clan/clan-core
11
2
Fork 13
Code Issues 90 Pull Requests 6 Actions Packages Projects 1 Releases Wiki Activity

Merge pull request 'fix secret generation on macos' (#1669) from fix-macos-deploy into main
All checks were successful
buildbot/nix-build .#checks.aarch64-linux.nixos-iso-installer Build done.
Details
buildbot/nix-build .#checks.aarch64-linux.nixos-flash-installer Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-app-no-breakpoints Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-bash Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-sops Build done.
Details
deploy / deploy-docs (push) Successful in 31s
Details
buildbot/nix-build .#checks.aarch64-darwin.nixos-test_install_machine Build done.
Details
buildbot/nix-build .#checks.aarch64-darwin.nixos-iso-installer Build done.
Details
buildbot/nix-build .#checks.aarch64-darwin.nixos-flash-installer Build done.
Details
buildbot/nix-build .#checks.aarch64-linux.nixos-test_install_machine Build done.
Details
buildbot/nix-build .#checks.aarch64-darwin.nixos-test-backup Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.devShell-docs Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-age Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.nixos-test-backup Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-gui-installer-archlinux Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-git Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-gui-installer-deb Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-gui-installer-rpm Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-gui-installer-apk Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-e2fsprogs Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-openssh Build done.
Details
buildbot/nix-build .#checks.x86_64-linux."clan-dep-python3.11-qemu" Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-rsync Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-sshpass Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-nix Build done.
Details
buildbot/nix-build .#checks.x86_64-linux."clan-dep-python3.11-mypy" Build done.
Details
buildbot/nix-build .#checks.aarch64-linux.nixos-test-backup Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.renderClanOptions Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-tor Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-app-pytest Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-pytest-without-core Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-dep-zbar Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.check-for-breakpoints Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.devShell-inventory-schema Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.devShell-webview-ui Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.container Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.lib-inventory-schema Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.lib-jsonschema-example-valid Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.devShell-clan-app Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.devShell-clan-cli Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.devShell-default Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.deltachat Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-clan-cli-docs Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-default Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-docs Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-editor Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.matrix-synapse Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.borgbackup Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-clan-cli Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-clan-ts-api Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-deploy-docs Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.treefmt Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-clan-app Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-merge-after-ci Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.module-schema Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-moonlight-sunshine-accept Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-pending-reviews Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-tea-create-pr Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.lib-jsonschema-nix-unit-tests Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-webview-ui Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-zerotier-members Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-zt-tcp-relay Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.nixos-test_install_machine Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-impure-checks Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.wayland-proxy-virtwl Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-iso-installer Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.template-minimal Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.syncthing Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.lib-inventory-eval Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.module-clan-vars-eval Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-gui-install-test-ubuntu-22-04 Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-zerotierone Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-function-schema Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-module-docs Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.postgresql Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-module-schema Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.nixos-iso-installer Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.nixos-flash-installer Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.secrets Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.zt-tcp-relay Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.test-backups Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.clan-pytest-with-core Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.flash Build done.
Details
checks / checks-impure (push) Successful in 2m24s
Details
buildbot/nix-build .#checks.x86_64-linux.test-installation Build done.
Details
buildbot/nix-eval Build done.
Details

Browse Source
This commit is contained in:
clan-bot 2024-06-30 06:25:39 +00:00
commit 0f95bfd279
6 changed files with 101 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
nixosModules/clanCore/facts/default.nix
View File

@ -121,26 +121,27 @@
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin" export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
# prepare sandbox user ${lib.optionalString (pkgs.stdenv.hostPlatform.isLinux) ''
mkdir -p /etc # prepare sandbox user on platforms where this is supported
mkdir -p /etc
cat > /etc/group <<EOF cat > /etc/group <<EOF
root:x:0: root:x:0:
nixbld:!:$(id -g): nixbld:!:$(id -g):
nogroup:x:65534: nogroup:x:65534:
EOF EOF
cat > /etc/passwd <<EOF cat > /etc/passwd <<EOF
root:x:0:0:Nix build user:/build:/noshell root:x:0:0:Nix build user:/build:/noshell
nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell
nobody:x:65534:65534:Nobody:/:/noshell nobody:x:65534:65534:Nobody:/:/noshell
EOF EOF
cat > /etc/hosts <<EOF
127.0.0.1 localhost
::1 localhost
EOF
cat > /etc/hosts <<EOF
127.0.0.1 localhost
::1 localhost
EOF
''}
${config.script} ${config.script}
''; '';
}; };

32
nixosModules/clanCore/zerotier/default.nix
View File

@ -182,15 +182,33 @@ in
secret.zerotier-identity-secret = { }; secret.zerotier-identity-secret = { };
generator.path = [ generator.path = [
config.services.zerotierone.package config.services.zerotierone.package
pkgs.fakeroot
pkgs.python3 pkgs.python3
]; ];
generator.script = '' generator.script =
python3 ${./generate.py} --mode network \ let
--ip "$facts/zerotier-ip" \ library = "libfakeroot${pkgs.stdenv.hostPlatform.extensions.sharedLibrary}";
--identity-secret "$secrets/zerotier-identity-secret" \ minifakeroot = pkgs.stdenv.mkDerivation {
--network-id "$facts/zerotier-network-id" name = "minifakeroot";
''; dontUnpack = true;
installPhase = ''
mkdir -p $out/lib
${
if pkgs.stdenv.isDarwin then
"$CC -dynamiclib -o $out/lib/libfakeroot.dylib ${./fake_root.c}"
else
"$CC -shared -o $out/lib/libfakeroot.so ${./fake_root.c}"
}
'';
};
varName = if pkgs.stdenv.isDarwin then "DYLD_INSERT_LIBRARIES" else "LD_PRELOAD";
in
''
export ${varName}=${minifakeroot}/lib/${library}
python3 ${./generate.py} --mode network \
--ip "$facts/zerotier-ip" \
--identity-secret "$secrets/zerotier-identity-secret" \
--network-id "$facts/zerotier-network-id"
'';
}; };
clan.core.state.zerotier.folders = [ "/var/lib/zerotier-one" ]; clan.core.state.zerotier.folders = [ "/var/lib/zerotier-one" ];

28
nixosModules/clanCore/zerotier/fake_root.c Normal file
View File

@ -0,0 +1,28 @@
#include <stdint.h>
typedef uint32_t uid_t;
#ifdef __APPLE__
struct dyld_interpose {
const void * replacement;
const void * replacee;
};
#define WRAPPER(ret, name) static ret _fakeroot_wrapper_##name
#define WRAPPER_DEF(name) \
__attribute__((used)) static struct dyld_interpose _fakeroot_interpose_##name \
__attribute__((section("__DATA,__interpose"))) = { &_fakeroot_wrapper_##name, &name };
#else
#define WRAPPER(ret, name) ret name
#define WRAPPER_DEF(name)
#endif
WRAPPER(uid_t, geteuid)(const char * path, int flags, ...)
{
return 0; // Fake root
}
WRAPPER_DEF(geteuid)
WRAPPER(uid_t, getuid)(const char * path, int flags, ...)
{
return 0; // Fake root
}
WRAPPER_DEF(getuid)

3
nixosModules/clanCore/zerotier/generate.py
View File

@ -111,12 +111,11 @@ def zerotier_controller() -> Iterator[ZerotierController]:
home = tempdir / "zerotier-one" home = tempdir / "zerotier-one"
home.mkdir() home.mkdir()
cmd = [ cmd = [
"fakeroot",
"--",
"zerotier-one", "zerotier-one",
f"-p{controller_port}", f"-p{controller_port}",
str(home), str(home),
] ]
with subprocess.Popen( with subprocess.Popen(
cmd, cmd,
preexec_fn=os.setsid, preexec_fn=os.setsid,

50
pkgs/clan-cli/clan_cli/facts/generate.py
View File

@ -3,6 +3,7 @@ import importlib
import logging import logging
import os import os
import subprocess import subprocess
import sys
from collections.abc import Callable from collections.abc import Callable
from pathlib import Path from pathlib import Path
from tempfile import TemporaryDirectory from tempfile import TemporaryDirectory
@ -36,6 +37,30 @@ def read_multiline_input(prompt: str = "Finish with Ctrl-D") -> str:
return proc.stdout return proc.stdout
def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[str]:
# fmt: off
return nix_shell(
[
"nixpkgs#bash",
"nixpkgs#bubblewrap",
],
[
"bwrap",
"--ro-bind", "/nix/store", "/nix/store",
"--tmpfs", "/usr/lib/systemd",
"--dev", "/dev",
"--bind", str(facts_dir), str(facts_dir),
"--bind", str(secrets_dir), str(secrets_dir),
"--unshare-all",
"--unshare-user",
"--uid", "1000",
"--",
"bash", "-c", generator
],
)
# fmt: on
def generate_service_facts( def generate_service_facts(
machine: Machine, machine: Machine,
service: str, service: str,
@ -70,27 +95,10 @@ def generate_service_facts(
if machine.facts_data[service]["generator"]["prompt"]: if machine.facts_data[service]["generator"]["prompt"]:
prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"]) prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
env["prompt_value"] = prompt_value env["prompt_value"] = prompt_value
# fmt: off if sys.platform == "linux":
cmd = nix_shell( cmd = bubblewrap_cmd(generator, facts_dir, secrets_dir)
[ else:
"nixpkgs#bash", cmd = ["bash", "-c", generator]
"nixpkgs#bubblewrap",
],
[
"bwrap",
"--ro-bind", "/nix/store", "/nix/store",
"--tmpfs", "/usr/lib/systemd",
"--dev", "/dev",
"--bind", str(facts_dir), str(facts_dir),
"--bind", str(secrets_dir), str(secrets_dir),
"--unshare-all",
"--unshare-user",
"--uid", "1000",
"--",
"bash", "-c", generator
],
)
# fmt: on
run( run(
cmd, cmd,
env=env, env=env,

2
pkgs/clan-cli/default.nix
View File

@ -15,7 +15,6 @@
setuptools, setuptools,
sops, sops,
stdenv, stdenv,
fakeroot,
rsync, rsync,
bash, bash,
sshpass, sshpass,
@ -38,7 +37,6 @@ let
runtimeDependencies = [ runtimeDependencies = [
bash bash
nix nix
fakeroot
openssh openssh
sshpass sshpass
zbar zbar