Merge pull request #945 from kamadorueda/main

feat(build): #944 doas make
fluidattacks · Sep 30, 2022 · 120ea38 · 120ea38
2 parents 38d611a + 3b69cc8
commit 120ea38
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 7 deletions.
diff --git a/makes/container-image/builder.sh b/makes/container-image/builder.sh
@@ -5,12 +5,15 @@
 # shellcheck shell=bash
 
 function configure_nix {
-  mkdir -p "${out}/home/makes/.config/nix" \
+  : \
+    && mkdir -p "${out}/home/makes/.config/nix" \
+    && mkdir -p "${out}/home/root/.config/nix" \
     && mkdir -p "${out}/etc/nix" \
     && mkdir -p "${out}/nix/store/.links" \
-    && mkdir -p "${out}/nix/var" \
+    && mkdir -p "${out}/nix/var/nix" \
     && echo 'build-users-group =' | tee \
       "${out}/home/makes/.config/nix/nix.conf" \
+      "${out}/home/root/.config/nix/nix.conf" \
       "${out}/etc/nix/nix.conf"
 }
 

diff --git a/makes/container-image/main.nix b/makes/container-image/main.nix
@@ -20,17 +20,19 @@ makeContainerImage {
       "SYSTEM_CERTIFICATE_PATH=/etc/ssl/certs/ca-bundle.crt"
       "USER=makes"
     ];
-    User = "makes:makes";
-    WorkingDir = "/makes";
+    User = "root:root";
+    WorkingDir = "/";
   };
   layers = [
     (makeDerivation {
       env = {
         envEtcGroup = ''
-          makes:x:0:
+          root:x:0:
+          makes:x:48:
           nobody:x:65534:
         '';
         envEtcGshadow = ''
+          root:*::
           makes:*::
           nobody:*::
         '';
@@ -41,10 +43,12 @@ makeContainerImage {
           session required pam_unix.so
         '';
         envEtcPasswd = ''
-          makes:x:0:0::/home/makes:${inputs.nixpkgs.bash}/bin/bash
+          root:x:0:0:root:/home/root:${inputs.nixpkgs.bash}/bin/bash
+          makes:x:48:48:makes:/home/makes:${inputs.nixpkgs.bash}/bin/bash
           nobody:x:65534:65534:nobody:/homeless:/bin/false
         '';
         envEtcShadow = ''
+          root:!x:::::::
           makes:!x:::::::
           nobody:!x:::::::
         '';
@@ -61,7 +65,27 @@ makeContainerImage {
     inputs.nixpkgs.gzip
     inputs.nixpkgs.nix
 
-    outputs."/"
+    (inputs.nixpkgs.writeShellScriptBin "m" ''
+      if test -z "''${MAKES_NON_ROOT:-}"; then
+        ${outputs."/"}/bin/m "$@"
+      else
+        echo Using feature flag: MAKES_NON_ROOT
+
+        chown -R makes:makes /nix
+
+        chmod u+w /home/makes
+        chmod u+w /tmp
+        chown makes:makes /home/makes
+        chown makes:makes /tmp
+
+        {
+          echo permit nopass keepenv makes
+          echo permit nopass keepenv root
+        } > /etc/doas.conf
+
+        ${inputs.nixpkgs.doas}/bin/doas -u makes ${outputs."/"}/bin/m "$@"
+      fi
+    '')
   ];
   maxLayers = 20;
 }