From 4f3d45c0583f65aa064ddfb2c3c385d3a1ad414a Mon Sep 17 00:00:00 2001 From: Pogobanane Date: Sun, 10 Jul 2022 13:12:14 +0200 Subject: [PATCH] go files for darwin fixup --- default.nix | 3 +- pkgs/sops-install-secrets/darwin.go | 48 +++++++++++++++++++ pkgs/sops-install-secrets/default.nix | 2 +- pkgs/sops-install-secrets/linux.go | 69 +++++++++++++++++++++++++++ pkgs/sops-install-secrets/main.go | 55 +-------------------- 5 files changed, 121 insertions(+), 56 deletions(-) create mode 100644 pkgs/sops-install-secrets/darwin.go create mode 100644 pkgs/sops-install-secrets/linux.go diff --git a/default.nix b/default.nix index 6797d84..8809610 100644 --- a/default.nix +++ b/default.nix @@ -7,6 +7,7 @@ inherit vendorSha256; }; in rec { + inherit sops-install-secrets; sops-init-gpg-key = pkgs.callPackage ./pkgs/sops-init-gpg-key {}; sops-pgp-hook = pkgs.lib.warn '' sops-pgp-hook is deprecated, use sops-import-keys-hook instead. @@ -23,8 +24,6 @@ in rec { }; unit-tests = pkgs.callPackage ./pkgs/unit-tests.nix {}; } // (pkgs.lib.optionalAttrs pkgs.stdenv.isLinux { - inherit sops-install-secrets; - lint = pkgs.callPackage ./pkgs/lint.nix { inherit sops-install-secrets; }; diff --git a/pkgs/sops-install-secrets/darwin.go b/pkgs/sops-install-secrets/darwin.go new file mode 100644 index 0000000..af1ff35 --- /dev/null +++ b/pkgs/sops-install-secrets/darwin.go 
@@ -0,0 +1,48 @@
+//go:build darwin
+// +build darwin
+
+package main
+
+func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error {
+ //fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_PATH|unix.O_NOFOLLOW, 0)
+ //if err != nil {
+ // return fmt.Errorf("Failed to open %s: %w", symlinkToCheck, err)
+ //}
+ //defer unix.Close(fd)
+
+ //buf := make([]byte, len(expectedTarget)+1) // oversize by one to detect trunc
+ //n, err := unix.Readlinkat(fd, "", buf)
+ //if err != nil {
+ // return fmt.Errorf("couldn't readlinkat %s", symlinkToCheck)
+ //}
+ //if n > len(expectedTarget) || string(buf[:n]) != expectedTarget {
+ // return fmt.Errorf("symlink %s does not point to %s", symlinkToCheck, expectedTarget)
+ //}
+ //err = unix.Fchownat(fd, "", owner, group, unix.AT_EMPTY_PATH)
+ //if err != nil {
+ // return fmt.Errorf("cannot change owner of '%s' to %d/%d: %w", symlinkToCheck, owner, group, err)
+ //}
+ return nil
+}
+
+func MountSecretFs(mountpoint string, keysGid int) error {
+ //if err := os.MkdirAll(mountpoint, 0751); err != nil {
+ // return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
+ //}
+
+ //buf := unix.Statfs_t{}
+ //if err := unix.Statfs(mountpoint, &buf); err != nil {
+ // return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err)
+ //}
+ //if int32(buf.Type) != RAMFS_MAGIC {
+ // if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil {
+ // return fmt.Errorf("Cannot mount: %s", err)
+ // }
+ //}
+
+ //if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
+ // return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %w", mountpoint, keysGid, err)
+ //}
+
+ return nil
+}
diff --git a/pkgs/sops-install-secrets/default.nix b/pkgs/sops-install-secrets/default.nix
index 579d52a..cc79bef 100644
--- a/pkgs/sops-install-secrets/default.nix
+++ b/pkgs/sops-install-secrets/default.nix
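Review bot: `MountSecretFs` is declared here with two parameters, but the `MountSecretFs(manifest.SecretsMountPoint, keysGid, manifest.UserMode)` call that this same commit writes into main.go passes three, so the darwin build that default.nix now advertises should not compile; the darwin signature needs the same `userMode bool` parameter as linux.go, and linux.go's new `RuntimeDir()` has no darwin counterpart either, which will bite if main.go calls it (not visible in this diff). Beyond compiling, both stubs return nil with every check commented out: `SecureSymlinkChown` reports success without verifying the link target or changing its owner, so on darwin `symlinkSecret` in non-user mode would carry on believing the secret symlink is owned by `secret.owner`/`secret.group`, and `MountSecretFs` does not even create the mountpoint. A portable fallback is readlink plus `os.Lchown` for the link and MkdirAll plus chown for the directory, with a comment stating that darwin has no ramfs (secrets stay on the backing filesystem) and that the readlink/lchown pair is not atomic the way the Linux fd-based version is; this needs `fmt` and `os` imported in darwin.go. If silently degrading to the backing filesystem is not acceptable for this tool, return an explicit error from `MountSecretFs` instead of pretending the mount succeeded.

```go
func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error {
	// No O_PATH/AT_EMPTY_PATH on darwin: verify the link target, then chown the
	// link itself without following it. Unlike the Linux fd-based version this
	// is two separate path lookups, so the check is not atomic.
	target, err := os.Readlink(symlinkToCheck)
	if err != nil {
		return fmt.Errorf("couldn't readlink %s: %w", symlinkToCheck, err)
	}
	if target != expectedTarget {
		return fmt.Errorf("symlink %s does not point to %s", symlinkToCheck, expectedTarget)
	}
	if err := os.Lchown(symlinkToCheck, owner, group); err != nil {
		return fmt.Errorf("cannot change owner of '%s' to %d/%d: %w", symlinkToCheck, owner, group, err)
	}
	return nil
}

func MountSecretFs(mountpoint string, keysGid int, userMode bool) error {
	if err := os.MkdirAll(mountpoint, 0751); err != nil {
		return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
	}
	if userMode {
		return nil
	}
	// darwin has no ramfs; secrets remain on the backing filesystem.
	if err := os.Chown(mountpoint, 0, keysGid); err != nil {
		return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %w", mountpoint, keysGid, err)
	}
	return nil
}
```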
@@ -33,6 +33,6 @@ buildGoModule {
 homepage = "https://github.com/Mic92/sops-nix";
 license = licenses.mit;
 maintainers = with maintainers; [ mic92 ];
- platforms = platforms.linux;
+ platforms = platforms.linux ++ platforms.darwin;
 };
 }
diff --git a/pkgs/sops-install-secrets/linux.go b/pkgs/sops-install-secrets/linux.go
new file mode 100644
index 0000000..35c760a
--- /dev/null
+++ b/pkgs/sops-install-secrets/linux.go
@@ -0,0 +1,69 @@ +//go:build linux +// +build linux + +package main + +import ( + "fmt" + "os" + + "golang.org/x/sys/unix" +) + +func RuntimeDir() (string, error) { + rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR") + if !ok { + return "", fmt.Errorf("$XDG_RUNTIME_DIR is not set!") + } + return rundir, nil +} + +func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error { + // fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_PATH|unix.O_NOFOLLOW, 0) + fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_PATH|unix.O_NOFOLLOW, 0) + if err != nil { + return fmt.Errorf("Failed to open %s: %w", symlinkToCheck, err) + } + defer unix.Close(fd) + + buf := make([]byte, len(expectedTarget)+1) // oversize by one to detect trunc + n, err := unix.Readlinkat(fd, "", buf) + if err != nil { + return fmt.Errorf("couldn't readlinkat %s", symlinkToCheck) + } + if n > len(expectedTarget) || string(buf[:n]) != expectedTarget { + return fmt.Errorf("symlink %s does not point to %s", symlinkToCheck, expectedTarget) + } + err = unix.Fchownat(fd, "", owner, group, unix.AT_EMPTY_PATH) + if err != nil { + return fmt.Errorf("cannot change owner of '%s' to %d/%d: %w", symlinkToCheck, owner, group, err) + } + return nil +} + +func MountSecretFs(mountpoint string, keysGid int, userMode bool) error { + if err := os.MkdirAll(mountpoint, 0751); err != nil { + return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err) + } + + // We can't create a ramfs as user + if userMode { + return nil + } + + buf := unix.Statfs_t{} + if err := unix.Statfs(mountpoint, &buf); err != nil { + return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err) + } + if int32(buf.Type) != RAMFS_MAGIC { + if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil { + return fmt.Errorf("Cannot mount: %s", err) + } + } + + if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil { + return fmt.Errorf("Cannot 
change owner/group of '%s' to 0/%d: %w", mountpoint, keysGid, err) + } + + return nil +} diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go index aac9f65..b8b6908 100644 --- a/pkgs/sops-install-secrets/main.go +++ b/pkgs/sops-install-secrets/main.go @@ -1,5 +1,3 @@ -// +build linux - package main import ( @@ -133,28 +131,6 @@ type appContext struct { ignorePasswd bool } -func secureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error { - fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_PATH|unix.O_NOFOLLOW, 0) - if err != nil { - return fmt.Errorf("Failed to open %s: %w", symlinkToCheck, err) - } - defer unix.Close(fd) - - buf := make([]byte, len(expectedTarget)+1) // oversize by one to detect trunc - n, err := unix.Readlinkat(fd, "", buf) - if err != nil { - return fmt.Errorf("couldn't readlinkat %s", symlinkToCheck) - } - if n > len(expectedTarget) || string(buf[:n]) != expectedTarget { - return fmt.Errorf("symlink %s does not point to %s", symlinkToCheck, expectedTarget) - } - err = unix.Fchownat(fd, "", owner, group, unix.AT_EMPTY_PATH) - if err != nil { - return fmt.Errorf("cannot change owner of '%s' to %d/%d: %w", symlinkToCheck, owner, group, err) - } - return nil -} - func readManifest(path string) (*manifest, error) { file, err := os.Open(path) if err != nil { @@ -188,7 +164,7 @@ func symlinkSecret(targetFile string, secret *secret, userMode bool) error { return fmt.Errorf("Cannot create symlink '%s': %w", secret.Path, err) } if !userMode { - if err := secureSymlinkChown(secret.Path, targetFile, secret.owner, secret.group); err != nil { + if err := SecureSymlinkChown(secret.Path, targetFile, secret.owner, secret.group); err != nil { return fmt.Errorf("Cannot chown symlink '%s': %w", secret.Path, err) } } 
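Review bot: `SecureSymlinkChown` in linux.go carries a commented-out copy of the `unix.Open` call directly above the live one (`// fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_PATH|unix.O_NOFOLLOW, 0)`), dead text that should be dropped now that the function has been moved into its own file. The readlinkat failure path also discards the underlying error — `return fmt.Errorf("couldn't readlinkat %s", symlinkToCheck)` — and should wrap it like the neighbouring paths do: `return fmt.Errorf("couldn't readlinkat %s: %w", symlinkToCheck, err)`. `RuntimeDir` is new here and simply trusts `$XDG_RUNTIME_DIR`; that is reasonable for a user-mode install, but a doc comment such as `// RuntimeDir returns $XDG_RUNTIME_DIR, the per-user directory secrets are installed under in user mode.` would make the intended scope explicit, and the error text would follow Go convention as `"$XDG_RUNTIME_DIR is not set"` without the trailing exclamation mark.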
@@ -331,33 +307,6 @@ func decryptSecrets(secrets []secret) error { const RAMFS_MAGIC int32 = -2054924042 -func mountSecretFs(mountpoint string, keysGid int, userMode bool) error { - if err := os.MkdirAll(mountpoint, 0751); err != nil { - return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err) - } - - // We can't create a ramfs as user - if userMode { - return nil - } - - buf := unix.Statfs_t{} - if err := unix.Statfs(mountpoint, &buf); err != nil { - return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err) - } - if int32(buf.Type) != RAMFS_MAGIC { - if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil { - return fmt.Errorf("Cannot mount: %s", err) - } - } - - if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil { - return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %w", mountpoint, keysGid, err) - } - - return nil -} - func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int, userMode bool) (*string, error) { var generation uint64 linkTarget, err := os.Readlink(linkName) @@ -973,7 +922,7 @@ func installSecrets(args []string) error { isDry := os.Getenv("NIXOS_ACTION") == "dry-activate" - if err := mountSecretFs(manifest.SecretsMountPoint, keysGid, manifest.UserMode); err != nil { + if err := MountSecretFs(manifest.SecretsMountPoint, keysGid, manifest.UserMode); err != nil { return fmt.Errorf("Failed to mount filesystem for secrets: %w", err) }