Merge pull request 'sshd: add invalidation hash for certificates' (#2652) from sshd into main

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/2652
This commit is contained in:
Mic92
2024-12-25 19:21:51 +00:00
4 changed files with 43 additions and 20 deletions


@@ -7,10 +7,12 @@
let let
stringSet = list: builtins.attrNames (builtins.groupBy lib.id list); stringSet = list: builtins.attrNames (builtins.groupBy lib.id list);
domains = stringSet config.clan.sshd.certificate.searchDomains;
signArgs = builtins.concatStringsSep " " ( signArgs = builtins.concatStringsSep " " (
builtins.map (domain: "-n ${lib.escapeShellArg "${config.clan.core.machineName}.${domain}"}") ( builtins.map (
stringSet config.clan.sshd.certificate.searchDomains domain: "-n ${lib.escapeShellArg "${config.clan.core.machineName}.${domain}"}"
) ) domains
); );
cfg = config.clan.sshd; cfg = config.clan.sshd;
in in
@@ -51,6 +53,10 @@ in
"openssh" "openssh"
"openssh-ca" "openssh-ca"
]; ];
validation = {
name = config.clan.core.machineName;
domains = lib.genAttrs config.clan.sshd.certificate.searchDomains lib.id;
};
runtimeInputs = [ runtimeInputs = [
pkgs.openssh pkgs.openssh
pkgs.jq pkgs.jq
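Review bot: The new `validation` set rebuilds the domain list straight from `config.clan.sshd.certificate.searchDomains`, while the `let` block in the first hunk already binds the deduplicated `domains` for the same purpose; `domains = lib.genAttrs domains lib.id;` would keep the hash input and the `-n` principals derived from one value. The hash covers only the machine name and search domains, so rotating the CA behind the `openssh-ca` dependency will not by itself invalidate an existing certificate unless the dependency mechanism already triggers regeneration — worth confirming, or stating in a comment such as `# CA rotation is handled via the openssh-ca dependency, not via this hash`. The enclosing generator attribute set starts and ends outside this hunk.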


@@ -79,22 +79,27 @@ in
description = '' description = ''
A set of values that invalidate the generated values. A set of values that invalidate the generated values.
If any of these values change, the generated values will be re-generated. If any of these values change, the generated values will be re-generated.
Lists are not allowed as of now due to potential ordering issues
''; '';
default = null; default = null;
type = # This is more restrictive than json without lists, but currently
let # if a value contains a list, we get an infinite recursion which
data = nullOr (oneOf [ # is hard to understand.
type = nullOr (oneOf [
bool
int
str
(attrsOf (oneOf [
bool
int
str
(attrsOf (oneOf [
bool bool
int int
str str
(attrsOf data) ]))
# lists are not allowed as of now due to potential ordering issues ]))
]); ]);
in
data
// {
description = "JSON compatible data structure";
};
}; };
# the validationHash is the validation interface to the outside world # the validationHash is the validation interface to the outside world
validationHash = lib.mkOption { validationHash = lib.mkOption {
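Review bot: The option description still only says that lists are disallowed, but the replacement type also accepts just `bool`, `int` and `str` leaves and caps nesting at three levels of attribute sets, so a float or a four-level-deep `validation` value fails the module type check with no hint of the actual constraint. Suggest extending the description with `Allowed leaf values are bool, int and str; attribute sets may be nested at most three levels deep.` The in-code comment about the infinite recursion explains the shape of the type well, but that reasoning is invisible to users reading the generated option docs. The `mkOption` call this description belongs to begins before the hunk.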


@@ -46,14 +46,20 @@ def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[s
], ],
[ [
"bwrap", "bwrap",
"--unshare-all",
"--tmpfs", "/",
"--ro-bind", "/nix/store", "/nix/store", "--ro-bind", "/nix/store", "/nix/store",
"--tmpfs", "/usr/lib/systemd",
"--dev", "/dev", "--dev", "/dev",
# not allowed to bind procfs in some sandboxes
"--bind", str(facts_dir), str(facts_dir), "--bind", str(facts_dir), str(facts_dir),
"--bind", str(secrets_dir), str(secrets_dir), "--bind", str(secrets_dir), str(secrets_dir),
"--unshare-all", "--chdir", "/",
"--unshare-user", # Doesn't work in our CI?
#"--proc", "/proc",
#"--hostname", "facts",
"--bind", "/proc", "/proc",
"--uid", "1000", "--uid", "1000",
"--gid", "1000",
"--", "--",
"bash", "-c", generator "bash", "-c", generator
], ],
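Review bot: The new `"--bind", "/proc", "/proc"` mounts the host's procfs read-write into the sandbox even though `--unshare-all` gives the generator its own PID namespace, which exposes host process information and `/proc/sys` to generator code that only needs a minimal `/proc`; `"--ro-bind", "/proc", "/proc",` limits the damage where `--proc` is unavailable, and the commented-out `--proc` should be tried first. The explanatory comment `# not allowed to bind procfs in some sandboxes` sits above the `facts_dir` bind rather than next to the `/proc` lines it refers to, so it reads as applying to the wrong mount — move it down to sit directly above the `/proc` bind. Consider also `--die-with-parent` so a hung generator does not outlive the CLI; this is inferred from bwrap's documented options, not from anything visible here. The `bubblewrap_cmd` function body starts and ends outside this hunk.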


@@ -88,14 +88,20 @@ def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]:
], ],
[ [
"bwrap", "bwrap",
"--unshare-all",
"--tmpfs", "/",
"--ro-bind", "/nix/store", "/nix/store", "--ro-bind", "/nix/store", "/nix/store",
*(["--ro-bind", str(test_store), str(test_store)] if test_store else []), *(["--ro-bind", str(test_store), str(test_store)] if test_store else []),
"--tmpfs", "/usr/lib/systemd",
"--dev", "/dev", "--dev", "/dev",
# not allowed to bind procfs in some sandboxes
"--bind", str(tmpdir), str(tmpdir), "--bind", str(tmpdir), str(tmpdir),
"--unshare-all", "--chdir", "/",
"--unshare-user", # Doesn't work in our CI?
#"--proc", "/proc",
#"--hostname", "facts",
"--bind", "/proc", "/proc",
"--uid", "1000", "--uid", "1000",
"--gid", "1000",
"--", "--",
"bash", "-c", generator "bash", "-c", generator
], ],
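Review bot: This `bubblewrap_cmd` duplicates the sandbox argument list of the facts variant nearly verbatim, so the two sandbox policies will drift the moment one is hardened (as this commit already does for the `--proc` comments); a shared helper returning the common bwrap prefix, taking the extra bind paths as a parameter, would keep the policy in one place. As in the facts version, `"--bind", "/proc", "/proc"` gives the generator a read-write view of the host's procfs despite the fresh PID namespace from `--unshare-all`; `"--ro-bind", "/proc", "/proc",` is the safer fallback when `--proc` cannot be used. The stray comment `# not allowed to bind procfs in some sandboxes` is attached to the `tmpdir` bind instead of the `/proc` lines and should move next to them. The function's signature and remaining body lie outside this hunk.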