Merge pull request 'sshd: add invalidation hash for certificates' (#2652) from sshd into main
Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/2652
@@ -7,10 +7,12 @@
|
||||
let
|
||||
stringSet = list: builtins.attrNames (builtins.groupBy lib.id list);
|
||||
|
||||
domains = stringSet config.clan.sshd.certificate.searchDomains;
|
||||
|
||||
signArgs = builtins.concatStringsSep " " (
|
||||
builtins.map (domain: "-n ${lib.escapeShellArg "${config.clan.core.machineName}.${domain}"}") (
|
||||
stringSet config.clan.sshd.certificate.searchDomains
|
||||
)
|
||||
builtins.map (
|
||||
domain: "-n ${lib.escapeShellArg "${config.clan.core.machineName}.${domain}"}"
|
||||
) domains
|
||||
);
|
||||
cfg = config.clan.sshd;
|
||||
in
|
||||
@@ -51,6 +53,10 @@ in
|
||||
"openssh"
|
||||
"openssh-ca"
|
||||
];
|
||||
validation = {
|
||||
name = config.clan.core.machineName;
|
||||
domains = lib.genAttrs config.clan.sshd.certificate.searchDomains lib.id;
|
||||
};
|
||||
runtimeInputs = [
|
||||
pkgs.openssh
|
||||
pkgs.jq
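Review bot: The new `validation.domains` rebuilds the domain set from the raw `config.clan.sshd.certificate.searchDomains` list, while the first hunk introduced `domains` (deduplicated through `stringSet`) for exactly that list and uses it for `signArgs`; deriving both from the same binding, `domains = lib.genAttrs domains lib.id;`, keeps the invalidation set and the signed principals from drifting apart if one of them is edited later. The result is the same today because attribute names deduplicate anyway, so this is a consistency point rather than a bug. The validation set covers only the machine name and the domains; whether a change of the signing CA (the `openssh-ca` dependency visible in the context lines) also forces regeneration is not visible here and is presumably handled by the dependency mechanism, which is worth confirming since a certificate signed by a rotated CA would otherwise stay in place. Both the `let` block and the generator attrset extend beyond these hunks.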
|
||||
|
||||
@@ -79,22 +79,27 @@ in
|
||||
description = ''
|
||||
A set of values that invalidate the generated values.
|
||||
If any of these values change, the generated values will be re-generated.
|
||||
Lists are not allowed as of now due to potential ordering issues
|
||||
'';
|
||||
default = null;
|
||||
type =
|
||||
let
|
||||
data = nullOr (oneOf [
|
||||
# This is more restrictive than json without lists, but currently
|
||||
# if a value contains a list, we get an infinite recursion which
|
||||
# is hard to understand.
|
||||
type = nullOr (oneOf [
|
||||
bool
|
||||
int
|
||||
str
|
||||
(attrsOf (oneOf [
|
||||
bool
|
||||
int
|
||||
str
|
||||
(attrsOf (oneOf [
|
||||
bool
|
||||
int
|
||||
str
|
||||
(attrsOf data)
|
||||
# lists are not allowed as of now due to potential ordering issues
|
||||
]);
|
||||
in
|
||||
data
|
||||
// {
|
||||
description = "JSON compatible data structure";
|
||||
};
|
||||
]))
|
||||
]))
|
||||
]);
|
||||
};
|
||||
# the validationHash is the validation interface to the outside world
|
||||
validationHash = lib.mkOption {
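Review bot: The `description = "JSON compatible data structure"` attached to the new recursive `data` type overstates what it accepts: lists are deliberately excluded and the value may be null, so the generated option documentation should say so, e.g. `description = "JSON compatible data structure without lists";`. The reason for the exclusion is what makes this type matter: these values presumably feed `validationHash`, and attribute names serialize in a stable sorted order whereas list order does not, so restricting to attrs/bool/int/str keeps the hash deterministic; the `# lists are not allowed as of now due to potential ordering issues` comment would be more useful on the `data =` line with that reason spelled out. The older comment explaining that a list value caused an infinite recursion in the type check is dropped by this change, and whether the recursive `attrsOf data` definition still has that failure mode is not visible here, so confirm it with a quick evaluation of a list-valued `validation` before relying on a friendlier error. The surrounding `lib.mkOption` body continues outside the hunk.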
|
||||
|
||||
@@ -46,14 +46,20 @@ def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[s
|
||||
],
|
||||
[
|
||||
"bwrap",
|
||||
"--unshare-all",
|
||||
"--tmpfs", "/",
|
||||
"--ro-bind", "/nix/store", "/nix/store",
|
||||
"--tmpfs", "/usr/lib/systemd",
|
||||
"--dev", "/dev",
|
||||
# not allowed to bind procfs in some sandboxes
|
||||
"--bind", str(facts_dir), str(facts_dir),
|
||||
"--bind", str(secrets_dir), str(secrets_dir),
|
||||
"--unshare-all",
|
||||
"--unshare-user",
|
||||
"--chdir", "/",
|
||||
# Doesn't work in our CI?
|
||||
#"--proc", "/proc",
|
||||
#"--hostname", "facts",
|
||||
"--bind", "/proc", "/proc",
|
||||
"--uid", "1000",
|
||||
"--gid", "1000",
|
||||
"--",
|
||||
"bash", "-c", generator
|
||||
],
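Review bot: `"--bind", "/proc", "/proc"` mounts the host's procfs into the sandbox instead of a fresh one (`--proc` is left commented out), so despite `--unshare-all` the generator can still enumerate host processes and read whatever `/proc` entries its uid is permitted to; the `# not allowed to bind procfs in some sandboxes` comment sits far from that line and does not state this trade-off. I would move and reword it next to the bind: `# "--proc" (a fresh procfs) is refused inside some outer sandboxes (CI), so the host /proc is bind-mounted instead; this exposes host process information to the generator and weakens the pid isolation that --unshare-all provides`. `--unshare-all` is also passed twice (before `--tmpfs` and again before `--unshare-user`, which it already implies), so the second occurrence and `--unshare-user` can be dropped. The same applies to the second `bubblewrap_cmd` hunk (the `tmpdir` variant at `@@ -88,14 +88,20 @@`). `bubblewrap_cmd` starts before the hunk and its argument list continues after it.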
|
||||
|
||||
@@ -88,14 +88,20 @@ def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]:
|
||||
],
|
||||
[
|
||||
"bwrap",
|
||||
"--unshare-all",
|
||||
"--tmpfs", "/",
|
||||
"--ro-bind", "/nix/store", "/nix/store",
|
||||
*(["--ro-bind", str(test_store), str(test_store)] if test_store else []),
|
||||
"--tmpfs", "/usr/lib/systemd",
|
||||
"--dev", "/dev",
|
||||
# not allowed to bind procfs in some sandboxes
|
||||
"--bind", str(tmpdir), str(tmpdir),
|
||||
"--unshare-all",
|
||||
"--unshare-user",
|
||||
"--chdir", "/",
|
||||
# Doesn't work in our CI?
|
||||
#"--proc", "/proc",
|
||||
#"--hostname", "facts",
|
||||
"--bind", "/proc", "/proc",
|
||||
"--uid", "1000",
|
||||
"--gid", "1000",
|
||||
"--",
|
||||
"bash", "-c", generator
|
||||
],
|
||||
|
||||