Xpra-web service

machines/kcnhub/servers/xpra.nix

@@ -1,14 +1,48 @@
-{ config, pkgs, lib, ...}: {
+{ config, pkgs, lib, ...}: let
-  services.xserver.displayManager.xpra = {
+  xpra-html5 = pkgs.fetchFromGitHub {
-    enable = false;
+    owner = "Xpra-org";
-
+    repo = "xpra-html5";
-    # Where to bind port/address:
+    rev = "e5fb000a9d4042c54e55c5e30c0936125ec3a045";
-    bindTcp = "127.0.0.1:10000";
+    hash = "sha256-nfPePTvOVBgx/aMx380vu4Kn9sxmo1QNb050N95ENPk=";
-
-    # Use system login creds:
-    auth = "pam";
-    
-    # Should sound be streamed?
-    pulseaudio = false;
   };
+  xpra-web = pkgs.writeScript "xpra-web" ''
+    #!${pkgs.bash}/bin/bash
+    ${pkgs.xpra}/bin/xpra $@ --html=${xpra-html5}/html5
+  '';
+in {
+  environment.systemPackages = [ pkgs.xpra ];
+  systemd.sockets.xpra-web = {
+    description = "Xpra Web Socket";
+    partOf = [ "xpra-web.service" ];
+    wantedBy = [ "sockets.target" ];
+    socketConfig = {
+      # ListenStream = 14500;
+      ListenStream = "/run/xpra/system";
+      SocketUser = "root";
+      SocketGroup = "users";
+      PassCredentials = "true";
+    };
+  };
+  systemd.services.xpra-web = {
+    description = "xpra-web";
+    after = [ "network.target" "xpra-web.socket" ];
+    requires = [ "xpra-web.socket" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = ''${xpra-web} proxy :14500 --daemon=no \
+                       --socket-dirs=/run/xpra --socket-permissions=666 \
+                       --log-dir=/var/log --pidfile=/run/xpra/proxy.pid \
+                       --auth=pam --bind-tcp=0.0.0.0:10000'';
+      Restart = "always";
+      # Security
+      NoNewPrivileges = true;
+      ReadWritePaths = [ "/run/xpra" "/tmp" ];
+      # Sandboxing
+      ProtectSystem = "strict";
+      ProtectKernelTunables = true;
+      ProtectControlGroups = true;
+    };
+  };  
 }