fix certificates issues and reformat code

2025-09-15 13:09:49 +02:00
parent f38fca65c0
commit 88089b7fb6
2 changed files with 813 additions and 708 deletions


@@ -1,4 +1,10 @@
{ pkgs, lib ? pkgs.lib, cloudServerNames, isLiveIso ? false, ... }:
{
pkgs,
lib ? pkgs.lib,
cloudServerNames,
isLiveIso ? false,
...
}:
let
# Only include isoImage config when building ISO
@@ -206,7 +212,8 @@ let
];
in
isoConfig // {
isoConfig
// {
system.stateVersion = "25.05";
# SSH Configuration
@@ -228,7 +235,10 @@ isoConfig // {
dns = "none"; # We use dnsmasq
};
hostName = if isLiveIso then "workshop-live" else "workshop-vm";
hosts."127.0.0.1" = [ "workshop.local" "localhost" ];
hosts."127.0.0.1" = [
"workshop.local"
"localhost"
];
nameservers = lib.mkForce [ "127.0.0.1" ];
firewall.enable = false; # Workshop environment
};
@@ -238,7 +248,10 @@ isoConfig // {
enable = true;
settings = {
address = "/.workshop.local/127.0.0.1";
server = [ "8.8.8.8" "1.1.1.1" ];
server = [
"8.8.8.8"
"1.1.1.1"
];
listen-address = [ "127.0.0.1" ];
bind-interfaces = true;
cache-size = 1000;
@@ -260,7 +273,11 @@ isoConfig // {
users.workshop = {
isNormalUser = true;
shell = pkgs.bash;
extraGroups = [ "networkmanager" "wheel" "docker" ];
extraGroups = [
"networkmanager"
"wheel"
"docker"
];
password = "workshop";
};
};
@@ -270,7 +287,11 @@ isoConfig // {
description = "Generate SSH key for workshop user for passwordless localhost access";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
path = with pkgs; [ openssh coreutils gnugrep ];
path = with pkgs; [
openssh
coreutils
gnugrep
];
script = ''
USER_HOME=/home/workshop
SSH_DIR=$USER_HOME/.ssh
@@ -322,15 +343,28 @@ isoConfig // {
dig
gnutar
openssl # Add this for certificate generation
chromium # Add Chromium browser
];
# System Setup Service (Root Tasks)
systemd.services.workshop-system-setup = {
description = "System-level checks for network, DNS, and Docker";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "docker.service" "dnsmasq.service" ];
after = [
"network-online.target"
"docker.service"
"dnsmasq.service"
];
wants = [ "network-online.target" ];
path = with pkgs; [ bash curl dnsutils docker gnugrep shadow coreutils ];
path = with pkgs; [
bash
curl
dnsutils
docker
gnugrep
shadow
coreutils
];
script = ''
# Wait for network and services
echo "Waiting for services to start..."
@@ -403,7 +437,18 @@ isoConfig // {
wantedBy = [ "multi-user.target" ];
after = [ "workshop-system-setup.service" ];
wants = [ "workshop-system-setup.service" ];
path = with pkgs; [ bash wget curl coreutils gnutar ncurses gzip file gnugrep docker ];
path = with pkgs; [
bash
wget
curl
coreutils
gnutar
ncurses
gzip
file
gnugrep
docker
];
script = ''
# Set proper environment
@@ -729,16 +774,14 @@ isoConfig // {
}
fi
# Generate certificate with detailed output
echo " Generating RSA key and certificate..."
if openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout "$KEY_FILE" \
-out "$CERT_FILE" \
-subj "/CN=*.workshop.local" \
-config <(printf "[req]\ndistinguished_name=req\n[v3_req]\nsubjectAltName=DNS:*.workshop.local,DNS:workshop.local,DNS:localhost\n") \
-extensions v3_req; then
# Generate certificate following abra guidelines
echo " Generating RSA key and certificate (abra-compatible)..."
if openssl req -x509 -out "$CERT_FILE" -keyout "$KEY_FILE" \
-newkey rsa:2048 -nodes -sha256 -days 365 \
-subj "/CN=*.workshop.local" -extensions EXT -config <( \
printf "[dn]\nCN=*.workshop.local\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:*.workshop.local,DNS:workshop.local,DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth"); then
echo " Certificate generation completed successfully"
echo " Certificate generation completed successfully (abra-compatible)"
else
echo " Certificate generation failed"
echo " OpenSSL exit code: $?"
@@ -777,8 +820,20 @@ isoConfig // {
echo " Verifying certificate content..."
if openssl x509 -in "$CERT_FILE" -text -noout >/dev/null 2>&1; then
echo " Certificate is valid X.509 format"
# Show certificate subject
# Show certificate details
echo " Certificate subject:"
openssl x509 -in "$CERT_FILE" -subject -noout 2>/dev/null || echo " Could not read certificate subject"
echo " Certificate issuer:"
openssl x509 -in "$CERT_FILE" -issuer -noout 2>/dev/null || echo " Could not read certificate issuer"
echo " Certificate validity:"
openssl x509 -in "$CERT_FILE" -dates -noout 2>/dev/null || echo " Could not read certificate dates"
echo " Certificate extensions:"
openssl x509 -in "$CERT_FILE" -text -noout 2>/dev/null | grep -A 5 "Subject Alternative Name" || echo " No SAN extension found"
else
echo " Certificate file is not valid"
return 1
@@ -792,6 +847,14 @@ isoConfig // {
return 1
fi
# Verify certificate matches key
if openssl x509 -in "$CERT_FILE" -noout -modulus 2>/dev/null | openssl md5 >/dev/null 2>&1 && \
openssl rsa -in "$KEY_FILE" -noout -modulus 2>/dev/null | openssl md5 >/dev/null 2>&1; then
echo " Certificate and key match"
else
echo " Could not verify certificate/key match (non-critical)"
fi
echo "🎉 Certificate generation and verification complete!"
}
@@ -841,17 +904,17 @@ isoConfig // {
echo " Writing offline configuration..."
if sudo tee -a "$TRAEFIK_ENV" >/dev/null <<EOF
# OFFLINE/LOCAL DEVELOPMENT CONFIGURATION
LETS_ENCRYPT_ENV=staging
WILDCARDS_ENABLED=1
SECRET_WILDCARD_CERT_VERSION=v1
SECRET_WILDCARD_KEY_VERSION=v1
COMPOSE_FILE="\$COMPOSE_FILE:compose.wildcard.yml"
# OFFLINE/LOCAL DEVELOPMENT CONFIGURATION
LETS_ENCRYPT_ENV=staging
WILDCARDS_ENABLED=1
SECRET_WILDCARD_CERT_VERSION=v1
SECRET_WILDCARD_KEY_VERSION=v1
COMPOSE_FILE="\$COMPOSE_FILE:compose.wildcard.yml"
# Disable Let's Encrypt for local development
TRAEFIK_ACME_CASERVER=
TRAEFIK_ACME_EMAIL=
EOF
# Disable Let's Encrypt for local development
TRAEFIK_ACME_CASERVER=
TRAEFIK_ACME_EMAIL=
EOF
then
echo " Traefik configuration written successfully"
echo " Config file contents:"
@@ -887,7 +950,7 @@ EOF
echo " 🔐 Inserting SSL certificate secret..."
echo " Command: sudo abra app secret insert traefik.workshop.local ssl_cert v1"
if sudo abra app secret insert traefik.workshop.local ssl_cert v1 -f < "$CERT_DIR/workshop.crt"; then
if sudo abra app secret insert traefik.workshop.local ssl_cert v1 -f "$CERT_DIR/workshop.crt"; then
echo " SSL certificate secret inserted successfully"
else
echo " Failed to insert SSL certificate secret"
@@ -903,7 +966,7 @@ EOF
echo " 🔑 Inserting SSL key secret..."
echo " Command: sudo abra app secret insert traefik.workshop.local ssl_key v1"
if sudo abra app secret insert traefik.workshop.local ssl_key v1 -f < "$CERT_DIR/workshop.key"; then
if sudo abra app secret insert traefik.workshop.local ssl_key v1 -f "$CERT_DIR/workshop.key"; then
echo " SSL key secret inserted successfully"
else
echo " Failed to insert SSL key secret"
@@ -1033,16 +1096,34 @@ EOF
browser() {
local target_url="about:blank"
local browser_cmd="firefox"
# Check if first argument is a browser choice
if [[ "$1" == "firefox" || "$1" == "chromium" ]]; then
browser_cmd="$1"
shift
fi
if [[ -n "$1" ]]; then
target_url="http://$1.workshop.local"
echo "🌐 Opening $1 at $target_url"
echo "🌐 Opening $1 at $target_url (using $browser_cmd)"
else
echo "🌐 Opening Firefox browser"
echo "🌐 Opening $browser_cmd browser"
fi
if [[ -n "$DISPLAY" ]]; then
case "$browser_cmd" in
firefox)
firefox "$target_url" &
;;
chromium)
chromium --no-sandbox "$target_url" &
;;
*)
echo " Unknown browser: $browser_cmd"
return 1
;;
esac
else
echo " No GUI session. Run 'desktop' first"
echo "🌐 Target was: $target_url"
@@ -1059,7 +1140,7 @@ EOF
echo ""
echo "🚀 Usage:"
echo " deploy <recipe> - Deploy locally"
echo " browser <recipe> - Open in browser"
echo " browser [firefox|chromium] [recipe] - Open in browser"
echo " 📖 Full catalog: https://recipes.coopcloud.tech"
echo ""
echo "💡 Tab completion: deploy <TAB> or browser <TAB>"
@@ -1088,7 +1169,7 @@ EOF
echo " setup - Setup local proxy (REQUIRED FIRST!)"
echo " recipes - Show all available apps"
echo " deploy <recipe> - Deploy app locally"
echo " browser [recipe] - Launch Firefox [to app]"
echo " browser [firefox|chromium] [recipe] - Launch browser [to app]"
echo " desktop - Start GUI session"
echo " sudo abra - Run abra CLI directly as root"
echo ""
@@ -1117,6 +1198,11 @@ EOF
};
};
programs.chromium = {
enable = true;
extensions = [ ];
};
# GUI Configuration
services.xserver = {
enable = true;
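Review bot: The new "Verify certificate matches key" block in the `@@ -792,6 +847,14 @@` hunk never compares the two digests — `… | openssl md5 >/dev/null && … | openssl md5 >/dev/null` only tests that both files parse, so "Certificate and key match" is printed even for a mismatched certificate/key pair. Capture and compare instead: `cert_mod=$(openssl x509 -in "$CERT_FILE" -noout -modulus 2>/dev/null | openssl md5)`, `key_mod=$(openssl rsa -in "$KEY_FILE" -noout -modulus 2>/dev/null | openssl md5)`, `if [[ -n "$cert_mod" && "$cert_mod" == "$key_mod" ]]; then` (`$(…)` needs no escaping inside the Nix `''` string; only `${` does). The enclosing shell function starts before this hunk and closes with the `}` at its end, so the change is local to it. Separately, `chromium --no-sandbox "$target_url" &` in the `browser()` hunk disables Chromium's renderer sandbox for the workshop user; unless the image needs it, launch with `chromium "$target_url" &` and, if the flag is actually required here, record why in a comment next to it.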


@@ -9,7 +9,12 @@
};
};
outputs = { self, nixpkgs, nixos-generators }:
outputs =
{
self,
nixpkgs,
nixos-generators,
}:
let
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
@@ -34,7 +39,10 @@
];
# Common configuration
commonConfig = { isLiveIso ? false }:
commonConfig =
{
isLiveIso ? false,
}:
import ./common.nix {
inherit pkgs cloudServerNames isLiveIso;
};
@@ -67,7 +75,14 @@
(commonConfig { isLiveIso = false; })
({ config, pkgs, lib, ... }: {
(
{
config,
pkgs,
lib,
...
}:
{
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
@@ -77,7 +92,10 @@
networking.firewall.enable = false;
# Hybrid console configuration - serial primary, GUI available
boot.kernelParams = [ "console=ttyS0,115200" "console=tty1" ];
boot.kernelParams = [
"console=ttyS0,115200"
"console=tty1"
];
# VM specific settings
virtualisation.memorySize = 4096;
@@ -104,7 +122,8 @@
services.xserver.displayManager.sessionCommands = ''
${pkgs.xfce.xfce4-terminal}/bin/xfce4-terminal --fullscreen --maximize --hide-toolbar --hide-borders --hide-menubar --hide-toolbar --title="Workshop Terminal" &
'';
})
}
)
];
};
};