fix certificates issues and reformat code

2025-09-15 13:09:49 +02:00
parent f38fca65c0
commit 88089b7fb6
2 changed files with 813 additions and 708 deletions


@@ -1,4 +1,10 @@
{ pkgs, lib ? pkgs.lib, cloudServerNames, isLiveIso ? false, ... }: {
pkgs,
lib ? pkgs.lib,
cloudServerNames,
isLiveIso ? false,
...
}:
let let
# Only include isoImage config when building ISO # Only include isoImage config when building ISO
@@ -206,7 +212,8 @@ let
]; ];
in in
isoConfig // { isoConfig
// {
system.stateVersion = "25.05"; system.stateVersion = "25.05";
# SSH Configuration # SSH Configuration
@@ -228,7 +235,10 @@ isoConfig // {
dns = "none"; # We use dnsmasq dns = "none"; # We use dnsmasq
}; };
hostName = if isLiveIso then "workshop-live" else "workshop-vm"; hostName = if isLiveIso then "workshop-live" else "workshop-vm";
hosts."127.0.0.1" = [ "workshop.local" "localhost" ]; hosts."127.0.0.1" = [
"workshop.local"
"localhost"
];
nameservers = lib.mkForce [ "127.0.0.1" ]; nameservers = lib.mkForce [ "127.0.0.1" ];
firewall.enable = false; # Workshop environment firewall.enable = false; # Workshop environment
}; };
@@ -238,7 +248,10 @@ isoConfig // {
enable = true; enable = true;
settings = { settings = {
address = "/.workshop.local/127.0.0.1"; address = "/.workshop.local/127.0.0.1";
server = [ "8.8.8.8" "1.1.1.1" ]; server = [
"8.8.8.8"
"1.1.1.1"
];
listen-address = [ "127.0.0.1" ]; listen-address = [ "127.0.0.1" ];
bind-interfaces = true; bind-interfaces = true;
cache-size = 1000; cache-size = 1000;
@@ -260,7 +273,11 @@ isoConfig // {
users.workshop = { users.workshop = {
isNormalUser = true; isNormalUser = true;
shell = pkgs.bash; shell = pkgs.bash;
extraGroups = [ "networkmanager" "wheel" "docker" ]; extraGroups = [
"networkmanager"
"wheel"
"docker"
];
password = "workshop"; password = "workshop";
}; };
}; };
@@ -270,7 +287,11 @@ isoConfig // {
description = "Generate SSH key for workshop user for passwordless localhost access"; description = "Generate SSH key for workshop user for passwordless localhost access";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
path = with pkgs; [ openssh coreutils gnugrep ]; path = with pkgs; [
openssh
coreutils
gnugrep
];
script = '' script = ''
USER_HOME=/home/workshop USER_HOME=/home/workshop
SSH_DIR=$USER_HOME/.ssh SSH_DIR=$USER_HOME/.ssh
@@ -322,15 +343,28 @@ isoConfig // {
dig dig
gnutar gnutar
openssl # Add this for certificate generation openssl # Add this for certificate generation
chromium # Add Chromium browser
]; ];
# System Setup Service (Root Tasks) # System Setup Service (Root Tasks)
systemd.services.workshop-system-setup = { systemd.services.workshop-system-setup = {
description = "System-level checks for network, DNS, and Docker"; description = "System-level checks for network, DNS, and Docker";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "docker.service" "dnsmasq.service" ]; after = [
"network-online.target"
"docker.service"
"dnsmasq.service"
];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
path = with pkgs; [ bash curl dnsutils docker gnugrep shadow coreutils ]; path = with pkgs; [
bash
curl
dnsutils
docker
gnugrep
shadow
coreutils
];
script = '' script = ''
# Wait for network and services # Wait for network and services
echo "Waiting for services to start..." echo "Waiting for services to start..."
@@ -403,7 +437,18 @@ isoConfig // {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "workshop-system-setup.service" ]; after = [ "workshop-system-setup.service" ];
wants = [ "workshop-system-setup.service" ]; wants = [ "workshop-system-setup.service" ];
path = with pkgs; [ bash wget curl coreutils gnutar ncurses gzip file gnugrep docker ]; path = with pkgs; [
bash
wget
curl
coreutils
gnutar
ncurses
gzip
file
gnugrep
docker
];
script = '' script = ''
# Set proper environment # Set proper environment
@@ -729,16 +774,14 @@ isoConfig // {
} }
fi fi
# Generate certificate with detailed output # Generate certificate following abra guidelines
echo " Generating RSA key and certificate..." echo " Generating RSA key and certificate (abra-compatible)..."
if openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ if openssl req -x509 -out "$CERT_FILE" -keyout "$KEY_FILE" \
-keyout "$KEY_FILE" \ -newkey rsa:2048 -nodes -sha256 -days 365 \
-out "$CERT_FILE" \ -subj "/CN=*.workshop.local" -extensions EXT -config <( \
-subj "/CN=*.workshop.local" \ printf "[dn]\nCN=*.workshop.local\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:*.workshop.local,DNS:workshop.local,DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth"); then
-config <(printf "[req]\ndistinguished_name=req\n[v3_req]\nsubjectAltName=DNS:*.workshop.local,DNS:workshop.local,DNS:localhost\n") \
-extensions v3_req; then
echo " Certificate generation completed successfully" echo " Certificate generation completed successfully (abra-compatible)"
else else
echo " Certificate generation failed" echo " Certificate generation failed"
echo " OpenSSL exit code: $?" echo " OpenSSL exit code: $?"
@@ -777,8 +820,20 @@ isoConfig // {
echo " Verifying certificate content..." echo " Verifying certificate content..."
if openssl x509 -in "$CERT_FILE" -text -noout >/dev/null 2>&1; then if openssl x509 -in "$CERT_FILE" -text -noout >/dev/null 2>&1; then
echo " Certificate is valid X.509 format" echo " Certificate is valid X.509 format"
# Show certificate subject
# Show certificate details
echo " Certificate subject:"
openssl x509 -in "$CERT_FILE" -subject -noout 2>/dev/null || echo " Could not read certificate subject" openssl x509 -in "$CERT_FILE" -subject -noout 2>/dev/null || echo " Could not read certificate subject"
echo " Certificate issuer:"
openssl x509 -in "$CERT_FILE" -issuer -noout 2>/dev/null || echo " Could not read certificate issuer"
echo " Certificate validity:"
openssl x509 -in "$CERT_FILE" -dates -noout 2>/dev/null || echo " Could not read certificate dates"
echo " Certificate extensions:"
openssl x509 -in "$CERT_FILE" -text -noout 2>/dev/null | grep -A 5 "Subject Alternative Name" || echo " No SAN extension found"
else else
echo " Certificate file is not valid" echo " Certificate file is not valid"
return 1 return 1
@@ -792,6 +847,14 @@ isoConfig // {
return 1 return 1
fi fi
# Verify certificate matches key
if openssl x509 -in "$CERT_FILE" -noout -modulus 2>/dev/null | openssl md5 >/dev/null 2>&1 && \
openssl rsa -in "$KEY_FILE" -noout -modulus 2>/dev/null | openssl md5 >/dev/null 2>&1; then
echo " Certificate and key match"
else
echo " Could not verify certificate/key match (non-critical)"
fi
echo "🎉 Certificate generation and verification complete!" echo "🎉 Certificate generation and verification complete!"
} }
@@ -841,17 +904,17 @@ isoConfig // {
echo " Writing offline configuration..." echo " Writing offline configuration..."
if sudo tee -a "$TRAEFIK_ENV" >/dev/null <<EOF if sudo tee -a "$TRAEFIK_ENV" >/dev/null <<EOF
# OFFLINE/LOCAL DEVELOPMENT CONFIGURATION # OFFLINE/LOCAL DEVELOPMENT CONFIGURATION
LETS_ENCRYPT_ENV=staging LETS_ENCRYPT_ENV=staging
WILDCARDS_ENABLED=1 WILDCARDS_ENABLED=1
SECRET_WILDCARD_CERT_VERSION=v1 SECRET_WILDCARD_CERT_VERSION=v1
SECRET_WILDCARD_KEY_VERSION=v1 SECRET_WILDCARD_KEY_VERSION=v1
COMPOSE_FILE="\$COMPOSE_FILE:compose.wildcard.yml" COMPOSE_FILE="\$COMPOSE_FILE:compose.wildcard.yml"
# Disable Let's Encrypt for local development # Disable Let's Encrypt for local development
TRAEFIK_ACME_CASERVER= TRAEFIK_ACME_CASERVER=
TRAEFIK_ACME_EMAIL= TRAEFIK_ACME_EMAIL=
EOF EOF
then then
echo " Traefik configuration written successfully" echo " Traefik configuration written successfully"
echo " Config file contents:" echo " Config file contents:"
@@ -887,7 +950,7 @@ EOF
echo " 🔐 Inserting SSL certificate secret..." echo " 🔐 Inserting SSL certificate secret..."
echo " Command: sudo abra app secret insert traefik.workshop.local ssl_cert v1" echo " Command: sudo abra app secret insert traefik.workshop.local ssl_cert v1"
if sudo abra app secret insert traefik.workshop.local ssl_cert v1 -f < "$CERT_DIR/workshop.crt"; then if sudo abra app secret insert traefik.workshop.local ssl_cert v1 -f "$CERT_DIR/workshop.crt"; then
echo " SSL certificate secret inserted successfully" echo " SSL certificate secret inserted successfully"
else else
echo " Failed to insert SSL certificate secret" echo " Failed to insert SSL certificate secret"
@@ -903,7 +966,7 @@ EOF
echo " 🔑 Inserting SSL key secret..." echo " 🔑 Inserting SSL key secret..."
echo " Command: sudo abra app secret insert traefik.workshop.local ssl_key v1" echo " Command: sudo abra app secret insert traefik.workshop.local ssl_key v1"
if sudo abra app secret insert traefik.workshop.local ssl_key v1 -f < "$CERT_DIR/workshop.key"; then if sudo abra app secret insert traefik.workshop.local ssl_key v1 -f "$CERT_DIR/workshop.key"; then
echo " SSL key secret inserted successfully" echo " SSL key secret inserted successfully"
else else
echo " Failed to insert SSL key secret" echo " Failed to insert SSL key secret"
@@ -1033,16 +1096,34 @@ EOF
browser() { browser() {
local target_url="about:blank" local target_url="about:blank"
local browser_cmd="firefox"
# Check if first argument is a browser choice
if [[ "$1" == "firefox" || "$1" == "chromium" ]]; then
browser_cmd="$1"
shift
fi
if [[ -n "$1" ]]; then if [[ -n "$1" ]]; then
target_url="http://$1.workshop.local" target_url="http://$1.workshop.local"
echo "🌐 Opening $1 at $target_url" echo "🌐 Opening $1 at $target_url (using $browser_cmd)"
else else
echo "🌐 Opening Firefox browser" echo "🌐 Opening $browser_cmd browser"
fi fi
if [[ -n "$DISPLAY" ]]; then if [[ -n "$DISPLAY" ]]; then
case "$browser_cmd" in
firefox)
firefox "$target_url" & firefox "$target_url" &
;;
chromium)
chromium --no-sandbox "$target_url" &
;;
*)
echo " Unknown browser: $browser_cmd"
return 1
;;
esac
else else
echo " No GUI session. Run 'desktop' first" echo " No GUI session. Run 'desktop' first"
echo "🌐 Target was: $target_url" echo "🌐 Target was: $target_url"
@@ -1059,7 +1140,7 @@ EOF
echo "" echo ""
echo "🚀 Usage:" echo "🚀 Usage:"
echo " deploy <recipe> - Deploy locally" echo " deploy <recipe> - Deploy locally"
echo " browser <recipe> - Open in browser" echo " browser [firefox|chromium] [recipe] - Open in browser"
echo " 📖 Full catalog: https://recipes.coopcloud.tech" echo " 📖 Full catalog: https://recipes.coopcloud.tech"
echo "" echo ""
echo "💡 Tab completion: deploy <TAB> or browser <TAB>" echo "💡 Tab completion: deploy <TAB> or browser <TAB>"
@@ -1088,7 +1169,7 @@ EOF
echo " setup - Setup local proxy (REQUIRED FIRST!)" echo " setup - Setup local proxy (REQUIRED FIRST!)"
echo " recipes - Show all available apps" echo " recipes - Show all available apps"
echo " deploy <recipe> - Deploy app locally" echo " deploy <recipe> - Deploy app locally"
echo " browser [recipe] - Launch Firefox [to app]" echo " browser [firefox|chromium] [recipe] - Launch browser [to app]"
echo " desktop - Start GUI session" echo " desktop - Start GUI session"
echo " sudo abra - Run abra CLI directly as root" echo " sudo abra - Run abra CLI directly as root"
echo "" echo ""
@@ -1117,6 +1198,11 @@ EOF
}; };
}; };
programs.chromium = {
enable = true;
extensions = [ ];
};
# GUI Configuration # GUI Configuration
services.xserver = { services.xserver = {
enable = true; enable = true;
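Review bot: The certificate/key match check added at the end of the verification function never compares the two moduli: both `openssl ... -modulus | openssl md5` pipelines send their output to /dev/null, so the condition holds whenever both files merely parse and " Certificate and key match" is printed even for a mismatched pair. Capture the digests and compare them instead: `cert_mod=$(openssl x509 -in "$CERT_FILE" -noout -modulus 2>/dev/null | openssl md5)`, `key_mod=$(openssl rsa -in "$KEY_FILE" -noout -modulus 2>/dev/null | openssl md5)`, `if [[ -n "$cert_mod" && "$cert_mod" == "$key_mod" ]]; then`. As written, a mismatched pair only surfaces later when Traefik fails to serve the inserted secrets, which is what this check is meant to catch early. The enclosing shell function starts outside the hunk. Separately, `chromium --no-sandbox` in the browser() hunk disables Chromium's process sandbox; since workshop is configured as a normal user, the flag looks unnecessary and is worth confirming before it ships in the image.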


@@ -9,7 +9,12 @@
}; };
}; };
outputs = { self, nixpkgs, nixos-generators }: outputs =
{
self,
nixpkgs,
nixos-generators,
}:
let let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
@@ -34,7 +39,10 @@
]; ];
# Common configuration # Common configuration
commonConfig = { isLiveIso ? false }: commonConfig =
{
isLiveIso ? false,
}:
import ./common.nix { import ./common.nix {
inherit pkgs cloudServerNames isLiveIso; inherit pkgs cloudServerNames isLiveIso;
}; };
@@ -67,7 +75,14 @@
(commonConfig { isLiveIso = false; }) (commonConfig { isLiveIso = false; })
({ config, pkgs, lib, ... }: { (
{
config,
pkgs,
lib,
...
}:
{
boot.loader.grub.enable = false; boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true; boot.loader.generic-extlinux-compatible.enable = true;
@@ -77,7 +92,10 @@
networking.firewall.enable = false; networking.firewall.enable = false;
# Hybrid console configuration - serial primary, GUI available # Hybrid console configuration - serial primary, GUI available
boot.kernelParams = [ "console=ttyS0,115200" "console=tty1" ]; boot.kernelParams = [
"console=ttyS0,115200"
"console=tty1"
];
# VM specific settings # VM specific settings
virtualisation.memorySize = 4096; virtualisation.memorySize = 4096;
@@ -104,7 +122,8 @@
services.xserver.displayManager.sessionCommands = '' services.xserver.displayManager.sessionCommands = ''
${pkgs.xfce.xfce4-terminal}/bin/xfce4-terminal --fullscreen --maximize --hide-toolbar --hide-borders --hide-menubar --hide-toolbar --title="Workshop Terminal" & ${pkgs.xfce.xfce4-terminal}/bin/xfce4-terminal --fullscreen --maximize --hide-toolbar --hide-borders --hide-menubar --hide-toolbar --title="Workshop Terminal" &
''; '';
}) }
)
]; ];
}; };
}; };