diff --git a/nixosModules/clanCore/secrets/default.nix b/nixosModules/clanCore/secrets/default.nix
index 5f6211b28..6c477ca8a 100644
--- a/nixosModules/clanCore/secrets/default.nix
+++ b/nixosModules/clanCore/secrets/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
 options.clanCore.secretStore = lib.mkOption {
 type = lib.types.enum [ "sops" "password-store" "custom" ];
@@ -69,8 +69,18 @@
 readOnly = true;
 internal = true;
 default = ''
- export PATH="${lib.makeBinPath config.path}"
- set -efu -o pipefail
+ set -eu -o pipefail
+
+ export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
+
+ # prepare sandbox user
+ mkdir -p /etc
+ cp ${pkgs.runCommand "fake-etc" {} ''
+ export PATH="${pkgs.coreutils}/bin"
+ mkdir -p $out
+ cp /etc/* $out/
+ ''}/* /etc/
+
 ${config.script}
 '';
 };
diff --git a/pkgs/clan-cli/clan_cli/secrets/generate.py b/pkgs/clan-cli/clan_cli/secrets/generate.py
index 586549eaa..f9e07dcbc 100644
--- a/pkgs/clan-cli/clan_cli/secrets/generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/generate.py
@@ -56,6 +56,8 @@ def generate_secrets(machine: Machine) -> None:
 "--bind", str(facts_dir), str(facts_dir),
 "--bind", str(secrets_dir), str(secrets_dir),
 "--unshare-all",
+ "--unshare-user",
+ "--uid", "1000",
 "--",
 "bash", "-c", machine.secrets_data[service]["generator"]
 ],
@@ -72,7 +74,7 @@ def generate_secrets(machine: Machine) -> None:
 msg = f"did not generate a file for '{secret}' when running the following command:\n"
 msg += machine.secrets_data[service]["generator"]
 raise ClanError(msg)
- secret_store.set(service, secret, secret_file.read_text())
+ secret_store.set(service, secret, secret_file.read_bytes())
 # store facts
 for name, fact_path in machine.secrets_data[service]["facts"].items():
 fact_file = facts_dir / name
diff --git a/pkgs/clan-cli/clan_cli/secrets/modules/password_store.py b/pkgs/clan-cli/clan_cli/secrets/modules/password_store.py
index 52a8c9523..8e1ffc27d 100644
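Review bot: The `fake-etc` derivation's output is whatever `/etc` the Nix builder happened to see, so the passwd/group data the generator later installs into its sandbox (and that `--uid 1000` in generate.py presumably relies on) is an undeclared artefact of the build environment; with sandboxing disabled it would be a copy of the host's `/etc` placed in a world-readable store path. Writing the handful of files the generator needs explicitly, e.g. `echo "nixbld:x:1000:100::/build:/noshell" > $out/passwd` plus a matching `group` line (constructed example; use the uid generate.py passes), would be deterministic and self-documenting. `cp /etc/* $out/` also omits dotfiles and, without `-r`, errors on any subdirectory of `/etc`, which under stdenv's `set -e` would likely abort the build. Dropping `-f` from the wrapper's `set` line means `config.script` bodies now see glob expansion that was previously disabled.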
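Review bot: `--unshare-user` next to `--unshare-all` reads as redundant and deserves a comment: `--unshare-all` expands to `--unshare-user-try`, which falls back silently when user namespaces are unavailable, whereas the explicit flag makes that a hard error so `--uid` cannot quietly be skipped — hedged, since bwrap's exact fallback behaviour is not visible here. Suggested comment above the new lines: `# --unshare-all only tries the user namespace; make it mandatory so --uid is honoured`. The literal `"1000"` only makes sense together with the passwd data that clanCore/secrets/default.nix copies into the sandbox; a module-level `SANDBOX_UID = 1000` with a comment pointing at that file would keep the two from drifting. generate_secrets continues outside this hunk.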
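Review bot: `secret_file.read_bytes()` lets non-text generator output reach `secret_store.set`, but the sops backend in this same commit (`modules/sops.py`) immediately does `value.decode()`, so a secret that is not valid UTF-8 now fails there with a bare `UnicodeDecodeError` instead of the `ClanError` this loop raises for other failures, and only the password-store backend actually accepts binary. Either the sops `set` should translate the failure, e.g. `except UnicodeDecodeError as e: raise ClanError(f"secret '{name}' must be UTF-8 text for the sops store") from e` (assuming `ClanError` is importable there), or a comment on the new line here should state the contract: `# raw bytes; each backend decides whether text is required`. generate_secrets continues outside this hunk.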
--- a/pkgs/clan-cli/clan_cli/secrets/modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/secrets/modules/password_store.py
@@ -10,13 +10,13 @@ class SecretStore:
 def __init__(self, machine: Machine) -> None:
 self.machine = machine
- def set(self, service: str, name: str, value: str) -> None:
+ def set(self, service: str, name: str, value: bytes) -> None:
 subprocess.run(
 nix_shell(
 ["nixpkgs#pass"],
 ["pass", "insert", "-m", f"machines/{self.machine.name}/{name}"],
 ),
- input=value.encode("utf-8"),
+ input=value,
 check=True,
 )
diff --git a/pkgs/clan-cli/clan_cli/secrets/modules/sops.py b/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
index a9cd10ff8..6c434e329 100644
--- a/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
@@ -28,11 +28,11 @@ class SecretStore:
 )
 add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
- def set(self, _service: str, name: str, value: str) -> None:
+ def set(self, _service: str, name: str, value: bytes) -> None:
 encrypt_secret(
 self.machine.flake_dir,
 sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
- value,
+ value.decode(),
 add_machines=[self.machine.name],
 )
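Review bot: `set` now stores `value` verbatim via `pass insert -m`, but nothing documents that contract, nor that `service` plays no part in the entry path `machines/<machine>/<name>` — if two services use the same secret name they would overwrite each other, which is worth confirming against the callers in generate.py. A docstring on the new signature would capture both: `"""Store *value* as-is under machines/<machine>/<name>; *service* is ignored and exists for interface parity with the sops store."""`. A failing `pass` call surfaces as `subprocess.CalledProcessError` rather than the `ClanError` generate.py uses elsewhere; whether a caller converts it is outside this hunk.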