diff --git a/flake.lock b/flake.lock
index 2fe9a1da2..7180b041f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "crane": {
 "locked": {
- "lastModified": 1730652660,
- "narHash": "sha256-+XVYfmVXAiYA0FZT7ijHf555dxCe+AoAT5A6RU+6vSo=",
+ "lastModified": 1736101677,
+ "narHash": "sha256-iKOPq86AOWCohuzxwFy/MtC8PcSVGnrxBOvxpjpzrAY=",
 "owner": "ipetkov",
 "repo": "crane",
- "rev": "a4ca93905455c07cb7e3aca95d4faf7601cba458",
+ "rev": "61ba163d85e5adeddc7b3a69bb174034965965b2",
 "type": "github"
 },
 "original": {
@@ -50,17 +50,17 @@
 ]
 },
 "locked": {
- "lastModified": 1731669088,
- "narHash": "sha256-D95Q0Q6fbrTOcvgwctBAvL23oZItoheXjQGXbBwYLWc=",
+ "lastModified": 1734007455,
+ "narHash": "sha256-sNKlhoaGdOdDD+nxXkWJgV8pdwAiqiHZxiP2bH4jdyE=",
 "owner": "tiiuae",
 "repo": "ghaf-ctrl-panel",
- "rev": "5ca381ba51c05cf370299056f6e377cd6003283f",
+ "rev": "ef4b843c975030a8156390e3aa6f5536da0ad5c9",
 "type": "github"
 },
 "original": {
 "owner": "tiiuae",
 "repo": "ghaf-ctrl-panel",
- "rev": "5ca381ba51c05cf370299056f6e377cd6003283f",
+ "rev": "ef4b843c975030a8156390e3aa6f5536da0ad5c9",
 "type": "github"
 }
 },
@@ -294,17 +294,17 @@
 ]
 },
 "locked": {
- "lastModified": 1732205024,
- "narHash": "sha256-EabYKJfE0sX7NcXW6c2QIjJNR/CVIzFLyu2A8EPONUE=",
+ "lastModified": 1736514572,
+ "narHash": "sha256-Ma/Df1nHIgMkd2NPZRkpVVDqeKPEQuEUD+wCEP4Asco=",
 "owner": "tiiuae",
 "repo": "ghaf-givc",
- "rev": "63e19e1b61a669a21c1bdd0ae5a8e169b2f2d2f6",
+ "rev": "be9c368d935bd1b2bc61b89df8dbf62c3b5d8395",
 "type": "github"
 },
 "original": {
 "owner": "tiiuae",
 "repo": "ghaf-givc",
- "rev": "63e19e1b61a669a21c1bdd0ae5a8e169b2f2d2f6",
+ "rev": "be9c368d935bd1b2bc61b89df8dbf62c3b5d8395",
 "type": "github"
 }
 },
diff --git a/flake.nix b/flake.nix
index 952a5a684..df6cc903e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -144,7 +144,7 @@ }; givc = { - url = "github:tiiuae/ghaf-givc/63e19e1b61a669a21c1bdd0ae5a8e169b2f2d2f6"; + url = "github:tiiuae/ghaf-givc/be9c368d935bd1b2bc61b89df8dbf62c3b5d8395"; inputs = { nixpkgs.follows = "nixpkgs"; flake-parts.follows = "flake-parts"; @@ -156,7 +156,7 @@ }; ctrl-panel = { - url = "github:tiiuae/ghaf-ctrl-panel/5ca381ba51c05cf370299056f6e377cd6003283f"; + url = "github:tiiuae/ghaf-ctrl-panel/ef4b843c975030a8156390e3aa6f5536da0ad5c9"; inputs = { nixpkgs.follows = "nixpkgs"; flake-utils.follows = "flake-utils"; @@ -170,31 +170,38 @@ let lib = import ./lib.nix { inherit inputs; }; in - flake-parts.lib.mkFlake { inherit inputs; } { - # Toggle this to allow debugging in the repl - # see:https://flake.parts/debug - debug = false; - - systems = [ - "x86_64-linux" - "aarch64-linux" - # RISC-V is a target built from cross compilation and is not - # included as a host build possibility at this point - # Future HW permitting this can be re-evaluated - #"riscv64-linux" - ]; - - imports = [ - ./overlays/flake-module.nix - ./modules/flake-module.nix - ./nix/flake-module.nix - ./packages/flake-module.nix - ./targets/flake-module.nix - ./hydrajobs/flake-module.nix - ./templates/flake-module.nix - ./tests/flake-module.nix - ]; - - flake.lib = lib; - }; + flake-parts.lib.mkFlake + { + inherit inputs; + specialArgs = { + inherit lib; + }; + } + { + # Toggle this to allow debugging in the repl + # see:https://flake.parts/debug + debug = false; + + systems = [ + "x86_64-linux" + "aarch64-linux" + # RISC-V is a target built from cross compilation and is not + # included as a host build possibility at this point + # Future HW permitting this can be re-evaluated + #"riscv64-linux" + ]; + + imports = [ + ./overlays/flake-module.nix + ./modules/flake-module.nix + ./nix/flake-module.nix + ./packages/flake-module.nix + ./targets/flake-module.nix + ./hydrajobs/flake-module.nix + ./templates/flake-module.nix + ./tests/flake-module.nix + ]; + + flake.lib = lib; + }; } 
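Review bot: `specialArgs = { inherit lib; }` hands the result of `./lib.nix` to every flake-parts module as `lib`, shadowing the nixpkgs `lib` those modules would otherwise receive; unless `./lib.nix` is a superset of nixpkgs' lib (its contents are outside this diff), any module under `./modules`, `./packages` etc. that calls `lib.mkOption` or `lib.mkIf` breaks at evaluation. Previously `flake.lib = lib` only exported the value without changing what modules see. State the contract where it is imposed, e.g. `# ./lib.nix must extend nixpkgs lib: specialArgs makes it the lib argument of every flake-parts module`.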
diff --git a/modules/common/common.nix b/modules/common/common.nix index ac905a797..aabae3a19 100644 --- a/modules/common/common.nix +++ b/modules/common/common.nix @@ -3,7 +3,20 @@ # # TODO: Refactor even more. # This is the old "host/default.nix" file. -{ lib, ... }: +# +# ghaf.common: Interface to share ghaf configs from host to VMs +# +{ config, lib, ... }: +let + inherit (builtins) attrNames hasAttr; + inherit (lib) + mkOption + types + optionalAttrs + optionalString + attrsets + ; +in { imports = [ # TODO remove this when the minimal config is defined @@ -14,7 +27,49 @@ #(modulesPath + "/profiles/minimal.nix") ]; + options.ghaf = { + common = { + vms = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "List of VMs currently enabled."; + }; + systemHosts = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "List of system hosts currently enabled."; + }; + appHosts = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "List of app hosts currently enabled."; + }; + }; + type = mkOption { + description = "Type of the ghaf component. One of 'host', 'system-vm', or 'app-vm'."; + type = types.str; + }; + }; + config = { + + # Populate the shared namespace + ghaf = optionalAttrs (hasAttr "microvm" config) { + common = optionalAttrs (hasAttr "vms" config.microvm) { + vms = attrNames config.microvm.vms; + systemHosts = lib.lists.remove "" ( + lib.attrsets.mapAttrsToList ( + n: v: lib.optionalString (v.config.config.ghaf.type == "system-vm") n + ) config.microvm.vms + ); + appHosts = lib.lists.remove "" ( + lib.attrsets.mapAttrsToList ( + n: v: lib.optionalString (v.config.config.ghaf.type == "app-vm") n + ) config.microvm.vms + ); + }; + }; + system.stateVersion = lib.trivial.release; #### diff --git a/modules/common/networking/default.nix b/modules/common/networking/default.nix index d488e28fb..1aecb04ce 100644 --- a/modules/common/networking/default.nix 
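Review bot: `ghaf.type` is declared as `types.str` with no default, yet the two `mapAttrsToList` filters compare it against the exact literals `"system-vm"` and `"app-vm"`; a VM that misspells the value is silently dropped from `systemHosts`/`appHosts` (and so never gets an address in the hosts table), and a VM that never sets it fails evaluation with a generic 'option used but not defined'. Declaring it as `type = types.enum [ "host" "system-vm" "app-vm" ];` makes the description enforceable and turns both cases into a clear module error at the point of misconfiguration. The `optionalAttrs (hasAttr "microvm" config)` guard also means these lists are only ever populated on the host, which is intended but contradicts the header's 'share ghaf configs from host to VMs' unless a comment says the sharing happens through the VM modules reading the host's values.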
+++ b/modules/common/networking/default.nix @@ -1,3 +1,7 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ imports = [ ./hosts.nix ]; } +{ + imports = [ + ./hosts.nix + ]; +} diff --git a/modules/common/networking/hosts.nix b/modules/common/networking/hosts.nix index a8ad1c0d6..e7cb7f90f 100644 --- a/modules/common/networking/hosts.nix +++ b/modules/common/networking/hosts.nix @@ -2,17 +2,20 @@ # SPDX-License-Identifier: Apache-2.0 { config, lib, ... }: let - cfg = config.ghaf.networking.hosts; inherit (lib) foldr - mkIf mkOption - optionals recursiveUpdate + optionalString types + trivial + listToAttrs + nameValuePair ; - hostsEntrySubmodule = types.submodule { + # Internal network host entry + # TODO Add sockets + hostEntrySubmodule = types.submodule { options = { name = mkOption { type = types.str; 
@@ -20,92 +23,64 @@ let Host name as string. ''; }; - ip = mkOption { + mac = mkOption { type = types.str; description = '' - Host IPv4 address as string. + MAC address as string. + ''; + }; + ipv4 = mkOption { + type = types.str; + description = '' + IPv4 address as string. + ''; + }; + ipv6 = mkOption { + type = types.str; + description = '' + IPv6 address as string. ''; }; }; }; - # please note that .100. network is not - # reachable from ghaf-host. It's only reachable - # guest-to-guest. - # Use to .101. (debug) to access guests from host. - # debug network hosts are post-fixed: -debug - ipBase = "192.168.100"; - debugBase = "192.168.101"; - hostsEntries = [ - { - ip = 1; - name = "net-vm"; - } - { - ip = 2; - name = "ghaf-host"; - } - { - ip = 3; - name = "gui-vm"; - } - { - ip = 4; - name = "ids-vm"; - } - { - ip = 5; - name = "audio-vm"; - } - { - ip = 10; - name = "admin-vm"; - } - { - ip = 100; - name = "chrome-vm"; - } - { - ip = 101; - name = "gala-vm"; - } - { - ip = 102; - name = "zathura-vm"; - } - { - ip = 103; - name = "comms-vm"; - } - { - ip = 104; - name = "business-vm"; - } - ]; + # Re-order hosts to ensure net-vm is always first in list to reserve .1 + hostList = [ + "net-vm" + "ghaf-host" + ] ++ lib.lists.remove "net-vm" config.ghaf.common.systemHosts; - mkHostEntry = - { ip, name }: - { - name = "${name}"; - ip = "${ipBase}.${toString ip}"; - }; - mkHostEntryDebug = - { ip, name }: - { - name = "${name}-debug"; - ip = "${debugBase}.${toString ip}"; - }; - entries = - (map mkHostEntry hostsEntries) - ++ optionals config.ghaf.profiles.debug.enable (map mkHostEntryDebug hostsEntries); + # Address bases + macBaseAddress = "02:AD:00:00:00:"; + ipv4BaseAddress = "192.168.100."; + ipv6BaseAddress = "fd00::100:"; + + # Generate host entries + # TODO Add sockets + hosts = + lib.lists.imap1 (idx: name: { + inherit name; + mac = "${macBaseAddress}${optionalString (idx < 16) "0"}${trivial.toHexString idx}"; + ipv4 = "${ipv4BaseAddress}${toString idx}"; + 
ipv6 = "${ipv6BaseAddress}${toString idx}"; + }) hostList + ++ lib.lists.imap1 ( + index: name: + let + idx = index + 100; + in + { + inherit name; + mac = "${macBaseAddress}${optionalString (idx < 16) "0"}${trivial.toHexString idx}"; + ipv4 = "${ipv4BaseAddress}${toString idx}"; + ipv6 = "${ipv6BaseAddress}${toString idx}"; + } + ) config.ghaf.common.appHosts; in { - options.ghaf.networking.hosts = { - enable = (lib.mkEnableOption "Ghaf hosts entries") // { - default = true; - }; - entries = mkOption { - type = types.listOf hostsEntrySubmodule; + options.ghaf.networking = { + hosts = mkOption { + type = types.attrsOf hostEntrySubmodule; description = '' List of hosts entries. ''; @@ -113,15 +88,21 @@ in }; }; - config = mkIf cfg.enable { - ghaf.networking.hosts = { - inherit entries; - }; + config = { + + assertions = [ + { + assertion = lib.length config.ghaf.common.vms < 255; + message = "Too many VMs defined - maximum is 254"; + } + ]; + + ghaf.networking.hosts = listToAttrs (map (host: nameValuePair "${host.name}" host) hosts); networking.hosts = foldr recursiveUpdate { } ( map (vm: { - "${vm.ip}" = [ "${vm.name}" ]; - }) config.ghaf.networking.hosts.entries + "${vm.ipv4}" = [ "${vm.name}" ]; + }) hosts ); }; } diff --git a/modules/common/security/apparmor/profiles/google-chrome.nix b/modules/common/security/apparmor/profiles/google-chrome.nix index 361fe4b5b..d93d35865 100644 --- a/modules/common/security/apparmor/profiles/google-chrome.nix +++ b/modules/common/security/apparmor/profiles/google-chrome.nix @@ -169,6 +169,7 @@ @{ETC}/profiles/** r, @{NIX}/var r, @{NIX}/var/** r, + @{RUN}/givc/** rx, owner @{run}/user/[0-9]*/ rw, owner @{run}/user/[0-9]*/** rw, diff --git a/modules/common/services/default.nix b/modules/common/services/default.nix index 18f920387..2e81ad06d 100644 --- a/modules/common/services/default.nix +++ b/modules/common/services/default.nix 
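Review bot: Address allocation is now purely positional — `imap1` over `[ "net-vm" "ghaf-host" ] ++ remove "net-vm" config.ghaf.common.systemHosts` and over `appHosts` — and those lists come from `attrNames config.microvm.vms`, which is alphabetically sorted, so enabling, disabling or renaming one VM shifts the IPv4, IPv6 and MAC of every VM that sorts after it. That matters in this commit because the new `givc.tls` block mints certificates keyed by `{ name; addr }` and VMs persist `/etc/givc`: if the address is embedded in the certificate (not visible here), a deployed VM can come back holding a certificate for an address it no longer owns. A comment on `hostList` stating that list order is the allocation policy, or an explicit per-host index option, would make this visible. Separately, `ipv6 = "${ipv6BaseAddress}${toString idx}"` writes a decimal number into a hexadecimal hextet (`fd00::100:10` is host 16, not 10), so IPv4 and IPv6 host numbers diverge above 9; `trivial.toHexString idx` keeps them aligned.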
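Review bot: The assertion `lib.length config.ghaf.common.vms < 255` does not protect the allocation scheme above it: system hosts start at `.1` and app hosts at `.101`, so more than 98 system VMs overlaps the app range and more than 154 app VMs runs past `.254`, both well under 255 VMs in total. Two checks that match the real ranges are more accurate: `{ assertion = lib.length hostList <= 100; message = "Too many system hosts - maximum is 98"; }` and `{ assertion = lib.length config.ghaf.common.appHosts <= 154; message = "Too many app hosts - maximum is 154"; }`. The option description still reads `List of hosts entries.` although the type is now `attrsOf hostEntrySubmodule` keyed by host name.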
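Review bot: `@{RUN}/givc/** rx,` gives the Chrome confinement read and execute on everything under `/run/givc`, which — going by the `--cacert /run/givc/ca-cert.pem --cert /run/givc/cert.pem --key /run/givc/key.pem` arguments assembled in `modules/givc/common.nix` — is where each VM's givc TLS client key is exposed. The browser is the most exposed process in an app VM; a private key readable (and marked executable) inside its profile lets a renderer compromise impersonate the VM's agent towards the admin service. If Chrome only needs to reach the agent via `givc-cli`, restrict the rule to what is actually opened, e.g. `@{RUN}/givc/ca-cert.pem r,` plus the specific cert/key if truly required, and never `x` on PEM data; better still, keep the key out of the browser's confinement by having an unconfined helper hold it. The profile body continues outside the hunk.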
@@ -8,7 +8,6 @@ ./firmware.nix ./xdgopener.nix ./xdghandlers.nix - ./namespaces.nix ./yubikey.nix ./bluetooth.nix ./disks.nix diff --git a/modules/common/services/desktop.nix b/modules/common/services/desktop.nix index 62e6ff0f6..2fd6f1cf0 100644 --- a/modules/common/services/desktop.nix +++ b/modules/common/services/desktop.nix @@ -7,13 +7,12 @@ ... }: let - inherit (builtins) hasAttr replaceStrings; + inherit (builtins) hasAttr; inherit (lib) mkIf mkEnableOption optionals optionalAttrs - optionalString ; cfg = config.ghaf.services.desktop; @@ -26,6 +25,7 @@ let { } else { }; + inherit (config.ghaf.givc) cliArgs; in # TODO: The desktop configuration needs to be re-worked. # TODO it needs to be moved out of common and the launchers have to be set bu the reference programs NOT here @@ -39,17 +39,6 @@ in profiles.graphics.compositor = "labwc"; graphics = { launchers = - let - cliArgs = replaceStrings [ "\n" ] [ " " ] '' - --name ${config.ghaf.givc.adminConfig.name} - --addr ${config.ghaf.givc.adminConfig.addr} - --port ${config.ghaf.givc.adminConfig.port} - ${optionalString config.ghaf.givc.enableTls "--cacert /run/givc/ca-cert.pem"} - ${optionalString config.ghaf.givc.enableTls "--cert /run/givc/gui-vm-cert.pem"} - ${optionalString config.ghaf.givc.enableTls "--key /run/givc/gui-vm-key.pem"} - ${optionalString (!config.ghaf.givc.enableTls) "--notls"} - ''; - in [ # { # # The SPKI fingerprint is calculated like this: @@ -215,7 +204,7 @@ in { name = "Control panel"; - path = "${pkgs.ctrl-panel}/bin/ctrl-panel"; + path = "${pkgs.ctrl-panel}/bin/ctrl-panel ${config.ghaf.givc.cliArgs}"; icon = "utilities-tweak-tool"; } ] diff --git a/modules/common/services/namespaces.nix b/modules/common/services/namespaces.nix deleted file mode 100644 index c654fdf9f..000000000 --- a/modules/common/services/namespaces.nix +++ /dev/null 
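Review bot: `path = "${pkgs.ctrl-panel}/bin/ctrl-panel ${config.ghaf.givc.cliArgs}"` is evaluated unconditionally inside the launcher list, but `ghaf.givc.cliArgs` is declared without a default and only assigned under `config = mkIf cfg.enable` in `modules/givc/common.nix`, so a configuration with `ghaf.givc.enable = false` now fails evaluation with 'option used but not defined' where the old inline `cliArgs` did not. Guard the use, `path = "${pkgs.ctrl-panel}/bin/ctrl-panel ${lib.optionalString config.ghaf.givc.enable config.ghaf.givc.cliArgs}";`, or give the option `default = ""`. The `inherit (config.ghaf.givc) cliArgs;` added to the `let` in the earlier hunk of this file is then unused, since the launcher spells the full path. The client certificate also silently changes from `gui-vm-cert.pem`/`gui-vm-key.pem` to the generic `cert.pem`/`key.pem`; that rename deserves a line in the commit message.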
@@ -1,21 +0,0 @@ -# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors -# SPDX-License-Identifier: Apache-2.0 -{ config, lib, ... }: -let - inherit (builtins) attrNames hasAttr; - inherit (lib) mkOption types optionalAttrs; -in -{ - options.ghaf.namespaces = { - vms = mkOption { - type = types.listOf types.str; - default = [ ]; - description = "List of VMs currently enabled."; - }; - }; - config = { - ghaf = optionalAttrs (hasAttr "microvm" config) { - namespaces = optionalAttrs (hasAttr "vms" config.microvm) { vms = attrNames config.microvm.vms; }; - }; - }; -} diff --git a/modules/common/systemd/hardened-configs/common/alloy.nix b/modules/common/systemd/hardened-configs/common/alloy.nix index 45c1d90fe..fc577b5cd 100644 --- a/modules/common/systemd/hardened-configs/common/alloy.nix +++ b/modules/common/systemd/hardened-configs/common/alloy.nix @@ -5,7 +5,6 @@ IPAccounting = true; IPAddressAllow = [ "192.168.100.0/24" - "192.168.101.0/24" ]; RestrictAddressFamilies = [ "~AF_INET6" ]; diff --git a/modules/desktop/graphics/ewwbar.nix b/modules/desktop/graphics/ewwbar.nix index 5fd13f279..a7cf5aae1 100644 --- a/modules/desktop/graphics/ewwbar.nix +++ b/modules/desktop/graphics/ewwbar.nix @@ -635,7 +635,7 @@ in (widget_button :icon "${settings-icon}" :header "Settings" - :onclick "''${EWW_CMD} close quick-settings closer & ${pkgs.ctrl-panel}/bin/ctrl-panel >/dev/null &"))) + :onclick "''${EWW_CMD} close quick-settings closer & ${pkgs.ctrl-panel}/bin/ctrl-panel ${config.ghaf.givc.cliArgs} >/dev/null &"))) ''} ;; Quick Settings Widget ;; diff --git a/modules/givc/adminvm.nix b/modules/givc/adminvm.nix index 7b61b6301..9c063703c 100644 --- a/modules/givc/adminvm.nix +++ b/modules/givc/adminvm.nix 
@@ -16,9 +16,7 @@ in enable = true; inherit (config.ghaf.givc) debug; inherit (config.ghaf.givc.adminConfig) name; - inherit (config.ghaf.givc.adminConfig) addr; - inherit (config.ghaf.givc.adminConfig) port; - inherit (config.ghaf.givc.adminConfig) protocol; + inherit (config.ghaf.givc.adminConfig) addresses; services = [ "givc-ghaf-host-debug.service" "givc-net-vm.service" diff --git a/modules/givc/appvm.nix b/modules/givc/appvm.nix index cb94b626d..4439da2a4 100644 --- a/modules/givc/appvm.nix +++ b/modules/givc/appvm.nix @@ -14,17 +14,12 @@ let mkIf types ; - vmEntry = vm: builtins.filter (x: x.name == vm) config.ghaf.networking.hosts.entries; - address = vm: lib.head (builtins.map (x: x.ip) (vmEntry vm)); + inherit (config.ghaf.networking) hosts; + inherit (config.networking) hostName; in { options.ghaf.givc.appvm = { enable = mkEnableOption "Enable appvm givc module."; - name = mkOption { - type = types.str; - default = "appvm"; - description = "Name of the appvm."; - }; applications = mkOption { type = types.listOf types.attrs; default = [ { } ]; @@ -37,14 +32,15 @@ in givc.appvm = { enable = true; inherit (config.ghaf.givc) debug; - agent = { - inherit (cfg) name; - addr = address cfg.name; + inherit (config.ghaf.users.loginUser) uid; + transport = { + name = hostName; + addr = hosts.${hostName}.ipv4; port = "9000"; }; inherit (cfg) applications; tls.enable = config.ghaf.givc.enableTls; - admin = config.ghaf.givc.adminConfig; + admin = lib.head config.ghaf.givc.adminConfig.addresses; }; }; } diff --git a/modules/givc/audiovm.nix b/modules/givc/audiovm.nix index 9accd06bc..7c73576f1 100644 --- a/modules/givc/audiovm.nix +++ b/modules/givc/audiovm.nix 
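Review bot: `admin = lib.head config.ghaf.givc.adminConfig.addresses;` and `addr = hosts.${hostName}.ipv4;` both fail with opaque errors when their preconditions are not met: `head` on an empty list, and a missing-attribute error when the VM's `networking.hostName` differs from its key in `config.microvm.vms` (that key is what `ghaf.common.appHosts`, and therefore the hosts table, is built from). An assertion in this module turns both into actionable messages, e.g. `{ assertion = builtins.hasAttr hostName hosts; message = "givc appvm: ${hostName} has no entry in ghaf.networking.hosts (is ghaf.type = \"app-vm\" set?)"; }`. Removing the `ghaf.givc.appvm.name` option is a breaking change for any downstream configuration that set it, and should be called out in the commit message.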
@@ -1,13 +1,19 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ config, lib, ... }: +{ + config, + lib, + ... +}: let cfg = config.ghaf.givc.audiovm; - inherit (lib) mkEnableOption mkIf; - hostName = "audio-vm"; + inherit (lib) + mkEnableOption + mkIf + ; guivmName = "gui-vm"; - vmEntry = vm: builtins.filter (x: x.name == vm) config.ghaf.networking.hosts.entries; - address = vm: lib.head (builtins.map (x: x.ip) (vmEntry vm)); + inherit (config.ghaf.networking) hosts; + inherit (config.networking) hostName; in { options.ghaf.givc.audiovm = { @@ -19,18 +25,18 @@ in givc.sysvm = { enable = true; inherit (config.ghaf.givc) debug; - agent = { + transport = { name = hostName; - addr = address hostName; + addr = hosts.${hostName}.ipv4; port = "9000"; }; tls.enable = config.ghaf.givc.enableTls; - admin = config.ghaf.givc.adminConfig; + admin = lib.head config.ghaf.givc.adminConfig.addresses; socketProxy = [ { transport = { name = guivmName; - addr = address guivmName; + addr = hosts.${guivmName}.ipv4; port = "9011"; protocol = "tcp"; }; diff --git a/modules/givc/common.nix b/modules/givc/common.nix index 0b8e36f24..5ba361ba6 100644 --- a/modules/givc/common.nix +++ b/modules/givc/common.nix @@ -1,6 +1,10 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ config, lib, ... }: +{ + config, + lib, + ... +}: let cfg = config.ghaf.givc; inherit (lib) 
@@ -8,11 +12,39 @@ let mkEnableOption mkIf types + optionalString ; + addressSubmodule = types.submodule { + options = { + name = mkOption { + description = "Name of the IP range for parsing"; + type = types.str; + }; + addr = mkOption { + description = "IP address of admin server"; + type = types.str; + }; + port = mkOption { + description = "Port of admin server"; + type = types.str; + }; + protocol = mkOption { + description = "Protocol of admin server"; + type = types.str; + }; + }; + }; + inherit (config.ghaf.networking) hosts; + adminAddress = { + name = "admin-vm"; + addr = hosts."admin-vm".ipv4; + port = "9001"; + protocol = "tcp"; + }; mitmEnabled = config.ghaf.virtualization.microvm.idsvm.enable && config.ghaf.virtualization.microvm.idsvm.mitmproxy.enable; - mitmExtraArgs = lib.optionalString mitmEnabled "--user-data-dir=/home/${config.ghaf.users.appUser.name}/.config/google-chrome/Default --test-type --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU="; + idsExtraArgs = lib.optionalString mitmEnabled "--user-data-dir=/home/${config.ghaf.users.appUser.name}/.config/google-chrome/Default --test-type --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU="; in { options.ghaf.givc = { @@ -21,17 +53,15 @@ in enableTls = mkOption { description = "Enable TLS for gRPC communication globally, or disable for debugging."; type = types.bool; - default = false; + default = true; }; idsExtraArgs = mkOption { description = "Extra arguments for applications when IDS/MITM is enabled."; type = types.str; - default = mitmExtraArgs; }; appPrefix = mkOption { description = "Common application path prefix."; type = types.str; - default = "/run/current-system/sw/bin"; }; adminConfig = mkOption { description = "Admin server configuration."; 
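Review bot: Dropping `default = mitmExtraArgs` and `default = "/run/current-system/sw/bin"` from the `idsExtraArgs` and `appPrefix` options, and moving their values under `config = mkIf cfg.enable` in the next hunk, leaves both options undefined whenever `ghaf.givc.enable = false`; any consumer that reads `config.ghaf.givc.appPrefix` or `idsExtraArgs` unconditionally then fails at evaluation. Keep the defaults on the declarations (`default = idsExtraArgs;` and `default = "/run/current-system/sw/bin";`) or assign them with `mkDefault` outside the `mkIf`. Flipping `enableTls` to `default = true` is the right direction; its description could add that `--notls` is now only reachable by explicit opt-out, since every agent's `tls.enable` and the CLI arguments derive from this one flag.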
@@ -41,34 +71,40 @@ in description = "Host name of admin server"; type = types.str; }; - addr = mkOption { - description = "Address of admin server"; - type = types.str; - }; - port = mkOption { - description = "Port of admin server"; - type = types.str; - }; - protocol = mkOption { - description = "Protocol of admin server"; - type = types.str; + addresses = mkOption { + description = "Addresses of admin server"; + type = types.listOf addressSubmodule; }; }; }; }; + cliArgs = mkOption { + description = "Arguments for the givc-cli to contact the admin service."; + type = types.str; + }; }; + config = mkIf cfg.enable { + # Generic givc configs + ghaf.givc = { + inherit idsExtraArgs; + appPrefix = "/run/current-system/sw/bin"; + cliArgs = builtins.replaceStrings [ "\n" ] [ " " ] '' + --name ${adminAddress.name} + --addr ${adminAddress.addr} + --port ${adminAddress.port} + ${optionalString config.ghaf.givc.enableTls "--cacert /run/givc/ca-cert.pem"} + ${optionalString config.ghaf.givc.enableTls "--cert /run/givc/cert.pem"} + ${optionalString config.ghaf.givc.enableTls "--key /run/givc/key.pem"} + ${optionalString (!config.ghaf.givc.enableTls) "--notls"} + ''; + }; # Givc admin server configuration - ghaf.givc.adminConfig = - let - adminvmEntry = builtins.filter (x: x.name == "admin-vm-debug") config.ghaf.networking.hosts.entries; - addr = lib.head (builtins.map (x: x.ip) adminvmEntry); - in - { - name = "admin-vm-debug"; - inherit addr; - port = "9001"; - protocol = "tcp"; - }; + ghaf.givc.adminConfig = { + inherit (adminAddress) name; + addresses = [ + adminAddress + ]; + }; }; } diff --git a/modules/givc/flake-module.nix b/modules/givc/flake-module.nix index 1e9ae0e89..a71131972 100644 --- a/modules/givc/flake-module.nix +++ b/modules/givc/flake-module.nix @@ -10,6 +10,7 @@ ]; givc-host.imports = [ inputs.givc.nixosModules.host + inputs.givc.nixosModules.tls ./common.nix ./host.nix { 
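Review bot: `adminConfig.addresses` is declared as a list, but every agent module in this commit takes `lib.head` of it, so only the first entry is ever used as an admin endpoint; the remaining entries appear to feed only `givc.tls.adminAddresses` in `host.nix`. Say so in the option description, e.g. `Addresses of admin server; agents connect to the first entry, all entries are used for certificate generation.`, so nobody adds a second address expecting fail-over. `cliArgs` embeds the admin address and certificate paths into a string that later modules splice into shell commands and an eww `:onclick` without quoting; a comment noting that its components are module-controlled and must stay free of shell metacharacters is warranted, as is a note that the option has no default and is only set inside `mkIf cfg.enable`, so readers outside this module must guard on `ghaf.givc.enable`.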
diff --git a/modules/givc/guivm.nix b/modules/givc/guivm.nix index c2807127b..6228b93e5 100644 --- a/modules/givc/guivm.nix +++ b/modules/givc/guivm.nix @@ -1,14 +1,20 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ config, lib, ... }: +{ + config, + lib, + ... +}: let cfg = config.ghaf.givc.guivm; - inherit (lib) mkEnableOption mkIf; - hostName = "gui-vm"; + inherit (lib) + mkEnableOption + mkIf + ; netvmName = "net-vm"; audiovmName = "audio-vm"; - vmEntry = vm: builtins.filter (x: x.name == vm) config.ghaf.networking.hosts.entries; - address = vm: lib.head (builtins.map (x: x.ip) (vmEntry vm)); + inherit (config.ghaf.networking) hosts; + inherit (config.networking) hostName; in { options.ghaf.givc.guivm = { @@ -19,19 +25,20 @@ in # Configure guivm service givc.sysvm = { enable = true; - agent = { + inherit (config.ghaf.givc) debug; + transport = { name = hostName; - addr = address hostName; + addr = hosts.${hostName}.ipv4; port = "9000"; }; - inherit (config.ghaf.givc) debug; + admin = lib.head config.ghaf.givc.adminConfig.addresses; tls.enable = config.ghaf.givc.enableTls; - admin = config.ghaf.givc.adminConfig; + enableUserTlsAccess = true; socketProxy = [ { transport = { name = netvmName; - addr = address netvmName; + addr = hosts.${netvmName}.ipv4; port = "9010"; protocol = "tcp"; }; @@ -40,7 +47,7 @@ in { transport = { name = audiovmName; - addr = address audiovmName; + addr = hosts.${audiovmName}.ipv4; port = "9011"; protocol = "tcp"; }; diff --git a/modules/givc/host.nix b/modules/givc/host.nix index 1b1ceeb8e..c7c7582fb 100644 --- a/modules/givc/host.nix +++ b/modules/givc/host.nix 
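Review bot: `enableUserTlsAccess = true;` is added without explanation; judging by the `--cert /run/givc/cert.pem --key /run/givc/key.pem` arguments in `modules/givc/common.nix`, its purpose is to let the login user's launchers and the suspend script use the gui-vm agent's client certificate, which means every process in the user session can authenticate to the admin service as the gui-vm agent (what the upstream option actually exposes is not visible here). That is a deliberate widening of a trust boundary and should be documented where it is set, e.g. `# Desktop launchers and the suspend script run givc-cli as the login user; expose the agent TLS cert/key to that user read-only.`. If the upstream module supports a separate user-scoped certificate, prefer it over sharing the agent identity. Minor: `admin = lib.head ...` was moved above `tls.enable`, unlike the other VM modules in this commit.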
@@ -8,11 +8,14 @@ }: let cfg = config.ghaf.givc.host; - inherit (builtins) map filter attrNames; - inherit (lib) mkEnableOption mkIf head; - hostName = "ghaf-host-debug"; - vmEntry = vm: builtins.filter (x: x.name == vm) config.ghaf.networking.hosts.entries; - address = vm: lib.head (builtins.map (x: x.ip) (vmEntry vm)); + inherit (builtins) map attrNames; + inherit (lib) + mkEnableOption + mkIf + head + ; + inherit (config.networking) hostName; + inherit (config.ghaf.networking) hosts; in { options.ghaf.givc.host = { @@ -24,9 +27,9 @@ in givc.host = { enable = true; inherit (config.ghaf.givc) debug; - agent = { + transport = { name = hostName; - addr = address hostName; + addr = hosts.${hostName}.ipv4; port = "9000"; }; services = [ @@ -35,7 +38,19 @@ in "suspend.target" ] ++ map (vmName: "microvm@${vmName}.service") (attrNames config.microvm.vms); tls.enable = config.ghaf.givc.enableTls; - admin = config.ghaf.givc.adminConfig; + admin = head config.ghaf.givc.adminConfig.addresses; + }; + + givc.tls = { + enable = config.ghaf.givc.enableTls; + agents = lib.attrsets.mapAttrsToList (n: v: { + name = n; + addr = v.ipv4; + }) hosts; + adminTlsName = config.ghaf.givc.adminConfig.name; + adminAddresses = config.ghaf.givc.adminConfig.addresses; + generatorHostName = hostName; + storagePath = "/storagevm"; }; }; } diff --git a/modules/givc/netvm.nix b/modules/givc/netvm.nix index b760e76ec..0b510de00 100644 --- a/modules/givc/netvm.nix +++ b/modules/givc/netvm.nix @@ -8,11 +8,13 @@ }: let cfg = config.ghaf.givc.netvm; - inherit (lib) mkEnableOption mkIf; - hostName = "net-vm"; + inherit (lib) + mkEnableOption + mkIf + ; guivmName = "gui-vm"; - vmEntry = vm: builtins.filter (x: x.name == vm) config.ghaf.networking.hosts.entries; - address = vm: lib.head (builtins.map (x: x.ip) (vmEntry vm)); + inherit (config.ghaf.networking) hosts; + inherit (config.networking) hostName; in { options.ghaf.givc.netvm = { 
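Review bot: The new `givc.tls` block makes the host the certificate generator (`generatorHostName = hostName`) with `storagePath = "/storagevm"`, so the CA private key and every agent key presumably end up on the host's persistent storage with whatever ownership and mode the upstream module chooses; nothing in this hunk pins that, and nothing documents that `/storagevm` is now security-critical. Add `# CA and agent keys are generated here and persisted under /storagevm; keep this path host-only (mode 0700).` and set the permission option explicitly if the upstream module exposes one. `agents` is built from the whole `ghaf.networking.hosts` table, so a certificate is minted per entry (including `ghaf-host` itself) using the position-based address from `hosts.nix`; if the address is embedded in the certificate, re-ordering VMs silently invalidates persisted certificates. Note also that `hostName` is now `config.networking.hostName`, and `hosts.${hostName}` in the earlier hunk only resolves if that equals the `"ghaf-host"` literal in `hosts.nix`.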
@@ -24,20 +26,19 @@ in givc.sysvm = { enable = true; inherit (config.ghaf.givc) debug; - agent = { - name = hostName; - addr = address hostName; + transport = { + name = config.networking.hostName; + addr = hosts.${hostName}.ipv4; port = "9000"; }; - wifiManager = true; hwidService = true; tls.enable = config.ghaf.givc.enableTls; - admin = config.ghaf.givc.adminConfig; + admin = lib.head config.ghaf.givc.adminConfig.addresses; socketProxy = [ { transport = { name = guivmName; - addr = address guivmName; + addr = hosts.${guivmName}.ipv4; port = "9010"; protocol = "tcp"; }; @@ -45,7 +46,6 @@ in } ]; }; - givc.dbusproxy = { enable = true; system = { diff --git a/modules/microvm/networking.nix b/modules/microvm/networking.nix index 01d075856..7bfdfb974 100644 --- a/modules/microvm/networking.nix +++ b/modules/microvm/networking.nix @@ -8,24 +8,32 @@ }: let cfg = config.ghaf.host.networking; + inherit (lib) + mkEnableOption + mkIf + optionals + ; sshKeysHelper = pkgs.callPackage ../../packages/ssh-keys-helper { inherit pkgs; inherit config; }; + inherit (config.ghaf.networking) hosts; + inherit (config.networking) hostName; in { options.ghaf.host.networking = { - enable = lib.mkEnableOption "Host networking"; + enable = mkEnableOption "Host networking"; # TODO add options to configure the network, e.g. ip addr etc }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { networking = { enableIPv6 = false; useNetworkd = true; interfaces.virbr0.useDHCP = false; }; + # TODO Remove host networking systemd.network = { netdevs."10-virbr0".netdevConfig = { Kind = "bridge"; 
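Review bot: `wifiManager = true;` is removed from the net-vm sysvm configuration with no replacement anywhere in this diff; if the bumped `ghaf-givc` input renamed or relocated that option, the commit message should say so, otherwise Wi-Fi control through givc silently stops working in the net-vm. As a style point, `name = config.networking.hostName;` reaches through `config` although `hostName` is already inherited in the `let` above; `name = hostName;` matches the other VM modules in this commit. The surrounding `givc.sysvm` block continues outside the hunk.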
@@ -35,7 +43,8 @@ in networks."10-virbr0" = { matchConfig.Name = "virbr0"; networkConfig.DHCPServer = false; - addresses = [ { Address = "192.168.101.2/24"; } ]; + addresses = [ { Address = "${hosts.${hostName}.ipv4}/24"; } ]; + gateway = optionals (builtins.hasAttr "net-vm" config.microvm.vms) [ "${hosts."net-vm".ipv4}" ]; }; # Connect VM tun/tap device to the bridge # TODO configure this based on IF the netvm is enabled diff --git a/modules/microvm/virtualization/microvm/adminvm.nix b/modules/microvm/virtualization/microvm/adminvm.nix index 8fdee3b58..9121b2cc4 100644 --- a/modules/microvm/virtualization/microvm/adminvm.nix +++ b/modules/microvm/virtualization/microvm/adminvm.nix @@ -1,11 +1,14 @@ # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 { inputs }: -{ config, lib, ... }: +{ + config, + lib, + ... +}: let configHost = config; vmName = "admin-vm"; - macAddress = "02:00:00:AD:01:01"; isLoggingEnabled = config.ghaf.logging.client.enable; adminvmBaseConfiguration = { @@ -17,11 +20,8 @@ let config lib vmName - macAddress ; - internalIP = 10; }) - ./common/storagevm.nix # We need to retrieve mac address and start log aggregator ../../../common/logging/hw-mac-retrieve.nix ../../../common/logging/logs-aggregator.nix @@ -41,6 +41,7 @@ let }; # System + type = "system-vm"; systemd = { enable = true; withName = "adminvm-systemd"; @@ -77,14 +78,6 @@ let system.stateVersion = lib.trivial.release; - systemd.network = { - enable = true; - networks."10-ethint0" = { - matchConfig.MACAddress = macAddress; - linkConfig.ActivationPolicy = "always-up"; - }; - }; - nixpkgs = { buildPlatform.system = configHost.nixpkgs.buildPlatform.system; hostPlatform.system = configHost.nixpkgs.hostPlatform.system; diff --git a/modules/microvm/virtualization/microvm/appvm.nix b/modules/microvm/virtualization/microvm/appvm.nix index 02872ce59..8da1a5a33 100644 --- a/modules/microvm/virtualization/microvm/appvm.nix 
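Review bot: `addresses = [ { Address = "${hosts.${hostName}.ipv4}/24"; } ]` together with `gateway = ... [ "${hosts."net-vm".ipv4}" ]` places ghaf-host on 192.168.100.0/24 with the net-vm as its default route whenever host networking is enabled, not only in debug builds. Before this change the host sat only on the 192.168.101 debug subnet, and the comment deleted from `hosts.nix` in this same commit stated that `.100.` is 'not reachable from ghaf-host … only reachable guest-to-guest'; the most privileged component is now on the same segment as every app VM and has a path to the internet. The `# TODO Remove host networking` comment suggests this is transitional, but until then gate it on the debug profile, e.g. `gateway = optionals (config.ghaf.profiles.debug.enable && builtins.hasAttr "net-vm" config.microvm.vms) [ "${hosts."net-vm".ipv4}" ];`, and state the isolation change in the commit message. The `alloy.nix` hardening dropping `192.168.101.0/24` earlier in this diff is consistent with the new layout but equally undocumented.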
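Review bot: `./common/storagevm.nix` disappears from the admin VM's import list here, which nothing in the addressing refactor requires; unless the module is imported for the admin VM from somewhere else, it loses the persisted `/var/lib/nixos` and, notably, the `/etc/givc` directory that this same commit adds to `storagevm.nix` — the one VM that runs the givc admin service would then lose or regenerate its TLS material on every boot (how the tls module provisions VMs is not visible here). If the removal is intentional, add a comment saying why; if not, restore the line.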
+++ b/modules/microvm/virtualization/microvm/appvm.nix @@ -38,16 +38,16 @@ let { ghaf.givc.appvm = { enable = true; - name = lib.mkForce vmName; applications = givcApplications; }; } (import ./common/vm-networking.nix { - inherit config lib vmName; - inherit (vm) macAddress; - internalIP = vmIndex + 100; + inherit + config + lib + vmName + ; }) - ./common/ghaf-audio.nix ./common/storagevm.nix ( @@ -94,7 +94,8 @@ let nix-setup.enable = lib.mkDefault configHost.ghaf.development.nix-setup.enable; }; - # Systemd + # System + type = "app-vm"; systemd = { enable = true; withName = "appvm-systemd"; diff --git a/modules/microvm/virtualization/microvm/audiovm.nix b/modules/microvm/virtualization/microvm/audiovm.nix index 8a4a7d356..fb084426a 100644 --- a/modules/microvm/virtualization/microvm/audiovm.nix +++ b/modules/microvm/virtualization/microvm/audiovm.nix @@ -9,7 +9,6 @@ let configHost = config; vmName = "audio-vm"; - macAddress = "02:00:00:03:03:03"; has_acpi_path = config.ghaf.hardware.definition.audio.acpiPath != null; audiovmBaseConfiguration = { @@ -21,9 +20,7 @@ let config lib vmName - macAddress ; - internalIP = 5; }) ./common/storagevm.nix ../../../common/logging/client.nix @@ -49,6 +46,7 @@ let }; # System + type = "system-vm"; systemd = { enable = true; withName = "audiovm-systemd"; diff --git a/modules/microvm/virtualization/microvm/common/storagevm.nix b/modules/microvm/virtualization/microvm/common/storagevm.nix index 71ba7e9d2..9ecd7866c 100644 --- a/modules/microvm/virtualization/microvm/common/storagevm.nix +++ b/modules/microvm/virtualization/microvm/common/storagevm.nix @@ -114,6 +114,7 @@ in hideMounts = true; directories = [ "/var/lib/nixos" + "/etc/givc" ]; files = [ "/etc/ssh/ssh_host_ed25519_key.pub" diff --git a/modules/microvm/virtualization/microvm/common/vm-networking.nix b/modules/microvm/virtualization/microvm/common/vm-networking.nix index 6d9dc1886..3a335f7a8 100644 --- a/modules/microvm/virtualization/microvm/common/vm-networking.nix 
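Review bot: The import list loses `./common/ghaf-audio.nix` alongside the per-VM `macAddress`/`internalIP` arguments, so every app VM stops importing the audio module in a commit about addressing and givc; unless app-VM audio is now wired in from elsewhere (not visible here), that is a silent functional regression. Either restore the line or add a comment explaining where it moved. With `internalIP = vmIndex + 100` gone, `vmIndex` may now be a dead binding in the enclosing `let`, which starts outside this hunk.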
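Review bot: Persisting `/etc/givc` in every VM's storage means the givc TLS material (by the `cert.pem`/`key.pem` names used in `modules/givc/common.nix`, likely a private key) now survives reboots on the VM's disk image, and whether that image is encrypted or host-readable is decided outside this file. Document the dependency next to the entry, e.g. `"/etc/givc" # givc TLS cert/key: persisted storage must be at least host-private`, and if the persistence module accepts per-directory attributes, set `{ directory = "/etc/givc"; mode = "0700"; }` rather than inheriting the default mode.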
+++ b/modules/microvm/virtualization/microvm/common/vm-networking.nix @@ -4,19 +4,16 @@ config, lib, vmName, - macAddress, - internalIP, isGateway ? false, ... }: let - networkName = "ethint0"; - netVmEntry = builtins.filter (x: x.name == "net-vm") config.ghaf.networking.hosts.entries; - netVmAddress = builtins.map (x: x.ip) netVmEntry; + interfaceName = "ethint0"; + inherit (config.ghaf.networking) hosts; + netVmAddress = hosts."net-vm".ipv4; isIdsvmEnabled = config.ghaf.virtualization.microvm.idsvm.enable; - idsVmEntry = builtins.filter (x: x.name == "ids-vm") config.ghaf.networking.hosts.entries; - idsVmAddress = lib.optionals isIdsvmEnabled (builtins.map (x: x.ip) idsVmEntry); - gateway = if isIdsvmEnabled && (vmName != "ids-vm") then idsVmAddress else netVmAddress; + idsVmAddress = hosts."ids-vm".ipv4; + gateway = if isIdsvmEnabled && (vmName != "ids-vm") then [ idsVmAddress ] else [ netVmAddress ]; in { networking = { @@ -27,7 +24,7 @@ in useNetworkd = true; nat = { enable = true; - internalInterfaces = [ networkName ]; + internalInterfaces = [ interfaceName ]; }; }; 
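Review bot: `idsVmAddress = hosts."ids-vm".ipv4;` only works for configurations without an IDS VM because Nix evaluates the `let` binding lazily — it is forced solely through `gateway`, and only when `isIdsvmEnabled && vmName != "ids-vm"`. That is not obvious, and someone turning it into an eager lookup (or an assertion) would break every non-IDS build; add `# forced only via gateway when the IDS VM is enabled; ids-vm need not exist otherwise`. The trailing `gateway` binding is also the last place the debug-subnet distinction used to live, so a one-line note that all VMs now share a single 192.168.100.0/24 would help readers of the network module.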
@@ -36,27 +33,20 @@ in type = "tap"; # The interface names must have maximum length of 15 characters id = "tap-${vmName}"; - mac = macAddress; + inherit (hosts.${vmName}) mac; } ]; systemd.network = { enable = true; - # Set internal network's interface name to networkName - links."10-${networkName}" = { - matchConfig.PermanentMACAddress = macAddress; - linkConfig.Name = networkName; + # Set internal network's interface name + links."10-${interfaceName}" = { + matchConfig.PermanentMACAddress = hosts.${vmName}.mac; + linkConfig.Name = interfaceName; }; - networks."10-${networkName}" = { - matchConfig.MACAddress = macAddress; - addresses = - [ { Address = "192.168.100.${toString internalIP}/24"; } ] - ++ lib.optionals config.ghaf.profiles.debug.enable [ - { - # IP-address for debugging subnet - Address = "192.168.101.${toString internalIP}/24"; - } - ]; + networks."10-${interfaceName}" = { + matchConfig.MACAddress = hosts.${vmName}.mac; + addresses = [ { Address = "${hosts.${vmName}.ipv4}/24"; } ]; linkConfig.RequiredForOnline = "routable"; linkConfig.ActivationPolicy = "always-up"; } // lib.optionalAttrs (!isGateway) { inherit gateway; }; diff --git a/modules/microvm/virtualization/microvm/guivm.nix b/modules/microvm/virtualization/microvm/guivm.nix index 8b0b54d8c..234cc8f2d 100644 --- a/modules/microvm/virtualization/microvm/guivm.nix +++ b/modules/microvm/virtualization/microvm/guivm.nix @@ -9,7 +9,6 @@ }: let vmName = "gui-vm"; - macAddress = "02:00:00:02:02:02"; inherit (import ../../../../lib/launcher.nix { inherit pkgs lib; }) rmDesktopEntries; guivmBaseConfiguration = { imports = [ @@ -20,9 +19,7 @@ let config lib vmName - macAddress ; - internalIP = 3; }) ./common/storagevm.nix 
@@ -32,16 +29,6 @@ let ( { lib, pkgs, ... }: let - inherit (builtins) replaceStrings; - cliArgs = replaceStrings [ "\n" ] [ " " ] '' - --name ${config.ghaf.givc.adminConfig.name} - --addr ${config.ghaf.givc.adminConfig.addr} - --port ${config.ghaf.givc.adminConfig.port} - ${lib.optionalString config.ghaf.givc.enableTls "--cacert /run/givc/ca-cert.pem"} - ${lib.optionalString config.ghaf.givc.enableTls "--cert /run/givc/ghaf-host-cert.pem"} - ${lib.optionalString config.ghaf.givc.enableTls "--key /run/givc/ghaf-host-key.pem"} - ${lib.optionalString (!config.ghaf.givc.enableTls) "--notls"} - ''; # A list of applications from all AppVMs virtualApps = lib.lists.concatMap ( vm: map (app: app // { vmName = "${vm.name}-vm"; }) vm.applications @@ -53,7 +40,7 @@ let inherit (app) description; #inherit (app) givcName; vm = app.vmName; - path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm ${vm} ${app.givcName}"; + path = "${pkgs.givc-cli}/bin/givc-cli ${config.ghaf.givc.cliArgs} start --vm ${vm} ${app.givcName}"; inherit (app) icon; }) virtualApps; # Launchers for all desktop, non-virtualized applications that run in the GUIVM @@ -80,6 +67,7 @@ let }; # System + type = "system-vm"; systemd = { enable = true; withName = "guivm-systemd"; @@ -136,7 +124,7 @@ let fi # Initiate Suspension - ${pkgs.givc-cli}/bin/givc-cli ${cliArgs} suspend + ${pkgs.givc-cli}/bin/givc-cli ${config.ghaf.givc.cliArgs} suspend # Enable display if [ "$wl_running" -eq 1 ]; then diff --git a/modules/microvm/virtualization/microvm/idsvm/idsvm.nix b/modules/microvm/virtualization/microvm/idsvm/idsvm.nix index ab868988a..e54963ef9 100644 --- a/modules/microvm/virtualization/microvm/idsvm/idsvm.nix +++ b/modules/microvm/virtualization/microvm/idsvm/idsvm.nix 
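Review bot: The removed block had the gui-vm present `/run/givc/ghaf-host-cert.pem` and `ghaf-host-key.pem` as its client identity, and the replacement `config.ghaf.givc.cliArgs` is defined outside this diff, so it is not visible here whether the gui-vm now presents its own certificate or still the host's. If `cliArgs` is derived from the evaluating VM's name (as the per-VM cert paths in the other removed copies suggest) that is a welcome but silent fix; either way a comment at the `path = "${pkgs.givc-cli}/bin/givc-cli ${config.ghaf.givc.cliArgs} start ..."` line such as `# cliArgs carries the admin endpoint and this VM's mTLS client cert (see ghaf.givc)` would make the trust relationship explicit. `${vm}` and `${app.givcName}` are still interpolated unquoted into the launcher command; they come from module config rather than user input, so this is a robustness point, but single-quoting them in the string costs nothing.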
@@ -9,22 +9,21 @@ let configHost = config; vmName = "ids-vm"; - macAddress = "02:00:00:01:01:02"; idsvmBaseConfiguration = { imports = [ (import ../common/vm-networking.nix { inherit config lib + pkgs vmName - macAddress ; - internalIP = 4; }) ( { lib, ... }: { ghaf = { + type = "system-vm"; profiles.debug.enable = lib.mkDefault configHost.ghaf.profiles.debug.enable; virtualization.microvm.idsvm.mitmproxy.enable = diff --git a/modules/microvm/virtualization/microvm/microvm-host.nix b/modules/microvm/virtualization/microvm/microvm-host.nix index fd64d436c..5f59a1276 100644 --- a/modules/microvm/virtualization/microvm/microvm-host.nix +++ b/modules/microvm/virtualization/microvm/microvm-host.nix 
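Review bot: `pkgs` is added to the argument set passed to `../common/vm-networking.nix`, but that module's parameter list in this same diff is `config, lib, vmName, isGateway ? false, ...`, so `pkgs` is only swallowed by `...` and never used, while the netvm and guivm call sites do not pass it. Either drop it here (and in dendrite-config.nix, which adds it too) or declare it in vm-networking.nix if a follow-up needs it, so all call sites agree. The new `type = "system-vm";` line references a `ghaf.type` option that is not defined anywhere in this diff; a short comment pointing at its declaration would help, since the enclosing `idsvmBaseConfiguration` continues past the hunk.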
@@ -53,26 +53,29 @@ in config = mkMerge [ (mkIf cfg.enable { microvm.host.enable = true; - microvm.host.useNotifySockets = true; + # microvm.host.useNotifySockets = true; - ghaf.systemd = { - withName = "host-systemd"; - enable = true; - withAudit = config.ghaf.profiles.debug.enable; - withPolkit = true; - withTpm2Tss = pkgs.stdenv.hostPlatform.isx86; - withRepart = true; - withFido2 = true; - withCryptsetup = true; - withLocaled = true; - withTimesyncd = cfg.networkSupport; - withNss = cfg.networkSupport; - withResolved = cfg.networkSupport; - withSerial = config.ghaf.profiles.debug.enable; - withDebug = config.ghaf.profiles.debug.enable; - withHardenedConfigs = true; + ghaf = { + type = "host"; + systemd = { + withName = "host-systemd"; + enable = true; + withAudit = config.ghaf.profiles.debug.enable; + withPolkit = true; + withTpm2Tss = pkgs.stdenv.hostPlatform.isx86; + withRepart = true; + withFido2 = true; + withCryptsetup = true; + withLocaled = true; + withTimesyncd = cfg.networkSupport; + withNss = cfg.networkSupport; + withResolved = cfg.networkSupport; + withSerial = config.ghaf.profiles.debug.enable; + withDebug = config.ghaf.profiles.debug.enable; + withHardenedConfigs = true; + }; + givc.host.enable = true; }; - ghaf.givc.host.enable = true; services.logind.lidSwitch = "ignore"; # TODO: remove hardcoded paths diff --git a/modules/microvm/virtualization/microvm/modules.nix b/modules/microvm/virtualization/microvm/modules.nix index 6079968f5..a34750f0b 100644 --- a/modules/microvm/virtualization/microvm/modules.nix +++ b/modules/microvm/virtualization/microvm/modules.nix @@ -46,11 +46,17 @@ let inherit (config.ghaf.qemu) audiovm; }; + # Common namespace to pass parameters at built-time from host to VMs + commonModule = { + config.ghaf.common = config.ghaf.common; + }; + # Service modules serviceModules = { # Givc module givc = { config.ghaf.givc.enable = config.ghaf.givc.enable; + config.ghaf.givc.debug = config.ghaf.givc.debug; }; # Audio module 
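Review bot: `# microvm.host.useNotifySockets = true;` is commented out with no explanation, which reads as a leftover rather than a decision. If this is the microvm.nix option that makes `microvm@` units wait for the guest's sd_notify readiness signal, disabling it means host units ordered after a VM (givc, networking) may start before the guest is actually up, so the reason and the replacement mechanism should be recorded, e.g. `# useNotifySockets disabled: <reason>; VM readiness is instead ensured by <mechanism>`, or the line removed outright if it is no longer wanted. The relocated block also keeps `withAudit = config.ghaf.profiles.debug.enable`, i.e. auditd stays off on the host in release builds; that is pre-existing, but it deserves a conscious decision now that this commit enables givc in release as well.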
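Review bot: `commonModule = { config.ghaf.common = config.ghaf.common; }` copies the entire host-side `ghaf.common` namespace into every VM configuration, appvms included, without any filtering, so anything a host profile later places under it is evaluated into each guest's closure. The option should therefore be documented as build-time, non-secret parameters only; I would extend the comment to `# Common namespace to pass parameters at build-time from host to VMs. Must not carry secrets: values end up in every guest's closure.` (also fixing "built-time"). The same caveat applies to `config.ghaf.givc.debug` propagated next to it: if debug enables verbose givc logging, every VM now inherits the host's setting.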
@@ -72,11 +78,6 @@ let # Yubikey module yubikey = optionalAttrs cfg.guivm.yubikey { config.ghaf.services.yubikey.enable = true; }; - - # Common namespace to share (built-time) between host and VMs - commonNamespace = { - config.ghaf.namespaces = config.ghaf.namespaces; - }; }; # User account settings @@ -146,6 +147,7 @@ in serviceModules.givc referenceServiceModule managedUserAccounts + commonModule ]; # Audiovm modules audiovm.extraModules = optionals cfg.audiovm.enable [ @@ -157,6 +159,7 @@ in serviceModules.givc serviceModules.bluetooth managedUserAccounts + commonModule ]; # Guivm modules guivm.extraModules = optionals cfg.guivm.enable [ @@ -168,18 +171,20 @@ in serviceModules.fprint serviceModules.yubikey serviceModules.xdgOpener - serviceModules.commonNamespace serviceModules.givc referenceProgramsModule managedUserAccounts + commonModule ]; adminvm.extraModules = optionals cfg.adminvm.enable [ serviceModules.givc managedUserAccounts + commonModule ]; appvm.extraModules = optionals cfg.appvm.enable [ serviceModules.givc managedUserAccounts + commonModule ]; }; }; diff --git a/modules/microvm/virtualization/microvm/netvm.nix b/modules/microvm/virtualization/microvm/netvm.nix index e5c0b6500..6b04e358a 100644 --- a/modules/microvm/virtualization/microvm/netvm.nix +++ b/modules/microvm/virtualization/microvm/netvm.nix @@ -8,8 +8,6 @@ }: let vmName = "net-vm"; - macAddress = "02:00:00:01:01:01"; - netvmBaseConfiguration = { imports = [ inputs.impermanence.nixosModules.impermanence @@ -19,9 +17,7 @@ let config lib vmName - macAddress ; - internalIP = 1; isGateway = true; }) @@ -54,6 +50,7 @@ let }; # System + type = "system-vm"; systemd = { enable = true; withName = "netvm-systemd"; diff --git a/modules/reference/appvms/business.nix b/modules/reference/appvms/business.nix index ec42cdc2c..9fcf674d1 100644 --- a/modules/reference/appvms/business.nix +++ b/modules/reference/appvms/business.nix 
@@ -10,9 +10,6 @@ { name = "business"; packages = lib.optionals config.ghaf.profiles.debug.enable [ pkgs.tcpdump ]; - - # TODO create a repository of mac addresses to avoid conflicts - macAddress = "02:00:00:03:10:01"; ramMb = 6144; cores = 4; borderColor = "#218838"; diff --git a/modules/reference/appvms/chromium.nix b/modules/reference/appvms/chromium.nix index 5888b88de..fb552bb37 100644 --- a/modules/reference/appvms/chromium.nix +++ b/modules/reference/appvms/chromium.nix @@ -10,8 +10,6 @@ { name = "chromium"; packages = lib.optional config.ghaf.development.debug.tools.enable pkgs.alsa-utils; - # TODO create a repository of mac addresses to avoid conflicts - macAddress = "02:00:00:03:05:01"; ramMb = 6144; cores = 4; borderColor = "#B83232"; diff --git a/modules/reference/appvms/comms.nix b/modules/reference/appvms/comms.nix index 3a210ce3a..229c35b62 100644 --- a/modules/reference/appvms/comms.nix +++ b/modules/reference/appvms/comms.nix @@ -16,7 +16,6 @@ in pkgs.google-chrome pkgs.gpsd ] ++ lib.optionals config.ghaf.profiles.debug.enable [ pkgs.tcpdump ]; - macAddress = "02:00:00:03:09:01"; ramMb = 4096; cores = 4; borderColor = "#337aff"; diff --git a/modules/reference/appvms/gala.nix b/modules/reference/appvms/gala.nix index 657753ffb..52623f69f 100644 --- a/modules/reference/appvms/gala.nix +++ b/modules/reference/appvms/gala.nix @@ -7,7 +7,6 @@ }: { name = "gala"; - macAddress = "02:00:00:03:06:01"; ramMb = 1536; cores = 2; borderColor = "#027d7b"; diff --git a/modules/reference/appvms/google-chrome.nix b/modules/reference/appvms/google-chrome.nix index 0b06cba8d..198e9c9c9 100644 --- a/modules/reference/appvms/google-chrome.nix +++ b/modules/reference/appvms/google-chrome.nix @@ -10,8 +10,6 @@ { name = "chrome"; packages = lib.optional config.ghaf.development.debug.tools.enable pkgs.alsa-utils; - # TODO create a repository of mac addresses to avoid conflicts - macAddress = "02:00:00:03:11:01"; ramMb = 6144; cores = 4; borderColor = "#630505"; 
diff --git a/modules/reference/appvms/zathura.nix b/modules/reference/appvms/zathura.nix index cf6c58d97..e2ea4c5c8 100644 --- a/modules/reference/appvms/zathura.nix +++ b/modules/reference/appvms/zathura.nix @@ -12,7 +12,6 @@ # Image viewer pkgs.pqiv ]; - macAddress = "02:00:00:03:07:01"; ramMb = 512; cores = 1; borderColor = "#122263"; diff --git a/modules/reference/desktop/applications.nix b/modules/reference/desktop/applications.nix index 9b8b4fc42..a024ece40 100644 --- a/modules/reference/desktop/applications.nix +++ b/modules/reference/desktop/applications.nix @@ -9,12 +9,13 @@ let cfg = config.ghaf.reference.desktop.applications; inherit (config.ghaf.services.audio) pulseaudioTcpControlPort; + inherit (lib) mkIf mkEnableOption; in { options.ghaf.reference.desktop.applications = { - enable = lib.mkEnableOption "desktop applications"; + enable = mkEnableOption "desktop applications"; }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { ghaf.virtualization.microvm.guivm.applications = [ { @@ -63,7 +64,7 @@ in name = "Control panel"; description = "Control panel"; icon = "utilities-tweak-tool"; - command = "${pkgs.ctrl-panel}/bin/ctrl-panel"; + command = "${pkgs.ctrl-panel}/bin/ctrl-panel ${config.ghaf.givc.cliArgs}"; } ] ++ lib.optionals config.ghaf.reference.programs.windows-launcher.enable ( diff --git a/modules/reference/profiles/laptop-x86.nix b/modules/reference/profiles/laptop-x86.nix index 0d97c423d..3e43b5004 100644 --- a/modules/reference/profiles/laptop-x86.nix +++ b/modules/reference/profiles/laptop-x86.nix @@ -110,8 +110,7 @@ in }; # Enable givc - # @TODO change this flag to enable givc in release - givc.enable = config.ghaf.profiles.debug.enable; + givc.enable = true; givc.debug = false; host = { @@ -131,7 +130,7 @@ in endpoint = "http://${listenerAddress}:${listenerPort}/loki/api/v1/push"; }; listener = { - address = "admin-vm" + lib.optionalString config.ghaf.profiles.debug.enable "-debug"; + address = "admin-vm"; port = 9999; }; }; 
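Review bot: `givc.enable = true;` turns the givc control plane on for release builds, where it previously ran only under the debug profile, but whether `ghaf.givc.enableTls` defaults to true is not visible in this diff; the call-site code removed elsewhere in this commit shows that with TLS off the CLI runs with `--notls`, i.e. poweroff/suspend/app-start commands to the admin VM would be unauthenticated on the internal network. I would pin that down in this profile with an assertion such as `assertions = [ { assertion = config.ghaf.givc.enableTls || config.ghaf.profiles.debug.enable; message = "givc must use TLS in release builds"; } ];`. The listener `address = "admin-vm";` drops the `-debug` suffix unconditionally; assuming the hosts registry introduced by this commit resolves `admin-vm` in debug builds too this is fine, but it changes the log-forwarding target for existing debug images and is worth a note in the commit message.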
diff --git a/modules/reference/programs/chromium.nix b/modules/reference/programs/chromium.nix index ebb9e83b7..204bf5b8e 100644 --- a/modules/reference/programs/chromium.nix +++ b/modules/reference/programs/chromium.nix @@ -35,22 +35,10 @@ in }; "open-normal-extension.cfg" = { - text = - let - cliArgs = builtins.replaceStrings [ "\n" ] [ " " ] '' - --name ${config.ghaf.givc.adminConfig.name} - --addr ${config.ghaf.givc.adminConfig.addr} - --port ${config.ghaf.givc.adminConfig.port} - ${lib.optionalString config.ghaf.givc.enableTls "--cacert /run/givc/ca-cert.pem"} - ${lib.optionalString config.ghaf.givc.enableTls "--cert /run/givc/business-vm-cert.pem"} - ${lib.optionalString config.ghaf.givc.enableTls "--key /run/givc/business-vm-key.pem"} - ${lib.optionalString (!config.ghaf.givc.enableTls) "--notls"} - ''; - in - '' - export GIVC_PATH="${pkgs.givc-cli}" - export GIVC_OPTS="${cliArgs}" - ''; + text = '' + export GIVC_PATH="${pkgs.givc-cli}" + export GIVC_OPTS="${config.ghaf.givc.cliArgs}" + ''; }; }; }; diff --git a/modules/reference/programs/google-chrome.nix b/modules/reference/programs/google-chrome.nix index 543f33a29..3ea8cd8b4 100644 --- a/modules/reference/programs/google-chrome.nix +++ b/modules/reference/programs/google-chrome.nix 
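Review bot: The removed block pinned the business VM's client identity to `/run/givc/business-vm-cert.pem` and `business-vm-key.pem`, whereas `GIVC_OPTS="${config.ghaf.givc.cliArgs}"` now relies on `cliArgs` being evaluated in the importing VM's config to select the same per-VM material; that is plausible but not checkable here, so a comment above `text =` such as `# cliArgs is evaluated in this VM's config and selects this VM's client cert` would record the expectation. `open-normal-extension.cfg` appears to be shell-sourced (`export ...`), so a `cliArgs` value containing `"` or `$` would break or expand at source time; the value is build-time config, so this is a note rather than a finding, but wrapping it with `lib.escapeShellArg` would make the file robust to future additions.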
@@ -94,22 +94,10 @@ in }; "open-normal-extension.cfg" = { - text = - let - cliArgs = builtins.replaceStrings [ "\n" ] [ " " ] '' - --name ${config.ghaf.givc.adminConfig.name} - --addr ${config.ghaf.givc.adminConfig.addr} - --port ${config.ghaf.givc.adminConfig.port} - ${lib.optionalString config.ghaf.givc.enableTls "--cacert /run/givc/ca-cert.pem"} - ${lib.optionalString config.ghaf.givc.enableTls "--cert /run/givc/business-vm-cert.pem"} - ${lib.optionalString config.ghaf.givc.enableTls "--key /run/givc/business-vm-key.pem"} - ${lib.optionalString (!config.ghaf.givc.enableTls) "--notls"} - ''; - in - '' - export GIVC_PATH="${pkgs.givc-cli}" - export GIVC_OPTS="${cliArgs}" - ''; + text = '' + export GIVC_PATH="${pkgs.givc-cli}" + export GIVC_OPTS="${config.ghaf.givc.cliArgs}" + ''; }; }) ]; diff --git a/modules/reference/programs/windows-launcher.nix b/modules/reference/programs/windows-launcher.nix index 1a63f9532..f5bea6e34 100644 --- a/modules/reference/programs/windows-launcher.nix +++ b/modules/reference/programs/windows-launcher.nix @@ -28,7 +28,7 @@ in spice-host = lib.mkOption { description = "Spice host"; type = lib.types.str; - default = "192.168.101.2"; + default = config.ghaf.networking.hosts."ghaf-host".ipv4; }; }; diff --git a/modules/reference/services/dendrite-pinecone/dendrite-config.nix b/modules/reference/services/dendrite-pinecone/dendrite-config.nix index 4f8409015..dc0cd7d2f 100644 --- a/modules/reference/services/dendrite-pinecone/dendrite-config.nix +++ b/modules/reference/services/dendrite-pinecone/dendrite-config.nix @@ -1,6 +1,11 @@ # Copyright 2024 TII (SSRC) and the Ghaf contributors # SPDX-License-Identifier: Apache-2.0 -{ config, lib, ... }: +{ + config, + lib, + pkgs, + ... +}: { config.ghaf.reference.services.dendrite-pinecone = let 
@@ -13,17 +18,13 @@ internalNic = let vmNetworking = import ../../../microvm/virtualization/microvm/common/vm-networking.nix { - inherit config; - inherit lib; + inherit config lib pkgs; vmName = "net-vm"; - inherit (config.microvm.net-vm) macAddress; - internalIP = 1; }; in "${lib.head vmNetworking.networking.nat.internalInterfaces}"; - getCommsVmEntry = builtins.filter (x: x.name == "comms-vm") config.ghaf.networking.hosts.entries; - serverIpAddr = lib.head (builtins.map (x: x.ip) getCommsVmEntry); + serverIpAddr = config.ghaf.networking.hosts."comms-vm".ipv4; in { enable = lib.mkDefault false; diff --git a/modules/reference/services/proxy-server/3proxy-config.nix b/modules/reference/services/proxy-server/3proxy-config.nix index ed768070c..e6d046a95 100644 --- a/modules/reference/services/proxy-server/3proxy-config.nix +++ b/modules/reference/services/proxy-server/3proxy-config.nix @@ -70,16 +70,13 @@ let flush ''; - - netvmEntry = builtins.filter (x: x.name == "net-vm") config.ghaf.networking.hosts.entries; - netvmAddr = lib.head (builtins.map (x: x.ip) netvmEntry); in { options.ghaf.reference.services.proxy-server = { enable = mkEnableOption "Enable proxy server module"; internalAddress = lib.mkOption { type = lib.types.str; - default = netvmAddr; + default = config.ghaf.networking.hosts."net-vm".ipv4; description = "Internal address for proxy server"; }; bindPort = lib.mkOption { @@ -100,7 +97,7 @@ in users.users.${proxyUserName} = { isSystemUser = true; description = "Proxy User for managing allowlist and services"; - # extraGroups = [ "${proxyGroupName}" ]; # Adding to 'proxy-admin' for specific access + # extraGroups = [ "${proxyGroupName}" ]; # Adding to 'proxy-admin' for specific access group = "${proxyGroupName}"; }; 
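Review bot: `internalNic` still evaluates the whole `vm-networking.nix` module for `net-vm` (now also passing an unused `pkgs`) only to read `lib.head vmNetworking.networking.nat.internalInterfaces`, which this same diff shows is the constant `"ethint0"`; any option that module starts requiring will break this service's evaluation for no benefit. Exposing the interface name as an option of the networking module, or as a shared constant in `lib`, and reading that here would remove the dependency. The hunk sits inside `config.ghaf.reference.services.dendrite-pinecone = let ... in { ... }`, which starts before and ends after the visible lines.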
@@ -126,8 +123,8 @@ in polkit = { enable = true; debug = true; - # Polkit rules for allowing proxy-user to run proxy related systemctl - # commands without sudo and password requirement + # Polkit rules for allowing proxy-user to run proxy related systemctl + # commands without sudo and password requirement extraConfig = '' polkit.addRule(function(action, subject) { if ((action.id == "org.freedesktop.systemd1.manage-units" && diff --git a/packages/ghaf-powercontrol/default.nix b/packages/ghaf-powercontrol/default.nix index dfc4ba474..3679ab6d0 100644 --- a/packages/ghaf-powercontrol/default.nix +++ b/packages/ghaf-powercontrol/default.nix @@ -10,17 +10,6 @@ ... }: let - inherit (builtins) replaceStrings; - inherit (lib) optionalString; - cliArgs = replaceStrings [ "\n" ] [ " " ] '' - --name ${ghafConfig.givc.adminConfig.name} - --addr ${ghafConfig.givc.adminConfig.addr} - --port ${ghafConfig.givc.adminConfig.port} - ${optionalString ghafConfig.givc.enableTls "--cacert /run/givc/ca-cert.pem"} - ${optionalString ghafConfig.givc.enableTls "--cert /run/givc/gui-vm-cert.pem"} - ${optionalString ghafConfig.givc.enableTls "--key /run/givc/gui-vm-key.pem"} - ${optionalString (!ghafConfig.givc.enableTls) "--notls"} - ''; useGivc = ghafConfig.givc.enable; # Handle Wayland display power state waylandDisplayCmd = command: '' @@ -37,7 +26,7 @@ writeShellApplication { text = '' case "$1" in reboot|poweroff) - ${if useGivc then "givc-cli ${cliArgs}" else "systemctl"} "$1" + ${if useGivc then "givc-cli ${ghafConfig.givc.cliArgs}" else "systemctl"} "$1" ;; suspend) # Lock sessions @@ -47,7 +36,7 @@ writeShellApplication { ${waylandDisplayCmd "off"} # Send suspend command to host, ensure screen is on in case of failure - ${if useGivc then "givc-cli ${cliArgs}" else "systemctl"} suspend \ + ${if useGivc then "givc-cli ${ghafConfig.givc.cliArgs}" else "systemctl"} suspend \ || ${waylandDisplayCmd "on"} # Switch on display on wakeup