Merge #284: Fix containers

2bfb4efbd8 make-container: fix usage comment (Erik Arvstedt) 3403795c86 tests: add example scripts (Erik Arvstedt) ff94985b8b tests: add test 'hardened' (Erik Arvstedt) c8e73c959e fix 'hardened' profile for NixOS 20.09 (Erik Arvstedt) 44b06aea5a extra-container: 0.5-pre -> 0.5 (Erik Arvstedt) a359cdfb66 generate-secrets: use pwgen (Erik Arvstedt) a5a2fc7274 make-container: fix renamed variable (Erik Arvstedt) Pull request description: ACKs for top commit: nixbitcoin: ACK 2bfb4efbd8 jonasnick: utACK 2bfb4efbd8 Tree-SHA512: 421b1fc5bf695d6815f060d129855ae0fecc06f7946ed8ac2bfe53895d7dc9529aad40099fc16844547791010232252f74b1ce32cbc9c6458e6d77f327450e94
2020-12-21 12:24:05 +00:00 · 2020-12-21 12:24:05 +00:00 · 7b32a78de2
commit 7b32a78de2
parent 4195541976 2bfb4efbd8
10 changed files with 54 additions and 20 deletions
--- a/pkgs/extra-container/default.nix
+++ b/pkgs/extra-container/default.nix
@ -4,11 +4,11 @@

 stdenv.mkDerivation rec {
  name = "extra-container-${version}";
-  version = "0.5-pre";
+  version = "0.5";

  src = builtins.fetchTarball {
    url = "https://github.com/erikarvstedt/extra-container/archive/${version}.tar.gz";
-    sha256 = "0gdy2dpqrdv7f4kyqz88j34x1p2fpav04kznv41hwqq88hmzap90";
+    sha256 = "12xqa11v583ajdv51g1833rxvrndmly9h4r62wc3llm8xs6k7ais";
  };

  buildCommand = ''
@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
    share=$out/share/extra-container
    install $src/eval-config.nix -Dt $share

-    # Use existing PATH for systemctl and machinectl (for nixos-container)
+    # Use existing PATH for systemctl and machinectl
    scriptPath="export PATH=${lib.makeBinPath [ nixos-container openssh ]}:\$PATH"

    sed -i \
--- a/pkgs/generate-secrets/default.nix
+++ b/pkgs/generate-secrets/default.nix
@ -10,6 +10,6 @@ let
  '';
 in
 writers.writeBash "generate-secrets" ''
-  export PATH=${lib.makeBinPath [ coreutils apg openssl gnugrep rpcauth ]}
+  export PATH=${lib.makeBinPath [ coreutils pwgen openssl gnugrep rpcauth ]}
  . ${./generate-secrets.sh} ${./openssl.cnf}
 ''
--- a/pkgs/generate-secrets/generate-secrets.sh
+++ b/pkgs/generate-secrets/generate-secrets.sh
@ -5,7 +5,8 @@ set -euo pipefail
 opensslConf=${1:-openssl.cnf}

 makePasswordSecret() {
-    [[ -e $1 ]] || apg -m 20 -x 20 -M Ncl -n 1 > "$1"
+    # Passwords have alphabet {a-z, A-Z, 0-9} and ~119 bits of entropy
+    [[ -e $1 ]] || pwgen -s 20 1 > "$1"
 }
 makeHMAC() {
    user=$1