Reorganize Services (Xpra -> Guac)

master
David Crompton 2023-10-31 11:22:35 -04:00
parent 123479797f
commit e8f7009c73
10 changed files with 126 additions and 143 deletions

View File

@ -20,6 +20,8 @@
./nosleep.nix
];
sops.defaultSopsFile = ./secrets/system.yaml;
# Support NTFS(3g)
boot.supportedFilesystems = ["ntfs"];
@ -78,12 +80,6 @@
nix.registry.nixpkgs.flake = nixpkgs;
# TODO: Make services directory for with a nix for each service that is enabled and what options it has
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];

View File

@ -0,0 +1,22 @@
guacamole:
properties: ENC[AES256_GCM,data:L+xiZBm1282zV1GUfp9RfV0blpOfotUhIYX4DF48Har3pWur3WcKfWcc67ZzVsfafeQtOLmH1MLq8EL1DX594qnE0mr19/vrdYldeHgK2RgE8DQ9wNOFLZGiK2WjIBcHJdq4mnV+Wb7xNZ8q6XC6sOBcDNqr7ROpGC2E1hBKPlQJn/IlTwf6HNBROoasNFI+2uXdssCbWml3juwSCOSTvXA9m3LZCgUuCKLbuAfTtVh1HQqy,iv:SaY+nIOnw0m6DA2IPJUJKwcVVIn34hmEDIFyNdq/rG4=,tag:T32EiZ5PUZIaI11OJl/wqg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1cvmffz227lhsvy4ufh0gnkfsvs5f27hv5l90m0lf4558uphteefsj2t74j
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0bTd1bkxQODRaZXZPSDhU
N2JhY2JCanR2aXlaaWN1Mi9WT2hjSjVBVnlvCmd5Q0IrZUUraC9ySmZKeDRkcDNq
UUlTL3NBQXRlcEx0NnB3WXdHUTRaZmcKLS0tIG9nV0cxeDFBdGU0UGxVb3YyV29Q
WlhEWlJXeitFTGRMYlZJV0c1YjFPa28KCvxqVERVc7dAkBZUTq/lN/8KiHT96mXe
GB71RxixJyoctcpIuddQX1wBZLtQk4KPxWQYXW7it7YeyfFdGkStpA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-31T17:56:39Z"
mac: ENC[AES256_GCM,data:aUIudcJ2BgkDIu9XQTIibcr2SghNieR7L445tkTgnf71oecTUp21BuVHzljggllNF9kvucH5jIkjHJmGeF7vP59RT5ERB2ziXZeulB+NBo3Kad8XbeBjdzkQev6rf3XRhlv9XtysAEvrE+KGS0j4e4WFrfqoHZW9BBS/NnTLoJM=,iv:z3A+Ise+POIqaQLU6Q/w1kmjUmaoxjKR+3pDPk+D6u0=,tag:PnjeaDBfq299Jj5F7yxMDQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

View File

@ -1,7 +1,10 @@
{ ... }: {
imports = [
# Reverse Proxying of Forward Facing Servers
./servers/caddy.nix
./servers/xpra.nix
# Git Instances for WS-KCNHUB Projects
./servers/gitea.nix
# Online Remote Connectivity
./servers/guac.nix
];
}

View File

@ -0,0 +1,93 @@
{ config, lib, pkgs, nixpkgs-unstable, ... }: {
imports = [
"${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-server.nix"
"${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-client.nix"
];
services.guacamole-server.enable = true;
services.guacamole-server.package = pkgs.unstable.guacamole-server;
services.guacamole-server.port = 4822;
# Configure Database Authentication
environment.etc = let
dbauth-src = pkgs.fetchurl {
url = "https://dlcdn.apache.org/guacamole/1.5.3/binary/guacamole-auth-jdbc-1.5.3.tar.gz";
hash = "sha256-7Tuncc5Io4oOVvApkTuAUSSdvr/dMv/tvOLfDbEyJH8=";
};
dbauth = pkgs.stdenv.mkDerivation {
name = "jdbc";
version = "1.5.3";
src = dbauth-src;
installPhase = ''
mkdir $out
cp -r * $out
'';
};
in {
"guacamole/extensions/postgresql.jar" = {
source = "${dbauth}/postgresql/guacamole-auth-jdbc-postgresql-1.5.3.jar";
};
"guacamole/lib/postgresql.jar" = {
source = pkgs.fetchurl {
url = "https://jdbc.postgresql.org/download/postgresql-42.6.0.jar";
hash = "sha256-uBfGekDJQkn9WdTmhuMyftDT0/rkJrINoPHnVlLPxGE=";
};
};
};
# User user perms for psql login
users = {
users.guacamole = {
isSystemUser = true;
group = "guacamole";
};
groups.guacamole = {};
};
systemd.services.guacamole-server.serviceConfig = {
User = "guacamole";
Group = "guacamole";
DynamicUser = pkgs.lib.mkForce false;
};
# TODO: Write description that autoruns schemas in dbauth/postgresql/schemas
services.postgresql = {
enable = true;
port = 5432;
ensureDatabases = [
"guacamole"
];
ensureUsers = [{
name = "guacamole";
ensurePermissions = {
"DATABASE \"guacamole\"" = "ALL PRIVILEGES";
};
ensureClauses = {
createdb = true;
};
}];
};
services.guacamole-client.enable = true;
services.guacamole-client.enableWebserver = true;
services.guacamole-client.package = pkgs.unstable.guacamole-client;
services.guacamole-client.settings = {
guacd-hostname = "localhost";
guacd-port = 4822;
# Postgresql Auth Settings:
postgresql-hostname = "localhost";
postgresql-database = "guacamole";
postgresql-username = "guacamole";
# Password is superfluous: only can be used through guacamole user.
postgresql-password = "";
};
services.caddy.virtualHosts = {
"remote.ws.kcnhub.com" = {
# Proxy to default tomcat port ( 8080 )
extraConfig = ''
rewrite * /guacamole{uri}
reverse_proxy 127.0.0.1:8080
'';
};
};
}

View File

@ -1,101 +0,0 @@
{ config, pkgs, lib, ...}: let
xpra-html5 = pkgs.fetchFromGitHub {
owner = "Xpra-org";
repo = "xpra-html5";
rev = "e5fb000a9d4042c54e55c5e30c0936125ec3a045";
hash = "sha256-nfPePTvOVBgx/aMx380vu4Kn9sxmo1QNb050N95ENPk=";
};
xpra-web = pkgs.writeScript "xpra-web" ''
#!${pkgs.bash}/bin/bash
${pkgs.xpra}/bin/xpra $@ --html=${xpra-html5}/html5
'';
in {
nixpkgs.overlays = [
(final: prev: {
xpra = prev.xpra.overrideAttrs (old: {
postPatch = old.postPatch or "" + ''
sed -e 's#"%s/share/xsessions" % sys.prefix#"${config.services.xserver.displayManager.sessionData.desktops}/share/xsessions"#g' -i xpra/platform/xposix/menu_helper.py
'';
});
})
];
# To use instead of Plasma
services.xserver.windowManager.fluxbox.enable = true;
environment.systemPackages = [ pkgs.xpra ];
security.pam.services = {
xpra = {
text = ''
# Account management.
account required pam_unix.so
# Authentication management.
auth sufficient pam_unix.so likeauth try_first_pass
auth required pam_deny.so
# Password management.
password sufficient pam_unix.so nullok yescrypt
session required pam_unix.so
#account required pam_nologin.so
# account include system-auth
# password include system-auth
# pam_selinux.so close should be the first session rule
#session required pam_selinux.so close
session required pam_loginuid.so
#to require a local user account, uncomment this line:
#session required pam_localuser.so
# session sufficient pam_systemd.so class=background type=x11
# pam_selinux.so open should only be followed by sessions to be executed in the user context
# session required pam_selinux.so open
# session required pam_namespace.so
# session optional pam_keyinit.so force revoke
# session include system-auth
# session include postlogin
-session optional pam_ck_connector.so
'';
};
};
systemd.sockets.xpra-web = {
description = "Xpra Web Socket";
partOf = [ "xpra-web.service" ];
wantedBy = [ "sockets.target" ];
socketConfig = {
# ListenStream = 14500;
ListenStream = "/run/xpra/system";
SocketUser = "root";
SocketGroup = "users";
PassCredentials = "true";
};
};
systemd.services.xpra-web = {
description = "xpra-web";
after = [ "network.target" "xpra-web.socket" ];
requires = [ "xpra-web.socket" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = ''${xpra-web} proxy :14500 --daemon=no \
--tcp-auth=pam --auth=pam --bind=none \
--log-dir=/var/log --pidfile=/run/xpra/proxy.pid --bind-tcp=:10000'';
Restart = "always";
# Security
NoNewPrivileges = true;
ReadWritePaths = [ "/run/xpra" "/tmp" ];
# Sandboxing
ProtectSystem = "strict";
ProtectKernelTunables = true;
ProtectControlGroups = true;
};
};
services.caddy.virtualHosts = {
"remote.ws.kcnhub.com" = {
extraConfig = ''
reverse_proxy 127.0.0.1:${toString 10000}
'';
};
};
}

View File

@ -1,6 +1,6 @@
{ ... }: {
imports = [
# ./services/remote-desktop-guac.nix
./services/rdp.nix
./services/ssh.nix
./services/xrdp.nix
];
}

View File

@ -1,15 +0,0 @@
{ config, lib, pkgs, ... }: {
virtualization = {
podman = {
enable = true;
};
dockerCompat = true;
};
environment.systemPackages = with pkgs; [
# Nicely Make and Run Container Sets
podman-compose
# For Running Simulations Containerized
apptainer
];
}

View File

@ -1,18 +0,0 @@
{ config, lib, pkgs, nixpkgs-unstable, ... }: {
imports = [
"${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-server.nix"
"${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-client.nix"
];
services.guacamole-server.enable = true;
services.guacamole-server.package = pkgs.unstable.guacamole-server;
services.guacamole-server.port = 4822;
services.guacamole-client.enable = true;
services.guacamole-client.enableWebserver = true;
services.guacamole-client.package = pkgs.unstable.guacamole-client;
services.guacamole-client.settings = {
guacd-hostname = "localhost";
guacd-port = 4822;
};
}

View File

@ -0,0 +1,3 @@
{ ... }: {
services.openssh.enable = true;
}