fix secret generation on macos #1669
|
|
@ -121,26 +121,27 @@
|
||||||
|
|
||||||
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
|
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
|
||||||
|
|
||||||
# prepare sandbox user
|
${lib.optionalString (pkgs.stdenv.hostPlatform.isLinux) ''
|
||||||
mkdir -p /etc
|
# prepare sandbox user on platforms where this is supported
|
||||||
|
mkdir -p /etc
|
||||||
|
|
||||||
cat > /etc/group <<EOF
|
cat > /etc/group <<EOF
|
||||||
root:x:0:
|
root:x:0:
|
||||||
nixbld:!:$(id -g):
|
nixbld:!:$(id -g):
|
||||||
nogroup:x:65534:
|
nogroup:x:65534:
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > /etc/passwd <<EOF
|
cat > /etc/passwd <<EOF
|
||||||
root:x:0:0:Nix build user:/build:/noshell
|
root:x:0:0:Nix build user:/build:/noshell
|
||||||
nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell
|
nixbld:x:$(id -u):$(id -g):Nix build user:/build:/noshell
|
||||||
nobody:x:65534:65534:Nobody:/:/noshell
|
nobody:x:65534:65534:Nobody:/:/noshell
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > /etc/hosts <<EOF
|
|
||||||
127.0.0.1 localhost
|
|
||||||
::1 localhost
|
|
||||||
EOF
|
|
||||||
|
|
||||||
|
cat > /etc/hosts <<EOF
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost
|
||||||
|
EOF
|
||||||
|
''}
|
||||||
${config.script}
|
${config.script}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -182,15 +182,33 @@ in
|
||||||
secret.zerotier-identity-secret = { };
|
secret.zerotier-identity-secret = { };
|
||||||
generator.path = [
|
generator.path = [
|
||||||
config.services.zerotierone.package
|
config.services.zerotierone.package
|
||||||
pkgs.fakeroot
|
|
||||||
pkgs.python3
|
pkgs.python3
|
||||||
];
|
];
|
||||||
generator.script = ''
|
generator.script =
|
||||||
python3 ${./generate.py} --mode network \
|
let
|
||||||
--ip "$facts/zerotier-ip" \
|
library = "libfakeroot${pkgs.stdenv.hostPlatform.extensions.sharedLibrary}";
|
||||||
--identity-secret "$secrets/zerotier-identity-secret" \
|
minifakeroot = pkgs.stdenv.mkDerivation {
|
||||||
--network-id "$facts/zerotier-network-id"
|
name = "minifakeroot";
|
||||||
'';
|
dontUnpack = true;
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out/lib
|
||||||
|
${
|
||||||
|
if pkgs.stdenv.isDarwin then
|
||||||
|
"$CC -dynamiclib -o $out/lib/libfakeroot.dylib ${./fake_root.c}"
|
||||||
|
else
|
||||||
|
"$CC -shared -o $out/lib/libfakeroot.so ${./fake_root.c}"
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
varName = if pkgs.stdenv.isDarwin then "DYLD_INSERT_LIBRARIES" else "LD_PRELOAD";
|
||||||
|
in
|
||||||
|
''
|
||||||
|
export ${varName}=${minifakeroot}/lib/${library}
|
||||||
|
python3 ${./generate.py} --mode network \
|
||||||
|
--ip "$facts/zerotier-ip" \
|
||||||
|
--identity-secret "$secrets/zerotier-identity-secret" \
|
||||||
|
--network-id "$facts/zerotier-network-id"
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
clan.core.state.zerotier.folders = [ "/var/lib/zerotier-one" ];
|
clan.core.state.zerotier.folders = [ "/var/lib/zerotier-one" ];
|
||||||
|
|
||||||
|
|
|
||||||
28
nixosModules/clanCore/zerotier/fake_root.c
Normal file
28
nixosModules/clanCore/zerotier/fake_root.c
Normal file
|
|
@ -0,0 +1,28 @@
|
||||||
|
#include <stdint.h>
|
||||||
|
typedef uint32_t uid_t;
|
||||||
|
|
||||||
|
#ifdef __APPLE__
|
||||||
|
struct dyld_interpose {
|
||||||
|
const void * replacement;
|
||||||
|
const void * replacee;
|
||||||
|
};
|
||||||
|
#define WRAPPER(ret, name) static ret _fakeroot_wrapper_##name
|
||||||
|
#define WRAPPER_DEF(name) \
|
||||||
|
__attribute__((used)) static struct dyld_interpose _fakeroot_interpose_##name \
|
||||||
|
__attribute__((section("__DATA,__interpose"))) = { &_fakeroot_wrapper_##name, &name };
|
||||||
|
#else
|
||||||
|
#define WRAPPER(ret, name) ret name
|
||||||
|
#define WRAPPER_DEF(name)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
WRAPPER(uid_t, geteuid)(const char * path, int flags, ...)
|
||||||
|
{
|
||||||
|
return 0; // Fake root
|
||||||
|
}
|
||||||
|
WRAPPER_DEF(geteuid)
|
||||||
|
|
||||||
|
WRAPPER(uid_t, getuid)(const char * path, int flags, ...)
|
||||||
|
{
|
||||||
|
return 0; // Fake root
|
||||||
|
}
|
||||||
|
WRAPPER_DEF(getuid)
|
||||||
|
|
@ -111,12 +111,11 @@ def zerotier_controller() -> Iterator[ZerotierController]:
|
||||||
home = tempdir / "zerotier-one"
|
home = tempdir / "zerotier-one"
|
||||||
home.mkdir()
|
home.mkdir()
|
||||||
cmd = [
|
cmd = [
|
||||||
"fakeroot",
|
|
||||||
"--",
|
|
||||||
"zerotier-one",
|
"zerotier-one",
|
||||||
f"-p{controller_port}",
|
f"-p{controller_port}",
|
||||||
str(home),
|
str(home),
|
||||||
]
|
]
|
||||||
|
|
||||||
with subprocess.Popen(
|
with subprocess.Popen(
|
||||||
cmd,
|
cmd,
|
||||||
preexec_fn=os.setsid,
|
preexec_fn=os.setsid,
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,7 @@ import importlib
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
|
import sys
|
||||||
from collections.abc import Callable
|
from collections.abc import Callable
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
from tempfile import TemporaryDirectory
|
from tempfile import TemporaryDirectory
|
||||||
|
|
@ -36,6 +37,30 @@ def read_multiline_input(prompt: str = "Finish with Ctrl-D") -> str:
|
||||||
return proc.stdout
|
return proc.stdout
|
||||||
|
|
||||||
|
|
||||||
|
def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[str]:
|
||||||
|
# fmt: off
|
||||||
|
return nix_shell(
|
||||||
|
[
|
||||||
|
"nixpkgs#bash",
|
||||||
|
"nixpkgs#bubblewrap",
|
||||||
|
],
|
||||||
|
[
|
||||||
|
"bwrap",
|
||||||
|
"--ro-bind", "/nix/store", "/nix/store",
|
||||||
|
"--tmpfs", "/usr/lib/systemd",
|
||||||
|
"--dev", "/dev",
|
||||||
|
"--bind", str(facts_dir), str(facts_dir),
|
||||||
|
"--bind", str(secrets_dir), str(secrets_dir),
|
||||||
|
"--unshare-all",
|
||||||
|
"--unshare-user",
|
||||||
|
"--uid", "1000",
|
||||||
|
"--",
|
||||||
|
"bash", "-c", generator
|
||||||
|
],
|
||||||
|
)
|
||||||
|
# fmt: on
|
||||||
|
|
||||||
|
|
||||||
def generate_service_facts(
|
def generate_service_facts(
|
||||||
machine: Machine,
|
machine: Machine,
|
||||||
service: str,
|
service: str,
|
||||||
|
|
@ -70,27 +95,10 @@ def generate_service_facts(
|
||||||
if machine.facts_data[service]["generator"]["prompt"]:
|
if machine.facts_data[service]["generator"]["prompt"]:
|
||||||
prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
|
prompt_value = prompt(machine.facts_data[service]["generator"]["prompt"])
|
||||||
env["prompt_value"] = prompt_value
|
env["prompt_value"] = prompt_value
|
||||||
# fmt: off
|
if sys.platform == "linux":
|
||||||
cmd = nix_shell(
|
cmd = bubblewrap_cmd(generator, facts_dir, secrets_dir)
|
||||||
[
|
else:
|
||||||
"nixpkgs#bash",
|
cmd = ["bash", "-c", generator]
|
||||||
"nixpkgs#bubblewrap",
|
|
||||||
],
|
|
||||||
[
|
|
||||||
"bwrap",
|
|
||||||
"--ro-bind", "/nix/store", "/nix/store",
|
|
||||||
"--tmpfs", "/usr/lib/systemd",
|
|
||||||
"--dev", "/dev",
|
|
||||||
"--bind", str(facts_dir), str(facts_dir),
|
|
||||||
"--bind", str(secrets_dir), str(secrets_dir),
|
|
||||||
"--unshare-all",
|
|
||||||
"--unshare-user",
|
|
||||||
"--uid", "1000",
|
|
||||||
"--",
|
|
||||||
"bash", "-c", generator
|
|
||||||
],
|
|
||||||
)
|
|
||||||
# fmt: on
|
|
||||||
run(
|
run(
|
||||||
cmd,
|
cmd,
|
||||||
env=env,
|
env=env,
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,6 @@
|
||||||
setuptools,
|
setuptools,
|
||||||
sops,
|
sops,
|
||||||
stdenv,
|
stdenv,
|
||||||
fakeroot,
|
|
||||||
rsync,
|
rsync,
|
||||||
bash,
|
bash,
|
||||||
sshpass,
|
sshpass,
|
||||||
|
|
@ -38,7 +37,6 @@ let
|
||||||
runtimeDependencies = [
|
runtimeDependencies = [
|
||||||
bash
|
bash
|
||||||
nix
|
nix
|
||||||
fakeroot
|
|
||||||
openssh
|
openssh
|
||||||
sshpass
|
sshpass
|
||||||
zbar
|
zbar
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user