Enable TLS

- add tls module for certificate generation, which can be enabled where needed
- add TLS certificate generation script, allowing multiple IP entries
- add key copy service to allow user access in /run/givc, by default
  keys and certificates are stored in /etc/givc with root access only
- remove TLS data name dependencies

Signed-off-by: Manuel Bluhm <[email protected]>

.github/pull_request_template.md

@@ -21,7 +21,7 @@ Please check, [X], to all that applies. Leave [ ] if an item does not apply but
 - [ ] Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
 - [ ] [Contribution guidelines](https://github.com/tiiuae/ghaf/blob/main/CONTRIBUTING.md) followed
 - [ ] Test procedure added to nixos/tests
-- [ ] Author has run `nix flake check --accept-flake-config` and it passes
+- [ ] Author has run `nix flake check` and it passes
 - [ ] All automatic Github Action checks pass - see [actions](https://github.com/tiiuae/ghaf-givc/actions)
 - [ ] Author has added reviewers and removed PR draft status
 

flake.nix

@@ -84,6 +84,7 @@
           sysvm = import ./nixos/modules/sysvm.nix { inherit self; };
           appvm = import ./nixos/modules/appvm.nix { inherit self; };
           dbus = import ./nixos/modules/dbus.nix { inherit self; };
+          tls = import ./nixos/modules/tls.nix { inherit self; };
         };
 
         # Overlays

internal/pkgs/localelistener/transport.go

@@ -57,7 +57,7 @@ func (s *LocaleServer) TimezoneSet(ctx context.Context, req *locale_api.Timezone
 
 	err := s.Controller.SetTimezone(context.Background(), req.Timezone)
 	if err != nil {
-		log.Infof("[SetLocale] Error setting timezone: %v\n", err)
+		log.Infof("[SetTimezone] Error setting timezone: %v\n", err)
 		return nil, fmt.Errorf("Cannot set timezone")
 	}
 

internal/pkgs/types/types.go

@@ -85,12 +85,6 @@ const (
 	UNIT_TYPE_APPVM_APP
 )
 
-const (
-	PROXY_NULL             uint32 = 0
-	PROXY_SERVER_CONNECTED uint32 = 1
-	PROXY_CLIENT_CONNECTED uint32 = 2
-)
-
 const (
 	APP_ARG_FLAG = "flag"
 	APP_ARG_URL  = "url"

nixos/modules/appvm.nix

@@ -116,6 +116,25 @@ in
       '';
     };
 
+    # Copy givc keys and certificates for user access
+    systemd.services.givc-user-key-setup = {
+      description = "Prepare givc keys and certificates for user access";
+      enable = true;
+      wantedBy = [ "local-fs.target" ];
+      after = [ "local-fs.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.rsync}/bin/rsync -r --chown=root:users --chmod=g+rx /etc/givc /run";
+        Restart = "no";
+      };
+    };
+    givc.appvm.tls = {
+      caCertPath = "/run/givc/ca-cert.pem";
+      certPath = "/run/givc/cert.pem";
+      keyPath = "/run/givc/key.pem";
+    };
+
+    # User agent
     systemd.user.services."givc-${cfg.agent.name}" = {
       description = "GIVC remote service manager for application VMs";
       enable = true;

nixos/modules/definitions.nix

@@ -8,7 +8,7 @@ let
   transportSubmodule = types.submodule {
     options = {
       name = mkOption {
-        description = "Network host and TLS name";
+        description = "Identifier for network, host, and/or TLS name";
         type = types.str;
         default = "localhost";
       };
@@ -89,17 +89,17 @@ in
       caCertPath = mkOption {
         description = "Path to the CA certificate file.";
         type = types.str;
-        default = "";
+        default = "/etc/givc/ca-cert.pem";
       };
       certPath = mkOption {
         description = "Path to the service certificate file.";
         type = types.str;
-        default = "";
+        default = "/etc/givc/cert.pem";
       };
       keyPath = mkOption {
         description = "Path to the service key file.";
         type = types.str;
-        default = "";
+        default = "/etc/givc/key.pem";
       };
     };
   };

nixos/modules/host.nix

@@ -77,26 +77,28 @@ in
       }
     ];
 
-    systemd.services."givc-${cfg.agent.name}" = {
-      description = "GIVC remote service manager for the host.";
-      enable = true;
-      after = [ "network-online.target" ];
-      wants = [ "network-online.target" ];
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        Type = "exec";
-        ExecStart = "${givc-agent}/bin/givc-agent";
-        Restart = "always";
-        RestartSec = 1;
-      };
-      environment = {
-        "AGENT" = "${toJSON cfg.agent}";
-        "DEBUG" = "${trivial.boolToString cfg.debug}";
-        "TYPE" = "0";
-        "SUBTYPE" = "1";
-        "SERVICES" = "${concatStringsSep " " cfg.services}";
-        "ADMIN_SERVER" = "${toJSON cfg.admin}";
-        "TLS_CONFIG" = "${toJSON cfg.tls}";
+    systemd.services = {
+      "givc-${cfg.agent.name}" = {
+        description = "GIVC remote service manager for the host.";
+        enable = true;
+        after = [ "network-online.target" ];
+        wants = [ "network-online.target" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          Type = "exec";
+          ExecStart = "${givc-agent}/bin/givc-agent";
+          Restart = "always";
+          RestartSec = 1;
+        };
+        environment = {
+          "AGENT" = "${toJSON cfg.agent}";
+          "DEBUG" = "${trivial.boolToString cfg.debug}";
+          "TYPE" = "0";
+          "SUBTYPE" = "1";
+          "SERVICES" = "${concatStringsSep " " cfg.services}";
+          "ADMIN_SERVER" = "${toJSON cfg.admin}";
+          "TLS_CONFIG" = "${toJSON cfg.tls}";
+        };
       };
     };
     networking.firewall.allowedTCPPorts =

nixos/modules/sysvm.nix

@@ -21,6 +21,7 @@ let
     concatStringsSep
     optionalString
     optionals
+    optionalAttrs
     ;
   inherit (builtins) toJSON;
   inherit (import ./definitions.nix { inherit config lib; })
@@ -32,6 +33,7 @@ in
 {
   options.givc.sysvm = {
     enable = mkEnableOption "Enable givc-sysvm module.";
+    enableUserTlsAccess = mkEnableOption "Enable users to access TLS keys to run client.";
 
     agent = mkOption {
       description = ''
@@ -134,6 +136,18 @@ in
       wantedBy = [ "network-online.target" ];
     };
 
+    systemd.services.givc-user-key-setup = optionalAttrs cfg.enableUserTlsAccess {
+      description = "Prepare givc keys and certificates for user access";
+      enable = true;
+      wantedBy = [ "local-fs.target" ];
+      after = [ "local-fs.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.rsync}/bin/rsync -r --chown=root:users --chmod=g+rx /etc/givc /run";
+        Restart = "no";
+      };
+    };
+
     systemd.services."givc-${cfg.agent.name}" = {
       description = "GIVC remote service manager for system VMs";
       enable = true;

nixos/modules/tls.nix

@@ -0,0 +1,109 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ self }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.givc.tls;
+  inherit (lib)
+    mkOption
+    mkEnableOption
+    mkIf
+    types
+    ;
+  inherit (import ./definitions.nix { inherit config lib; })
+    transportSubmodule
+    ;
+in
+{
+  options.givc.tls = {
+    enable = mkEnableOption "Enable givc-tls module. This module generates keys and certificates for givc's mTLS in /etc/givc.";
+
+    agents = mkOption {
+      description = "List of agents to generate TLS certificates for. Requires a list of 'transportSubmodule'.";
+      type = types.listOf transportSubmodule;
+    };
+
+    adminTlsName = mkOption {
+      description = "TLS host name of admin server.";
+      type = types.str;
+    };
+
+    adminAddresses = mkOption {
+      description = "List of addresses for the admin service to listen on. Requires a list of 'transportSubmodule'.";
+      type = types.listOf transportSubmodule;
+    };
+
+    generatorHostName = mkOption {
+      description = "Host name of the certificate generator. This will prevent to write the TLS data into the storage path.";
+      type = types.str;
+    };
+
+    storagePath = mkOption {
+      description = "Storage path for generated keys and certificates. Will use subdirectories for each agent by name.";
+      type = types.str;
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.agents != [ ];
+        message = "The TLS module requires a list of agents to generate keys and certificates for.";
+      }
+      {
+        assertion = cfg.adminTlsName != "";
+        message = "The TLS module requires a TLS host name for the admin server.";
+      }
+      {
+        assertion = cfg.adminAddresses != [ ];
+        message = "The TLS module requires a list of addresses for the admin service to listen on.";
+      }
+      {
+        assertion = cfg.generatorHostName != "";
+        message = "The TLS module requires a host name for the certificate generator.";
+      }
+      {
+        assertion = cfg.storagePath != "";
+        message = "The TLS module requires a storage path for generated keys and certificates.";
+      }
+    ];
+
+    systemd.services = {
+      givc-key-setup =
+        let
+          givcCertGenerator = pkgs.callPackage ../packages/givc-gen-certs.nix {
+            inherit lib pkgs;
+            inherit (cfg)
+              agents
+              adminTlsName
+              adminAddresses
+              generatorHostName
+              ;
+          };
+        in
+        {
+          enable = true;
+          description = "Generate keys and certificates for givc";
+          path = [ givcCertGenerator ];
+          wantedBy = [ "local-fs.target" ];
+          after = [ "local-fs.target" ];
+          unitConfig.ConditionPathExists = "!/etc/givc/tls.lock";
+          serviceConfig = {
+            Type = "notify";
+            NotifyAccess = "all";
+            Restart = "no";
+            StandardOutput = "journal";
+            StandardError = "journal";
+            ExecStart = "${givcCertGenerator}/bin/givc-gen-certs ${cfg.storagePath}";
+            ExecStartPost = "${pkgs.coreutils}/bin/install -m 000 /dev/null /etc/givc/tls.lock";
+          };
+        };
+    };
+  };
+}