WIP: GIVC TLS

    - change networking into two different definitions to prepare network
      removal from host
    - add and populate givc tls module
    - add givc-cli wrapper module for easier use in UI
    - remove logging from x86 profile

Signed-off-by: Manuel Bluhm <[email protected]>

flake.nix

@@ -144,7 +144,7 @@
     };
 
     givc = {
-      url = "github:tiiuae/ghaf-givc/63e19e1b61a669a21c1bdd0ae5a8e169b2f2d2f6";
+      url = "github:tiiuae/ghaf-givc/0467bef54a34a23dfd72ad2bb35715b8021651d3";
       inputs = {
         nixpkgs.follows = "nixpkgs";
         flake-parts.follows = "flake-parts";

modules/common/networking/hosts.nix

@@ -32,19 +32,12 @@ let
   # please note that .100. network is not
   # reachable from ghaf-host. It's only reachable
   # guest-to-guest.
-  # Use to .101. (debug) to access guests from host.
-  # debug network hosts are post-fixed: <hostname>-debug
-  ipBase = "192.168.100";
-  debugBase = "192.168.101";
+  network = "192.168.100";
   hostsEntries = [
     {
       ip = 1;
       name = "net-vm";
     }
-    {
-      ip = 2;
-      name = "ghaf-host";
-    }
     {
       ip = 3;
       name = "gui-vm";
@@ -83,21 +76,36 @@ let
     }
   ];
 
+  # Use to .101. (debug) to access guests from host. You have to hop over net-vm.
+  # Debug network hosts are post-fixed: <hostname>-debug
+  debugNetwork = "192.168.101";
+  hostsDebugEntries = [
+    {
+      ip = 1;
+      name = "net-vm";
+    }
+    {
+      ip = 2;
+      name = "ghaf-host";
+    }
+    {
+      ip = 10;
+      name = "admin-vm";
+    }
+  ];
+
   mkHostEntry =
+    ipBase:
     { ip, name }:
     {
       name = "${name}";
       ip = "${ipBase}.${toString ip}";
     };
-  mkHostEntryDebug =
-    { ip, name }:
-    {
-      name = "${name}-debug";
-      ip = "${debugBase}.${toString ip}";
-    };
-  entries =
-    (map mkHostEntry hostsEntries)
-    ++ optionals config.ghaf.profiles.debug.enable (map mkHostEntryDebug hostsEntries);
+
+  entries = map (mkHostEntry network) hostsEntries;
+  debugEntries = optionals config.ghaf.profiles.debug.enable (
+    map (mkHostEntry debugNetwork) hostsDebugEntries
+  );
 in
 {
   options.ghaf.networking.hosts = {
@@ -111,17 +119,25 @@ in
       '';
       default = null;
     };
+    debugEntries = mkOption {
+      type = types.listOf hostsEntrySubmodule;
+      description = ''
+        List of hosts entries for the debug network.
+      '';
+      default = null;
+    };
   };
 
   config = mkIf cfg.enable {
     ghaf.networking.hosts = {
       inherit entries;
+      inherit debugEntries;
     };
 
     networking.hosts = foldr recursiveUpdate { } (
       map (vm: {
         "${vm.ip}" = [ "${vm.name}" ];
-      }) config.ghaf.networking.hosts.entries
+      }) (config.ghaf.networking.hosts.entries ++ config.ghaf.networking.hosts.debugEntries)
     );
   };
 }

modules/common/services/desktop.nix

@@ -7,13 +7,12 @@
   ...
 }:
 let
-  inherit (builtins) hasAttr replaceStrings;
+  inherit (builtins) hasAttr;
   inherit (lib)
     mkIf
     mkEnableOption
     optionals
     optionalAttrs
-    optionalString
     ;
 
   cfg = config.ghaf.services.desktop;
@@ -27,6 +26,7 @@ let
         { }
     else
       { };
+  givc-cli-wrapper = pkgs.callPackage ../../../packages/givc-cli-wrapper { inherit config pkgs lib; };
 in
 # TODO: The desktop configuration needs to be re-worked.
 # TODO it needs to be moved out of common and the launchers have to be set bu the reference programs NOT here
@@ -40,17 +40,6 @@ in
       profiles.graphics.compositor = "labwc";
       graphics = {
         launchers =
-          let
-            cliArgs = replaceStrings [ "\n" ] [ " " ] ''
-              --name ${config.ghaf.givc.adminConfig.name}
-              --addr ${config.ghaf.givc.adminConfig.addr}
-              --port ${config.ghaf.givc.adminConfig.port}
-              ${optionalString config.ghaf.givc.enableTls "--cacert /run/givc/ca-cert.pem"}
-              ${optionalString config.ghaf.givc.enableTls "--cert /run/givc/gui-vm-cert.pem"}
-              ${optionalString config.ghaf.givc.enableTls "--key /run/givc/gui-vm-key.pem"}
-              ${optionalString (!config.ghaf.givc.enableTls) "--notls"}
-            '';
-          in
           [
             # {
             #   # The SPKI fingerprint is calculated like this:
@@ -59,15 +48,15 @@ in
             #   name = "Chromium";
             #   description = "Isolated General Browsing";
             #   vm = "Chromium";
-            #   path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start chromium";
+            #   path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start chromium";
             #   icon = "chromium";
             # }
 
             {
               name = "Trusted Browser";
               description = "Isolated Trusted Browsing";
               vm = "Business";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm google-chrome";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm google-chrome";
               icon = "thorium-browser";
             }
             {
@@ -77,91 +66,91 @@ in
               name = "Google Chrome";
               description = "Isolated General Browsing";
               vm = "Chrome";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm chrome-vm google-chrome";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm chrome-vm google-chrome";
               icon = "google-chrome";
             }
 
             {
               name = "VPN";
               description = "GlobalProtect VPN Client";
               vm = "Business";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm gpclient";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm gpclient";
               icon = "yast-vpn";
             }
 
             {
               name = "Microsoft Outlook";
               description = "Microsoft Email Client";
               vm = "Business";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm outlook";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm outlook";
               icon = "ms-outlook";
             }
             {
               name = "Microsoft 365";
               description = "Microsoft 365 Software Suite";
               vm = "Business";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm office";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm office";
               icon = "microsoft-365";
             }
             {
               name = "Teams";
               description = "Microsoft Teams Collaboration Application";
               vm = "Business";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm teams";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm teams";
               icon = "teams-for-linux";
             }
             {
               name = "Text Editor";
               description = "Simple Text Editor";
               vm = "Business";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm gnome-text-editor";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm gnome-text-editor";
               icon = "org.gnome.TextEditor";
             }
             {
               name = "Xarchiver";
               description = "File Compressor";
               vm = "Business";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm xarchiver";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm xarchiver";
               icon = "xarchiver";
             }
 
             {
               name = "GALA";
               description = "Secure Android-in-the-Cloud";
               vm = "GALA";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start gala";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start gala";
               icon = "distributor-logo-android";
             }
 
             {
               name = "PDF Viewer";
               description = "Isolated PDF Viewer";
               vm = "Zathura";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm zathura-vm zathura";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm zathura-vm zathura";
               icon = "document-viewer";
             }
 
             {
               name = "Element";
               description = "General Messaging Application";
               vm = "Comms";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm comms-vm element";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm comms-vm element";
               icon = "element-desktop";
             }
 
             {
               name = "Slack";
               description = "Teams Collaboration & Messaging Application";
               vm = "Comms";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm comms-vm slack";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm comms-vm slack";
               icon = "slack";
             }
 
             {
               name = "Zoom";
               description = "Zoom Videoconferencing Application";
               vm = "Comms";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm comms-vm zoom";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm comms-vm zoom";
             }
 
             {
@@ -203,7 +192,7 @@ in
               name = "Video Editor";
               description = "Losslesscut Video Editor";
               vm = "Business";
-              path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm losslesscut";
+              path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm losslesscut";
               icon = "${pkgs.losslesscut-bin}/share/icons/losslesscut.png";
             }