WIP: GIVC TLS #915

wants to merge 1 commit into
base: main
14 changes: 7 additions & 7 deletions flake.lock


2 changes: 1 addition & 1 deletion flake.nix
Expand Up @@ -144,7 +144,7 @@
};

givc = {
url = "github:tiiuae/ghaf-givc/63e19e1b61a669a21c1bdd0ae5a8e169b2f2d2f6";
url = "github:tiiuae/ghaf-givc/0467bef54a34a23dfd72ad2bb35715b8021651d3";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-parts.follows = "flake-parts";
52 changes: 34 additions & 18 deletions modules/common/networking/hosts.nix
Expand Up @@ -32,19 +32,12 @@ let
# please note that .100. network is not
# reachable from ghaf-host. It's only reachable
# guest-to-guest.
# Use to .101. (debug) to access guests from host.
# debug network hosts are post-fixed: <hostname>-debug
ipBase = "192.168.100";
debugBase = "192.168.101";
network = "192.168.100";
hostsEntries = [
{
ip = 1;
name = "net-vm";
}
{
ip = 2;
name = "ghaf-host";
}
{
ip = 3;
name = "gui-vm";
Expand Down Expand Up @@ -83,21 +76,36 @@ let
}
];

# Use to .101. (debug) to access guests from host. You have to hop over net-vm.
# Debug network hosts are post-fixed: <hostname>-debug
debugNetwork = "192.168.101";
hostsDebugEntries = [
{
ip = 1;
name = "net-vm";
}
{
ip = 2;
name = "ghaf-host";
}
{
ip = 10;
name = "admin-vm";
}
];

mkHostEntry =
ipBase:
{ ip, name }:
{
name = "${name}";
ip = "${ipBase}.${toString ip}";
};
mkHostEntryDebug =
{ ip, name }:
{
name = "${name}-debug";
ip = "${debugBase}.${toString ip}";
};
entries =
(map mkHostEntry hostsEntries)
++ optionals config.ghaf.profiles.debug.enable (map mkHostEntryDebug hostsEntries);

entries = map (mkHostEntry network) hostsEntries;
debugEntries = optionals config.ghaf.profiles.debug.enable (
map (mkHostEntry debugNetwork) hostsDebugEntries
);
in
{
options.ghaf.networking.hosts = {
Expand All @@ -111,17 +119,25 @@ in
'';
default = null;
};
debugEntries = mkOption {
type = types.listOf hostsEntrySubmodule;
description = ''
List of hosts entries for the debug network.
'';
default = null;
};
};

config = mkIf cfg.enable {
ghaf.networking.hosts = {
inherit entries;
inherit debugEntries;
};

networking.hosts = foldr recursiveUpdate { } (
map (vm: {
"${vm.ip}" = [ "${vm.name}" ];
}) config.ghaf.networking.hosts.entries
}) (config.ghaf.networking.hosts.entries ++ config.ghaf.networking.hosts.debugEntries)
);
};
}
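Review bot: `debugEntries` is declared as `types.listOf hostsEntrySubmodule` with `default = null` in the new mkOption block, yet its only consumer concatenates it at `config.ghaf.networking.hosts.entries ++ config.ghaf.networking.hosts.debugEntries`; a list option whose default is null should fail the module type check, and `++ null` is an evaluation error, so the default should read `default = [ ];`. Inside this module the `config` block always assigns the `optionals` result, so the failure would only surface when `cfg.enable` is false and another module reads the option, which is exactly the case a default exists for. The pre-existing `default = null` on `entries` is older than this change and is not re-raised here. A small wording fix for the moved comment: `# Use the .101. (debug) network to access guests from host; you have to hop over net-vm.`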
45 changes: 17 additions & 28 deletions modules/common/services/desktop.nix
Expand Up @@ -7,13 +7,12 @@
...
}:
let
inherit (builtins) hasAttr replaceStrings;
inherit (builtins) hasAttr;
inherit (lib)
mkIf
mkEnableOption
optionals
optionalAttrs
optionalString
;

cfg = config.ghaf.services.desktop;
Expand All @@ -27,6 +26,7 @@ let
{ }
else
{ };
givc-cli-wrapper = pkgs.callPackage ../../../packages/givc-cli-wrapper { inherit config pkgs lib; };
in
# TODO: The desktop configuration needs to be re-worked.
# TODO it needs to be moved out of common and the launchers have to be set bu the reference programs NOT here
Expand All @@ -40,17 +40,6 @@ in
profiles.graphics.compositor = "labwc";
graphics = {
launchers =
let
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They might be needed for ctrl-panel as well, at least the `--notls` option

Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I can add a wrapper for ctrl-panel as well

cliArgs = replaceStrings [ "\n" ] [ " " ] ''
--name ${config.ghaf.givc.adminConfig.name}
--addr ${config.ghaf.givc.adminConfig.addr}
--port ${config.ghaf.givc.adminConfig.port}
${optionalString config.ghaf.givc.enableTls "--cacert /run/givc/ca-cert.pem"}
${optionalString config.ghaf.givc.enableTls "--cert /run/givc/gui-vm-cert.pem"}
${optionalString config.ghaf.givc.enableTls "--key /run/givc/gui-vm-key.pem"}
${optionalString (!config.ghaf.givc.enableTls) "--notls"}
'';
in
[
# {
# # The SPKI fingerprint is calculated like this:
Expand All @@ -59,15 +48,15 @@ in
# name = "Chromium";
# description = "Isolated General Browsing";
# vm = "Chromium";
# path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start chromium";
# path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start chromium";
# icon = "chromium";
# }

{
name = "Trusted Browser";
description = "Isolated Trusted Browsing";
vm = "Business";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm google-chrome";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm google-chrome";
icon = "thorium-browser";
}
{
Expand All @@ -77,91 +66,91 @@ in
name = "Google Chrome";
description = "Isolated General Browsing";
vm = "Chrome";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm chrome-vm google-chrome";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm chrome-vm google-chrome";
icon = "google-chrome";
}

{
name = "VPN";
description = "GlobalProtect VPN Client";
vm = "Business";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm gpclient";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm gpclient";
icon = "yast-vpn";
}

{
name = "Microsoft Outlook";
description = "Microsoft Email Client";
vm = "Business";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm outlook";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm outlook";
icon = "ms-outlook";
}
{
name = "Microsoft 365";
description = "Microsoft 365 Software Suite";
vm = "Business";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm office";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm office";
icon = "microsoft-365";
}
{
name = "Teams";
description = "Microsoft Teams Collaboration Application";
vm = "Business";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm teams";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm teams";
icon = "teams-for-linux";
}
{
name = "Text Editor";
description = "Simple Text Editor";
vm = "Business";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm gnome-text-editor";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm gnome-text-editor";
icon = "org.gnome.TextEditor";
}
{
name = "Xarchiver";
description = "File Compressor";
vm = "Business";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm xarchiver";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm xarchiver";
icon = "xarchiver";
}

{
name = "GALA";
description = "Secure Android-in-the-Cloud";
vm = "GALA";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start gala";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start gala";
icon = "distributor-logo-android";
}

{
name = "PDF Viewer";
description = "Isolated PDF Viewer";
vm = "Zathura";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm zathura-vm zathura";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm zathura-vm zathura";
icon = "document-viewer";
}

{
name = "Element";
description = "General Messaging Application";
vm = "Comms";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm comms-vm element";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm comms-vm element";
icon = "element-desktop";
}

{
name = "Slack";
description = "Teams Collaboration & Messaging Application";
vm = "Comms";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm comms-vm slack";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm comms-vm slack";
icon = "slack";
}

{
name = "Zoom";
description = "Zoom Videoconferencing Application";
vm = "Comms";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm comms-vm zoom";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm comms-vm zoom";
}

{
Expand Down Expand Up @@ -203,7 +192,7 @@ in
name = "Video Editor";
description = "Losslesscut Video Editor";
vm = "Business";
path = "${pkgs.givc-cli}/bin/givc-cli ${cliArgs} start --vm business-vm losslesscut";
path = "${givc-cli-wrapper}/bin/givc-cli-wrapper start --vm business-vm losslesscut";
icon = "${pkgs.losslesscut-bin}/share/icons/losslesscut.png";
}

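Review bot: The TLS flags previously assembled inline in `cliArgs` (`--cacert`, `--cert`, `--key` when `enableTls` is set, `--notls` otherwise) now live in the package pulled in at `givc-cli-wrapper = pkgs.callPackage ../../../packages/givc-cli-wrapper { inherit config pkgs lib; };`, but that package is not among the four files in this commit, so its contents cannot be reviewed here and, unless it already exists on main, evaluation will fail on the missing path. Because the wrapper now decides whether every launcher talks to the admin service with or without TLS, a reviewer needs to confirm it keeps the `--notls` branch strictly on `!config.ghaf.givc.enableTls` and does not fall back to plaintext when the files under `/run/givc/` are absent. A comment above the `callPackage` line such as `# givc-cli plus admin address and TLS material; the TLS/--notls choice is made inside the wrapper from config.ghaf.givc.enableTls` would make that dependency visible to the next reader. The `let` block that introduced `cliArgs` begins inside the hunk but the surrounding `launchers` list runs past it.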