feat(network+givc):

Updates: - update flake inputs: givc, ctrl-panel Changes to networking: - auto-generate IP and MAC addresses - remove 'debug' network from ghaf. Next step we can remove the host from network and facilitate communication over mem share or vsock in release Changes to givc: - enable tls - enable multiple admin service interfaces - centralize givc-cli arguments across ghaf Signed-off-by: Manuel Bluhm <[email protected]>
tiiuae · Jan 23, 2025 · 39b4699 · 39b4699
1 parent 0f29278
commit 39b4699
Show file tree

Hide file tree

Showing 44 changed files with 594 additions and 512 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -143,7 +143,7 @@
     };
 
     givc = {
-      url = "github:tiiuae/ghaf-givc/966559e0597e5584e3b740c8b3447129021f6446";
+      url = "github:tiiuae/ghaf-givc/58e0f39724dbf8b01d06497a0a00ef683d44c556";
       inputs = {
         nixpkgs.follows = "nixpkgs";
         flake-parts.follows = "flake-parts";
@@ -155,7 +155,7 @@
     };
 
     ctrl-panel = {
-      url = "github:tiiuae/ghaf-ctrl-panel/5ca381ba51c05cf370299056f6e377cd6003283f";
+      url = "github:tiiuae/ghaf-ctrl-panel/ef4b843c975030a8156390e3aa6f5536da0ad5c9";
       inputs = {
         nixpkgs.follows = "nixpkgs";
         flake-utils.follows = "flake-utils";

diff --git a/modules/common/common.nix b/modules/common/common.nix
@@ -3,7 +3,21 @@
 #
 # TODO: Refactor even more.
 #       This is the old "host/default.nix" file.
-{ lib, ... }:
+#
+# ghaf.common: Interface to share ghaf configs from host to VMs
+#
+{ config, lib, ... }:
+let
+  inherit (builtins) attrNames;
+  inherit (lib)
+    mkOption
+    types
+    optionalAttrs
+    optionalString
+    attrsets
+    hasAttrByPath
+    ;
+in
 {
   imports = [
     # TODO remove this when the minimal config is defined
@@ -14,7 +28,59 @@
     #(modulesPath + "/profiles/minimal.nix")
   ];
 
+  options.ghaf = {
+    common = {
+      vms = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = "List of VMs currently enabled.";
+      };
+      systemHosts = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = "List of system hosts currently enabled.";
+      };
+      appHosts = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = "List of app hosts currently enabled.";
+      };
+    };
+    type = mkOption {
+      description = "Type of the ghaf component. One of 'host', 'system-vm', or 'app-vm'.";
+      type = types.enum [
+        "host"
+        "system-vm"
+        "app-vm"
+      ];
+    };
+  };
+
   config = {
+
+    # Populate the shared namespace
+    ghaf =
+      optionalAttrs
+        (hasAttrByPath [
+          "microvm"
+          "vms"
+        ] config)
+        {
+          common = {
+            vms = attrNames config.microvm.vms;
+            systemHosts = lib.lists.remove "" (
+              lib.attrsets.mapAttrsToList (
+                n: v: lib.optionalString (v.config.config.ghaf.type == "system-vm") n
+              ) config.microvm.vms
+            );
+            appHosts = lib.lists.remove "" (
+              lib.attrsets.mapAttrsToList (
+                n: v: lib.optionalString (v.config.config.ghaf.type == "app-vm") n
+              ) config.microvm.vms
+            );
+          };
+        };
+
     system.stateVersion = lib.trivial.release;
 
     ####

diff --git a/modules/common/networking/default.nix b/modules/common/networking/default.nix
@@ -1,3 +1,7 @@
 # Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{ imports = [ ./hosts.nix ]; }
+{
+  imports = [
+    ./hosts.nix
+  ];
+}
diff --git a/modules/common/networking/hosts.nix b/modules/common/networking/hosts.nix
@@ -2,126 +2,107 @@
 # SPDX-License-Identifier: Apache-2.0
 { config, lib, ... }:
 let
-  cfg = config.ghaf.networking.hosts;
   inherit (lib)
     foldr
-    mkIf
     mkOption
-    optionals
     recursiveUpdate
+    optionalString
     types
+    trivial
+    listToAttrs
+    nameValuePair
     ;
 
-  hostsEntrySubmodule = types.submodule {
+  # Internal network host entry
+  # TODO Add sockets
+  hostEntrySubmodule = types.submodule {
     options = {
       name = mkOption {
         type = types.str;
         description = ''
           Host name as string.
         '';
       };
-      ip = mkOption {
+      mac = mkOption {
         type = types.str;
         description = ''
-          Host IPv4 address as string.
+          MAC address as string.
+        '';
+      };
+      ipv4 = mkOption {
+        type = types.str;
+        description = ''
+          IPv4 address as string.
+        '';
+      };
+      ipv6 = mkOption {
+        type = types.str;
+        description = ''
+          IPv6 address as string.
         '';
       };
     };
   };
 
-  # please note that .100. network is not
-  # reachable from ghaf-host. It's only reachable
-  # guest-to-guest.
-  # Use to .101. (debug) to access guests from host.
-  # debug network hosts are post-fixed: <hostname>-debug
-  ipBase = "192.168.100";
-  debugBase = "192.168.101";
-  hostsEntries = [
-    {
-      ip = 1;
-      name = "net-vm";
-    }
-    {
-      ip = 2;
-      name = "ghaf-host";
-    }
-    {
-      ip = 3;
-      name = "gui-vm";
-    }
-    {
-      ip = 4;
-      name = "ids-vm";
-    }
-    {
-      ip = 5;
-      name = "audio-vm";
-    }
-    {
-      ip = 10;
-      name = "admin-vm";
-    }
-    {
-      ip = 100;
-      name = "chrome-vm";
-    }
-    {
-      ip = 101;
-      name = "gala-vm";
-    }
-    {
-      ip = 102;
-      name = "zathura-vm";
-    }
-    {
-      ip = 103;
-      name = "comms-vm";
-    }
-    {
-      ip = 104;
-      name = "business-vm";
-    }
-  ];
+  # Re-order hosts to ensure net-vm is always first in list to reserve .1
+  hostList = [
+    "net-vm"
+    "ghaf-host"
+  ] ++ lib.lists.remove "net-vm" config.ghaf.common.systemHosts;
 
-  mkHostEntry =
-    { ip, name }:
-    {
-      name = "${name}";
-      ip = "${ipBase}.${toString ip}";
-    };
-  mkHostEntryDebug =
-    { ip, name }:
-    {
-      name = "${name}-debug";
-      ip = "${debugBase}.${toString ip}";
-    };
-  entries =
-    (map mkHostEntry hostsEntries)
-    ++ optionals config.ghaf.profiles.debug.enable (map mkHostEntryDebug hostsEntries);
+  # Address bases
+  macBaseAddress = "02:AD:00:00:00:";
+  ipv4BaseAddress = "192.168.100.";
+  ipv6BaseAddress = "fd00::100:";
+
+  # Generate host entries
+  # TODO Add sockets
+  hosts =
+    lib.lists.imap1 (idx: name: {
+      inherit name;
+      mac = "${macBaseAddress}${optionalString (idx < 16) "0"}${trivial.toHexString idx}";
+      ipv4 = "${ipv4BaseAddress}${toString idx}";
+      ipv6 = "${ipv6BaseAddress}${toString idx}";
+    }) hostList
+    ++ lib.lists.imap1 (
+      index: name:
+      let
+        idx = index + 100;
+      in
+      {
+        inherit name;
+        mac = "${macBaseAddress}${optionalString (idx < 16) "0"}${trivial.toHexString idx}";
+        ipv4 = "${ipv4BaseAddress}${toString idx}";
+        ipv6 = "${ipv6BaseAddress}${toString idx}";
+      }
+    ) config.ghaf.common.appHosts;
 in
 {
-  options.ghaf.networking.hosts = {
-    enable = (lib.mkEnableOption "Ghaf hosts entries") // {
-      default = true;
-    };
-    entries = mkOption {
-      type = types.listOf hostsEntrySubmodule;
+  options.ghaf.networking = {
+    hosts = mkOption {
+      type = types.attrsOf hostEntrySubmodule;
       description = ''
         List of hosts entries.
       '';
       default = null;
     };
   };
 
-  config = mkIf cfg.enable {
-    ghaf.networking.hosts = {
-      inherit entries;
-    };
+  config = {
+
+    assertions = [
+      {
+        assertion = lib.length config.ghaf.common.vms < 255;
+        message = "Too many VMs defined - maximum is 254";
+      }
+    ];
+
+    ghaf.networking.hosts = listToAttrs (map (host: nameValuePair "${host.name}" host) hosts);
 
     networking.hosts = foldr recursiveUpdate { } (
       map (vm: {
-        "${vm.ip}" = [ "${vm.name}" ];
-      }) config.ghaf.networking.hosts.entries
+        "${vm.ipv4}" = [ "${vm.name}" ];
+      }) hosts
     );
   };
 }
diff --git a/modules/common/security/apparmor/profiles/google-chrome.nix b/modules/common/security/apparmor/profiles/google-chrome.nix
@@ -169,6 +169,7 @@
         @{ETC}/profiles/**                                              r,
         @{NIX}/var                                                      r,
         @{NIX}/var/**                                                   r,
+        @{RUN}/givc/**                                                  rix,
 
         owner @{run}/user/[0-9]*/                                       rw,
         owner @{run}/user/[0-9]*/**                                     rw,

diff --git a/modules/common/services/default.nix b/modules/common/services/default.nix
@@ -8,7 +8,6 @@
     ./firmware.nix
     ./xdgopener.nix
     ./xdghandlers.nix
-    ./namespaces.nix
     ./yubikey.nix
     ./bluetooth.nix
     ./disks.nix

diff --git a/modules/common/services/namespaces.nix b/modules/common/services/namespaces.nix
diff --git a/modules/common/systemd/hardened-configs/common/alloy.nix b/modules/common/systemd/hardened-configs/common/alloy.nix
@@ -5,7 +5,6 @@
   IPAccounting = true;
   IPAddressAllow = [
     "192.168.100.0/24"
-    "192.168.101.0/24"
   ];
   RestrictAddressFamilies = [ "~AF_INET6" ];