Reorganize Services (Xpra -> Guac)

machines/kcnhub/configuration.nix

@@ -20,6 +20,8 @@
       ./nosleep.nix
     ];
 
+  sops.defaultSopsFile = ./secrets/system.yaml;
+
   # Support NTFS(3g)
   boot.supportedFilesystems = ["ntfs"];
   
@@ -78,12 +80,6 @@
 
   nix.registry.nixpkgs.flake = nixpkgs;
   
-  # TODO: Make services directory for with a nix for each service that is enabled and what options it has
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
   # Open ports in the firewall.
   # networking.firewall.allowedTCPPorts = [ ... ];
   # networking.firewall.allowedUDPPorts = [ ... ];

machines/kcnhub/secrets/system.yaml

@@ -0,0 +1,22 @@
+guacamole:
+    properties: ENC[AES256_GCM,data:L+xiZBm1282zV1GUfp9RfV0blpOfotUhIYX4DF48Har3pWur3WcKfWcc67ZzVsfafeQtOLmH1MLq8EL1DX594qnE0mr19/vrdYldeHgK2RgE8DQ9wNOFLZGiK2WjIBcHJdq4mnV+Wb7xNZ8q6XC6sOBcDNqr7ROpGC2E1hBKPlQJn/IlTwf6HNBROoasNFI+2uXdssCbWml3juwSCOSTvXA9m3LZCgUuCKLbuAfTtVh1HQqy,iv:SaY+nIOnw0m6DA2IPJUJKwcVVIn34hmEDIFyNdq/rG4=,tag:T32EiZ5PUZIaI11OJl/wqg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1cvmffz227lhsvy4ufh0gnkfsvs5f27hv5l90m0lf4558uphteefsj2t74j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0bTd1bkxQODRaZXZPSDhU
+            N2JhY2JCanR2aXlaaWN1Mi9WT2hjSjVBVnlvCmd5Q0IrZUUraC9ySmZKeDRkcDNq
+            UUlTL3NBQXRlcEx0NnB3WXdHUTRaZmcKLS0tIG9nV0cxeDFBdGU0UGxVb3YyV29Q
+            WlhEWlJXeitFTGRMYlZJV0c1YjFPa28KCvxqVERVc7dAkBZUTq/lN/8KiHT96mXe
+            GB71RxixJyoctcpIuddQX1wBZLtQk4KPxWQYXW7it7YeyfFdGkStpA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-31T17:56:39Z"
+    mac: ENC[AES256_GCM,data:aUIudcJ2BgkDIu9XQTIibcr2SghNieR7L445tkTgnf71oecTUp21BuVHzljggllNF9kvucH5jIkjHJmGeF7vP59RT5ERB2ziXZeulB+NBo3Kad8XbeBjdzkQev6rf3XRhlv9XtysAEvrE+KGS0j4e4WFrfqoHZW9BBS/NnTLoJM=,iv:z3A+Ise+POIqaQLU6Q/w1kmjUmaoxjKR+3pDPk+D6u0=,tag:PnjeaDBfq299Jj5F7yxMDQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

machines/kcnhub/servers.nix

@@ -1,7 +1,10 @@
 { ... }: {
   imports = [
+    # Reverse Proxying of Forward Facing Servers
     ./servers/caddy.nix
-    ./servers/xpra.nix
+    # Git Instances for WS-KCNHUB Projects
     ./servers/gitea.nix
+    # Online Remote Connectivity
+    ./servers/guac.nix
   ];
 }

machines/kcnhub/servers/guac.nix

@@ -0,0 +1,93 @@
+{ config, lib, pkgs, nixpkgs-unstable, ... }: {
+  imports = [
+    "${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-server.nix"
+    "${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-client.nix"
+  ];
+
+  services.guacamole-server.enable = true;
+  services.guacamole-server.package = pkgs.unstable.guacamole-server;
+  services.guacamole-server.port = 4822;
+
+  # Configure Database Authentication
+  environment.etc = let
+    dbauth-src = pkgs.fetchurl {
+      url = "https://dlcdn.apache.org/guacamole/1.5.3/binary/guacamole-auth-jdbc-1.5.3.tar.gz";
+      hash = "sha256-7Tuncc5Io4oOVvApkTuAUSSdvr/dMv/tvOLfDbEyJH8=";
+    };
+    dbauth = pkgs.stdenv.mkDerivation {
+      name = "jdbc";
+      version = "1.5.3";
+      src = dbauth-src;
+      installPhase = ''
+        mkdir $out
+        cp -r * $out
+      '';
+    };
+  in {
+    "guacamole/extensions/postgresql.jar" = {
+      source = "${dbauth}/postgresql/guacamole-auth-jdbc-postgresql-1.5.3.jar";
+    };
+    "guacamole/lib/postgresql.jar" = {
+      source = pkgs.fetchurl {
+        url = "https://jdbc.postgresql.org/download/postgresql-42.6.0.jar";
+        hash = "sha256-uBfGekDJQkn9WdTmhuMyftDT0/rkJrINoPHnVlLPxGE=";
+      };
+    };
+  };
+
+  # User user perms for psql login
+  users = {
+    users.guacamole = {
+      isSystemUser = true;
+      group = "guacamole";
+    };
+    groups.guacamole = {};
+  };
+  systemd.services.guacamole-server.serviceConfig = {
+    User = "guacamole";
+    Group = "guacamole";
+    DynamicUser = pkgs.lib.mkForce false;
+  };
+  
+  # TODO: Write description that autoruns schemas in dbauth/postgresql/schemas
+  services.postgresql = {
+    enable = true;
+    port = 5432;
+    ensureDatabases = [
+      "guacamole"
+    ];
+    ensureUsers = [{
+      name = "guacamole";
+      ensurePermissions = {
+        "DATABASE \"guacamole\"" = "ALL PRIVILEGES";
+      };
+      ensureClauses = {
+        createdb = true;
+      };
+    }];
+  };
+  
+  services.guacamole-client.enable = true;
+  services.guacamole-client.enableWebserver = true;
+  services.guacamole-client.package = pkgs.unstable.guacamole-client;
+  services.guacamole-client.settings = {
+    guacd-hostname = "localhost";
+    guacd-port = 4822;
+
+    # Postgresql Auth Settings:
+    postgresql-hostname = "localhost";
+    postgresql-database = "guacamole";
+    postgresql-username = "guacamole";
+    # Password is superfluous: only can be used through guacamole user.
+    postgresql-password = "";
+  };
+  services.caddy.virtualHosts = {
+    "remote.ws.kcnhub.com" = {
+      # Proxy to default tomcat port ( 8080 )
+      extraConfig = ''
+        rewrite * /guacamole{uri}
+        reverse_proxy 127.0.0.1:8080
+      '';           
+    };
+  };
+}

machines/kcnhub/servers/xpra.nix

@@ -1,101 +0,0 @@
-{ config, pkgs, lib, ...}: let
-  xpra-html5 = pkgs.fetchFromGitHub {
-    owner = "Xpra-org";
-    repo = "xpra-html5";
-    rev = "e5fb000a9d4042c54e55c5e30c0936125ec3a045";
-    hash = "sha256-nfPePTvOVBgx/aMx380vu4Kn9sxmo1QNb050N95ENPk=";
-  };
-  xpra-web = pkgs.writeScript "xpra-web" ''
-    #!${pkgs.bash}/bin/bash
-    ${pkgs.xpra}/bin/xpra $@ --html=${xpra-html5}/html5
-  '';
-in {
-  nixpkgs.overlays = [
-    (final: prev: {
-      xpra = prev.xpra.overrideAttrs (old: {
-        postPatch = old.postPatch or "" + ''
-          sed -e 's#"%s/share/xsessions" % sys.prefix#"${config.services.xserver.displayManager.sessionData.desktops}/share/xsessions"#g' -i xpra/platform/xposix/menu_helper.py
-        '';
-      });
-    })
-  ];
-  # To use instead of Plasma
-  services.xserver.windowManager.fluxbox.enable = true;
-  environment.systemPackages = [ pkgs.xpra ];
-  security.pam.services = {
-    xpra = {
-      text = ''
-        # Account management.
-        account required pam_unix.so
-
-        # Authentication management.
-        auth sufficient pam_unix.so   likeauth try_first_pass
-        auth required pam_deny.so
-
-        # Password management.
-        password sufficient pam_unix.so nullok yescrypt
-
-        session required pam_unix.so
-
-        #account    required     pam_nologin.so
-        # account    include      system-auth
-        # password   include      system-auth
-
-        # pam_selinux.so close should be the first session rule
-        #session    required     pam_selinux.so close
-        session    required     pam_loginuid.so
-        #to require a local user account, uncomment this line:
-        #session    required     pam_localuser.so
-        # session    sufficient   pam_systemd.so class=background type=x11
-
-        # pam_selinux.so open should only be followed by sessions to be executed in the user context
-        # session    required     pam_selinux.so open
-        # session    required     pam_namespace.so
-        # session    optional     pam_keyinit.so force revoke
-        # session    include      system-auth
-        # session    include      postlogin
-        -session   optional     pam_ck_connector.so
-      '';
-    };
-  };
-  systemd.sockets.xpra-web = {
-    description = "Xpra Web Socket";
-    partOf = [ "xpra-web.service" ];
-    wantedBy = [ "sockets.target" ];
-    socketConfig = {
-      # ListenStream = 14500;
-      ListenStream = "/run/xpra/system";
-      SocketUser = "root";
-      SocketGroup = "users";
-      PassCredentials = "true";
-    };
-  };
-  systemd.services.xpra-web = {
-    description = "xpra-web";
-    after = [ "network.target" "xpra-web.socket" ];
-    requires = [ "xpra-web.socket" ];
-    wantedBy = [ "multi-user.target" ];
-
-    serviceConfig = {
-      Type = "simple";
-      ExecStart = ''${xpra-web} proxy :14500 --daemon=no \
-                      --tcp-auth=pam --auth=pam --bind=none \
-                      --log-dir=/var/log --pidfile=/run/xpra/proxy.pid --bind-tcp=:10000'';
-      Restart = "always";
-      # Security
-      NoNewPrivileges = true;
-      ReadWritePaths = [ "/run/xpra" "/tmp" ];
-      # Sandboxing
-      ProtectSystem = "strict";
-      ProtectKernelTunables = true;
-      ProtectControlGroups = true;
-    };
-  };
-  services.caddy.virtualHosts = {
-    "remote.ws.kcnhub.com" = {
-      extraConfig = ''
-        reverse_proxy 127.0.0.1:${toString 10000}
-      '';           
-    };
-  };
-}

machines/kcnhub/services.nix

@@ -1,6 +1,6 @@
 { ... }: {
   imports = [
-    # ./services/remote-desktop-guac.nix
-    ./services/rdp.nix
+    ./services/ssh.nix
+    ./services/xrdp.nix
   ];
 }

machines/kcnhub/services/containers.nix

@@ -1,15 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  virtualization = {
-    podman = {
-      enable = true;
-    };
-    dockerCompat = true;
-  };
-
-  environment.systemPackages = with pkgs; [
-    # Nicely Make and Run Container Sets
-    podman-compose
-    # For Running Simulations Containerized
-    apptainer
-  ];
-}

machines/kcnhub/services/remote-desktop-guac.nix

@@ -1,18 +0,0 @@
-{ config, lib, pkgs, nixpkgs-unstable, ... }: {
-  imports = [
-    "${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-server.nix"
-    "${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-client.nix"
-  ];
-
-  services.guacamole-server.enable = true;
-  services.guacamole-server.package = pkgs.unstable.guacamole-server;
-  services.guacamole-server.port = 4822;
-
-  services.guacamole-client.enable = true;
-  services.guacamole-client.enableWebserver = true;
-  services.guacamole-client.package = pkgs.unstable.guacamole-client;
-  services.guacamole-client.settings = {
-    guacd-hostname = "localhost";
-    guacd-port = 4822;
-  };
-}

machines/kcnhub/services/ssh.nix

@@ -0,0 +1,3 @@
+{ ... }: {
+  services.openssh.enable = true;
+}