Merge pull request 'fix secret generation on macos' (#1669) from fix-macos-deploy into main
This commit is contained in:
commit
0f95bfd279
|
@ -121,7 +121,8 @@
|
||||||
|
|
||||||
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
|
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
|
||||||
|
|
||||||
# prepare sandbox user
|
${lib.optionalString (pkgs.stdenv.hostPlatform.isLinux) ''
|
||||||
|
# prepare sandbox user on platforms where this is supported
|
||||||
mkdir -p /etc
|
mkdir -p /etc
|
||||||
|
|
||||||
cat > /etc/group <<EOF
|
cat > /etc/group <<EOF
|
||||||
|
@ -140,7 +141,7 @@
|
||||||
127.0.0.1 localhost
|
127.0.0.1 localhost
|
||||||
::1 localhost
|
::1 localhost
|
||||||
EOF
|
EOF
|
||||||
|
''}
|
||||||
${config.script}
|
${config.script}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
|
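Review bot: The new guard `lib.optionalString (pkgs.stdenv.hostPlatform.isLinux)` is doing safety work that the comment `# prepare sandbox user on platforms where this is supported` does not explain: the `mkdir -p /etc`, `cat > /etc/group <<EOF` and `/etc/hosts` heredocs are only harmless inside the bubblewrap mount namespace the CLI sets up on Linux; anywhere else the generator runs on the real filesystem and these writes would target the host's `/etc`. I would say that in the comment, e.g. `# prepare sandbox user: only inside the bubblewrap sandbox used on Linux; elsewhere the generator runs unsandboxed and these writes would hit the real /etc`. Whether this branch can ever be false also depends on `pkgs` here being the deploying host's package set when facts are generated rather than the NixOS target's, which is worth one sentence for the next reader. The enclosing script string starts before the first hunk and the second hunk only closes it.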
@ -182,10 +182,28 @@ in
|
||||||
secret.zerotier-identity-secret = { };
|
secret.zerotier-identity-secret = { };
|
||||||
generator.path = [
|
generator.path = [
|
||||||
config.services.zerotierone.package
|
config.services.zerotierone.package
|
||||||
pkgs.fakeroot
|
|
||||||
pkgs.python3
|
pkgs.python3
|
||||||
];
|
];
|
||||||
generator.script = ''
|
generator.script =
|
||||||
|
let
|
||||||
|
library = "libfakeroot${pkgs.stdenv.hostPlatform.extensions.sharedLibrary}";
|
||||||
|
minifakeroot = pkgs.stdenv.mkDerivation {
|
||||||
|
name = "minifakeroot";
|
||||||
|
dontUnpack = true;
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out/lib
|
||||||
|
${
|
||||||
|
if pkgs.stdenv.isDarwin then
|
||||||
|
"$CC -dynamiclib -o $out/lib/libfakeroot.dylib ${./fake_root.c}"
|
||||||
|
else
|
||||||
|
"$CC -shared -o $out/lib/libfakeroot.so ${./fake_root.c}"
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
varName = if pkgs.stdenv.isDarwin then "DYLD_INSERT_LIBRARIES" else "LD_PRELOAD";
|
||||||
|
in
|
||||||
|
''
|
||||||
|
export ${varName}=${minifakeroot}/lib/${library}
|
||||||
python3 ${./generate.py} --mode network \
|
python3 ${./generate.py} --mode network \
|
||||||
--ip "$facts/zerotier-ip" \
|
--ip "$facts/zerotier-ip" \
|
||||||
--identity-secret "$secrets/zerotier-identity-secret" \
|
--identity-secret "$secrets/zerotier-identity-secret" \
|
||||||
|
|
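Review bot: `export ${varName}=${minifakeroot}/lib/${library}` makes the preload process-wide for everything the rest of the script runs (`python3`, coreutils from PATH, and the `zerotier-one` that generate.py spawns), but nothing on the receiving side checks that the variable is set, so running generate.py outside this script starts zerotier-one as a plain user with no hint why it fails. I would at least state the contract next to the export: `# fake_root.c only intercepts getuid()/geteuid(); zerotier-one inherits this via generate.py, which does not set it itself`. Two hedged caveats belong in the same comment: on macOS the loader drops DYLD_INSERT_LIBRARIES for SIP-protected and hardened-runtime executables, so this presumably relies on python3 and zerotier-one both coming from the Nix store; and on Linux this replaces the full `fakeroot` wrapper (dropped from `generator.path` and from generate.py) with a uid-only shim, so any other privileged operation zerotier-one may attempt is no longer faked. The `generator.script` string continues past the end of the hunk.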
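--- a/nixosModules/clanCore/zerotier/fake_root.c
+++ b/nixosModules/clanCore/zerotier/fake_root.c
@@ -0,0 +1,28 @@
+#include <stdint.h>
+typedef uint32_t uid_t;
+
+#ifdef __APPLE__
+struct dyld_interpose {
+const void * replacement;
+const void * replacee;
+};
+#define WRAPPER(ret, name) static ret _fakeroot_wrapper_##name
+#define WRAPPER_DEF(name) \
+__attribute__((used)) static struct dyld_interpose _fakeroot_interpose_##name \
+__attribute__((section("__DATA,__interpose"))) = { &_fakeroot_wrapper_##name, &name };
+#else
+#define WRAPPER(ret, name) ret name
+#define WRAPPER_DEF(name)
+#endif
+
+WRAPPER(uid_t, geteuid)(const char * path, int flags, ...)
+{
+return 0; // Fake root
+}
+WRAPPER_DEF(geteuid)
+
+WRAPPER(uid_t, getuid)(const char * path, int flags, ...)
+{
+return 0; // Fake root
+}
+WRAPPER_DEF(getuid)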
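Review bot: Both wrappers are declared as `WRAPPER(uid_t, geteuid)(const char * path, int flags, ...)` although `getuid`/`geteuid` take no arguments, and only `<stdint.h>` is included, so on the `__APPLE__` branch the `&name` in `WRAPPER_DEF(geteuid)` / `WRAPPER_DEF(getuid)` takes the address of an identifier this translation unit never declares (unless the build relies on a compiler extension not visible here); the local `typedef uint32_t uid_t` likewise masks the system's definition. I would replace the first two lines with `#include <unistd.h>` and declare the wrappers as `WRAPPER(uid_t, geteuid)(void)` and `WRAPPER(uid_t, getuid)(void)`, which also makes the non-Apple definitions match the libc prototypes once that header is in scope. The file also needs a header comment saying what this shim is and is not, e.g. `// Minimal fakeroot: makes the loaded program believe it runs as uid 0 (LD_PRELOAD on Linux, dyld interposing on macOS); it grants no privilege and intercepts nothing but getuid()/geteuid().`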
@ -111,12 +111,11 @@ def zerotier_controller() -> Iterator[ZerotierController]:
|
||||||
home = tempdir / "zerotier-one"
|
home = tempdir / "zerotier-one"
|
||||||
home.mkdir()
|
home.mkdir()
|
||||||
cmd = [
|
cmd = [
|
||||||
"fakeroot",
|
|
||||||
"--",
|
|
||||||
"zerotier-one",
|
"zerotier-one",
|
||||||
f"-p{controller_port}",
|
f"-p{controller_port}",
|
||||||
str(home),
|
str(home),
|
||||||
]
|
]
|
||||||
|
|
||||||
with subprocess.Popen(
|
with subprocess.Popen(
|
||||||
cmd,
|
cmd,
|
||||||
preexec_fn=os.setsid,
|
preexec_fn=os.setsid,
|
||||||
|
|
|
@ -3,6 +3,7 @@ import importlib
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
|
import sys
|
||||||
from collections.abc import Callable
|
from collections.abc import Callable
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from tempfile import TemporaryDirectory
|
from tempfile import TemporaryDirectory
|
||||||
|
@ -36,6 +37,30 @@ def read_multiline_input(prompt: str = "Finish with Ctrl-D") -> str:
|
||||||
return proc.stdout
|
return proc.stdout
|
||||||
|
|
||||||
|
|
||||||
|
def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[str]:
|
||||||
|
# fmt: off
|
||||||
|
return nix_shell(
|
||||||
|
[
|
||||||
|
"nixpkgs#bash",
|
||||||
|
"nixpkgs#bubblewrap",
|
||||||
|
],
|
||||||
|
[
|
||||||
|
"bwrap",
|
||||||
|
"--ro-bind", "/nix/store", "/nix/store",
|
||||||
|
"--tmpfs", "/usr/lib/systemd",
|
||||||
|
"--dev", "/dev",
|
||||||
|
"--bind", str(facts_dir), str(facts_dir),
|
||||||
|
"--bind", str(secrets_dir), str(secrets_dir),
|
||||||
|
"--unshare-all",
|
||||||
|
"--unshare-user",
|
||||||
|
"--uid", "1000",
|
||||||
|
"--",
|
||||||
|
"bash", "-c", generator
|
||||||
|
],
|
||||||
|
)
|
||||||
|
# fmt: on
|
||||||
|
|
||||||
|
|
||||||
def generate_service_facts(
|
def generate_service_facts(
|
||||||
machine: Machine,
|
machine: Machine,
|
||||||
service: str,
|
service: str,
|
||||||
|
@ -70,27 +95,10 @@ def generate_service_facts(
|
||||||
if machine.facts_data[service]["generator"]["prompt"]:
|
if machine.facts_data[service]["generator"]["prompt"]:
|
||||||
prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
|
prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
|
||||||
env["prompt_value"] = prompt_value
|
env["prompt_value"] = prompt_value
|
||||||
# fmt: off
|
if sys.platform == "linux":
|
||||||
cmd = nix_shell(
|
cmd = bubblewrap_cmd(generator, facts_dir, secrets_dir)
|
||||||
[
|
else:
|
||||||
"nixpkgs#bash",
|
cmd = ["bash", "-c", generator]
|
||||||
"nixpkgs#bubblewrap",
|
|
||||||
],
|
|
||||||
[
|
|
||||||
"bwrap",
|
|
||||||
"--ro-bind", "/nix/store", "/nix/store",
|
|
||||||
"--tmpfs", "/usr/lib/systemd",
|
|
||||||
"--dev", "/dev",
|
|
||||||
"--bind", str(facts_dir), str(facts_dir),
|
|
||||||
"--bind", str(secrets_dir), str(secrets_dir),
|
|
||||||
"--unshare-all",
|
|
||||||
"--unshare-user",
|
|
||||||
"--uid", "1000",
|
|
||||||
"--",
|
|
||||||
"bash", "-c", generator
|
|
||||||
],
|
|
||||||
)
|
|
||||||
# fmt: on
|
|
||||||
run(
|
run(
|
||||||
cmd,
|
cmd,
|
||||||
env=env,
|
env=env,
|
||||||
|
|
|
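Review bot: The new `else` branch runs the generator as `["bash", "-c", generator]` with no confinement at all: unlike the Linux path, where bubblewrap limits it to a read-only `/nix/store`, the facts and secrets directories, `--unshare-all` and uid 1000, a non-Linux host executes the generator with the caller's full uid, filesystem and network access. If that is acceptable for now it should be visible, with a comment such as `# no sandbox here: the generator runs with the caller's full privileges, filesystem and network` and a `logging` warning (the module imports `logging`) so the user knows. The branch also resolves `bash` from the caller's PATH while the Linux path pins `nixpkgs#bash` through `nix_shell`; `cmd = nix_shell(["nixpkgs#bash"], ["bash", "-c", generator])` keeps both paths on the same interpreter. `generate_service_facts` continues past the hunk (`run(cmd, env=env, ...` is cut off).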
@ -15,7 +15,6 @@
|
||||||
setuptools,
|
setuptools,
|
||||||
sops,
|
sops,
|
||||||
stdenv,
|
stdenv,
|
||||||
fakeroot,
|
|
||||||
rsync,
|
rsync,
|
||||||
bash,
|
bash,
|
||||||
sshpass,
|
sshpass,
|
||||||
|
@ -38,7 +37,6 @@ let
|
||||||
runtimeDependencies = [
|
runtimeDependencies = [
|
||||||
bash
|
bash
|
||||||
nix
|
nix
|
||||||
fakeroot
|
|
||||||
openssh
|
openssh
|
||||||
sshpass
|
sshpass
|
||||||
zbar
|
zbar
|
||||||
|
|