py index d6b587ff..7bcfecdc 100644 --- a/nixosModules/clanCore/zerotier/generate.py +++ b/nixosModules/clanCore/zerotier/generate.py @@ -111,12 +111,11 @@ def zerotier_controller() -> Iterator[ZerotierController]: home = tempdir / "zerotier-one" home.mkdir() cmd = [ - "fakeroot", - "--", "zerotier-one", f"-p{controller_port}", str(home), ] + with subprocess.Popen( cmd, preexec_fn=os.setsid, diff --git a/pkgs/clan-cli/clan_cli/facts/generate.py b/pkgs/clan-cli/clan_cli/facts/generate.py index 75abc6cd..ea5fb947 100644 --- a/pkgs/clan-cli/clan_cli/facts/generate.py +++ b/pkgs/clan-cli/clan_cli/facts/generate.py 
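Review bot: Removing `"fakeroot", "--"` from `cmd` leaves nothing in this hunk that gives zerotier-one the uid-0 view it was previously given, so if the daemon still refuses to run as a non-root user, the Linux path now depends on the new geteuid/getuid interposer being loaded by a mechanism this diff does not show (the `__DATA,__interpose` section only works under dyld on macOS; Linux would need `LD_PRELOAD` or the bubblewrap `--uid` trick). A comment on the `cmd` list stating how root is faked on each platform, or an explicit startup check, would make that contract visible. Separately, the context line `preexec_fn=os.setsid,` is documented by CPython as unsafe when other threads exist; `start_new_session=True` does the same thing safely: `with subprocess.Popen(cmd, start_new_session=True, …)`. The added bare `+` line before `with` is a stray blank line. The `with` block continues outside the hunk.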
@@ -3,6 +3,7 @@ import importlib
 import logging
 import os
 import subprocess
+import sys
 from collections.abc import Callable
 from pathlib import Path
 from tempfile import TemporaryDirectory
@@ -36,6 +37,30 @@ def read_multiline_input(prompt: str = "Finish with Ctrl-D") -> str:
 return proc.stdout
+def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[str]:
+ # fmt: off
+ return nix_shell(
+ [
+ "nixpkgs#bash",
+ "nixpkgs#bubblewrap",
+ ],
+ [
+ "bwrap",
+ "--ro-bind", "/nix/store", "/nix/store",
+ "--tmpfs", "/usr/lib/systemd",
+ "--dev", "/dev",
+ "--bind", str(facts_dir), str(facts_dir),
+ "--bind", str(secrets_dir), str(secrets_dir),
+ "--unshare-all",
+ "--unshare-user",
+ "--uid", "1000",
+ "--",
+ "bash", "-c", generator
+ ],
+ )
+ # fmt: on
+
+
 def generate_service_facts(
 machine: Machine,
 service: str,
@@ -70,27 +95,10 @@ def generate_service_facts(
 if machine.facts_data[service]["generator"]["prompt"]:
 prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
 env["prompt_value"] = prompt_value
- # fmt: off
- cmd = nix_shell(
- [
- "nixpkgs#bash",
- "nixpkgs#bubblewrap",
- ],
- [
- "bwrap",
- "--ro-bind", "/nix/store", "/nix/store",
- "--tmpfs", "/usr/lib/systemd",
- "--dev", "/dev",
- "--bind", str(facts_dir), str(facts_dir),
- "--bind", str(secrets_dir), str(secrets_dir),
- "--unshare-all",
- "--unshare-user",
- "--uid", "1000",
- "--",
- "bash", "-c", generator
- ],
- )
- # fmt: on
+ if sys.platform == "linux":
+ cmd = bubblewrap_cmd(generator, facts_dir, secrets_dir)
+ else:
+ cmd = ["bash", "-c", generator]
 run(
 cmd,
 env=env,
diff --git a/pkgs/clan-cli/default.nix b/pkgs/clan-cli/default.nix
index dabc746c..a78bfe57 100644
--- a/pkgs/clan-cli/default.nix
+++ b/pkgs/clan-cli/default.nix
@@ -15,7 +15,6 @@
 setuptools,
 sops,
 stdenv,
- fakeroot,
 rsync,
 bash,
 sshpass,
@@ -38,7 +37,6 @@ let
 runtimeDependencies = [
 bash
 nix
- fakeroot
 openssh
 sshpass
 zbar
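Review bot: `bubblewrap_cmd` builds a sandbox that still shares the caller's controlling terminal and is not tied to the parent's lifetime: without `--new-session` a generator can, as bwrap's own documentation warns, push keystrokes into the invoking terminal via the TIOCSTI ioctl, and without `--die-with-parent` a generator that forks and daemonizes outlives the `run()` that launched it. Since prompt input is collected in Python beforehand and handed to the generator through `env`, the generator has no legitimate need of the terminal, so adding `"--new-session", "--die-with-parent",` next to `"--unshare-all",` should be safe; confirm with any generator that shells out to an interactive tool. The function also deserves a docstring saying what the sandbox exposes (the store read-only, `facts_dir` and `secrets_dir` read-write, `/dev`, and no other namespaces since `--unshare-all` includes the network namespace) and that `--uid 1000` is an arbitrary unprivileged id inside the new user namespace, not the caller's uid.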
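Review bot: The non-Linux branch drops every isolation the Linux branch provides — the generator runs as the invoking user with the whole filesystem and network reachable — and silently changes interpreter as well: the Linux branch runs `nixpkgs#bash` through `nix_shell`, whereas `["bash", "-c", generator]` picks up whatever `bash` is first on PATH (on macOS typically the system bash 3.2), so a generator written for the pinned bash may behave differently. I would keep the pinned interpreter and make the missing sandbox explicit, e.g. `cmd = nix_shell(["nixpkgs#bash"], ["bash", "-c", generator])` preceded by `log.warning("no sandbox available on %s, running generator unsandboxed", sys.platform)` — assuming the module has a `log` from the `import logging` shown in the first hunk, which the diff does not confirm. A comment on the `else:` line explaining why bubblewrap is Linux-only would help the next reader too. `generate_service_facts` begins and ends outside the hunk.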