diff --git a/hardware/fmo-os-rugged-laptop-7330.nix b/hardware/fmo-os-rugged-laptop-7330.nix index 118cf92..55adc52 100644 --- a/hardware/fmo-os-rugged-laptop-7330.nix +++ b/hardware/fmo-os-rugged-laptop-7330.nix @@ -16,6 +16,7 @@ "vim" "tcpdump" "gpsd" + "natscli" ]; # systemPackages launchers = [ @@ -53,6 +54,19 @@ fmo-config = { enable = true; }; # fmo-config + fmo-certs-distribution-service-host = { + enable = true; + ca-name = "NATS CA"; + ca-path = "/run/certs/nats/ca"; + server-ips = ["192.168.101.111" "127.0.0.1"]; + server-name = "NATS-server"; + server-path = "/run/certs/nats/server"; + clients-paths = [ + "/run/certs/nats/clients/host" + "/run/certs/nats/clients/netvm" + "/run/certs/nats/clients/dockervm" + ]; + }; registration-agent-laptop = { enable = true; }; # services.registration-agent-laptop @@ -76,6 +90,7 @@ systemPackages = [ "vim" "tcpdump" + "natscli" ]; # systemPackages extraModules = [ { @@ -243,6 +258,20 @@ proto = "virtiofs"; socket = "netconf.sock"; } + { + source = "/run/certs/nats/clients/netvm"; + mountPoint = "/var/lib/nats/certs"; + tag = "nats_netvm_certs"; + proto = "virtiofs"; + socket = "nats_netvm_certs.sock"; + } + { + source = "/run/certs/nats/ca"; + mountPoint = "/var/lib/nats/ca"; + tag = "nats_netvm_ca_certs"; + proto = "virtiofs"; + socket = "nats_netvm_ca_certs.sock"; + } { tag = "ssh-public-key"; source = "/run/ssh-public-key"; @@ -267,6 +296,7 @@ "vim" "tcpdump" "gpsd" + "natscli" ]; # systemPackages extraModules = [ { @@ -320,6 +350,20 @@ proto = "virtiofs"; socket = "fogdata.sock"; } + { + source = "/run/certs/nats/clients/dockervm"; + mountPoint = "/var/lib/nats/certs"; + tag = "nats_dockervm_certs"; + proto = "virtiofs"; + socket = "nats_dockervm_certs.sock"; + } + { + source = "/run/certs/nats/ca"; + mountPoint = "/var/lib/nats/ca"; + tag = "nats_dockervm_ca_certs"; + proto = "virtiofs"; + socket = "nats_dockervm_ca_certs.sock"; + } { tag = "ssh-public-key"; source = "/run/ssh-public-key"; 
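Review bot: The guest mounting the `nats_netvm_ca_certs` share added here will be able to read the CA private key, because the new module in this commit (modules/fmo-certs-distribution-host/default.nix) generates `ca.key` into the same `cfg.ca-path` directory as `ca.crt` and that directory is exactly the `/run/certs/nats/ca` exported by this share — a guest holding `ca.key` can mint its own client or server certificates, so the `verify_and_map` check on msgvm only proves a certificate was signed by a key every VM possesses. The same directory is exported to dockervm in the @@ -320 hunk and to msgvm in the @@ -374 hunk of this file, and by the corresponding @@ -223, @@ -300 and @@ -354 hunks of fmo-os-rugged-tablet-7230.nix. Keep the CA key host-only: have the module write `ca.key` (and the `-CAcreateserial` serial file) to a separate, unshared path and place only `ca.crt` in the directory that is exported, or export a subdirectory containing just `ca.crt`. Nothing in these share entries marks them read-only either, so whether guests can also modify the exported files depends on the microvm share defaults and is worth confirming. The enclosing `shares` list starts and ends outside this hunk.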
@@ -374,6 +418,121 @@ networking.firewall.enable = false; }]; # extraModules }; # dockervm + msgvm = { + enable = true; + name = "msgvm"; + macaddr = "02:00:00:01:01:03"; + ipaddr = "192.168.101.111"; + defaultgw = "192.168.101.1"; + systemPackages = [ + "vim" + "tcpdump" + "natscli" + "nats-top" + "nats-server" + ]; # systemPackages + extraModules = [ + { + users.users."ghaf".extraGroups = ["docker"]; + microvm = { + mem = 2028; + vcpu = 1; + volumes = [ + { + image = "/var/tmp/msgvm_internal.img"; + mountPoint = "/var/lib/internal"; + size = 10240; + autoCreate = true; + fsType = "ext4"; + } + { + image = "/var/tmp/msgvm_var.img"; + mountPoint = "/var"; + size = 10240; + autoCreate = true; + fsType = "ext4"; + } + ];# microvm.volumes + shares = [ + { + source = "/var/vms_shares/common"; + mountPoint = "/var/vms_share/common"; + tag = "common_share_msgvm"; + proto = "virtiofs"; + socket = "common_share_msgvm.sock"; + } + { + source = "/var/vms_shares/msgvm"; + mountPoint = "/var/vms_share/host"; + tag = "msgvm_share"; + proto = "virtiofs"; + socket = "msgvm_share.sock"; + } + { + source = "/run/certs/nats/server"; + mountPoint = "/var/lib/nats/certs"; + tag = "nats_certs"; + proto = "virtiofs"; + socket = "nats_certs.sock"; + } + { + source = "/run/certs/nats/ca"; + mountPoint = "/var/lib/nats/ca"; + tag = "nats_ca"; + proto = "virtiofs"; + socket = "nats_ca.sock"; + } + { + tag = "ssh-public-key"; + source = "/run/ssh-public-key"; + mountPoint = "/run/ssh-public-key"; + } + ]; # microvm.shares + };# microvm + fileSystems."/run/ssh-public-key".options = ["ro"]; + services = { + avahi = { + enable = true; + nssmdns = true; + ipv4 = true; + ipv6 = false; + publish.enable = true; + publish.domain = true; + publish.addresses = true; + publish.workstation = true; + domainName = "msgvm"; + }; # services.avahi + fmo-psk-distribution-service-vm = { + enable = true; + }; # fmo-psk-distribution-service-vm + nats = { + enable = true; + port = 4222; + + settings = { + # 
Monitoring endpoints + http = 8222; + tls = { + # Path to the server certificate and private key + cert_file = "/var/lib/nats/certs/server.crt"; + key_file = "/var/lib/nats/certs/server.key"; + + # Path to the CA certificate + ca_file = "/var/lib/nats/ca/ca.crt"; + + # Require client certificate verification + verify_and_map = true; + }; + + # Logs config + log_file = "/var/lib/nats/nats-server.log"; + logtime = true; + }; + }; # services.nats-server + }; # services + networking.firewall.enable = false; + }]; # extraModules + }; # msgvm }; # vms }; # system } diff --git a/hardware/fmo-os-rugged-tablet-7230.nix b/hardware/fmo-os-rugged-tablet-7230.nix index 14aa643..4b441a7 100644 --- a/hardware/fmo-os-rugged-tablet-7230.nix +++ b/hardware/fmo-os-rugged-tablet-7230.nix @@ -16,6 +16,7 @@ "vim" "tcpdump" "gpsd" + "natscli" ]; # systemPackages launchers = [ @@ -53,6 +54,19 @@ fmo-config = { enable = true; }; # fmo-config + fmo-certs-distribution-service-host = { + enable = true; + ca-name = "NATS CA"; + ca-path = "/run/certs/nats/ca"; + server-ips = ["192.168.101.111" "127.0.0.1"]; + server-name = "NATS-server"; + server-path = "/run/certs/nats/server"; + clients-paths = [ + "/run/certs/nats/clients/host" + "/run/certs/nats/clients/netvm" + "/run/certs/nats/clients/dockervm" + ]; + }; registration-agent-laptop = { enable = true; }; # services.registration-agent-laptop @@ -76,6 +90,7 @@ systemPackages = [ "vim" "tcpdump" + "natscli" ]; # systemPackages extraModules = [ { @@ -223,6 +238,20 @@ proto = "virtiofs"; socket = "netconf.sock"; } + { + source = "/run/certs/nats/clients/netvm"; + mountPoint = "/var/lib/nats/certs"; + tag = "nats_netvm_certs"; + proto = "virtiofs"; + socket = "nats_netvm_certs.sock"; + } + { + source = "/run/certs/nats/ca"; + mountPoint = "/var/lib/nats/ca"; + tag = "nats_netvm_ca_certs"; + proto = "virtiofs"; + socket = "nats_netvm_ca_certs.sock"; + } { tag = "ssh-public-key"; source = "/run/ssh-public-key"; 
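Review bot: `http = 8222;` in the nats settings opens the plaintext monitoring endpoint on every interface, and the same hunk sets `networking.firewall.enable = false;` for msgvm, so server and connection details at 192.168.101.111:8222 are readable by anything on that network without TLS or authentication even though the client port itself requires a certificate; since `nats-top` is installed in msgvm, binding to loopback keeps local monitoring working: `http = "127.0.0.1:8222";`. `users.users."ghaf".extraGroups = ["docker"];` looks carried over from dockervm — msgvm enables no docker service in this hunk, so the membership should be dropped unless something needs it. `verify_and_map = true;` maps client certificate subjects (`client-0`, `client-1`, … from the generator) to NATS users, but no `authorization` block is defined in these settings, so confirm that client connections are actually accepted or add the user mapping. The same block appears in the @@ -354 hunk of fmo-os-rugged-tablet-7230.nix, and `mem = 2028;` in both reads like a typo for 2048.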
@@ -247,6 +276,7 @@ "vim" "tcpdump" "gpsd" + "natscli" ]; # systemPackages extraModules = [ { @@ -300,6 +330,20 @@ proto = "virtiofs"; socket = "fogdata.sock"; } + { + source = "/run/certs/nats/clients/dockervm"; + mountPoint = "/var/lib/nats/certs"; + tag = "nats_dockervm_certs"; + proto = "virtiofs"; + socket = "nats_dockervm_certs.sock"; + } + { + source = "/run/certs/nats/ca"; + mountPoint = "/var/lib/nats/ca"; + tag = "nats_dockervm_ca_certs"; + proto = "virtiofs"; + socket = "nats_dockervm_ca_certs.sock"; + } { tag = "ssh-public-key"; source = "/run/ssh-public-key"; 
@@ -354,6 +398,122 @@ networking.firewall.enable = false; }]; # extraModules }; # dockervm + msgvm = { + enable = true; + name = "msgvm"; + macaddr = "02:00:00:01:01:03"; + ipaddr = "192.168.101.111"; + defaultgw = "192.168.101.1"; + systemPackages = [ + "vim" + "tcpdump" + "natscli" + "nats-top" + "nats-server" + ]; # systemPackages + extraModules = [ + { + users.users."ghaf".extraGroups = ["docker"]; + microvm = { + mem = 2028; + vcpu = 1; + volumes = [ + { + image = "/var/tmp/msgvm_internal.img"; + mountPoint = "/var/lib/internal"; + size = 10240; + autoCreate = true; + fsType = "ext4"; + } + { + image = "/var/tmp/msgvm_var.img"; + mountPoint = "/var"; + size = 10240; + autoCreate = true; + fsType = "ext4"; + } + ];# microvm.volumes + shares = [ + { + source = "/var/vms_shares/common"; + mountPoint = "/var/vms_share/common"; + tag = "common_share_msgvm"; + proto = "virtiofs"; + socket = "common_share_msgvm.sock"; + } + { + source = "/var/vms_shares/msgvm"; + mountPoint = "/var/vms_share/host"; + tag = "msgvm_share"; + proto = "virtiofs"; + socket = "msgvm_share.sock"; + } + { + source = "/run/certs/nats/server"; + mountPoint = "/var/lib/nats/certs"; + tag = "nats_certs"; + proto = "virtiofs"; + socket = "nats_certs.sock"; + } + { + source = "/run/certs/nats/ca"; + mountPoint = "/var/lib/nats/ca"; + tag = "nats_ca"; + proto = "virtiofs"; + socket = "nats_ca.sock"; + } + { + tag = "ssh-public-key"; + source = "/run/ssh-public-key"; + mountPoint = "/run/ssh-public-key"; + } + ]; # microvm.shares + };# microvm + fileSystems."/run/ssh-public-key".options = ["ro"]; + services = { + avahi = { + enable = true; + nssmdns = true; + ipv4 = true; + ipv6 = false; + publish.enable = true; + publish.domain = true; + publish.addresses = true; + publish.workstation = true; + domainName = "msgvm"; + }; # services.avahi + fmo-psk-distribution-service-vm = { + enable = true; + }; # fmo-psk-distribution-service-vm + nats = { + enable = true; + port = 4222; + + settings = { + # 
Monitoring endpoints + http = 8222; + + tls = { + # Path to the server certificate and private key + cert_file = "/var/lib/nats/certs/server.crt"; + key_file = "/var/lib/nats/certs/server.key"; + + # Path to the CA certificate + ca_file = "/var/lib/nats/ca/ca.crt"; + + # Require client certificate verification + verify_and_map = true; + }; + + # Logs config + log_file = "/var/lib/nats/nats-server.log"; + logtime = true; + }; + }; # services.nats-server + }; # services + networking.firewall.enable = false; + }]; # extraModules + }; # msgvm }; # vms }; # system } diff --git a/modules/fmo-certs-distribution-host/default.nix b/modules/fmo-certs-distribution-host/default.nix new file mode 100644 index 0000000..e62d0bd --- /dev/null +++ b/modules/fmo-certs-distribution-host/default.nix 
@@ -0,0 +1,122 @@ +# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ lib, pkgs, config, ... }: +with lib; +let + cfg = config.services.fmo-certs-distribution-service-host; + + mkClintCert = client-path: n: '' + echo "Generate private key for the client-${n}" + ${pkgs.openssl}/bin/openssl genpkey -algorithm RSA -out ${client-path}/client.key + echo "Create a certificate signing request (CSR) for the client-${n}" + ${pkgs.openssl}/bin/openssl req -new -key ${client-path}/client.key -out ${client-path}/client.csr -subj "/CN=client-${n}" + echo "Sign the client CSR with the CA certificate-${n}" + ${pkgs.openssl}/bin/openssl x509 -req -in ${client-path}/client.csr -CA ${cfg.ca-path}/ca.crt -CAkey ${cfg.ca-path}/ca.key \ + -CAcreateserial -out ${client-path}/client.crt -days 365 -sha256 + ''; + + addIP = ip: "IP: ${ip}"; + + + numOfClients = genList (i: toString i) (length cfg.clients-paths); + +in { + options.services.fmo-certs-distribution-service-host = { + enable = mkEnableOption "fmo-certs-distribution-service-host"; + + ca-name = mkOption { + type = types.str; + description = "CA name"; + default = ""; + }; + + ca-path = mkOption { + type = types.str; + description = "Path to generate CA cert"; + default = ""; + }; + + server-name = mkOption { + type = types.str; + description = "Server name"; + default = ["127.0.0.1"]; + }; + + server-path = mkOption { + type = types.str; + description = "Path to generate server cert"; + default = ""; + }; + + server-ips = mkOption { + type = types.listOf types.str; + description = "Server allowed IPs"; + default = ""; + }; + + clients-paths = mkOption { + type = types.listOf types.str; + description = "Paths to generate clients certs"; + default = ""; + }; + }; + + config = mkIf cfg.enable { + systemd.services."openssl-certs-gen" = let + keygenScript = pkgs.writeShellScriptBin "openssl-certs-gen" '' + set -xeuo pipefail + + EXT_CONF="basicConstraints=CA:FALSE + 
keyUsage=digitalSignature,keyEncipherment + extendedKeyUsage=serverAuth + subjectAltName=${ concatStringsSep ", " (map addIP cfg.server-ips) }" + + echo "Create CA dir" + mkdir -pv ${cfg.ca-path} + # chown -v microvm ${cfg.ca-path} + + echo "Create Server cert dir" + mkdir -pv ${cfg.server-path} + # chown -v microvm ${cfg.server-path} + + echo "Create Clients certs dirs" + for path in ${ concatStringsSep " " cfg.clients-paths }; do + mkdir -pv $path + # chown -v microvm $path + done + + echo "Generate private key for CA" + ${pkgs.openssl}/bin/openssl genpkey -algorithm RSA -out ${cfg.ca-path}/ca.key + echo "Generate self-signed CA certificate" + ${pkgs.openssl}/bin/openssl req -x509 -new -nodes -key ${cfg.ca-path}/ca.key -sha256 -days 365 -out ${cfg.ca-path}/ca.crt \ + -subj "/CN=${cfg.ca-name}" + + echo "Generate private key for the server" + ${pkgs.openssl}/bin/openssl genpkey -algorithm RSA -out ${cfg.server-path}/server.key + echo "Create a certificate signing request (CSR) for the server" + ${pkgs.openssl}/bin/openssl req -new -key ${cfg.server-path}/server.key -out ${cfg.server-path}/server.csr \ + -subj "/CN=${cfg.server-name}" \ + -addext "subjectAltName=IP:192.168.101.111,IP:127.0.0.1" + echo "Sign the server CSR with the CA certificate" + ${pkgs.openssl}/bin/openssl x509 -req -in ${cfg.server-path}/server.csr -CA ${cfg.ca-path}/ca.crt -CAkey ${cfg.ca-path}/ca.key \ + -CAcreateserial -out ${cfg.server-path}/server.crt -days 365 -sha256 \ + -extfile <(printf "$EXT_CONF") + + echo "Generate certs for clients" + ${ concatStringsSep "\n" (zipListsWith mkClintCert cfg.clients-paths numOfClients) } + ''; + in { + enable = true; + description = "Generate encryption certs"; + path = [keygenScript]; + wantedBy = ["microvms.target"]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + StandardOutput = "journal"; + StandardError = "journal"; + ExecStart = "${keygenScript}/bin/openssl-certs-gen"; + }; + }; + }; +} 
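Review bot: Three option defaults do not match their declared types — `server-name` is `types.str` but defaults to `["127.0.0.1"]` (which looks like it was meant for `server-ips`), and `server-ips` and `clients-paths` are `types.listOf types.str` but default to `""` — so any configuration that leaves one of them unset fails the type check at evaluation instead of getting a usable default. The server CSR also hard-codes `-addext "subjectAltName=IP:192.168.101.111,IP:127.0.0.1"` while the signing step takes its SAN from `EXT_CONF`, which is built from `cfg.server-ips`; `openssl x509 -req` applies the `-extfile` extensions rather than the CSR's, so the hard-coded line is dead and will silently disagree with the option if the IPs ever change. `printf "$EXT_CONF"` passes the config as a format string; `printf '%s' "$EXT_CONF"` is the safe form. Separately, the private keys are written with the service's default umask and the `chown` lines are commented out, so their readability is whatever the directories inherit — worth pinning explicitly once the ownership model for the shares is settled. Naming nits: `mkClintCert` → `mkClientCert`, and `numOfClients` holds a list of index strings, so `clientIndices` says what it is.
```nix
    server-name = mkOption {
      type = types.str;
      description = "Server name";
      default = "";
    };

    # … unchanged: server-path …

    server-ips = mkOption {
      type = types.listOf types.str;
      description = "Server allowed IPs";
      default = ["127.0.0.1"];
    };

    clients-paths = mkOption {
      type = types.listOf types.str;
      description = "Paths to generate clients certs";
      default = [];
    };
  # … unchanged: config header, EXT_CONF, directory creation, CA key/cert and server key generation …
        echo "Create a certificate signing request (CSR) for the server"
        ${pkgs.openssl}/bin/openssl req -new -key ${cfg.server-path}/server.key -out ${cfg.server-path}/server.csr \
          -subj "/CN=${cfg.server-name}"
        # … unchanged: x509 -req signing arguments …
          -extfile <(printf '%s' "$EXT_CONF")
  # … unchanged: client cert generation and the systemd unit …
```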
diff --git a/modules/fmo-module-list.nix b/modules/fmo-module-list.nix index e779eda..647dd2a 100644 --- a/modules/fmo-module-list.nix +++ b/modules/fmo-module-list.nix @@ -23,4 +23,5 @@ ./dynamic-portforwarding-service-host ./dynamic-device-passthrough-services ./dynamic-device-passthrough-services-host + ./fmo-certs-distribution-host ] diff --git a/modules/google-chrome/overlay.nix b/modules/google-chrome/overlay.nix index b6c573c..aaa627f 100644 --- a/modules/google-chrome/overlay.nix +++ b/modules/google-chrome/overlay.nix @@ -3,7 +3,7 @@ self: super: google-chrome = super.google-chrome.overrideAttrs (oldAttrs: rec { src = super.fetchurl { url = "https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb"; - sha256 = "sha256-5NITOnDEVd5PeyWT9rPVgFv5W5bP2h+bLM30hjmpgzs="; + sha256 = "sha256-Cn0fg6WI1kFdk8s0LCksMCMLSDkPImXBDNK+hNMlMpQ="; }; installPhase = '' runHook preInstall