diff --git a/clanModules/sshd/roles/server.nix b/clanModules/sshd/roles/server.nix
index 6edf9c43c..c66e21acd 100644
--- a/clanModules/sshd/roles/server.nix
+++ b/clanModules/sshd/roles/server.nix
@@ -7,10 +7,12 @@ let stringSet = list: builtins.attrNames (builtins.groupBy lib.id list); + domains = stringSet config.clan.sshd.certificate.searchDomains; + signArgs = builtins.concatStringsSep " " ( - builtins.map (domain: "-n ${lib.escapeShellArg "${config.clan.core.machineName}.${domain}"}") ( - stringSet config.clan.sshd.certificate.searchDomains - ) + builtins.map ( + domain: "-n ${lib.escapeShellArg "${config.clan.core.machineName}.${domain}"}" + ) domains ); cfg = config.clan.sshd; in
@@ -51,6 +53,10 @@ in "openssh" "openssh-ca" ]; + validation = { + name = config.clan.core.machineName; + domains = lib.genAttrs config.clan.sshd.certificate.searchDomains lib.id; + }; runtimeInputs = [ pkgs.openssh pkgs.jq
diff --git a/nixosModules/clanCore/vars/interface.nix b/nixosModules/clanCore/vars/interface.nix
index 77a60b2f0..27208e308 100644
--- a/nixosModules/clanCore/vars/interface.nix
+++ b/nixosModules/clanCore/vars/interface.nix
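Review bot: The `validation` set added in the second hunk re-reads `config.clan.sshd.certificate.searchDomains` instead of the `domains` binding the first hunk introduces, so two spellings of the same input now have to be kept in sync by hand. `stringSet` deduplicates and `lib.genAttrs` collapses duplicate names, so the resulting hash is the same either way, but `domains = lib.genAttrs domains lib.id;` makes the dependency explicit. Whether the CA key the host certificate is signed with also feeds into this validation set cannot be seen from here; if it does not, rotating the CA would leave a stale certificate in place until `name` or the domains change, which deserves a one-line comment at the `validation` attribute either way.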
@@ -79,22 +79,27 @@ in description = '' A set of values that invalidate the generated values. If any of these values change, the generated values will be re-generated. + Lists are not allowed as of now due to potential ordering issues ''; default = null; - type = - let - data = nullOr (oneOf [ + # This is more restrictive than json without lists, but currently + # if a value contains a list, we get an infinite recursion which + # is hard to understand. + type = nullOr (oneOf [ + bool + int + str + (attrsOf (oneOf [ + bool + int + str + (attrsOf (oneOf [ bool int str - (attrsOf data) - # lists are not allowed as of now due to potential ordering issues - ]); - in - data - // { - description = "JSON compatible data structure"; - }; + ])) + ])) + ]); }; # the validationHash is the validation interface to the outside world validationHash = lib.mkOption {
diff --git a/pkgs/clan-cli/clan_cli/facts/generate.py b/pkgs/clan-cli/clan_cli/facts/generate.py
index 39eaa258c..d82855623 100644
--- a/pkgs/clan-cli/clan_cli/facts/generate.py
+++ b/pkgs/clan-cli/clan_cli/facts/generate.py
@@ -46,14 +46,20 @@ def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[s ], [ "bwrap", + "--unshare-all", + "--tmpfs", "/", "--ro-bind", "/nix/store", "/nix/store", - "--tmpfs", "/usr/lib/systemd", "--dev", "/dev", + # not allowed to bind procfs in some sandboxes "--bind", str(facts_dir), str(facts_dir), "--bind", str(secrets_dir), str(secrets_dir), - "--unshare-all", - "--unshare-user", + "--chdir", "/", + # Doesn't work in our CI? + #"--proc", "/proc", + #"--hostname", "facts", + "--bind", "/proc", "/proc", "--uid", "1000", + "--gid", "1000", "--", "bash", "-c", generator ],
diff --git a/pkgs/clan-cli/clan_cli/vars/generate.py b/pkgs/clan-cli/clan_cli/vars/generate.py
index 7a4576637..bad8478c1 100644
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
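Review bot: The new explicit type silently caps nesting at three attribute-set levels, but the option description does not say so, so a deeper value fails with a generic type error at the innermost `oneOf` and nothing tells the user why. Add to the description: `Nested attribute sets are supported up to three levels deep.` The old `description = "JSON compatible data structure"` attached to the type is dropped together with the recursive `data` binding; if the rendered option docs relied on it, the same text belongs on the new `nullOr (oneOf [ ... ])`, wrapped as before. The added comment could also state the depth limit itself rather than only the reason the recursive form was abandoned.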
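Review bot: `"--bind", "/proc", "/proc"` mounts the host's procfs into a sandbox that `--unshare-all` has already placed in its own PID namespace, so the generator can read the host process table (world-readable entries such as `/proc/<pid>/cmdline` and `/proc/<pid>/status`) rather than only its own processes; the commented-out `"--proc", "/proc"` is the form that stays scoped to the sandbox. The comment `# not allowed to bind procfs in some sandboxes` sits above the `facts_dir` bind instead of the `/proc` lines, and `# Doesn't work in our CI?` leaves the reason open, so if the CI restriction is real it should be recorded as `# TODO: switch back to --proc /proc; the CI sandbox currently rejects a fresh procfs mount, so the host view is bound instead` on the `--bind /proc` line. Dropping `--unshare-user` is fine, since `--unshare-all` already covers it. The identical argument list, including the stale comments, is repeated in pkgs/clan-cli/clan_cli/vars/generate.py below. bubblewrap_cmd's body starts outside the hunk.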
@@ -88,14 +88,20 @@ def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]: ], [ "bwrap", + "--unshare-all", + "--tmpfs", "/", "--ro-bind", "/nix/store", "/nix/store", *(["--ro-bind", str(test_store), str(test_store)] if test_store else []), - "--tmpfs", "/usr/lib/systemd", "--dev", "/dev", + # not allowed to bind procfs in some sandboxes "--bind", str(tmpdir), str(tmpdir), - "--unshare-all", - "--unshare-user", + "--chdir", "/", + # Doesn't work in our CI? + #"--proc", "/proc", + #"--hostname", "facts", + "--bind", "/proc", "/proc", "--uid", "1000", + "--gid", "1000", "--", "bash", "-c", generator ],
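Review bot: `#"--hostname", "facts"` is copied verbatim from the facts generator; the name is presumably wrong for the vars sandbox, and a commented-out line whose value is already stale should be corrected or dropped before anyone re-enables it. This hunk and the one in pkgs/clan-cli/clan_cli/facts/generate.py now carry the same bubblewrap argument list and differ only in which `--bind` pairs they add, so a shared helper that takes the list of bind pairs and emits the common `--unshare-all`/`--tmpfs`/`--ro-bind /nix/store`/`--dev`/`--chdir`/`--uid`/`--gid` prefix would keep the two sandbox policies from drifting apart. bubblewrap_cmd's body starts outside the hunk.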