From e8f7009c730e9371b66159c406a6432a08cf0cce Mon Sep 17 00:00:00 2001 From: David Crompton Date: Tue, 31 Oct 2023 11:22:35 -0400 Subject: [PATCH] Reorganize Services (Xpra -> Guac) --- machines/kcnhub/configuration.nix | 8 +- machines/kcnhub/secrets/system.yaml | 22 ++++ machines/kcnhub/servers.nix | 5 +- machines/kcnhub/servers/guac.nix | 93 ++++++++++++++++ machines/kcnhub/servers/xpra.nix | 101 ------------------ machines/kcnhub/services.nix | 4 +- machines/kcnhub/services/containers.nix | 15 --- .../kcnhub/services/remote-desktop-guac.nix | 18 ---- machines/kcnhub/services/ssh.nix | 3 + .../kcnhub/services/{rdp.nix => xrdp.nix} | 0 10 files changed, 126 insertions(+), 143 deletions(-) create mode 100644 machines/kcnhub/secrets/system.yaml create mode 100644 machines/kcnhub/servers/guac.nix delete mode 100644 machines/kcnhub/servers/xpra.nix delete mode 100644 machines/kcnhub/services/containers.nix delete mode 100644 machines/kcnhub/services/remote-desktop-guac.nix create mode 100644 machines/kcnhub/services/ssh.nix rename machines/kcnhub/services/{rdp.nix => xrdp.nix} (100%) diff --git a/machines/kcnhub/configuration.nix b/machines/kcnhub/configuration.nix index 901c730..cfff934 100644 --- a/machines/kcnhub/configuration.nix +++ b/machines/kcnhub/configuration.nix @@ -20,6 +20,8 @@ ./nosleep.nix ]; + sops.defaultSopsFile = ./secrets/system.yaml; + # Support NTFS(3g) boot.supportedFilesystems = ["ntfs"]; @@ -78,12 +80,6 @@ nix.registry.nixpkgs.flake = nixpkgs; - # TODO: Make services directory for with a nix for each service that is enabled and what options it has - # List services that you want to enable: - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; diff --git a/machines/kcnhub/secrets/system.yaml b/machines/kcnhub/secrets/system.yaml new file mode 100644 index 0000000..162c9a4 --- /dev/null 
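Review bot: `sops.defaultSopsFile = ./secrets/system.yaml;` points at a file whose only payload is an encrypted `guacamole.properties`, but no hunk in this patch declares a `sops.secrets` entry for it or reads `config.sops.secrets` — `servers/guac.nix` hard-codes `postgresql-password = ""` instead — so unless another module outside this patch already declares the secret, nothing is decrypted at activation and the committed ciphertext is dead weight. Consider either adding the `sops.secrets` declaration that guac.nix consumes or holding this line back until it does. The second hunk's removal of `services.openssh.enable = true;` is matched by the new `services/ssh.nix`, so no behaviour is lost there.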
+++ b/machines/kcnhub/secrets/system.yaml @@ -0,0 +1,22 @@ +guacamole: + properties: ENC[AES256_GCM,data:L+xiZBm1282zV1GUfp9RfV0blpOfotUhIYX4DF48Har3pWur3WcKfWcc67ZzVsfafeQtOLmH1MLq8EL1DX594qnE0mr19/vrdYldeHgK2RgE8DQ9wNOFLZGiK2WjIBcHJdq4mnV+Wb7xNZ8q6XC6sOBcDNqr7ROpGC2E1hBKPlQJn/IlTwf6HNBROoasNFI+2uXdssCbWml3juwSCOSTvXA9m3LZCgUuCKLbuAfTtVh1HQqy,iv:SaY+nIOnw0m6DA2IPJUJKwcVVIn34hmEDIFyNdq/rG4=,tag:T32EiZ5PUZIaI11OJl/wqg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1cvmffz227lhsvy4ufh0gnkfsvs5f27hv5l90m0lf4558uphteefsj2t74j + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0bTd1bkxQODRaZXZPSDhU + N2JhY2JCanR2aXlaaWN1Mi9WT2hjSjVBVnlvCmd5Q0IrZUUraC9ySmZKeDRkcDNq + UUlTL3NBQXRlcEx0NnB3WXdHUTRaZmcKLS0tIG9nV0cxeDFBdGU0UGxVb3YyV29Q + WlhEWlJXeitFTGRMYlZJV0c1YjFPa28KCvxqVERVc7dAkBZUTq/lN/8KiHT96mXe + GB71RxixJyoctcpIuddQX1wBZLtQk4KPxWQYXW7it7YeyfFdGkStpA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-31T17:56:39Z" + mac: ENC[AES256_GCM,data:aUIudcJ2BgkDIu9XQTIibcr2SghNieR7L445tkTgnf71oecTUp21BuVHzljggllNF9kvucH5jIkjHJmGeF7vP59RT5ERB2ziXZeulB+NBo3Kad8XbeBjdzkQev6rf3XRhlv9XtysAEvrE+KGS0j4e4WFrfqoHZW9BBS/NnTLoJM=,iv:z3A+Ise+POIqaQLU6Q/w1kmjUmaoxjKR+3pDPk+D6u0=,tag:PnjeaDBfq299Jj5F7yxMDQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/machines/kcnhub/servers.nix b/machines/kcnhub/servers.nix index 383bf4d..4cc9d96 100644 --- a/machines/kcnhub/servers.nix +++ b/machines/kcnhub/servers.nix @@ -1,7 +1,10 @@ { ... }: { imports = [ + # Reverse Proxying of Forward Facing Servers ./servers/caddy.nix - ./servers/xpra.nix + # Git Instances for WS-KCNHUB Projects ./servers/gitea.nix + # Online Remote Connectivity + ./servers/guac.nix ]; } diff --git a/machines/kcnhub/servers/guac.nix b/machines/kcnhub/servers/guac.nix new file mode 100644 index 0000000..2bcb20e --- /dev/null +++ b/machines/kcnhub/servers/guac.nix 
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, nixpkgs-unstable, ... }: {
+ imports = [
+ "${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-server.nix"
+ "${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-client.nix"
+ ];
+
+ services.guacamole-server.enable = true;
+ services.guacamole-server.package = pkgs.unstable.guacamole-server;
+ services.guacamole-server.port = 4822;
+
+ # Configure Database Authentication
+ environment.etc = let
+ dbauth-src = pkgs.fetchurl {
+ url = "https://dlcdn.apache.org/guacamole/1.5.3/binary/guacamole-auth-jdbc-1.5.3.tar.gz";
+ hash = "sha256-7Tuncc5Io4oOVvApkTuAUSSdvr/dMv/tvOLfDbEyJH8=";
+ };
+ dbauth = pkgs.stdenv.mkDerivation {
+ name = "jdbc";
+ version = "1.5.3";
+ src = dbauth-src;
+ installPhase = ''
+ mkdir $out
+ cp -r * $out
+ '';
+ };
+ in {
+ "guacamole/extensions/postgresql.jar" = {
+ source = "${dbauth}/postgresql/guacamole-auth-jdbc-postgresql-1.5.3.jar";
+ };
+ "guacamole/lib/postgresql.jar" = {
+ source = pkgs.fetchurl {
+ url = "https://jdbc.postgresql.org/download/postgresql-42.6.0.jar";
+ hash = "sha256-uBfGekDJQkn9WdTmhuMyftDT0/rkJrINoPHnVlLPxGE=";
+ };
+ };
+ };
+
+ # User user perms for psql login
+ users = {
+ users.guacamole = {
+ isSystemUser = true;
+ group = "guacamole";
+ };
+ groups.guacamole = {};
+ };
+ systemd.services.guacamole-server.serviceConfig = {
+ User = "guacamole";
+ Group = "guacamole";
+ DynamicUser = pkgs.lib.mkForce false;
+ };
+
+ # TODO: Write description that autoruns schemas in dbauth/postgresql/schemas
+ services.postgresql = {
+ enable = true;
+ port = 5432;
+ ensureDatabases = [
+ "guacamole"
+ ];
+ ensureUsers = [{
+ name = "guacamole";
+ ensurePermissions = {
+ "DATABASE \"guacamole\"" = "ALL PRIVILEGES";
+ };
+ ensureClauses = {
+ createdb = true;
+ };
+ }];
+ };
+
+ services.guacamole-client.enable = true;
+ services.guacamole-client.enableWebserver = true;
+ services.guacamole-client.package = pkgs.unstable.guacamole-client;
+ services.guacamole-client.settings = {
+ guacd-hostname = "localhost";
+ guacd-port = 4822;
+
+ # Postgresql Auth Settings:
+ postgresql-hostname = "localhost";
+ postgresql-database = "guacamole";
+ postgresql-username = "guacamole";
+ # Password is superfluous: only can be used through guacamole user.
+ postgresql-password = "";
+ };
+ services.caddy.virtualHosts = {
+ "remote.ws.kcnhub.com" = {
+ # Proxy to default tomcat port ( 8080 )
+ extraConfig = ''
+ rewrite * /guacamole{uri}
+ reverse_proxy 127.0.0.1:8080
+ '';
+ };
+ };
+}
diff --git a/machines/kcnhub/servers/xpra.nix b/machines/kcnhub/servers/xpra.nix
deleted file mode 100644
index 8c3ff9c..0000000
--- a/machines/kcnhub/servers/xpra.nix
+++ /dev/null
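Review bot: The comment `# Password is superfluous: only can be used through guacamole user.` above `postgresql-password = "";` does not match the rest of the hunk: the `User = "guacamole"` override is applied to `systemd.services.guacamole-server` (guacd), while the JDBC extension placed under `guacamole/extensions` is loaded by the guacamole-client webapp, whose service user this hunk leaves untouched, and `postgresql-hostname = "localhost"` makes the JDBC driver connect over TCP, where NixOS's default `pg_hba` does not offer peer authentication. If the client process cannot authenticate that way, the database extension will likely reject every login rather than fail loudly, so this should be verified on the deployed host and the comment rewritten to state which process actually opens the connection. `ensureClauses = { createdb = true; };` also grants the service role more than it needs — the schema TODO targets the already-created `guacamole` database, and creating further databases is not part of that — so the clause can be dropped for least privilege. Keeping guacd on 4822 and the Caddy `reverse_proxy 127.0.0.1:8080` on loopback is fine as written.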
@@ -1,101 +0,0 @@
-{ config, pkgs, lib, ...}: let
- xpra-html5 = pkgs.fetchFromGitHub {
- owner = "Xpra-org";
- repo = "xpra-html5";
- rev = "e5fb000a9d4042c54e55c5e30c0936125ec3a045";
- hash = "sha256-nfPePTvOVBgx/aMx380vu4Kn9sxmo1QNb050N95ENPk=";
- };
- xpra-web = pkgs.writeScript "xpra-web" ''
- #!${pkgs.bash}/bin/bash
- ${pkgs.xpra}/bin/xpra $@ --html=${xpra-html5}/html5
- '';
-in {
- nixpkgs.overlays = [
- (final: prev: {
- xpra = prev.xpra.overrideAttrs (old: {
- postPatch = old.postPatch or "" + ''
- sed -e 's#"%s/share/xsessions" % sys.prefix#"${config.services.xserver.displayManager.sessionData.desktops}/share/xsessions"#g' -i xpra/platform/xposix/menu_helper.py
- '';
- });
- })
- ];
- # To use instead of Plasma
- services.xserver.windowManager.fluxbox.enable = true;
- environment.systemPackages = [ pkgs.xpra ];
- security.pam.services = {
- xpra = {
- text = ''
- # Account management.
- account required pam_unix.so
-
- # Authentication management.
- auth sufficient pam_unix.so likeauth try_first_pass
- auth required pam_deny.so
-
- # Password management.
- password sufficient pam_unix.so nullok yescrypt - - session required pam_unix.so - - #account required pam_nologin.so - # account include system-auth - # password include system-auth - - # pam_selinux.so close should be the first session rule - #session required pam_selinux.so close - session required pam_loginuid.so - #to require a local user account, uncomment this line: - #session required pam_localuser.so - # session sufficient pam_systemd.so class=background type=x11 - - # pam_selinux.so open should only be followed by sessions to be executed in the user context - # session required pam_selinux.so open - # session required pam_namespace.so - # session optional pam_keyinit.so force revoke - # session include system-auth - # session include postlogin - -session optional pam_ck_connector.so - ''; - }; - }; - systemd.sockets.xpra-web = { - description = "Xpra Web Socket"; - partOf = [ "xpra-web.service" ]; - wantedBy = [ "sockets.target" ]; - socketConfig = { - # ListenStream = 14500; - ListenStream = "/run/xpra/system"; - SocketUser = "root"; - SocketGroup = "users"; - PassCredentials = "true"; - }; - }; - systemd.services.xpra-web = { - description = "xpra-web"; - after = [ "network.target" "xpra-web.socket" ]; - requires = [ "xpra-web.socket" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Type = "simple"; - ExecStart = ''${xpra-web} proxy :14500 --daemon=no \ - --tcp-auth=pam --auth=pam --bind=none \ - --log-dir=/var/log --pidfile=/run/xpra/proxy.pid --bind-tcp=:10000''; - Restart = "always"; - # Security - NoNewPrivileges = true; - ReadWritePaths = [ "/run/xpra" "/tmp" ]; - # Sandboxing - ProtectSystem = "strict"; - ProtectKernelTunables = true; - ProtectControlGroups = true; - }; - }; - services.caddy.virtualHosts = { - "remote.ws.kcnhub.com" = { - extraConfig = '' - reverse_proxy 127.0.0.1:${toString 10000} - ''; - }; - }; -} diff --git a/machines/kcnhub/services.nix b/machines/kcnhub/services.nix index eb297bf..ae8750c 100644 
--- a/machines/kcnhub/services.nix +++ b/machines/kcnhub/services.nix @@ -1,6 +1,6 @@ { ... }: { imports = [ - # ./services/remote-desktop-guac.nix - ./services/rdp.nix + ./services/ssh.nix + ./services/xrdp.nix ]; } diff --git a/machines/kcnhub/services/containers.nix b/machines/kcnhub/services/containers.nix deleted file mode 100644 index 6b868c5..0000000 --- a/machines/kcnhub/services/containers.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, lib, pkgs, ... }: { - virtualization = { - podman = { - enable = true; - }; - dockerCompat = true; - }; - - environment.systemPackages = with pkgs; [ - # Nicely Make and Run Container Sets - podman-compose - # For Running Simulations Containerized - apptainer - ]; -} diff --git a/machines/kcnhub/services/remote-desktop-guac.nix b/machines/kcnhub/services/remote-desktop-guac.nix deleted file mode 100644 index 03a18e2..0000000 --- a/machines/kcnhub/services/remote-desktop-guac.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ config, lib, pkgs, nixpkgs-unstable, ... }: { - imports = [ - "${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-server.nix" - "${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-client.nix" - ]; - - services.guacamole-server.enable = true; - services.guacamole-server.package = pkgs.unstable.guacamole-server; - services.guacamole-server.port = 4822; - - services.guacamole-client.enable = true; - services.guacamole-client.enableWebserver = true; - services.guacamole-client.package = pkgs.unstable.guacamole-client; - services.guacamole-client.settings = { - guacd-hostname = "localhost"; - guacd-port = 4822; - }; -} diff --git a/machines/kcnhub/services/ssh.nix b/machines/kcnhub/services/ssh.nix new file mode 100644 index 0000000..914b807 --- /dev/null +++ b/machines/kcnhub/services/ssh.nix @@ -0,0 +1,3 @@ +{ ... }: { + services.openssh.enable = true; +} 
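Review bot: The new `services/ssh.nix` enables OpenSSH with the module's stock settings only, which leaves password and keyboard-interactive authentication enabled; on a host that also publishes `remote.ws.kcnhub.com` through Caddy that is worth tightening in the same module, e.g. `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`, once key-based logins are confirmed to work. The move out of `configuration.nix` is otherwise a straight relocation. The `containers.nix` and `remote-desktop-guac.nix` deletions and the `rdp.nix` → `xrdp.nix` import rename in the same region raise nothing.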
diff --git a/machines/kcnhub/services/rdp.nix b/machines/kcnhub/services/xrdp.nix
similarity index 100%
rename from machines/kcnhub/services/rdp.nix
rename to machines/kcnhub/services/xrdp.nix