BUG: `rm: refusing to remove '.' or '..' directory: skipping '/run/scalpel/.`

[kai-tub]

Hey, thank you very much for providing a way to customize configuration files that require some sops-managed passwords!
This is exactly what I've been looking for! ❤️
Though, I am having some issues and am relatively new to NixOS so sorry for not being able to provide a minimal example.

1. When I execute the container there is no issue
2. But when I call it via my flake configuration, I get the following issues:

rm: refusing to remove '.' or '..' directory: skipping '/run/scalpel/.`
rm: refusing to remove '.' or '..' directory: skipping '/run/scalpel/..`
Activation script snippet 'scalpelCreateStore' failed (1)

Looking at the code, the issue seems to come from

scalpel/modules/scalpel/default.nix

Lines 113 to 124 in 16c2103

	config = mkIf (cfg.trafos != { }) {
	system.activationScripts.scalpelCreateStore = {
	text = ''
	echo "[scalpel] Ensuring existance of ${cfg.secretsDir}"
	mkdir -p ${cfg.secretsDir}
	grep -q "${cfg.secretsDir} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsDir}" -o nodev,nosuid,mode=0751
	echo "[scalpel] Clearing old secrets from ${cfg.secretsDir}"
	rm -rf ${cfg.secretsDir}/{*,.*}
	'';
	deps = [ "specialfs" ];
	};

Where the shell is safeguarding recursively deleting . and ..

I've cloned this repository and changed it to:

system.activationScripts.scalpelCreateStore = { 
       text = '' 
         echo "[scalpel] Ensuring existance of ${cfg.secretsDir}" 
         mkdir -p ${cfg.secretsDir} 
         grep -q "${cfg.secretsDir} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsDir}" -o nodev,nosuid,mode=0751 
  
         echo "[scalpel] Clearing old secrets from ${cfg.secretsDir}" 
         find . -name . -o -prune -exec rm -rf -- {} +
       ''; 
       deps = [ "specialfs" ]; 
     }; 

With inspiration from: https://unix.stackexchange.com/a/77313

Which allowed me to run the flake without any issues. :)
I would be happy to open a PR if you think this change would fix it.

[ThinkChaos]

I don't use scalpel, but don't use this as is, it'll nuke your system!

The find command should be: find '${cfg.secretsDir}' -name . -o -prune -exec rm -rf -- {} +
Which I think is equivalent to: rm -rf "$(ls --almost-all '${cfg.secretsDir}')"

[ahbnr]

I don't use scalpel, but don't use this as is, it'll nuke your system!

to be clear, I think this is only the case for the code suggested at the top of this issue and the fork automatically linked above by GitHub which we discussed here: ndarwincorn@6ab08ad#commitcomment-95094918

But be careful in any case

[polygon]

Sorry, I must have missed this when it was posted. I'll have a look at it. Thanks for the contribution.

[kai-tub]

Wow, yeah that is a pretty bad mistake I made 😰
Sorry for that!