From 140973270ae16998f397c3deb25212ce15d54bf6 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 30 Jan 2024 11:56:22 +0100
Subject: [PATCH] secrets: add sandbox user

---
 nixosModules/clanCore/secrets/default.nix | 16 +++++++++++++---
 pkgs/clan-cli/clan_cli/secrets/generate.py | 2 ++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/nixosModules/clanCore/secrets/default.nix b/nixosModules/clanCore/secrets/default.nix
index 5f6211b28..6c477ca8a 100644
--- a/nixosModules/clanCore/secrets/default.nix
+++ b/nixosModules/clanCore/secrets/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
 options.clanCore.secretStore = lib.mkOption {
 type = lib.types.enum [ "sops" "password-store" "custom" ];
@@ -69,8 +69,18 @@
 readOnly = true;
 internal = true;
 default = ''
- export PATH="${lib.makeBinPath config.path}"
- set -efu -o pipefail
+ set -eu -o pipefail
+
+ export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
+
+ # prepare sandbox user
+ mkdir -p /etc
+ cp ${pkgs.runCommand "fake-etc" {} ''
+ export PATH="${pkgs.coreutils}/bin"
+ mkdir -p $out
+ cp /etc/* $out/
+ ''}/* /etc/
+
 ${config.script}
 '';
 };
diff --git a/pkgs/clan-cli/clan_cli/secrets/generate.py b/pkgs/clan-cli/clan_cli/secrets/generate.py
index 586549eaa..8c5d7fdfb 100644
--- a/pkgs/clan-cli/clan_cli/secrets/generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/generate.py
@@ -56,6 +56,8 @@ def generate_secrets(machine: Machine) -> None:
 "--bind", str(facts_dir), str(facts_dir),
 "--bind", str(secrets_dir), str(secrets_dir),
 "--unshare-all",
+ "--unshare-user",
+ "--uid", "1000",
 "--",
 "bash", "-c", machine.secrets_data[service]["generator"]
 ],
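Review bot: The `fake-etc` derivation is not hermetic: `cp /etc/* $out/` copies whatever `/etc` the Nix builder happens to see, so the passwd/group entries the generator presumably needs for uid 1000 are only there when the build runs inside the Nix sandbox, and with `sandbox = false` or on a builder that does not populate a synthetic `/etc` the same expression would either copy the host's real `/etc` into the world-readable store or fail on directories and unreadable files. Writing the needed entries explicitly removes that dependency, e.g. `pkgs.writeText "passwd" "root:x:0:0::/root:/bin/sh\nnixbld:x:1000:100::/build:/bin/sh\n"` plus a matching `group` file, and keeps the uid next to the `--uid 1000` that generate.py passes to bwrap so the two cannot drift apart. Dropping `-f` from `set -efu` also turns globbing back on for every user-supplied `${config.script}`, not just for the `/etc/*` copy; if the copy is the only reason, `set -f` can be restored on the line before `${config.script}`. Whether `/etc` inside the bubblewrap sandbox is a tmpfs or a bind of the host `/etc` is decided outside this hunk; if it is a host bind, `cp ... /etc/` would overwrite host files, which is worth a comment here either way.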
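Review bot: `--unshare-user` is already implied by `--unshare-all` on the line above (see bwrap(1)), so the added flag is redundant and the substantive change is `--uid 1000`. That uid is a magic number whose only justification is that it must match an entry in the fake `/etc` installed by the Nix module, so it should be a named module constant with a comment, e.g. `SANDBOX_UID = "1000"  # must match the uid in the sandbox's generated /etc/passwd` at module level and `"--uid", SANDBOX_UID,` here. When bwrap runs unprivileged, uid 1000 inside the user namespace maps back to the invoking user, so files the generator writes into the bound `facts_dir`/`secrets_dir` presumably stay owned by the caller on the host; the flag changes how the generator sees itself, not what it may touch, and the commit message should not be read as a privilege reduction. The enclosing `generate_secrets` body starts and ends outside the hunk.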