

Fetcher scripts for MS and Ghaf URLs
* A single script to fetch additional MS and Ghaf URLs in net-vm.
* Handling of PAC file by the fetcher script in business-vm.

Signed-off-by: Enes Öztürk <[email protected]>
enesoztrk authored and brianmcgillion committed Nov 29, 2024
1 parent 5178a89 commit da685e3
Showing 5 changed files with 373 additions and 233 deletions.
152 changes: 139 additions & 13 deletions modules/reference/appvms/business.nix
Expand Up @@ -11,12 +11,14 @@ let
inherit (lib) mkIf optionalString;
#TODO: Move this to a common place
name = "business";
proxyUserName = "proxy-user";
proxyGroupName = "proxy-admin";
tiiVpnAddr = "151.253.154.18";
vpnOnlyAddr = "${tiiVpnAddr},jira.tii.ae,access.tii.ae,confluence.tii.ae,i-service.tii.ae,catalyst.atrc.ae";
pacFileName = "ghaf.pac";
pacServerAddr = "127.0.0.1:8000";
pacFileUrl = "http://${pacServerAddr}/${pacFileName}";
netvmEntry = builtins.filter (x: x.name == "net-vm") config.ghaf.networking.hosts.entries;
netvmAddress = lib.head (builtins.map (x: x.ip) netvmEntry);
adminvmEntry = builtins.filter (x: x.name == "admin-vm") config.ghaf.networking.hosts.entries;
adminvmAddress = lib.head (builtins.map (x: x.ip) adminvmEntry);
# Remove rounded corners from the text editor window
gnomeTextEditor = pkgs.gnome-text-editor.overrideAttrs (oldAttrs: {
postPatch =
Expand All @@ -25,6 +27,75 @@ let
echo -e '\nwindow { border-radius: 0px; }' >> src/style.css
'';
});

_ghafPacFileFetcher =
let
pacFileDownloadUrl = "https://raw.githubusercontent.com/tiiuae/ghaf-rt-config/refs/heads/main/network/proxy/ghaf.pac";
proxyServerUrl = "http://${netvmAddress}:${toString config.ghaf.reference.services.proxy-server.bindPort}";
logTag = "ghaf-pac-fetcher";
in
pkgs.writeShellApplication {
name = "ghafPacFileFetcher";
runtimeInputs = [
pkgs.coreutils # Provides 'mv', 'rm', etc.
pkgs.curl # For downloading PAC files
pkgs.inetutils # Provides 'logger'
];
text = ''
# Variables
TEMP_PAC_PATH=$(mktemp)
LOCAL_PAC_PATH="/etc/proxy/${pacFileName}"
# Logging function with timestamp
log() {
logger -t "${logTag}" "$1"
}
log "Starting the pac file fetch process..."
# Fetch the pac file using curl with a proxy
log "Fetching pac file from ${pacFileDownloadUrl} using proxy ${proxyServerUrl}..."
http_status=$(curl --proxy "${proxyServerUrl}" -s -o "$TEMP_PAC_PATH" -w "%{http_code}" "${pacFileDownloadUrl}")
log "HTTP status code: $http_status"
# Check if the fetch was successful
if [[ "$http_status" -ne 200 ]]; then
log "Error: Failed to download pac file from ${pacFileDownloadUrl}. HTTP status code: $http_status"
rm -f "$TEMP_PAC_PATH" # Clean up temporary file
exit 2
fi
# Verify the downloaded file is not empty
if [[ ! -s "$TEMP_PAC_PATH" ]]; then
log "Error: The downloaded pac file is empty."
rm -f "$TEMP_PAC_PATH" # Clean up temporary file
exit 3
fi
# Log the download success
log "Pac file downloaded successfully. Proceeding with update..."
# Copy the content from the temporary pac file to the target file
log "Copying the content from temporary file to the target pac file at $LOCAL_PAC_PATH..."
# Check if the copy was successful
if cat "$TEMP_PAC_PATH" > "$LOCAL_PAC_PATH"; then
log "Pac file successfully updated at $LOCAL_PAC_PATH."
else
log "Error: Failed to update the pac file at $LOCAL_PAC_PATH."
rm -f "$TEMP_PAC_PATH" # Clean up temporary file
exit 4
fi
# Clean up temporary file
rm -f "$TEMP_PAC_PATH"
log "Pac file fetch and update process completed successfully."
exit 0
'';
};

in
{
name = "${name}";
Expand All @@ -36,7 +107,7 @@ in
pkgs.openconnect
gnomeTextEditor
pkgs.xarchiver

pkgs.busybox
]
++ lib.optionals config.ghaf.profiles.debug.enable [ pkgs.tcpdump ]
++ lib.optionals config.ghaf.givc.enable [ pkgs.open-normal-extension ];
Expand Down Expand Up @@ -71,20 +142,20 @@ in
applications = [
{
name = "google-chrome";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
args = [ "url" ];
}
{
name = "outlook";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
}
{
name = "office";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
}
{
name = "teams";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
}
{
name = "gpclient";
Expand All @@ -107,7 +178,6 @@ in

reference = {
programs.google-chrome.enable = true;

services.globalprotect = {
enable = true;
csdWrapper = "${pkgs.openconnect}/libexec/openconnect/hipreport.sh";
Expand Down Expand Up @@ -149,13 +219,66 @@ in
# Enable dconf and icon pack for gnome text editor
programs.dconf.enable = true;
environment.systemPackages = [ pkgs.adwaita-icon-theme ];
# Define a new group for proxy management
users.groups.${proxyGroupName} = { }; # Create a group named proxy-admin

# Define a new user with a specific username
users.users.${proxyUserName} = {
isSystemUser = true;
description = "Proxy User for managing allowlist and services";
# extraGroups = [ "${proxyGroupName}" ]; # Adding to 'proxy-admin' for specific access
group = "${proxyGroupName}";
};

environment.etc."proxy/${pacFileName}" = {
text = '''';
user = "${proxyUserName}"; # Owner is proxy-user
group = "${proxyGroupName}"; # Group is proxy-admin
mode = "0664"; # Permissions: read/write for owner/group, no permissions for others
};

systemd.services.pacServer = {
description = "Http server to make PAC file accessible for web browsers";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.busybox}/bin/busybox httpd -f -p ${pacServerAddr} -h /etc/proxy";
# Ensure ghafFetchUrl starts after the network is up
Type = "simple";
# Restart policy on failure
Restart = "always"; # Restart the service if it fails
RestartSec = "15s"; # Wait 15 seconds before restarting
User = "${proxyUserName}";
};
};

systemd.services.ghafPacFileFetcher = {
description = "Fetch ghaf pac file periodically with retries if internet is available";

serviceConfig = {
ExecStart = "${_ghafPacFileFetcher}/bin/ghafPacFileFetcher";
# Ensure ghafFetchUrl starts after the network is up
Type = "simple";
# Restart policy on failure
Restart = "on-failure"; # Restart the service if it fails
RestartSec = "15s"; # Wait 15 seconds before restarting
User = "${proxyUserName}";
};
};

systemd.timers.ghafPacFileFetcher = {
description = "Run ghafPacFileFetcher periodically";
wantedBy = [ "timers.target" ];
timerConfig = {
User = "${proxyUserName}";
Persistent = true; # Ensures the timer runs after a system reboot
OnCalendar = "daily"; # Set to your desired schedule
OnBootSec = "90s";
};
};

#Firewall Settings
networking = {
proxy = {
default = "http://${netvmAddress}:${toString config.ghaf.reference.services.proxy-server.bindPort}";
noProxy = "192.168.101.10,${adminvmAddress},127.0.0.1,localhost,${vpnOnlyAddr}";
};
firewall = {
enable = true;
extraCommands = ''
Expand All @@ -170,6 +293,9 @@ in
# Default policy
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Block any other unwanted traffic (optional)
iptables -N logreject
iptables -A logreject -j LOG
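Review bot: The curl call at `http_status=$(curl --proxy "${proxyServerUrl}" -s -o "$TEMP_PAC_PATH" -w "%{http_code}" "${pacFileDownloadUrl}")` has no `--connect-timeout`/`--max-time`, so a stalled proxy leaves this Type=simple service and its temp file hanging indefinitely, and because writeShellApplication runs the script with errexit, a transport-level failure (non-zero curl exit such as connection refused) aborts before the error is logged or `$TEMP_PAC_PATH` is removed. Suggest `http_status=$(curl --proxy "${proxyServerUrl}" --connect-timeout 10 --max-time 60 -s -o "$TEMP_PAC_PATH" -w "%{http_code}" "${pacFileDownloadUrl}") || http_status=0` so the existing status check covers both cases. Separately, `User = "${proxyUserName}";` inside `timerConfig` is not a valid [Timer] directive (User= belongs to the service unit, which already sets it) and will be ignored with a warning. The PAC is fetched from the mutable `main` branch and written with `cat "$TEMP_PAC_PATH" > "$LOCAL_PAC_PATH"` rather than atomically; since this file decides which proxy every browser request takes, consider pinning the fetch to a commit or verifying a checksum before the copy, and add a comment noting that a browser reading during the write may see a truncated file.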
29 changes: 23 additions & 6 deletions modules/reference/programs/google-chrome.nix
Expand Up @@ -20,8 +20,6 @@ in
PromptForDownloadLocation = true;
AlwaysOpenPdfExternally = true;
DefaultBrowserSettingEnabled = true;
StartupBrowserWindowLaunchSuppressed = true;
DeviceMetricsReportingEnabled = false;
MetricsReportingEnabled = false;
};
example = lib.literalExpression ''
Expand All @@ -30,6 +28,7 @@ in
}
'';
};

extraOpts = lib.mkOption {
type = lib.types.attrs;
description = ''
Expand All @@ -38,9 +37,9 @@ in
<https://cloud.google.com/docs/chrome-enterprise/policies/>
Make sure the selected policy is supported on Linux and your browser version.
'';
default = {

};
default =
{
};
example = lib.literalExpression ''
{
"BrowserSignin" = 0;
Expand All @@ -54,15 +53,33 @@ in
}
'';
};

policyOwner = lib.mkOption {
type = lib.types.str;
default = "root";
description = "Policy files owner";
};

policyOwnerGroup = lib.mkOption {
type = lib.types.str;
default = "root";
description = "Policy files group";
};
};
config = lib.mkIf cfg.enable {

environment.etc = {
"opt/chrome/policies/managed/default.json" = lib.mkIf (cfg.defaultPolicy != { }) {
text = builtins.toJSON cfg.defaultPolicy;
user = "${cfg.policyOwner}"; # Owner is proxy-user
group = "${cfg.policyOwnerGroup}"; # Group is proxy-admin
mode = "0664"; # Permissions: read/write for owner/group, no permissions for others
};
"opt/chrome/policies/managed/extra.json" = lib.mkIf (cfg.extraOpts != { }) {
"opt/chrome/policies/managed/extra.json" = {
text = builtins.toJSON cfg.extraOpts;
user = "${cfg.policyOwner}"; # Owner is proxy-user
group = "${cfg.policyOwnerGroup}"; # Group is proxy-admin
mode = "0664"; # Permissions: read/write for owner/group, no permissions for others
};

};
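Review bot: The comments on the new `user`/`group`/`mode` lines for `default.json` and `extra.json` are copied from business.nix and do not describe this module: `policyOwner`/`policyOwnerGroup` default to `root`, and `0664` is rw-rw-r--, so "no permissions for others" is wrong — others get read access, which Chrome running as the desktop user needs. Suggest `mode = "0664"; # rw-rw-r--: owner/group may rewrite policy, everyone can read` and replacing the two proxy-user/proxy-admin comments with `# owner/group taken from cfg.policyOwner / cfg.policyOwnerGroup`. Because these are mandatory (managed) Chrome policy files, group write means any member of `policyOwnerGroup` can change browser policy; that consequence belongs in the `policyOwnerGroup` option description. The same stale "no permissions for others" comment appears on the `0664` PAC file in business.nix.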

