Implements docker-based fhs env wrapper

2019-07-05 19:43:28 +00:00 · 2019-07-05 19:43:28 +00:00 · 76aecfccf6
parent 33bee58e3e
commit 76aecfccf6
4 changed files with 43 additions and 19 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -15,6 +15,7 @@ in {
      ./desktop.nix
      ./security.nix
      ./hacks.nix
+      ./docker.nix
    ];

  time.timeZone = "UTC";
--- a/docker.nix
+++ b/docker.nix
@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+
+{
+  systemd = {
+    services = {
+      "docker-build-fhs" = {
+        enable = true;
+        description = "Create fhs docker container";
+        wantedBy = [ "multi-user.target" ];
+        script = ''
+          mkdir -p /var/docker-fhs && cd /var/docker-fhs
+          cat > Dockerfile <<EOF
+
+          FROM ubuntu:devel
+
+          ENV DEBIAN_FRONTEND noninteractive
+
+          RUN apt update && apt upgrade -y
+          RUN apt install -y git libssl-dev bison flex bc build-essential
+          RUN apt install -y libelf-dev python python3 zsh repo
+
+          RUN groupmod users -g 100
+          RUN useradd user -u 1000 -g 100 -s /bin/zsh
+
+          RUN echo 'cd \$HOST_PWD' >> /etc/zsh/zshrc
+
+          CMD bash -c 'su user'
+
+          EOF
+          ${pkgs.docker}/bin/docker build -t fhs .
+        '';
+        serviceConfig.Type = "oneshot";
+      };
+    };
+  };
+}
--- a/hacks.nix
+++ b/hacks.nix
@ -10,22 +10,4 @@
  };

  boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
-
-  systemd = {
-    services = {
-      "sid-chroot-mounts" = {
-        enable = true;
-        description = "Setup mounts for debian sid chroot";
-        wantedBy = [ "multi-user.target" ];
-        script = ''
-          ls /home/user/chroots/sid-root/home/user/.zshrc && exit
-          ${pkgs.utillinux}/bin/mount --bind /home/user /home/user/chroots/sid-root/home/user
-          ${pkgs.utillinux}/bin/mount --bind /dev /home/user/chroots/sid-root/dev
-          ${pkgs.utillinux}/bin/mount --bind /proc /home/user/chroots/sid-root/proc
-          ${pkgs.utillinux}/bin/mount --bind /sys /home/user/chroots/sid-root/sys
-        '';
-        serviceConfig.Type = "oneshot";
-      };
-    };
-  };
 }
--- a/security.nix
+++ b/security.nix
@ -1,6 +1,9 @@
 { config, pkgs, ... }:

-{
+let
+  fhs = pkgs.writeShellScriptBin "fhs"
+    "${pkgs.docker}/bin/docker run -v /home/user:/home/user -e \"HOST_PWD=$PWD\" -it fhs";
+in {
  security.allowUserNamespaces = true;
  security.allowSimultaneousMultithreading = true;
  security.lockKernelModules = false;
@ -41,10 +44,12 @@
    extraConfig = ''
      %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
      %wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox
+      %wheel ALL=(root) NOPASSWD: ${fhs}/bin/fhs
    '';
  };

  environment.systemPackages = with pkgs; [
+    (writeShellScriptBin "fhs" "sudo ${fhs}/bin/fhs")
    (writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")
  ];