vars/fact: isolate secret generation better from the system

pkgs/clan-cli/clan_cli/facts/generate.py

@@ -46,14 +46,20 @@ def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[s
         ],
         [
             "bwrap",
+            "--unshare-all",
+            "--tmpfs",  "/",
             "--ro-bind", "/nix/store", "/nix/store",
-            "--tmpfs",  "/usr/lib/systemd",
             "--dev", "/dev",
+            # not allowed to bind procfs in some sandboxes
             "--bind", str(facts_dir), str(facts_dir),
             "--bind", str(secrets_dir), str(secrets_dir),
-            "--unshare-all",
+            "--chdir", "/",
-            "--unshare-user",
+            # Doesn't work in our CI?
+            #"--proc", "/proc",
+            #"--hostname", "facts",
+            "--bind", "/proc", "/proc",
             "--uid", "1000",
+            "--gid", "1000",
             "--",
             "bash", "-c", generator
         ],

pkgs/clan-cli/clan_cli/vars/generate.py

@@ -88,14 +88,20 @@ def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]:
         ],
         [
             "bwrap",
+            "--unshare-all",
+            "--tmpfs",  "/",
             "--ro-bind", "/nix/store", "/nix/store",
             *(["--ro-bind", str(test_store), str(test_store)] if test_store else []),
-            "--tmpfs",  "/usr/lib/systemd",
             "--dev", "/dev",
+            # not allowed to bind procfs in some sandboxes
             "--bind", str(tmpdir), str(tmpdir),
-            "--unshare-all",
+            "--chdir", "/",
-            "--unshare-user",
+            # Doesn't work in our CI?
+            #"--proc", "/proc",
+            #"--hostname", "facts",
+            "--bind", "/proc", "/proc",
             "--uid", "1000",
+            "--gid", "1000",
             "--",
             "bash", "-c", generator
         ],