make bubblewrap in fact generation optional
This commit is contained in:
parent
bc0e727bd7
commit
bae0a888c9
|
@ -121,26 +121,27 @@
|
||||||
|
|
||||||
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
|
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
|
||||||
|
|
||||||
# prepare sandbox user
|
${lib.optionalString (pkgs.stdenv.hostPlatform.isLinux) ''
|
||||||
mkdir -p /etc
|
# prepare sandbox user on platforms where this is supported
|
||||||
|
mkdir -p /etc
|
||||||
|
|
||||||
cat > /etc/group <<EOF
|
cat > /etc/group <<EOF
|
||||||
root:x:0:
|
root:x:0:
|
||||||
nixbld:!:$(id -g):
|
nixbld:!:$(id -g):
|
||||||
nogroup:x:65534:
|
nogroup:x:65534:
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > /etc/passwd <<EOF
|
cat > /etc/passwd <<EOF
|
||||||
root:x:0:0:Nix build user:/build:/noshell
|
root:x:0:0:Nix build user:/build:/noshell
|
||||||
nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell
|
nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell
|
||||||
nobody:x:65534:65534:Nobody:/:/noshell
|
nobody:x:65534:65534:Nobody:/:/noshell
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > /etc/hosts <<EOF
|
|
||||||
127.0.0.1 localhost
|
|
||||||
::1 localhost
|
|
||||||
EOF
|
|
||||||
|
|
||||||
|
cat > /etc/hosts <<EOF
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost
|
||||||
|
EOF
|
||||||
|
''}
|
||||||
${config.script}
|
${config.script}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
|
@ -36,6 +36,30 @@ def read_multiline_input(prompt: str = "Finish with Ctrl-D") -> str:
|
||||||
return proc.stdout
|
return proc.stdout
|
||||||
|
|
||||||
|
|
||||||
|
def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[str]:
|
||||||
|
# fmt: off
|
||||||
|
return nix_shell(
|
||||||
|
[
|
||||||
|
"nixpkgs#bash",
|
||||||
|
"nixpkgs#bubblewrap",
|
||||||
|
],
|
||||||
|
[
|
||||||
|
"bwrap",
|
||||||
|
"--ro-bind", "/nix/store", "/nix/store",
|
||||||
|
"--tmpfs", "/usr/lib/systemd",
|
||||||
|
"--dev", "/dev",
|
||||||
|
"--bind", str(facts_dir), str(facts_dir),
|
||||||
|
"--bind", str(secrets_dir), str(secrets_dir),
|
||||||
|
"--unshare-all",
|
||||||
|
"--unshare-user",
|
||||||
|
"--uid", "1000",
|
||||||
|
"--",
|
||||||
|
"bash", "-c", generator
|
||||||
|
],
|
||||||
|
)
|
||||||
|
# fmt: on
|
||||||
|
|
||||||
|
|
||||||
def generate_service_facts(
|
def generate_service_facts(
|
||||||
machine: Machine,
|
machine: Machine,
|
||||||
service: str,
|
service: str,
|
||||||
|
@ -70,27 +94,10 @@ def generate_service_facts(
|
||||||
if machine.facts_data[service]["generator"]["prompt"]:
|
if machine.facts_data[service]["generator"]["prompt"]:
|
||||||
prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
|
prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
|
||||||
env["prompt_value"] = prompt_value
|
env["prompt_value"] = prompt_value
|
||||||
# fmt: off
|
if sys.platform == "linux":
|
||||||
cmd = nix_shell(
|
cmd = bubblewrap_cmd(generator, facts_dir, secrets_dir)
|
||||||
[
|
else:
|
||||||
"nixpkgs#bash",
|
cmd = ["bash", "-c", generator]
|
||||||
"nixpkgs#bubblewrap",
|
|
||||||
],
|
|
||||||
[
|
|
||||||
"bwrap",
|
|
||||||
"--ro-bind", "/nix/store", "/nix/store",
|
|
||||||
"--tmpfs", "/usr/lib/systemd",
|
|
||||||
"--dev", "/dev",
|
|
||||||
"--bind", str(facts_dir), str(facts_dir),
|
|
||||||
"--bind", str(secrets_dir), str(secrets_dir),
|
|
||||||
"--unshare-all",
|
|
||||||
"--unshare-user",
|
|
||||||
"--uid", "1000",
|
|
||||||
"--",
|
|
||||||
"bash", "-c", generator
|
|
||||||
],
|
|
||||||
)
|
|
||||||
# fmt: on
|
|
||||||
run(
|
run(
|
||||||
cmd,
|
cmd,
|
||||||
env=env,
|
env=env,
|
||||||
|
|
Loading…
Reference in New Issue
Block a user