prepare fs.generated.script users to not assume a shell

2023-07-08 10:34:46 +00:00 · 2023-07-08 10:34:46 +00:00 · 558b35fee0
commit 558b35fee0
parent 3ce2716fbe
10 changed files with 48 additions and 28 deletions
--- a/hosts/common/home/keyring/default.nix
+++ b/hosts/common/home/keyring/default.nix
@ -1,10 +1,16 @@
-{ config, sane-lib, ... }:
+{ config, pkgs, sane-lib, ... }:
 let
  init-keyring = pkgs.static-nix-shell.mkBash {
    pname = "init-keyring";
    src = ./.;
  };
 in
 {
  sane.user.persist.private = [ ".local/share/keyrings" ];
  sane.user.fs."private/.local/share/keyrings/default" = {
-    generated.script.script = builtins.readFile ./init-keyring;
+    generated.script.script = "${init-keyring}/bin/init-keyring";
    # TODO: is this `wantedBy` needed? can we inherit it?
    wantedBy = [ config.sane.fs."/home/colin/private".unit ];
    wantedBeforeBy = [ ];  # don't created this as part of `multi-user.target`
--- a/hosts/common/home/keyring/init-keyring
+++ b/hosts/common/home/keyring/init-keyring
@ -1,4 +1,5 @@
-#!/bin/sh
+#!/usr/bin/env nix-shell
 #!nix-shell -i bash
 # initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
 # this initializes it to be plaintext/unencrypted.
--- a/hosts/modules/default.nix
+++ b/hosts/modules/default.nix
@ -2,7 +2,7 @@
 {
  imports = [
-    ./derived-secrets.nix
+    ./derived-secrets
    ./gui
    ./hardware
    ./hostnames.nix
--- a/hosts/modules/derived-secrets/default.nix
+++ b/hosts/modules/derived-secrets/default.nix
@ -1,8 +1,14 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
  inherit (builtins) toString;
  inherit (lib) mapAttrs mkOption types;
  hash-path-with-salt = pkgs.static-nix-shell.mkBash {
    pname = "hash-path-with-salt";
    src = ./.;
  };
  cfg = config.sane.derived-secrets;
  secret = types.submodule {
    options = {
@ -31,15 +37,7 @@ in
  config = {
    sane.fs = mapAttrs (path: c: {
-      generated.script.script = ''
+      generated.script.script = ''${hash-path-with-salt}/bin/hash-path-with-salt "$@"'';
        echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
          | sha512sum \
          | cut -c 1-${toString (c.len * 2)} \
          | tr a-z A-Z \
          | basenc -d --base16 \
          | basenc --${c.encoding} \
          > "$1"
      '';
      generated.script.scriptArgs = [ path ];
      generated.acl.mode = "0600";
    }) cfg;
--- a/hosts/modules/derived-secrets/hash-path-with-salt
+++ b/hosts/modules/derived-secrets/hash-path-with-salt
@ -0,0 +1,9 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash
 echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
  | sha512sum \
  | cut -c 1-${toString (c.len * 2)} \
  | tr a-z A-Z \
  | basenc -d --base16 \
  | basenc --${c.encoding} \
  > "$1"
--- a/hosts/modules/roles/client/bluetooth-pairings.nix
+++ b/hosts/modules/roles/client/bluetooth-pairings.nix
@ -15,11 +15,8 @@ in
    sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
    sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
      wantedBeforeBy = [ "bluetooth.service" ];
-      generated.script.script = ''
+      generated.script.script = ''${install-bluetooth}/bin/install-bluetooth "$@"'';
-        ${install-bluetooth}/bin/install-bluetooth $@
+      generated.script.scriptArgs = [ "/run/secrets/bt" "" "/var/lib/bluetooth/.secrets.stamp" ];
        touch "/var/lib/bluetooth/.secrets.stamp"
      '';
      generated.script.scriptArgs = [ "/run/secrets/bt" ];
    };
  };
 }
--- a/hosts/modules/roles/client/install-bluetooth
+++ b/hosts/modules/roles/client/install-bluetooth
@ -12,6 +12,7 @@
 srcdir="$1"
 destdir="$2"
 stamp="$3"
 if [ "x$destdir" = "x" ]
 then
@ -36,3 +37,8 @@ do
    touch "$condir/attributes"
  fi
 done
 if [ "x$stamp" != "x" ]
 then
  touch "$stamp"
 fi
--- a/hosts/modules/roles/client/install-iwd
+++ b/hosts/modules/roles/client/install-iwd
@ -10,6 +10,7 @@
 src_dir="$1"
 dest_dir="$2"
 stamp="$3"
 for f in $(ls "$src_dir")
 do
        if [ -f "$src_dir/$f" ]; then
@ -21,3 +22,4 @@ do
                chmod 600 "$dest_dir/$ssid.psk"
        fi
 done
 touch "$stamp"
--- a/hosts/modules/roles/client/wifi-pairings.nix
+++ b/hosts/modules/roles/client/wifi-pairings.nix
@ -12,11 +12,8 @@ in
    sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
      wantedBeforeBy = [ "iwd.service" ];
      generated.acl.mode = "0600";
-      generated.script.script = ''
+      generated.script.script = ''${install-iwd}/bin/install-iwd "$@"'';
-        ${install-iwd}/bin/install-iwd $@
+      generated.script.scriptArgs = [ "/run/secrets/net" "/var/lib/iwd" "/var/lib/iwd/.secrets.psk.stamp" ];
        touch "/var/lib/iwd/.secrets.psk.stamp"
      '';
      generated.script.scriptArgs = [ "/run/secrets/net" "/var/lib/iwd" ];
    };
  };
 }
--- a/modules/persist/stores/crypt.nix
+++ b/modules/persist/stores/crypt.nix
@ -41,8 +41,8 @@ lib.mkIf config.sane.persist.enable
  # let sane.fs know how to initialize the gocryptfs store,
  # and that it MUST do so
-  sane.fs."${underlying}/gocryptfs.conf".generated = {
+  sane.fs."${underlying}/gocryptfs.conf".generated = let
-    script.script = ''
+    script = pkgs.writeShellScript "init-gocryptfs-store" ''
      backing="$1"
      passfile="$2"
      # clear the backing store
@ -50,16 +50,20 @@ lib.mkIf config.sane.persist.enable
      rm -rf "''${backing:?}"/*
      ${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
    '';
  in {
    script.script = ''${script} "$@"'';
    script.scriptArgs = [ underlying key ];
    # we need the key in order to initialize the store
    depends = [ config.sane.fs."${key}".unit ];
  };
  # let sane.fs know how to generate the key for gocryptfs
-  sane.fs."${key}".generated = {
+  sane.fs."${key}".generated = let
-    script.script = ''
+    script = pkgs.writeShellScript "gen-random-gocryptfs-key" ''
      dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"
    '';
  in {
    script.script = ''${script} "$@"'';
    script.scriptArgs = [ key ];
    # no need for anyone else to be able to read the key
    acl.mode = "0400";