clan-cli secrets: generate secrets inside bubblewrap

2024-01-24 19:19:02 +01:00
parent a91504f0b2
commit 1b9445b71f
1 changed files with 17 additions and 3 deletions
--- a/pkgs/clan-cli/clan_cli/secrets/generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/generate.py
@@ -42,11 +42,25 @@ def generate_secrets(machine: Machine) -> None:
                secrets_dir = tmpdir / "secrets"
                secrets_dir.mkdir(parents=True)
                env["secrets"] = str(secrets_dir)
-                # TODO use bubblewrap here
+                # fmt: off
                cmd = nix_shell(
-                    ["nixpkgs#bash"],
+                    [
-                    ["bash", "-c", machine.secrets_data[service]["generator"]],
+                        "nixpkgs#bash",
                        "nixpkgs#bubblewrap",
                    ],
                    [
                        "bwrap",
                        "--ro-bind", "/nix/store", "/nix/store",
                        "--tmpfs",  "/usr/lib/systemd",
                        "--dev", "/dev",
                        "--bind", str(facts_dir), str(facts_dir),
                        "--bind", str(secrets_dir), str(secrets_dir),
                        "--unshare-all",
                        "--",
                        "bash", "-c", machine.secrets_data[service]["generator"]
                    ],
                )
                # fmt: on
                run(
                    cmd,
                    env=env,