diff --git a/modules/desktop/graphics/labwc.config.nix b/modules/desktop/graphics/labwc.config.nix
index 1b2c71a9e..bd442c541 100644
--- a/modules/desktop/graphics/labwc.config.nix
+++ b/modules/desktop/graphics/labwc.config.nix
@@ -225,64 +225,66 @@ in
 };
 };
- systemd.user.services.ghaf-launcher = {
- enable = true;
- description = "Ghaf launcher daemon";
- serviceConfig = {
- Type = "simple";
- ExecStart = "${ghaf-launcher}/bin/ghaf-launcher";
- Restart = "always";
- RestartSec = "1";
+ systemd.user.services = {
+ ghaf-launcher = {
+ enable = true;
+ description = "Ghaf launcher daemon";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${ghaf-launcher}/bin/ghaf-launcher";
+ Restart = "always";
+ RestartSec = "1";
+ };
+ partOf = [ "ghaf-session.target" ];
+ wantedBy = [ "ghaf-session.target" ];
 };
- partOf = [ "ghaf-session.target" ];
- wantedBy = [ "ghaf-session.target" ];
- };
- systemd.user.services.swaybg = {
- enable = true;
- description = "Wallpaper daemon";
- serviceConfig = {
- Type = "simple";
- ExecStart = "${pkgs.swaybg}/bin/swaybg -m fill -i ${cfg.wallpaper}";
+ swaybg = {
+ enable = true;
+ description = "Wallpaper daemon";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.swaybg}/bin/swaybg -m fill -i ${cfg.wallpaper}";
+ };
+ partOf = [ "ghaf-session.target" ];
+ wantedBy = [ "ghaf-session.target" ];
 };
- partOf = [ "ghaf-session.target" ];
- wantedBy = [ "ghaf-session.target" ];
- };
- systemd.user.services.mako = {
- enable = true;
- description = "Notification daemon";
- serviceConfig = {
- Type = "simple";
- ExecStart = "${pkgs.mako}/bin/mako -c /etc/mako/config";
+ mako = {
+ enable = true;
+ description = "Notification daemon";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.mako}/bin/mako -c /etc/mako/config";
+ };
+ partOf = [ "ghaf-session.target" ];
+ wantedBy = [ "ghaf-session.target" ];
 };
- partOf = [ "ghaf-session.target" ];
- wantedBy = [ "ghaf-session.target" ];
- };
- systemd.user.services.lock-event = {
- enable = true;
- description = "Lock Event Handler";
- serviceConfig = {
- Type = "simple";
- ExecStart = "${pkgs.swayidle}/bin/swayidle lock \"${lockCmd}\"";
+ lock-event = {
+ enable = true;
+ description = "Lock Event Handler";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.swayidle}/bin/swayidle lock \"${lockCmd}\"";
+ };
+ partOf = [ "ghaf-session.target" ];
+ wantedBy = [ "ghaf-session.target" ];
 };
- partOf = [ "ghaf-session.target" ];
- wantedBy = [ "ghaf-session.target" ];
- };
- systemd.user.services.autolock = lib.mkIf cfg.autolock.enable {
- enable = true;
- description = "System autolock";
- serviceConfig = {
- Type = "simple";
- ExecStart = ''
- ${pkgs.swayidle}/bin/swayidle -w timeout ${builtins.toString cfg.autolock.duration} \
- '${pkgs.chayang}/bin/chayang && ${lockCmd}'
- '';
+ autolock = lib.mkIf cfg.autolock.enable {
+ enable = true;
+ description = "System autolock";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = ''
+ ${pkgs.swayidle}/bin/swayidle -w timeout ${builtins.toString cfg.autolock.duration} \
+ '${pkgs.chayang}/bin/chayang && ${lockCmd}'
+ '';
+ };
+ partOf = [ "ghaf-session.target" ];
+ wantedBy = [ "ghaf-session.target" ];
 };
- partOf = [ "ghaf-session.target" ];
- wantedBy = [ "ghaf-session.target" ];
 };
 ghaf.graphics.launchers = [
diff --git a/modules/desktop/graphics/login-manager.nix b/modules/desktop/graphics/login-manager.nix
index 81bcdff70..6ea01799b 100644
--- a/modules/desktop/graphics/login-manager.nix
+++ b/modules/desktop/graphics/login-manager.nix
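Review bot: Of the five units regrouped under `systemd.user.services`, only `ghaf-launcher` carries a restart policy; `lock-event` and `autolock`, the two `swayidle` units that run `${lockCmd}`, have no `Restart`, so if swayidle exits for any reason the session silently stops locking until `ghaf-session.target` is restarted. Adding `Restart = "always"; RestartSec = "1";` to those two `serviceConfig` blocks, as `ghaf-launcher` already does, keeps the lock path alive; whether `swaybg` and `mako` need it is a UX choice. This is pre-existing behaviour that the regrouping moves rather than changes, so it could be a follow-up.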
@@ -36,39 +36,41 @@ in
 };
 config = lib.mkIf cfg.enable {
- services.greetd = {
- enable = true;
- settings = {
- default_session =
- let
- greeter-autostart = pkgs.writeShellApplication {
- name = "greeter-autostart";
- runtimeInputs = [
- pkgs.greetd.gtkgreet
- pkgs.wayland-logout
- ];
- text = ''
- gtkgreet -l -s ${gtkgreetStyle}
- wayland-logout
- '';
+ services = {
+ greetd = {
+ enable = true;
+ settings = {
+ default_session =
+ let
+ greeter-autostart = pkgs.writeShellApplication {
+ name = "greeter-autostart";
+ runtimeInputs = [
+ pkgs.greetd.gtkgreet
+ pkgs.wayland-logout
+ ];
+ text = ''
+ gtkgreet -l -s ${gtkgreetStyle}
+ wayland-logout
+ '';
+ };
+ in
+ {
+ command = "${pkgs.labwc}/bin/labwc -C /etc/labwc -s ${greeter-autostart}/bin/greeter-autostart";
 };
- in
- {
- command = "${pkgs.labwc}/bin/labwc -C /etc/labwc -s ${greeter-autostart}/bin/greeter-autostart";
- };
+ };
+ };
+
+ seatd = {
+ enable = true;
+ group = "video";
 };
- };
- services.seatd = {
- enable = true;
- group = "video";
+ #Allow video group to change brightness
+ udev.extraRules = ''
+ ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video $sys$devpath/brightness", RUN+="${pkgs.coreutils}/bin/chmod a+w $sys$devpath/brightness"
+ '';
 };
 users.users.greeter.extraGroups = [ "video" ];
-
- #Allow video group to change brightness
- services.udev.extraRules = ''
- ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video $sys$devpath/brightness", RUN+="${pkgs.coreutils}/bin/chmod a+w $sys$devpath/brightness"
- '';
 };
 }
diff --git a/modules/microvm/virtualization/microvm/adminvm.nix b/modules/microvm/virtualization/microvm/adminvm.nix
index 0395c1d04..32672ae2c 100644
--- a/modules/microvm/virtualization/microvm/adminvm.nix
+++ b/modules/microvm/virtualization/microvm/adminvm.nix
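Review bot: The udev rule now under `udev.extraRules` makes the backlight `brightness` node world-writable (`chmod a+w`), although the comment directly above it says only the `video` group should be able to change brightness; combined with the `chgrp video` in the same rule, group write is all the greeter needs, since it is put in `video` by the `extraGroups` line just below. `RUN+="${pkgs.coreutils}/bin/chmod g+w $sys$devpath/brightness"` would match the stated intent, and the intent is worth spelling out in the comment either way, e.g. `# Backlight is owned by the video group; the greeter joins it via extraGroups below`. The rule text itself is unchanged by this commit, so the narrowing can be a follow-up.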
@@ -51,23 +51,18 @@ let
 givc.adminvm.enable = true;
 # Log aggregation configuration
- logging.client.enable = isLoggingEnabled;
- logging.listener.address = configHost.ghaf.logging.listener.address;
- logging.listener.port = configHost.ghaf.logging.listener.port;
- logging.identifierFilePath = "/var/lib/private/alloy/MACAddress";
- logging.server.endpoint = "https://loki.ghaflogs.vedenemo.dev/loki/api/v1/push";
+ logging = {
+ client.enable = isLoggingEnabled;
+ listener = {
+ inherit (configHost.ghaf.logging.listener) address port;
+ };
+ identifierFilePath = "/var/lib/private/alloy/MACAddress";
+ server.endpoint = "https://loki.ghaflogs.vedenemo.dev/loki/api/v1/push";
+ };
 };
 system.stateVersion = lib.trivial.release;
- nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system;
- nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system;
-
- networking = {
- firewall.allowedTCPPorts = lib.mkIf isLoggingEnabled [ config.ghaf.logging.listener.port ];
- firewall.allowedUDPPorts = [ ];
- };
-
 systemd.network = {
 enable = true;
 networks."10-ethint0" = {
@@ -76,6 +71,16 @@ let
 };
 };
+ nixpkgs = {
+ buildPlatform.system = configHost.nixpkgs.buildPlatform.system;
+ hostPlatform.system = configHost.nixpkgs.hostPlatform.system;
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = lib.mkIf isLoggingEnabled [ config.ghaf.logging.listener.port ];
+ allowedUDPPorts = [ ];
+ };
+
 microvm = {
 optimize.enable = true;
 #TODO: Add back support cloud-hypervisor
diff --git a/modules/reference/appvms/business.nix b/modules/reference/appvms/business.nix
index e6d8ce0a0..490871e1a 100644
--- a/modules/reference/appvms/business.nix
+++ b/modules/reference/appvms/business.nix
@@ -68,99 +68,106 @@ in
 devices = [ ];
 };
- ghaf.givc.appvm = {
- enable = true;
- name = lib.mkForce "business-vm";
- applications = [
- {
- name = "chromium";
- command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs}";
- args = [ "url" ];
- }
- {
- name = "outlook";
- command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs}";
- }
- {
- name = "office";
- command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs}";
- }
- {
- name = "teams";
- command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs}";
- }
- {
- name = "gpclient";
- command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/gpclient -platform wayland";
- }
- {
- name = "gnome-text-editor";
- command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/gnome-text-editor";
- }
- {
- name = "losslesscut";
- command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/losslesscut --enable-features=UseOzonePlatform --ozone-platform=wayland";
- }
- ];
+ ghaf = {
+ givc.appvm = {
+ enable = true;
+ name = lib.mkForce "business-vm";
+ applications = [
+ {
+ name = "chromium";
+ command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs}";
+ args = [ "url" ];
+ }
+ {
+ name = "outlook";
+ command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs}";
+ }
+ {
+ name = "office";
+ command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs}";
+ }
+ {
+ name = "teams";
+ command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs}";
+ }
+ {
+ name = "gpclient";
+ command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/gpclient -platform wayland";
+ }
+ {
+ name = "gnome-text-editor";
+ command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/gnome-text-editor";
+ }
+ {
+ name = "losslesscut";
+ command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/losslesscut --enable-features=UseOzonePlatform --ozone-platform=wayland";
+ }
+ ];
+ };
+
+ reference = {
+ programs.chromium.enable = true;
+
+ services.globalprotect = {
+ enable = true;
+ csdWrapper = "${pkgs.openconnect}/libexec/openconnect/hipreport.sh";
+ };
+ };
 };
- ghaf.reference.programs.chromium.enable = true;
 # Set default PDF XDG handler
 xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop";
- ghaf.reference.services.globalprotect = {
- enable = true;
- csdWrapper = "${pkgs.openconnect}/libexec/openconnect/hipreport.sh";
- };
-
 # Enable dconf and icon pack for gnome text editor
 programs.dconf.enable = true;
 environment.systemPackages = [ pkgs.adwaita-icon-theme ];
 #Firewall Settings
 networking = {
- firewall.enable = true;
 proxy = {
 default = "http://${netvmAddress}:${toString config.ghaf.reference.services.proxy-server.bindPort}";
 noProxy = "192.168.101.10,${adminvmAddress},127.0.0.1,localhost,${vpnOnlyAddr}";
 };
- firewall.extraCommands = ''
+ firewall = {
+ enable = true;
+ extraCommands = ''
- add_rule() {
- local ip=$1
- iptables -I OUTPUT -p tcp -d $ip --dport 80 -j ACCEPT
- iptables -I OUTPUT -p tcp -d $ip --dport 443 -j ACCEPT
- iptables -I INPUT -p tcp -s $ip --sport 80 -j ACCEPT
- iptables -I INPUT -p tcp -s $ip --sport 443 -j ACCEPT
- }
- # Default policy
- iptables -P INPUT DROP
+ add_rule() {
+ local ip=$1
+ iptables -I OUTPUT -p tcp -d $ip --dport 80 -j ACCEPT
+ iptables -I OUTPUT -p tcp -d $ip --dport 443 -j ACCEPT
+ iptables -I INPUT -p tcp -s $ip --sport 80 -j ACCEPT
+ iptables -I INPUT -p tcp -s $ip --sport 443 -j ACCEPT
+ }
+ # Default policy
+ iptables -P INPUT DROP
- # Block any other unwanted traffic (optional)
- iptables -N logreject
- iptables -A logreject -j LOG
- iptables -A logreject -j REJECT
+ # Block any other unwanted traffic (optional)
+ iptables -N logreject
+ iptables -A logreject -j LOG
+ iptables -A logreject -j REJECT
- # allow everything for local VPN traffic
- iptables -A INPUT -i tun0 -j ACCEPT
- iptables -A FORWARD -i tun0 -j ACCEPT
- iptables -A FORWARD -o tun0 -j ACCEPT
- iptables -A OUTPUT -o tun0 -j ACCEPT
+ # allow everything for local VPN traffic
+ iptables -A INPUT -i tun0 -j ACCEPT
+ iptables -A FORWARD -i tun0 -j ACCEPT
+ iptables -A FORWARD -o tun0 -j ACCEPT
+ iptables -A OUTPUT -o tun0 -j ACCEPT
- # WARN: if all the traffic including VPN flowing through proxy is intended,
- # remove "add_rule 151.253.154.18" rule and pass "--proxy-server=http://192.168.100.1:3128" to openconnect(VPN) app.
- # also remove "151.253.154.18,tii.ae,.tii.ae,sapsf.com,.sapsf.com" addresses from noProxy option and add
- # them to allow acl list in modules/reference/appvms/3proxy-config.nix file.
- # Allow VPN access.tii.ae
- add_rule ${tiiVpnAddr}
+ # WARN: if all the traffic including VPN flowing through proxy is intended,
+ # remove "add_rule 151.253.154.18" rule and pass "--proxy-server=http://192.168.100.1:3128" to openconnect(VPN) app.
+ # also remove "151.253.154.18,tii.ae,.tii.ae,sapsf.com,.sapsf.com" addresses from noProxy option and add
+ # them to allow acl list in modules/reference/appvms/3proxy-config.nix file.
+ # Allow VPN access.tii.ae
+ add_rule ${tiiVpnAddr}
- # Block all other HTTP and HTTPS traffic
- iptables -A OUTPUT -p tcp --dport 80 -j logreject
- iptables -A OUTPUT -p tcp --dport 443 -j logreject
- iptables -A OUTPUT -p udp --dport 80 -j logreject
- iptables -A OUTPUT -p udp --dport 443 -j logreject
+ # Block all other HTTP and HTTPS traffic
+ iptables -A OUTPUT -p tcp --dport 80 -j logreject
+ iptables -A OUTPUT -p tcp --dport 443 -j logreject
+ iptables -A OUTPUT -p udp --dport 80 -j logreject
+ iptables -A OUTPUT -p udp --dport 443 -j logreject
- '';
+ '';
+ };
 };
 }
 ];
diff --git a/modules/reference/profiles/laptop-x86.nix b/modules/reference/profiles/laptop-x86.nix
index 48d4b4c60..2e53a25e7 100644
--- a/modules/reference/profiles/laptop-x86.nix
+++ b/modules/reference/profiles/laptop-x86.nix
@@ -53,9 +53,11 @@ in
 hardware = {
 x86_64.common.enable = true;
 tpm2.enable = true;
- usb.internal.enable = true;
- usb.external.enable = true;
- usb.vhotplug.enable = true;
+ usb = {
+ internal.enable = true;
+ external.enable = true;
+ vhotplug.enable = true;
+ };
 };
 # Virtualization options
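Review bot: In `add_rule` inside the relocated `firewall.extraCommands`, the two `iptables -I INPUT -p tcp -s $ip --sport 80 -j ACCEPT` / `--sport 443` lines admit any inbound TCP segment from `$ip` whose source port happens to be 80 or 443, regardless of connection state, even though `iptables -P INPUT DROP` is set as the default a few lines below; a single `iptables -I INPUT -p tcp -s $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` only admits replies to the OUTPUT rules above it. Whether that matters depends on whether the NixOS firewall's own stateful accept is in effect in this VM (`firewall.enable = true` is set in the same block) — if it is, the two INPUT rules are redundant and can simply be dropped. Separately, the `# WARN:` comment still quotes the literals `add_rule 151.253.154.18` and `--proxy-server=http://192.168.100.1:3128`, while the code now uses `add_rule ${tiiVpnAddr}` and builds the proxy from `${netvmAddress}` and `bindPort`; naming the variables in the comment keeps it from drifting further. The `networking` block opens and closes inside the hunk; the outer module list continues outside it.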
@@ -121,11 +123,16 @@ in
 };
 # Logging configuration
- logging.client.enable = true;
- logging.client.endpoint = "http://${listenerAddress}:${listenerPort}/loki/api/v1/push";
- logging.listener.address =
- "admin-vm" + lib.optionalString config.ghaf.profiles.debug.enable "-debug";
- logging.listener.port = 9999;
+ logging = {
+ client = {
+ enable = true;
+ endpoint = "http://${listenerAddress}:${listenerPort}/loki/api/v1/push";
+ };
+ listener = {
+ address = "admin-vm" + lib.optionalString config.ghaf.profiles.debug.enable "-debug";
+ port = 9999;
+ };
+ };
 };
 };
 }
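Review bot: `client.endpoint` is assembled from the let-bound `listenerAddress` and `listenerPort` (defined outside the hunk), while `listener.address` and `listener.port` are set a few lines below from independent expressions, so the two can drift — the `-debug` suffix on `address`, for instance, is only visible here. Deriving the endpoint from the option values instead, `endpoint = "http://${config.ghaf.logging.listener.address}:${toString config.ghaf.logging.listener.port}/loki/api/v1/push";`, removes the duplication, assuming the enclosing attribute set is `ghaf = { … }` (its opening line is outside the hunk). Presumably the let bindings already mirror these values, in which case this is a style point only; a one-line comment above `listener` stating that the client pushes to this VM's own admin-vm listener would also help the next reader.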