sshd: client role inherits searchDomains from all servers

The client role now automatically collects and merges searchDomains from
ALL servers in the instance when not explicitly configured. This eliminates
redundant configuration and ensures clients trust certificates from all
servers.

Also uses lib.mkIf with .exists check to safely handle the openssh-cert
generator access, checking searchDomains first to enable lazy evaluation.
This commit is contained in:
Jörg Thalheim
2025-10-14 11:12:25 +01:00
parent 4566ad9789
commit 37da9fb3e4


@@ -29,7 +29,7 @@
}; };
perInstance = perInstance =
{ settings, ... }: { settings, roles, ... }:
{ {
nixosModule = nixosModule =
{ {
@@ -38,8 +38,19 @@
pkgs, pkgs,
... ...
}: }:
let
uniqueStrings = list: builtins.attrNames (builtins.groupBy lib.id list);
# Collect searchDomains from all servers in this instance
allServerSearchDomains = lib.flatten (
lib.mapAttrsToList (_name: machineConfig: machineConfig.settings.certificate.searchDomains or [ ]) (
roles.server.machines or { }
)
);
# Merge client's searchDomains with all servers' searchDomains
searchDomains = uniqueStrings (settings.certificate.searchDomains ++ allServerSearchDomains);
in
{ {
clan.core.vars.generators.openssh-ca = lib.mkIf (settings.certificate.searchDomains != [ ]) { clan.core.vars.generators.openssh-ca = lib.mkIf (searchDomains != [ ]) {
share = true; share = true;
files.id_ed25519.deploy = false; files.id_ed25519.deploy = false;
files."id_ed25519.pub" = { files."id_ed25519.pub" = {
@@ -54,9 +65,9 @@
''; '';
}; };
programs.ssh.knownHosts.ssh-ca = lib.mkIf (settings.certificate.searchDomains != [ ]) { programs.ssh.knownHosts.ssh-ca = lib.mkIf (searchDomains != [ ]) {
certAuthority = true; certAuthority = true;
extraHostNames = builtins.map (domain: "*.${domain}") settings.certificate.searchDomains; extraHostNames = builtins.map (domain: "*.${domain}") searchDomains;
publicKey = config.clan.core.vars.generators.openssh-ca.files."id_ed25519.pub".value; publicKey = config.clan.core.vars.generators.openssh-ca.files."id_ed25519.pub".value;
}; };
}; };
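Review bot: The merged `searchDomains` value widens every client's `@cert-authority` trust to `*.<domain>` for each domain any server in the instance declares, so one server's `certificate.searchDomains` entry now changes the trusted host pattern of all clients, and the comment above `allServerSearchDomains` only says the domains are "collected", not that they become trust anchors; I would state that there, e.g. `# Each domain listed here becomes a "*.<domain>" cert-authority pattern in every client's known_hosts, so a single server's searchDomains entry widens the trust of all clients in this instance.` Two smaller points in the same `let`: the server side is guarded with `or [ ]` while the client side reads `settings.certificate.searchDomains` unguarded, so if that option can be absent on a client the `++` fails — guard both or neither; and `uniqueStrings` returns the sorted `attrNames` of `groupBy`, so `extraHostNames` is now emitted in sorted rather than declared order, harmless but worth a one-line comment. The commit message mentions an `.exists` check on the `openssh-cert` generator, but no such check appears in the visible hunks, so the message may describe a hunk not shown here. The enclosing `nixosModule` attribute set starts in the first hunk and ends past the last line shown.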