author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-17 14:08:29 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-02-17 14:08:29 +0100 |
commit | cdade8e6c5ef4e02f9eaf7047248d00fae7fd805 (patch) | |
tree | e6e28bbe1965fc7bce5d7d0252b4477d648e000c | |
parent | 52f60bc7653196dd05a1e9e457ee1e3b24428eda (diff) | |
vidhar: ...
-rwxr-xr-x | hosts/vidhar/borg/copy.py | 13 | ||||
-rw-r--r-- | hosts/vidhar/borg/default.nix | 9 | ||||
-rw-r--r-- | hosts/vidhar/borg/pyprctl-packages.nix | 21 |
3 files changed, 36 insertions, 7 deletions
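diff --git a/hosts/vidhar/borg/copy.py b/hosts/vidhar/borg/copy.py
index 4bfae1cb..9dac86ae 100755
--- a/hosts/vidhar/borg/copy.py
+++ b/hosts/vidhar/borg/copy.py
@@ -21,6 +21,7 @@ from xdg import xdg_runtime_dir
 import pathlib
 
 import unshare
+import pyprctl
 
 import signal
 from time import sleep
@@ -93,15 +94,19 @@ def copy_archive(src_repo_path, dst_repo_path, entry):
     child = os.fork()
     if child == 0:
         # print('unshare/chroot', file=stderr)
-        uid_map_content = f'0 {os.getuid()} 1\n0 0 1'
-        gid_map_content = f'0 {os.getgid()} 1\n0 0 1'
+        uid, gid = os.getuid(), os.getgid()
         unshare.unshare(unshare.CLONE_NEWNS | unshare.CLONE_NEWUSER)
         with open('/proc/self/setgroups', 'w') as setgroups:
             setgroups.write('deny')
         with open('/proc/self/uid_map', 'w') as uid_map:
-            uid_map.write(uid_map_content)
+            uid_map.write(f'0 {uid} 1')
         with open('/proc/self/gid_map', 'w') as gid_map:
-            gid_map.write(gid_map_content)
+            gid_map.write(f'0 {gid} 1')
+        pyprctl.cap_ambient_raise(pyprctl.Cap.SYS_ADMIN)
+        with open('/proc/self/uid_map', 'w') as uid_map:
+            uid_map.write(f'{uid} {uid} 1')
+        with open('/proc/self/gid_map', 'w') as gid_map:
+            gid_map.write(f'{gid} {gid} 1')
         subprocess.run(['mount', '--make-rprivate', '/'], check=True)
         chroot = pathlib.Path(tmpdir) / 'chroot'
         upper = pathlib.Path(tmpdir) / 'upper'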
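Review bot: The second pair of writes to `/proc/self/uid_map` and `/proc/self/gid_map` (new lines 106–109) cannot succeed: the kernel accepts exactly one write to each map file per user namespace, so once the `0 {uid} 1` mapping from lines 101–104 is installed the `{uid} {uid} 1` write fails with EPERM and the child dies with PermissionError before `mount` runs. `pyprctl.cap_ambient_raise(pyprctl.Cap.SYS_ADMIN)` on line 105 looks equally doomed, since PR_CAP_AMBIENT_RAISE requires the capability in both the permitted and inheritable sets and a freshly unshared user namespace starts with an empty inheritable set — it presumably needs `pyprctl.cap_inheritable.add(pyprctl.Cap.SYS_ADMIN)` first (verify against the pyprctl API). If the goal is to run `mount` as the unprivileged uid inside the namespace while carrying CAP_SYS_ADMIN across execve, install only the `{uid} {uid} 1` / `{gid} {gid} 1` mapping and raise the inheritable then ambient capability after it; if the goal is to stay uid 0 in the namespace, lines 105–109 can simply be dropped, because a namespace-root euid should already keep its namespace capabilities across exec. copy_archive begins before this hunk and continues after it.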
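diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix
index 170ef65d..71c0da26 100644
--- a/hosts/vidhar/borg/default.nix
+++ b/hosts/vidhar/borg/default.nix
@@ -43,7 +43,10 @@ let
     };
   };
 
-  copyBorg = pkgs.stdenv.mkDerivation rec {
+  copyBorg = pkgs.stdenv.mkDerivation (let
+    packageOverrides = pkgs.callPackage ./pyprctl-packages.nix {};
+    inpPython = pkgs.python39.override { inherit packageOverrides; };
+  in rec {
     name = "copy";
     src = ./copy.py;
 
@@ -51,7 +54,7 @@ let
 
     buildInputs = with pkgs; [makeWrapper];
 
-    python = pkgs.python39.withPackages (ps: with ps; [humanize tqdm dateutil xdg python-unshare halo]);
+    python = pkgs.python39.withPackages (ps: with ps; [humanize tqdm dateutil xdg python-unshare pyprctl halo]);
 
     buildPhase = ''
       substitute $src copy \
@@ -70,7 +73,7 @@ let
       wrapProgram $out/bin/copy \
         --prefix PATH : ${makeBinPath (with pkgs; [utillinux borgbackup])}
     '';
-  };
+  });
 in {
   config = {
     services.borgbackup.repos.jotnar = {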
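Review bot: `inpPython` (new line 48) is built with the pyprctl overlay but never used — `python` on new line 57 still calls `pkgs.python39.withPackages`, whose package set does not see `packageOverrides`, so `pyprctl` resolves only if nixpkgs itself already ships that package and otherwise evaluation fails with an undefined-variable error inside `with ps;`. The line should read `python = inpPython.withPackages (ps: with ps; [humanize tqdm dateutil xdg python-unshare pyprctl halo]);`. The `let … in rec { … }` wrapping the derivation spans all three hunks, and the shell string around `wrapProgram` starts outside the view.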
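diff --git a/hosts/vidhar/borg/pyprctl-packages.nix b/hosts/vidhar/borg/pyprctl-packages.nix
new file mode 100644
index 00000000..d3b4256a
--- /dev/null
+++ b/hosts/vidhar/borg/pyprctl-packages.nix
@@ -0,0 +1,21 @@
+# Generated by pip2nix 0.8.0.dev1
+# See https://github.com/nix-community/pip2nix
+
+{ pkgs, fetchurl, fetchgit, fetchhg }:
+
+self: super: {
+  "pyprctl" = super.buildPythonPackage rec {
+    pname = "pyprctl";
+    version = "0.1.3";
+    src = fetchurl {
+      url = "https://files.pythonhosted.org/packages/bf/5e/62765de39bbce8111fb1f4453a4a804913bf49179fa265fb713ed66c9d15/pyprctl-0.1.3-py3-none-any.whl";
+      sha256 = "1pgif990r92za5rx12mjnq5iiz72d455v0wrawzb73q79w8ya0k3";
+    };
+    format = "wheel";
+    doCheck = false;
+    buildInputs = [];
+    checkInputs = [];
+    nativeBuildInputs = [];
+    propagatedBuildInputs = [];
+  };
+}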