From b1d5e1af74f468caeed12577466bf6b865575396 Mon Sep 17 00:00:00 2001
From: David Crompton
Date: Thu, 7 Sep 2023 12:20:30 -0400
Subject: [PATCH] Xpra-web service

---
 machines/kcnhub/servers/xpra.nix | 58 +++++++++++++++++++++++++-------
 1 file changed, 46 insertions(+), 12 deletions(-)

diff --git a/machines/kcnhub/servers/xpra.nix b/machines/kcnhub/servers/xpra.nix
index d23ecef..544ff97 100644
--- a/machines/kcnhub/servers/xpra.nix
+++ b/machines/kcnhub/servers/xpra.nix
@@ -1,14 +1,48 @@
-{ config, pkgs, lib, ...}: {
- services.xserver.displayManager.xpra = {
- enable = false;
-
- # Where to bind port/address:
- bindTcp = "127.0.0.1:10000";
-
- # Use system login creds:
- auth = "pam";
-
- # Should sound be streamed?
- pulseaudio = false;
+{ config, pkgs, lib, ...}: let
+ xpra-html5 = pkgs.fetchFromGitHub {
+ owner = "Xpra-org";
+ repo = "xpra-html5";
+ rev = "e5fb000a9d4042c54e55c5e30c0936125ec3a045";
+ hash = "sha256-nfPePTvOVBgx/aMx380vu4Kn9sxmo1QNb050N95ENPk=";
 };
+ xpra-web = pkgs.writeScript "xpra-web" ''
+ #!${pkgs.bash}/bin/bash
+ ${pkgs.xpra}/bin/xpra $@ --html=${xpra-html5}/html5
+ '';
+in {
+ environment.systemPackages = [ pkgs.xpra ];
+ systemd.sockets.xpra-web = {
+ description = "Xpra Web Socket";
+ partOf = [ "xpra-web.service" ];
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ # ListenStream = 14500;
+ ListenStream = "/run/xpra/system";
+ SocketUser = "root";
+ SocketGroup = "users";
+ PassCredentials = "true";
+ };
+ };
+ systemd.services.xpra-web = {
+ description = "xpra-web";
+ after = [ "network.target" "xpra-web.socket" ];
+ requires = [ "xpra-web.socket" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = ''${xpra-web} proxy :14500 --daemon=no \
+ --socket-dirs=/run/xpra --socket-permissions=666 \
+ --log-dir=/var/log --pidfile=/run/xpra/proxy.pid \
+ --auth=pam --bind-tcp=0.0.0.0:10000'';
+ Restart = "always";
+ # Security
+ NoNewPrivileges = true;
+ ReadWritePaths = [ "/run/xpra" "/tmp" ];
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ };
+ };
 }
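Review bot: The proxy now listens on `--bind-tcp=0.0.0.0:10000` while authenticating with `--auth=pam`, so system login credentials are accepted from every interface over a plain TCP socket, whereas the removed configuration bound `127.0.0.1:10000`; unless TLS is terminated in front of it, this should stay `--bind-tcp=127.0.0.1:10000` or be restricted at the firewall. `--log-dir=/var/log` will also not be writable under `ProtectSystem = "strict"` because `/var/log` is absent from `ReadWritePaths`; adding `LogsDirectory = "xpra";` to `serviceConfig` and passing `--log-dir=/var/log/xpra` keeps the sandbox intact. In the wrapper script, `$@` should be quoted as `"$@"` so arguments containing spaces reach xpra unchanged. The unix socket is created with `--socket-permissions=666` and `SocketGroup = "users"`; whether `--auth=pam` also gates that socket is not visible here, so confirm local users cannot attach unauthenticated.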