make bubblewrap in fact generation optional

This commit is contained in:
Jörg Thalheim 2024-06-26 12:15:00 +02:00
parent bc0e727bd7
commit ced0880067
2 changed files with 47 additions and 38 deletions


@ -121,26 +121,27 @@
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin" export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
# prepare sandbox user ${lib.optionalString (pkgs.stdenv.hostPlatform.isLinux) ''
mkdir -p /etc # prepare sandbox user on platforms where this is supported
mkdir -p /etc
cat > /etc/group <<EOF cat > /etc/group <<EOF
root:x:0: root:x:0:
nixbld:!:$(id -g): nixbld:!:$(id -g):
nogroup:x:65534: nogroup:x:65534:
EOF EOF
cat > /etc/passwd <<EOF cat > /etc/passwd <<EOF
root:x:0:0:Nix build user:/build:/noshell root:x:0:0:Nix build user:/build:/noshell
nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell
nobody:x:65534:65534:Nobody:/:/noshell nobody:x:65534:65534:Nobody:/:/noshell
EOF EOF
cat > /etc/hosts <<EOF
127.0.0.1 localhost
::1 localhost
EOF
cat > /etc/hosts <<EOF
127.0.0.1 localhost
::1 localhost
EOF
''}
${config.script} ${config.script}
''; '';
}; };
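Review bot: The new comment "prepare sandbox user on platforms where this is supported" does not say why the block is gated on isLinux, so a later reader may see the guard as cosmetic and drop it; the writes to /etc/group, /etc/passwd and /etc/hosts are presumably only safe inside the Linux bubblewrap sandbox, and outside of it they would touch the host's real /etc. Suggest replacing the comment with `# prepare sandbox user; only inside the Linux bubblewrap sandbox, since elsewhere these writes would hit the host's /etc`. The enclosing attribute set starts outside the hunk.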


@ -2,6 +2,7 @@ import argparse
import importlib import importlib
import logging import logging
import os import os
import sys
import subprocess import subprocess
from collections.abc import Callable from collections.abc import Callable
from pathlib import Path from pathlib import Path
@ -36,6 +37,30 @@ def read_multiline_input(prompt: str = "Finish with Ctrl-D") -> str:
return proc.stdout return proc.stdout
def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[str]:
# fmt: off
return nix_shell(
[
"nixpkgs#bash",
"nixpkgs#bubblewrap",
],
[
"bwrap",
"--ro-bind", "/nix/store", "/nix/store",
"--tmpfs", "/usr/lib/systemd",
"--dev", "/dev",
"--bind", str(facts_dir), str(facts_dir),
"--bind", str(secrets_dir), str(secrets_dir),
"--unshare-all",
"--unshare-user",
"--uid", "1000",
"--",
"bash", "-c", generator
],
)
# fmt: on
def generate_service_facts( def generate_service_facts(
machine: Machine, machine: Machine,
service: str, service: str,
@ -70,27 +95,10 @@ def generate_service_facts(
if machine.facts_data[service]["generator"]["prompt"]: if machine.facts_data[service]["generator"]["prompt"]:
prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"]) prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
env["prompt_value"] = prompt_value env["prompt_value"] = prompt_value
# fmt: off if sys.platform == "linux":
cmd = nix_shell( cmd = bubblewrap_cmd(generator, facts_dir, secrets_dir)
[ else:
"nixpkgs#bash", cmd = ["bash", "-c", generator]
"nixpkgs#bubblewrap",
],
[
"bwrap",
"--ro-bind", "/nix/store", "/nix/store",
"--tmpfs", "/usr/lib/systemd",
"--dev", "/dev",
"--bind", str(facts_dir), str(facts_dir),
"--bind", str(secrets_dir), str(secrets_dir),
"--unshare-all",
"--unshare-user",
"--uid", "1000",
"--",
"bash", "-c", generator
],
)
# fmt: on
run( run(
cmd, cmd,
env=env, env=env,
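Review bot: The non-Linux branch at `cmd = ["bash", "-c", generator]` silently drops the bubblewrap isolation, so the generator then runs on the host with the caller's privileges and unrestricted filesystem and network access, while the Linux path still gets a read-only /nix/store, bound facts/secrets directories and unshared namespaces; nothing in the hunk tells the user this happened. Suggest a why-comment and a warning on the else path, e.g. `# no bubblewrap outside Linux: the generator runs directly on the host, unsandboxed` followed by a warning through the module's logger (the file imports logging; the logger name is outside the hunk), `"bubblewrap is unavailable on %s; running generator unsandboxed", sys.platform`. The extracted `bubblewrap_cmd` helper in the earlier hunk should also get a docstring stating what the sandbox provides (read-only /nix/store, tmpfs over /usr/lib/systemd, bind mounts of facts_dir and secrets_dir, all namespaces unshared, uid 1000). generate_service_facts starts before and continues after this hunk.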