General Url fetcher script for ms and ghaf #891

Merged
merged 1 commit into from
Nov 29, 2024
152 changes: 139 additions & 13 deletions modules/reference/appvms/business.nix
Expand Up @@ -11,12 +11,14 @@ let
inherit (lib) mkIf optionalString;
#TODO: Move this to a common place
name = "business";
proxyUserName = "proxy-user";
proxyGroupName = "proxy-admin";
tiiVpnAddr = "151.253.154.18";
vpnOnlyAddr = "${tiiVpnAddr},jira.tii.ae,access.tii.ae,confluence.tii.ae,i-service.tii.ae,catalyst.atrc.ae";
pacFileName = "ghaf.pac";
pacServerAddr = "127.0.0.1:8000";
pacFileUrl = "http://${pacServerAddr}/${pacFileName}";
netvmEntry = builtins.filter (x: x.name == "net-vm") config.ghaf.networking.hosts.entries;
netvmAddress = lib.head (builtins.map (x: x.ip) netvmEntry);
adminvmEntry = builtins.filter (x: x.name == "admin-vm") config.ghaf.networking.hosts.entries;
adminvmAddress = lib.head (builtins.map (x: x.ip) adminvmEntry);
# Remove rounded corners from the text editor window
gnomeTextEditor = pkgs.gnome-text-editor.overrideAttrs (oldAttrs: {
postPatch =
Expand All @@ -25,6 +27,75 @@ let
echo -e '\nwindow { border-radius: 0px; }' >> src/style.css
'';
});

_ghafPacFileFetcher =
let
pacFileDownloadUrl = "https://raw.githubusercontent.com/tiiuae/ghaf-rt-config/refs/heads/main/network/proxy/ghaf.pac";
proxyServerUrl = "http://${netvmAddress}:${toString config.ghaf.reference.services.proxy-server.bindPort}";
logTag = "ghaf-pac-fetcher";
in
pkgs.writeShellApplication {
name = "ghafPacFileFetcher";
runtimeInputs = [
pkgs.coreutils # Provides 'mv', 'rm', etc.
pkgs.curl # For downloading PAC files
pkgs.inetutils # Provides 'logger'
];
text = ''
# Variables
TEMP_PAC_PATH=$(mktemp)
LOCAL_PAC_PATH="/etc/proxy/${pacFileName}"

# Logging function with timestamp
log() {
logger -t "${logTag}" "$1"
}

log "Starting the pac file fetch process..."

# Fetch the pac file using curl with a proxy
log "Fetching pac file from ${pacFileDownloadUrl} using proxy ${proxyServerUrl}..."
http_status=$(curl --proxy "${proxyServerUrl}" -s -o "$TEMP_PAC_PATH" -w "%{http_code}" "${pacFileDownloadUrl}")

log "HTTP status code: $http_status"

# Check if the fetch was successful
if [[ "$http_status" -ne 200 ]]; then
log "Error: Failed to download pac file from ${pacFileDownloadUrl}. HTTP status code: $http_status"
rm -f "$TEMP_PAC_PATH" # Clean up temporary file
exit 2
fi

# Verify the downloaded file is not empty
if [[ ! -s "$TEMP_PAC_PATH" ]]; then
log "Error: The downloaded pac file is empty."
rm -f "$TEMP_PAC_PATH" # Clean up temporary file
exit 3
fi

# Log the download success
log "Pac file downloaded successfully. Proceeding with update..."

# Copy the content from the temporary pac file to the target file
log "Copying the content from temporary file to the target pac file at $LOCAL_PAC_PATH..."

# Check if the copy was successful
if cat "$TEMP_PAC_PATH" > "$LOCAL_PAC_PATH"; then
log "Pac file successfully updated at $LOCAL_PAC_PATH."
else
log "Error: Failed to update the pac file at $LOCAL_PAC_PATH."
rm -f "$TEMP_PAC_PATH" # Clean up temporary file
exit 4
fi

# Clean up temporary file
rm -f "$TEMP_PAC_PATH"

log "Pac file fetch and update process completed successfully."
exit 0
'';
};

in
{
name = "${name}";
Expand All @@ -36,7 +107,7 @@ in
pkgs.openconnect
gnomeTextEditor
pkgs.xarchiver

pkgs.busybox
]
++ lib.optionals config.ghaf.profiles.debug.enable [ pkgs.tcpdump ]
++ lib.optionals config.ghaf.givc.enable [ pkgs.open-normal-extension ];
Expand Down Expand Up @@ -71,20 +142,20 @@ in
applications = [
{
name = "google-chrome";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
args = [ "url" ];
}
{
name = "outlook";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
}
{
name = "office";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
}
{
name = "teams";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
}
{
name = "gpclient";
Expand All @@ -107,7 +178,6 @@ in

reference = {
programs.google-chrome.enable = true;

services.globalprotect = {
enable = true;
csdWrapper = "${pkgs.openconnect}/libexec/openconnect/hipreport.sh";
Expand Down Expand Up @@ -149,13 +219,66 @@ in
# Enable dconf and icon pack for gnome text editor
programs.dconf.enable = true;
environment.systemPackages = [ pkgs.adwaita-icon-theme ];
# Define a new group for proxy management
users.groups.${proxyGroupName} = { }; # Create a group named proxy-admin

# Define a new user with a specific username
users.users.${proxyUserName} = {
isSystemUser = true;
description = "Proxy User for managing allowlist and services";
# extraGroups = [ "${proxyGroupName}" ]; # Adding to 'proxy-admin' for specific access
group = "${proxyGroupName}";
};

environment.etc."proxy/${pacFileName}" = {
text = '''';
user = "${proxyUserName}"; # Owner is proxy-user
group = "${proxyGroupName}"; # Group is proxy-admin
mode = "0664"; # Permissions: read/write for owner/group, no permissions for others
};

systemd.services.pacServer = {
description = "Http server to make PAC file accessible for web browsers";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.busybox}/bin/busybox httpd -f -p ${pacServerAddr} -h /etc/proxy";
# Ensure ghafFetchUrl starts after the network is up
Type = "simple";
# Restart policy on failure
Restart = "always"; # Restart the service if it fails
RestartSec = "15s"; # Wait 15 seconds before restarting
User = "${proxyUserName}";
};
};

systemd.services.ghafPacFileFetcher = {
description = "Fetch ghaf pac file periodically with retries if internet is available";

serviceConfig = {
ExecStart = "${_ghafPacFileFetcher}/bin/ghafPacFileFetcher";
# Ensure ghafFetchUrl starts after the network is up
Type = "simple";
# Restart policy on failure
Restart = "on-failure"; # Restart the service if it fails
RestartSec = "15s"; # Wait 15 seconds before restarting
User = "${proxyUserName}";
};
};

systemd.timers.ghafPacFileFetcher = {
description = "Run ghafPacFileFetcher periodically";
wantedBy = [ "timers.target" ];
timerConfig = {
User = "${proxyUserName}";
Persistent = true; # Ensures the timer runs after a system reboot
OnCalendar = "daily"; # Set to your desired schedule
OnBootSec = "90s";
};
};

#Firewall Settings
networking = {
proxy = {
default = "http://${netvmAddress}:${toString config.ghaf.reference.services.proxy-server.bindPort}";
noProxy = "192.168.101.10,${adminvmAddress},127.0.0.1,localhost,${vpnOnlyAddr}";
};
firewall = {
enable = true;
extraCommands = ''
Expand All @@ -170,6 +293,9 @@ in
# Default policy
iptables -P INPUT DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Block any other unwanted traffic (optional)
iptables -N logreject
iptables -A logreject -j LOG
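Review bot: The update step `if cat "$TEMP_PAC_PATH" > "$LOCAL_PAC_PATH"; then` in _ghafPacFileFetcher truncates the PAC in place while the busybox httpd unit is serving it, so a Chrome start during a fetch can be handed an empty or partial PAC; writing to a temporary file in the same directory and `mv -f`-ing it over `$LOCAL_PAC_PATH` makes the replacement atomic (that needs `/etc/proxy` to be writable by proxy-user, which the hunk does not set up). Because writeShellApplication enables `set -euo pipefail`, a transport failure in `http_status=$(curl …)` exits before any of the `rm -f "$TEMP_PAC_PATH"` lines run; a `trap 'rm -f "$TEMP_PAC_PATH"' EXIT` right after the `mktemp` line covers that case and replaces the four manual removals. `User` is not a `[Timer]` key, so `timerConfig.User` in systemd.timers.ghafPacFileFetcher is ignored with a warning; `serviceConfig.User` on the service already does the job. The comment on `mode = "0664"` for `environment.etc."proxy/${pacFileName}"` says "no permissions for others", but 0664 is world-readable and group-writable, and since the PAC decides where every browser request is routed, `mode = "0644"` (or 0640 if httpd runs as proxy-user) with a corrected comment is the safer setting unless proxy-admin members are meant to edit it. The two `# Ensure ghafFetchUrl starts after the network is up` comments sit above `Type = "simple";` and describe nothing on that line; nothing in the hunk orders the fetcher after `network-online.target`, so either add `after`/`wants` for it or drop the comment.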
29 changes: 23 additions & 6 deletions modules/reference/programs/google-chrome.nix
Expand Up @@ -20,8 +20,6 @@ in
PromptForDownloadLocation = true;
AlwaysOpenPdfExternally = true;
DefaultBrowserSettingEnabled = true;
StartupBrowserWindowLaunchSuppressed = true;
DeviceMetricsReportingEnabled = false;
MetricsReportingEnabled = false;
};
example = lib.literalExpression ''
Expand All @@ -30,6 +28,7 @@ in
}
'';
};

extraOpts = lib.mkOption {
type = lib.types.attrs;
description = ''
Expand All @@ -38,9 +37,9 @@ in
<https://cloud.google.com/docs/chrome-enterprise/policies/>
Make sure the selected policy is supported on Linux and your browser version.
'';
default = {

};
default =
{
};
example = lib.literalExpression ''
{
"BrowserSignin" = 0;
Expand All @@ -54,15 +53,33 @@ in
}
'';
};

policyOwner = lib.mkOption {
type = lib.types.str;
default = "root";
description = "Policy files owner";
};

policyOwnerGroup = lib.mkOption {
type = lib.types.str;
default = "root";
description = "Policy files group";
};
};
config = lib.mkIf cfg.enable {

environment.etc = {
"opt/chrome/policies/managed/default.json" = lib.mkIf (cfg.defaultPolicy != { }) {
text = builtins.toJSON cfg.defaultPolicy;
user = "${cfg.policyOwner}"; # Owner is proxy-user
group = "${cfg.policyOwnerGroup}"; # Group is proxy-admin
mode = "0664"; # Permissions: read/write for owner/group, no permissions for others
};
"opt/chrome/policies/managed/extra.json" = lib.mkIf (cfg.extraOpts != { }) {
"opt/chrome/policies/managed/extra.json" = {
text = builtins.toJSON cfg.extraOpts;
user = "${cfg.policyOwner}"; # Owner is proxy-user
group = "${cfg.policyOwnerGroup}"; # Group is proxy-admin
mode = "0664"; # Permissions: read/write for owner/group, no permissions for others
};

};
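Review bot: The new `mode = "0664"` on both Chrome managed-policy files makes them writable by every member of `cfg.policyOwnerGroup`, which lets that group change browser policy (proxy, extensions, allowlists) for all users, and the accompanying comment "no permissions for others" is wrong for 0664 (others get read); `mode = "0644";` with a comment such as `# Policy files are read by the browser only; keep them non-writable except for the owner` matches what managed policy needs. The comments `# Owner is proxy-user` and `# Group is proxy-admin` were copied from business.nix but the values are `cfg.policyOwner`/`cfg.policyOwnerGroup`, which default to `root`; change them to `# Owner from cfg.policyOwner` and `# Group from cfg.policyOwnerGroup`. `extra.json` is now written unconditionally while `default.json` keeps its `lib.mkIf (cfg.defaultPolicy != { })` guard, so an empty `{}` policy file appears whenever `extraOpts` is unset; restoring the guard keeps the two entries consistent. The removal of `MetricsReportingEnabled = false` and `DeviceMetricsReportingEnabled = false` from `defaultPolicy` re-enables metrics reporting by default unless they are set elsewhere, which is unrelated to the PR title and looks unintended; if it is deliberate, a line in the description would help.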