WS-KCNHUB/machines/kcnhub/servers/xpra.nix

{ config, pkgs, lib, ...}: let
  xpra-html5 = pkgs.fetchFromGitHub {
    owner = "Xpra-org";
    repo = "xpra-html5";
    rev = "e5fb000a9d4042c54e55c5e30c0936125ec3a045";
    hash = "sha256-nfPePTvOVBgx/aMx380vu4Kn9sxmo1QNb050N95ENPk=";
  };
  xpra-web = pkgs.writeScript "xpra-web" ''
    #!${pkgs.bash}/bin/bash
    ${pkgs.xpra}/bin/xpra $@ --html=${xpra-html5}/html5
  '';
in {
  nixpkgs.overlays = [
    (final: prev: {
      xpra = prev.xpra.overrideAttrs (old: {
        postPatch = old.postPatch or "" + ''
          sed -e 's#"%s/share/xsessions" % sys.prefix#"${config.services.xserver.displayManager.sessionData.desktops}/share/xsessions"#g' -i xpra/platform/xposix/menu_helper.py
        '';
      });
    })
  ];
  # To use instead of Plasma
  services.xserver.windowManager.fluxbox.enable = true;
  environment.systemPackages = [ pkgs.xpra ];
  security.pam.services = {
    xpra = {
      text = ''
        # Account management.
        account required pam_unix.so

        # Authentication management.
        auth sufficient pam_unix.so   likeauth try_first_pass
        auth required pam_deny.so

        # Password management.
        password sufficient pam_unix.so nullok yescrypt

        session required pam_unix.so

        #account    required     pam_nologin.so
        # account    include      system-auth
        # password   include      system-auth

        # pam_selinux.so close should be the first session rule
        #session    required     pam_selinux.so close
        session    required     pam_loginuid.so
        #to require a local user account, uncomment this line:
        #session    required     pam_localuser.so
        # session    sufficient   pam_systemd.so class=background type=x11

        # pam_selinux.so open should only be followed by sessions to be executed in the user context
        # session    required     pam_selinux.so open
        # session    required     pam_namespace.so
        # session    optional     pam_keyinit.so force revoke
        # session    include      system-auth
        # session    include      postlogin
        -session   optional     pam_ck_connector.so
      '';
    };
  };
  systemd.sockets.xpra-web = {
    description = "Xpra Web Socket";
    partOf = [ "xpra-web.service" ];
    wantedBy = [ "sockets.target" ];
    socketConfig = {
      # ListenStream = 14500;
      ListenStream = "/run/xpra/system";
      SocketUser = "root";
      SocketGroup = "users";
      PassCredentials = "true";
    };
  };
  systemd.services.xpra-web = {
    description = "xpra-web";
    after = [ "network.target" "xpra-web.socket" ];
    requires = [ "xpra-web.socket" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "simple";
      ExecStart = ''${xpra-web} proxy :14500 --daemon=no \
                      --tcp-auth=pam --auth=pam --bind=none \
                      --log-dir=/var/log --pidfile=/run/xpra/proxy.pid --bind-tcp=:10000'';
      Restart = "always";
      # Security
      NoNewPrivileges = true;
      ReadWritePaths = [ "/run/xpra" "/tmp" ];
      # Sandboxing
      ProtectSystem = "strict";
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
    };
  };
  services.caddy.virtualHosts = {
    "remote.ws.kcnhub.com" = {
      extraConfig = ''
        reverse_proxy 127.0.0.1:${toString 10000}
      '';           
    };
  };
}
Xpra-web service 2023-09-07 12:20:30 -04:00			`{ config, pkgs, lib, ...}: let`
			`xpra-html5 = pkgs.fetchFromGitHub {`
			`owner = "Xpra-org";`
			`repo = "xpra-html5";`
			`rev = "e5fb000a9d4042c54e55c5e30c0936125ec3a045";`
			`hash = "sha256-nfPePTvOVBgx/aMx380vu4Kn9sxmo1QNb050N95ENPk=";`
Xpra configuration 2023-08-31 10:28:14 -04:00			`};`
Xpra-web service 2023-09-07 12:20:30 -04:00			`xpra-web = pkgs.writeScript "xpra-web" ''`
			`#!${pkgs.bash}/bin/bash`
			`${pkgs.xpra}/bin/xpra $@ --html=${xpra-html5}/html5`
			`'';`
			`in {`
XPRA Fixes TODO: Matlab not working??? 2023-10-27 11:52:31 -04:00			`nixpkgs.overlays = [`
			`(final: prev: {`
			`xpra = prev.xpra.overrideAttrs (old: {`
			`postPatch = old.postPatch or "" + ''`
			`sed -e 's#"%s/share/xsessions" % sys.prefix#"${config.services.xserver.displayManager.sessionData.desktops}/share/xsessions"#g' -i xpra/platform/xposix/menu_helper.py`
			`'';`
			`});`
			`})`
			`];`
			`# To use instead of Plasma`
			`services.xserver.windowManager.fluxbox.enable = true;`
Xpra-web service 2023-09-07 12:20:30 -04:00			`environment.systemPackages = [ pkgs.xpra ];`
XPRA Fixes TODO: Matlab not working??? 2023-10-27 11:52:31 -04:00			`security.pam.services = {`
			`xpra = {`
			`text = ''`
			`# Account management.`
			`account required pam_unix.so`

			`# Authentication management.`
			`auth sufficient pam_unix.so likeauth try_first_pass`
			`auth required pam_deny.so`

			`# Password management.`
			`password sufficient pam_unix.so nullok yescrypt`

			`session required pam_unix.so`

			`#account required pam_nologin.so`
			`# account include system-auth`
			`# password include system-auth`

			`# pam_selinux.so close should be the first session rule`
			`#session required pam_selinux.so close`
			`session required pam_loginuid.so`
			`#to require a local user account, uncomment this line:`
			`#session required pam_localuser.so`
			`# session sufficient pam_systemd.so class=background type=x11`

			`# pam_selinux.so open should only be followed by sessions to be executed in the user context`
			`# session required pam_selinux.so open`
			`# session required pam_namespace.so`
			`# session optional pam_keyinit.so force revoke`
			`# session include system-auth`
			`# session include postlogin`
			`-session optional pam_ck_connector.so`
			`'';`
			`};`
			`};`
Xpra-web service 2023-09-07 12:20:30 -04:00			`systemd.sockets.xpra-web = {`
			`description = "Xpra Web Socket";`
			`partOf = [ "xpra-web.service" ];`
			`wantedBy = [ "sockets.target" ];`
			`socketConfig = {`
			`# ListenStream = 14500;`
			`ListenStream = "/run/xpra/system";`
			`SocketUser = "root";`
			`SocketGroup = "users";`
			`PassCredentials = "true";`
			`};`
			`};`
			`systemd.services.xpra-web = {`
			`description = "xpra-web";`
			`after = [ "network.target" "xpra-web.socket" ];`
			`requires = [ "xpra-web.socket" ];`
			`wantedBy = [ "multi-user.target" ];`

			`serviceConfig = {`
			`Type = "simple";`
			`ExecStart = ''${xpra-web} proxy :14500 --daemon=no \`
XPRA Fixes TODO: Matlab not working??? 2023-10-27 11:52:31 -04:00			`--tcp-auth=pam --auth=pam --bind=none \`
			`--log-dir=/var/log --pidfile=/run/xpra/proxy.pid --bind-tcp=:10000'';`
Xpra-web service 2023-09-07 12:20:30 -04:00			`Restart = "always";`
			`# Security`
			`NoNewPrivileges = true;`
			`ReadWritePaths = [ "/run/xpra" "/tmp" ];`
			`# Sandboxing`
			`ProtectSystem = "strict";`
			`ProtectKernelTunables = true;`
			`ProtectControlGroups = true;`
			`};`
Add External Xpra domain 2023-10-26 14:37:19 -04:00			`};`
			`services.caddy.virtualHosts = {`
			`"remote.ws.kcnhub.com" = {`
			`extraConfig = ''`
			`reverse_proxy 127.0.0.1:${toString 10000}`
			`'';`
			`};`
			`};`
Xpra configuration 2023-08-31 10:28:14 -04:00			`}`