diff --git a/nixosModules/clanCore/facts/default.nix b/nixosModules/clanCore/facts/default.nix
index 841eeb90..5ae0d1a9 100644
--- a/nixosModules/clanCore/facts/default.nix
+++ b/nixosModules/clanCore/facts/default.nix
@@ -121,26 +121,27 @@ export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
- # prepare sandbox user
- mkdir -p /etc
+ ${lib.optionalString (pkgs.stdenv.hostPlatform.isLinux) ''
+ # prepare sandbox user on platforms where this is supported
+ mkdir -p /etc
- cat > /etc/group < /etc/group < /etc/passwd < /etc/hosts < /etc/passwd < /etc/hosts < str: return proc.stdout
+def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[str]:
+ # fmt: off
+ return nix_shell(
+ [
+ "nixpkgs#bash",
+ "nixpkgs#bubblewrap",
+ ],
+ [
+ "bwrap",
+ "--ro-bind", "/nix/store", "/nix/store",
+ "--tmpfs", "/usr/lib/systemd",
+ "--dev", "/dev",
+ "--bind", str(facts_dir), str(facts_dir),
+ "--bind", str(secrets_dir), str(secrets_dir),
+ "--unshare-all",
+ "--unshare-user",
+ "--uid", "1000",
+ "--",
+ "bash", "-c", generator
+ ],
+ )
+ # fmt: on
+
+
 def generate_service_facts(
 machine: Machine,
 service: str,
@@ -70,27 +94,10 @@ def generate_service_facts(
 if machine.facts_data[service]["generator"]["prompt"]:
 prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
 env["prompt_value"] = prompt_value
- # fmt: off
- cmd = nix_shell(
- [
- "nixpkgs#bash",
- "nixpkgs#bubblewrap",
- ],
- [
- "bwrap",
- "--ro-bind", "/nix/store", "/nix/store",
- "--tmpfs", "/usr/lib/systemd",
- "--dev", "/dev",
- "--bind", str(facts_dir), str(facts_dir),
- "--bind", str(secrets_dir), str(secrets_dir),
- "--unshare-all",
- "--unshare-user",
- "--uid", "1000",
- "--",
- "bash", "-c", generator
- ],
- )
- # fmt: on
+ if sys.platform == "linux":
+ cmd = bubblewrap_cmd(generator, facts_dir, secrets_dir)
+ else:
+ cmd = ["bash", "-c", generator]
 run(
 cmd,
 env=env,
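Review bot: The non-Linux fallback `cmd = ["bash", "-c", generator]` in the `@@ -70,27 +94,10 @@` hunk drops every isolation property the Linux branch keeps — read-only store, private `/dev`, `--unshare-all`, the uid mapping — so on those hosts the generator script runs with the caller's full filesystem and network access, and nothing in the code records that difference. The fallback also executes whichever `bash` is first on the host PATH rather than the pinned `nixpkgs#bash` the Linux branch uses, so generator scripts may behave differently across platforms; `cmd = nix_shell(["nixpkgs#bash"], ["bash", "-c", generator])` keeps the interpreter consistent. I would add `# no sandbox on this platform: the generator runs with full host filesystem and network access` above the `else` branch, and if the module does not already import `sys`, this diff does not show the import that `sys.platform` needs. `generate_service_facts` begins before the hunk and the `run(` call continues past it.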