secrets: add sandbox user

This commit is contained in:
lassulus
2024-01-30 11:56:22 +01:00
parent 6229cab375
commit 140973270a
2 changed files with 15 additions and 3 deletions


@@ -1,4 +1,4 @@
{ config, lib, ... }: { config, lib, pkgs, ... }:
{ {
options.clanCore.secretStore = lib.mkOption { options.clanCore.secretStore = lib.mkOption {
type = lib.types.enum [ "sops" "password-store" "custom" ]; type = lib.types.enum [ "sops" "password-store" "custom" ];
@@ -69,8 +69,18 @@
readOnly = true; readOnly = true;
internal = true; internal = true;
default = '' default = ''
export PATH="${lib.makeBinPath config.path}" set -eu -o pipefail
set -efu -o pipefail
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
# prepare sandbox user
mkdir -p /etc
cp ${pkgs.runCommand "fake-etc" {} ''
export PATH="${pkgs.coreutils}/bin"
mkdir -p $out
cp /etc/* $out/
''}/* /etc/
${config.script} ${config.script}
''; '';
}; };
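Review bot: The `fake-etc` derivation's contents are whatever `/etc` looks like inside the Nix build sandbox at evaluation of `cp /etc/* $out/`, and nothing in the hunk says why that is the right passwd/group for the generator; it appears to rely on the build sandbox mapping uid 1000 (the same uid the Python side passes to bwrap), which is an implicit coupling a reader cannot see here. A comment above `# prepare sandbox user` should state it, e.g. `# Snapshot /etc from the Nix build sandbox: its passwd/group map uid 1000, which the bwrap wrapper uses as the sandbox user; keep in sync with --uid in the Python caller.` Two further things worth noting in that comment: `cp /etc/*` has no `-r`, so the build fails under `set -e` if the sandbox `/etc` ever gains a subdirectory, and the replacement of `set -efu` by `set -eu` re-enables globbing for `${config.script}`, which existing generators may not expect. The enclosing option definition starts before the hunk.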


@@ -56,6 +56,8 @@ def generate_secrets(machine: Machine) -> None:
"--bind", str(facts_dir), str(facts_dir), "--bind", str(facts_dir), str(facts_dir),
"--bind", str(secrets_dir), str(secrets_dir), "--bind", str(secrets_dir), str(secrets_dir),
"--unshare-all", "--unshare-all",
"--unshare-user",
"--uid", "1000",
"--", "--",
"bash", "-c", machine.secrets_data[service]["generator"] "bash", "-c", machine.secrets_data[service]["generator"]
], ],
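Review bot: The added `--unshare-user` looks redundant with the existing `--unshare-all`, which as I read bubblewrap's documentation already unshares the user namespace; if the intent is to make the requirement for `--uid` explicit, a comment saying so is clearer than a second flag. The literal `1000` is also coupled to the passwd snapshot the Nix module installs into the sandbox's `/etc`, so it should be a named module constant with a comment, e.g. `SANDBOX_UID = 1000  # must match the uid present in the fake /etc built by the clanCore secrets module`, and `"--uid", str(SANDBOX_UID)`. Since only the uid is overridden, the gid inside the sandbox presumably stays the caller's real gid, which may not exist in the copied group file; consider adding `"--gid", str(SANDBOX_GID)` as well. generate_secrets begins before the hunk and continues after it.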