From 76aecfccf6dc8cc4972e90a6bae3858d30f17c04 Mon Sep 17 00:00:00 2001
From: Mikhail Klementev
Date: Fri, 5 Jul 2019 19:43:28 +0000
Subject: [PATCH] Implements docker-based fhs env wrapper
---
 configuration.nix | 1 +
 docker.nix | 36 ++++++++++++++++++++++++++++++++++++
 hacks.nix | 18 ------------------
 security.nix | 7 ++++++-
 4 files changed, 43 insertions(+), 19 deletions(-)
 create mode 100644 docker.nix
diff --git a/configuration.nix b/configuration.nix
index 644c6a3..d732315 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -15,6 +15,7 @@ in {
 ./desktop.nix
 ./security.nix
 ./hacks.nix
+ ./docker.nix
 ];
 time.timeZone = "UTC";
diff --git a/docker.nix b/docker.nix
new file mode 100644
index 0000000..297b6ff
--- /dev/null
+++ b/docker.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+
+ {
+ systemd = {
+ services = {
+ "docker-build-fhs" = {
+ enable = true;
+ description = "Create fhs docker container";
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ mkdir -p /var/docker-fhs && cd /var/docker-fhs
+ cat > Dockerfile <> /etc/zsh/zshrc
+
+ CMD bash -c 'su user'
+
+ EOF
+ ${pkgs.docker}/bin/docker build -t fhs .
+ '';
+ serviceConfig.Type = "oneshot";
+ };
+ };
+ };
+}
diff --git a/hacks.nix b/hacks.nix
index 18f14b1..11baf7b 100644
--- a/hacks.nix
+++ b/hacks.nix
@@ -10,22 +10,4 @@
 };
 boot.kernel.sysctl."net.ipv4.ip_default_ttl" = 65;
-
- systemd = {
- services = {
- "sid-chroot-mounts" = {
- enable = true;
- description = "Setup mounts for debian sid chroot";
- wantedBy = [ "multi-user.target" ];
- script = ''
- ls /home/user/chroots/sid-root/home/user/.zshrc && exit
- ${pkgs.utillinux}/bin/mount --bind /home/user /home/user/chroots/sid-root/home/user
- ${pkgs.utillinux}/bin/mount --bind /dev /home/user/chroots/sid-root/dev
- ${pkgs.utillinux}/bin/mount --bind /proc /home/user/chroots/sid-root/proc
- ${pkgs.utillinux}/bin/mount --bind /sys /home/user/chroots/sid-root/sys
- '';
- serviceConfig.Type = "oneshot";
- };
- };
- };
 }
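Review bot: The `docker-build-fhs` unit in the docker.nix hunk declares only `wantedBy`, with no ordering against `docker.service`, so at boot the `docker build` in `script` can run before the daemon is up and the oneshot fails; add `after = [ "docker.service" ]; requires = [ "docker.service" ];` beside `wantedBy`. The script also rebuilds the image unconditionally on every boot, needing the network each time, whereas the `sid-chroot-mounts` unit removed in hacks.nix short-circuited with `ls ... && exit`; a guard such as `${pkgs.docker}/bin/docker image inspect fhs >/dev/null 2>&1 && exit 0` before the build restores that behaviour, at the cost of never refreshing the image. The Dockerfile body between `cat > Dockerfile <` and `> /etc/zsh/zshrc` is missing from this rendering, so only its tail can be reviewed: `CMD bash -c 'su user'` starts the container as root and relies on `su` to drop to `user`, where a `USER user` instruction ahead of `CMD` would keep root out of the container's entry path altogether.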
diff --git a/security.nix b/security.nix
index 8b767ab..12a6d41 100644
--- a/security.nix
+++ b/security.nix
@@ -1,6 +1,9 @@
 { config, pkgs, ... }:
-{
+let
+ fhs = pkgs.writeShellScriptBin "fhs"
+ "${pkgs.docker}/bin/docker run -v /home/user:/home/user -e \"HOST_PWD=$PWD\" -it fhs";
+in {
 security.allowUserNamespaces = true;
 security.allowSimultaneousMultithreading = true;
 security.lockKernelModules = false;
@@ -41,10 +44,12 @@
 extraConfig = ''
 %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
 %wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox
+ %wheel ALL=(root) NOPASSWD: ${fhs}/bin/fhs
 '';
 };
 environment.systemPackages = with pkgs; [
+ (writeShellScriptBin "fhs" "sudo ${fhs}/bin/fhs")
 (writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")
 ];
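Review bot: The `docker run` in the new `fhs` script (first security.nix hunk) has no `--rm`, so every interactive `fhs` session leaves an exited container behind, and because docker.nix rebuilds the `fhs` image at each boot those leftovers keep superseded image layers pinned on disk; change the line to `"${pkgs.docker}/bin/docker run --rm -v /home/user:/home/user -e \"HOST_PWD=$PWD\" -it fhs";`. `HOST_PWD` is exported into the container, but nothing visible in the hunk sets the working directory from it, so the shell still starts in the image's default directory; if the intent is to land in the caller's directory, `-w \"$PWD\"` would do it for paths under the bind-mounted `/home/user`, though how the image consumes `HOST_PWD` is not visible here.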
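Review bot: The sudoers line added in the second security.nix hunk grants every `%wheel` member passwordless root execution of a `docker run` that bind-mounts `/home/user` into a container whose entry runs as root, which is a far broader grant than the `light` and `captive` entries next to it, and the hunk does not record that; a comment above the rule such as `# fhs: root-run docker with /home/user bind-mounted -- treat as root-equivalent for wheel` would keep the next reader from assuming it is similarly contained. Because the entry lists `${fhs}/bin/fhs` without an argument pattern, sudo accepts any arguments to it; the script ignores its arguments today, so this is harmless, but if the wrapper ever forwards them the entry should gain a trailing `""` to pin the argument list. The `sudo` wrapper in `systemPackages` and the `let`-bound script share the name `fhs`, which works because only the wrapper lands on `PATH`, but a distinct inner name would make the sudoers and journal entries easier to audit.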