From bae0a888c9e31711b39d97cf6772ded25baabedc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 26 Jun 2024 12:15:00 +0200 Subject: [PATCH 1/2] make bubblewrap in fact generation optional --- nixosModules/clanCore/facts/default.nix | 35 +++++++++-------- pkgs/clan-cli/clan_cli/facts/generate.py | 49 ++++++++++++++---------- 2 files changed, 46 insertions(+), 38 deletions(-) diff --git a/nixosModules/clanCore/facts/default.nix b/nixosModules/clanCore/facts/default.nix index 841eeb90..5ae0d1a9 100644 --- a/nixosModules/clanCore/facts/default.nix +++ b/nixosModules/clanCore/facts/default.nix @@ -121,26 +121,27 @@ export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin" - # prepare sandbox user - mkdir -p /etc + ${lib.optionalString (pkgs.stdenv.hostPlatform.isLinux) '' + # prepare sandbox user on platforms where this is supported + mkdir -p /etc - cat > /etc/group < /etc/group < /etc/passwd < /etc/hosts < /etc/passwd < /etc/hosts < str: return proc.stdout +def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[str]: + # fmt: off + return nix_shell( + [ + "nixpkgs#bash", + "nixpkgs#bubblewrap", + ], + [ + "bwrap", + "--ro-bind", "/nix/store", "/nix/store", + "--tmpfs", "/usr/lib/systemd", + "--dev", "/dev", + "--bind", str(facts_dir), str(facts_dir), + "--bind", str(secrets_dir), str(secrets_dir), + "--unshare-all", + "--unshare-user", + "--uid", "1000", + "--", + "bash", "-c", generator + ], + ) + # fmt: on + + def generate_service_facts( machine: Machine, service: str, 
@@ -70,27 +94,10 @@ def generate_service_facts(
 if machine.facts_data[service]["generator"]["prompt"]:
 prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
 env["prompt_value"] = prompt_value
- # fmt: off
- cmd = nix_shell(
- [
- "nixpkgs#bash",
- "nixpkgs#bubblewrap",
- ],
- [
- "bwrap",
- "--ro-bind", "/nix/store", "/nix/store",
- "--tmpfs", "/usr/lib/systemd",
- "--dev", "/dev",
- "--bind", str(facts_dir), str(facts_dir),
- "--bind", str(secrets_dir), str(secrets_dir),
- "--unshare-all",
- "--unshare-user",
- "--uid", "1000",
- "--",
- "bash", "-c", generator
- ],
- )
- # fmt: on
+ if sys.platform == "linux":
+ cmd = bubblewrap_cmd(generator, facts_dir, secrets_dir)
+ else:
+ cmd = ["bash", "-c", generator]
 run(
 cmd,
 env=env,
From 2e2358d850d2edc88621f25dae84c59f26992355 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 27 Jun 2024 18:20:16 +0200
Subject: [PATCH 2/2] introduce minifakeroot that also works on macos
---
 nixosModules/clanCore/zerotier/default.nix | 32 +++++++++++++++++-----
 nixosModules/clanCore/zerotier/fake_root.c | 28 +++++++++++++++++++
 nixosModules/clanCore/zerotier/generate.py | 3 +-
 pkgs/clan-cli/clan_cli/facts/generate.py | 1 +
 pkgs/clan-cli/default.nix | 2 --
 5 files changed, 55 insertions(+), 11 deletions(-)
 create mode 100644 nixosModules/clanCore/zerotier/fake_root.c
diff --git a/nixosModules/clanCore/zerotier/default.nix b/nixosModules/clanCore/zerotier/default.nix
index c4e9c7a0..8a07f36d 100644
--- a/nixosModules/clanCore/zerotier/default.nix
+++ b/nixosModules/clanCore/zerotier/default.nix
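Review bot: The non-Linux fallback `cmd = ["bash", "-c", generator]` runs the generator with no isolation at all — no read-only store, no private /dev or tmpfs, full access to the caller's home directory and environment — and nothing records that the sandbox was skipped, so a generator that misbehaves on macOS does so silently. At minimum the `else` branch should say so, e.g. `log.warning("bubblewrap is Linux-only; running generator for %s unsandboxed", service)` (the file imports `logging`; the logger's name is not visible in this hunk). The fallback also takes `bash` from the ambient PATH, whereas the Linux branch pins `nixpkgs#bash` through `nix_shell`; `cmd = nix_shell(["nixpkgs#bash"], ["bash", "-c", generator])` keeps both branches on the same interpreter. generate_service_facts starts before this hunk.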
@@ -182,15 +182,33 @@ in secret.zerotier-identity-secret = { }; generator.path = [ config.services.zerotierone.package - pkgs.fakeroot pkgs.python3 ]; - generator.script = '' - python3 ${./generate.py} --mode network \ - --ip "$facts/zerotier-ip" \ - --identity-secret "$secrets/zerotier-identity-secret" \ - --network-id "$facts/zerotier-network-id" - ''; + generator.script = + let + library = "libfakeroot${pkgs.stdenv.hostPlatform.extensions.sharedLibrary}"; + minifakeroot = pkgs.stdenv.mkDerivation { + name = "minifakeroot"; + dontUnpack = true; + installPhase = '' + mkdir -p $out/lib + ${ + if pkgs.stdenv.isDarwin then + "$CC -dynamiclib -o $out/lib/libfakeroot.dylib ${./fake_root.c}" + else + "$CC -shared -o $out/lib/libfakeroot.so ${./fake_root.c}" + } + ''; + }; + varName = if pkgs.stdenv.isDarwin then "DYLD_INSERT_LIBRARIES" else "LD_PRELOAD"; + in + '' + export ${varName}=${minifakeroot}/lib/${library} + python3 ${./generate.py} --mode network \ + --ip "$facts/zerotier-ip" \ + --identity-secret "$secrets/zerotier-identity-secret" \ + --network-id "$facts/zerotier-network-id" + ''; }; clan.core.state.zerotier.folders = [ "/var/lib/zerotier-one" ]; diff --git a/nixosModules/clanCore/zerotier/fake_root.c b/nixosModules/clanCore/zerotier/fake_root.c new file mode 100644 index 00000000..d62bb9b0 --- /dev/null +++ b/nixosModules/clanCore/zerotier/fake_root.c 
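Review bot: `export ${varName}=${minifakeroot}/lib/${library}` injects the uid-spoofing shim into every process the generator script starts, not only `zerotier-one`: `python3` and anything it spawns will also see `geteuid() == 0`, and any code that branches on "am I root" (choosing system paths, skipping permission checks) takes the wrong branch. Since `zerotier-one` is launched from generate.py, passing the library path to that script and setting the variable only in its `Popen(env=...)` scopes the spoofing to the one process that presumably needs it. On Darwin `DYLD_INSERT_LIBRARIES` is silently ignored for binaries built with library validation or the hardened runtime, so the generator should fail with a clear message if the root check still trips rather than assume the insertion took effect — whether the nix-built `zerotier-one` is affected is not visible here. A comment above the `let` would help the next reader: `# zerotier-one is run without fakeroot (unavailable on macOS); preload a shim that only makes the process report uid 0`.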
@@ -0,0 +1,28 @@
+#include
+typedef uint32_t uid_t;
+
+#ifdef __APPLE__
+ struct dyld_interpose {
+ const void * replacement;
+ const void * replacee;
+ };
+ #define WRAPPER(ret, name) static ret _fakeroot_wrapper_##name
+ #define WRAPPER_DEF(name) \
+ __attribute__((used)) static struct dyld_interpose _fakeroot_interpose_##name \
+ __attribute__((section("__DATA,__interpose"))) = { &_fakeroot_wrapper_##name, &name };
+#else
+ #define WRAPPER(ret, name) ret name
+ #define WRAPPER_DEF(name)
+#endif
+
+WRAPPER(uid_t, geteuid)(const char * path, int flags, ...)
+{
+ return 0; // Fake root
+}
+WRAPPER_DEF(geteuid)
+
+WRAPPER(uid_t, getuid)(const char * path, int flags, ...)
+{
+ return 0; // Fake root
+}
+WRAPPER_DEF(getuid)
diff --git a/nixosModules/clanCore/zerotier/generate.py b/nixosModules/clanCore/zerotier/generate.py
index d6b587ff..7bcfecdc 100644
--- a/nixosModules/clanCore/zerotier/generate.py
+++ b/nixosModules/clanCore/zerotier/generate.py
@@ -111,12 +111,11 @@ def zerotier_controller() -> Iterator[ZerotierController]:
 home = tempdir / "zerotier-one"
 home.mkdir()
 cmd = [
- "fakeroot",
- "--",
 "zerotier-one",
 f"-p{controller_port}",
 str(home),
 ]
+
 with subprocess.Popen(
 cmd,
 preexec_fn=os.setsid,
diff --git a/pkgs/clan-cli/clan_cli/facts/generate.py b/pkgs/clan-cli/clan_cli/facts/generate.py
index 2a9e348d..ea5fb947 100644
--- a/pkgs/clan-cli/clan_cli/facts/generate.py
+++ b/pkgs/clan-cli/clan_cli/facts/generate.py
@@ -3,6 +3,7 @@ import importlib
 import logging
 import os
 import subprocess
+import sys
 from collections.abc import Callable
 from pathlib import Path
 from tempfile import TemporaryDirectory
diff --git a/pkgs/clan-cli/default.nix b/pkgs/clan-cli/default.nix
index dabc746c..a78bfe57 100644
--- a/pkgs/clan-cli/default.nix
+++ b/pkgs/clan-cli/default.nix
@@ -15,7 +15,6 @@
 setuptools,
 sops,
 stdenv,
- fakeroot,
 rsync,
 bash,
 sshpass,
@@ -38,7 +37,6 @@ let
 runtimeDependencies = [
 bash
 nix
- fakeroot
 openssh
 sshpass
 zbar
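Review bot: The wrapper signatures `WRAPPER(uid_t, geteuid)(const char * path, int flags, ...)` and the same for `getuid` do not match the libc prototypes `uid_t geteuid(void)` / `uid_t getuid(void)`; on the non-Apple branch this defines a global `geteuid` with a different type than the system header declares, and the unused `path`/`flags` parameters mislead the reader. Declaring both as `(void)` and taking `uid_t` from `<unistd.h>` instead of the local `typedef uint32_t uid_t;` removes the mismatch, and on the Apple branch `WRAPPER_DEF` takes `&geteuid` / `&getuid`, which needs a prior declaration of the real functions anyway (the target of the `#include` on the first line is not legible on this page, so it may already be that header). A header comment would also help: it should say that the shim only makes the loading process report uid 0 so that, presumably, zerotier-one's root check passes during fact generation, that it grants no privilege, and that the generator script injects it via LD_PRELOAD/DYLD_INSERT_LIBRARIES.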
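Review bot: With `"fakeroot", "--"` removed, `zerotier_controller` now depends on the caller having preloaded the uid shim (the generator script in default.nix exports LD_PRELOAD / DYLD_INSERT_LIBRARIES), but nothing in this file says so, and running generate.py by hand will behave differently. A comment above `cmd = [` would capture the coupling: `# zerotier-one runs without fakeroot; the generator script preloads minifakeroot so it reports uid 0`. The added blank line before `with subprocess.Popen(` appears unrelated to the change. zerotier_controller starts before this hunk.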