Proxy setup to allow/deny specific urls for BusinessVM
Signed-off-by: Enes Öztürk <[email protected]>
Showing
4 changed files
with
179 additions
and
254 deletions.
@@ -1,272 +1,131 @@ | ||
# Copyright 2024 TII (SSRC) and the Ghaf contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
# | ||
{ | ||
pkgs, | ||
config, | ||
lib, | ||
... | ||
}: | ||
{ pkgs, config, lib, ... }: | ||
let | ||
#TODO: Move this to a common place | ||
xdgPdfPort = 1200; | ||
name = "business"; | ||
in | ||
{ | ||
|
||
in { | ||
name = "${name}"; | ||
packages = | ||
let | ||
# PDF XDG handler is executed when the user opens a PDF file in the browser | ||
# The xdgopenpdf script sends a command to the guivm with the file path over TCP connection | ||
xdgPdfItem = pkgs.makeDesktopItem { | ||
name = "ghaf-pdf"; | ||
desktopName = "Ghaf PDF handler"; | ||
exec = "${xdgOpenPdf}/bin/xdgopenpdf %u"; | ||
mimeTypes = [ "application/pdf" ]; | ||
}; | ||
xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" '' | ||
filepath=$(/run/current-system/sw/bin/realpath "$1") | ||
echo "Opening $filepath" | systemd-cat -p info | ||
echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort} | ||
''; | ||
in | ||
[ | ||
pkgs.chromium | ||
pkgs.xdg-utils | ||
xdgPdfItem | ||
xdgOpenPdf | ||
pkgs.globalprotect-openconnect | ||
pkgs.openconnect | ||
pkgs.nftables | ||
]; | ||
packages = let | ||
# PDF XDG handler is executed when the user opens a PDF file in the browser | ||
# The xdgopenpdf script sends a command to the guivm with the file path over TCP connection | ||
xdgPdfItem = pkgs.makeDesktopItem { | ||
name = "ghaf-pdf"; | ||
desktopName = "Ghaf PDF handler"; | ||
exec = "${xdgOpenPdf}/bin/xdgopenpdf %u"; | ||
mimeTypes = [ "application/pdf" ]; | ||
}; | ||
xdgOpenPdf = pkgs.writeShellScriptBin "xdgopenpdf" '' | ||
filepath=$(/run/current-system/sw/bin/realpath "$1") | ||
echo "Opening $filepath" | systemd-cat -p info | ||
echo $filepath | ${pkgs.netcat}/bin/nc -N gui-vm ${toString xdgPdfPort} | ||
''; | ||
in [ | ||
pkgs.chromium | ||
pkgs.pulseaudio | ||
pkgs.xdg-utils | ||
xdgPdfItem | ||
xdgOpenPdf | ||
pkgs.globalprotect-openconnect | ||
pkgs.openconnect | ||
pkgs.tcpdump | ||
]; | ||
# TODO create a repository of mac addresses to avoid conflicts | ||
macAddress = "02:00:00:03:10:01"; | ||
ramMb = 6144; | ||
cores = 4; | ||
extraModules = [ | ||
{ | ||
imports = [ ../programs/chromium.nix ]; | ||
time.timeZone = config.time.timeZone; | ||
|
||
microvm = { | ||
qemu.extraArgs = lib.optionals ( | ||
config.ghaf.hardware.usb.internal.enable | ||
&& (lib.hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs) | ||
) config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0; | ||
devices = [ ]; | ||
}; | ||
|
||
ghaf.givc.appvm = { | ||
enable = true; | ||
name = lib.mkForce "business-vm"; | ||
applications = lib.mkForce '' | ||
{ | ||
"chromium": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs}", | ||
"outlook": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs}", | ||
"office": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs}", | ||
"teams": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs}", | ||
"gpclient": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/gpclient -platform wayland" | ||
}''; | ||
}; | ||
|
||
ghaf.reference.programs.chromium.enable = true; | ||
|
||
# Set default PDF XDG handler | ||
xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop"; | ||
extraModules = [{ | ||
imports = [ ../programs/chromium.nix ]; | ||
# Enable pulseaudio for Chromium VM | ||
security.rtkit.enable = true; | ||
users.extraUsers.ghaf.extraGroups = [ "audio" "video" ]; | ||
|
||
hardware.pulseaudio = { | ||
enable = true; | ||
extraConfig = '' | ||
load-module module-tunnel-sink-new sink_name=business-speaker server=audio-vm:4713 reconnect_interval_ms=1000 | ||
load-module module-tunnel-source-new source_name=business-mic server=audio-vm:4713 reconnect_interval_ms=1000 | ||
''; | ||
package = pkgs.pulseaudio-ghaf; | ||
}; | ||
|
||
time.timeZone = config.time.timeZone; | ||
|
||
microvm = { | ||
qemu.extraArgs = lib.optionals (config.ghaf.hardware.usb.internal.enable | ||
&& (lib.hasAttr "cam0" config.ghaf.hardware.usb.internal.qemuExtraArgs)) | ||
config.ghaf.hardware.usb.internal.qemuExtraArgs.cam0; | ||
devices = [ ]; | ||
}; | ||
|
||
ghaf.givc.appvm = { | ||
enable = true; | ||
name = lib.mkForce "business-vm"; | ||
applications = lib.mkForce '' | ||
{ | ||
"chromium": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland", | ||
"outlook": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/", | ||
"office": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com", | ||
"teams": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com", | ||
"gpclient": "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/gpclient -platform wayland" | ||
}''; | ||
}; | ||
|
||
ghaf.reference.programs.chromium.enable = true; | ||
# Set default PDF XDG handler | ||
xdg.mime.defaultApplications."application/pdf" = "ghaf-pdf.desktop"; | ||
|
||
# TODO: Add a way to configure the gpclient | ||
# also check the openconnect cli options https://discourse.nixos.org/t/globalprotect-vpn/24014/5 | ||
services.globalprotect = { | ||
enable = true; | ||
csdWrapper = "${pkgs.openconnect}/libexec/openconnect/hipreport.sh"; | ||
}; | ||
|
||
#Firewall Settings | ||
networking = { | ||
firewall.enable = true; | ||
proxy = { | ||
httpProxy = "http://192.168.100.1:3128"; | ||
httpsProxy = "http://192.168.100.1:3128"; | ||
noProxy = "192.168.101.10,192.168.100.10"; | ||
|
||
# TODO: Add a way to configure the gpclient | ||
# also check the openconnect cli options https://discourse.nixos.org/t/globalprotect-vpn/24014/5 | ||
services.globalprotect = { | ||
enable = true; | ||
csdWrapper = "${pkgs.openconnect}/libexec/openconnect/hipreport.sh"; | ||
}; | ||
firewall.extraCommands = '' | ||
iptables -N logreject | ||
iptables -A logreject -j LOG | ||
iptables -A logreject -j REJECT | ||
# # Allow incoming connections to 3proxy on port 3128 from the client's IP | ||
# iptables -A INPUT -p tcp --sport 3128 -j ACCEPT | ||
# iptables -A INPUT -p udp --sport 3128 -j ACCEPT | ||
# # Allow established and related connections | ||
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
# # Allow DNS lookups for domain resolution | ||
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT | ||
# iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT | ||
# iptables -A INPUT -i lo -j ACCEPT | ||
# iptables -A OUTPUT -o lo -j ACCEPT | ||
# Block any other unwanted traffic (optional) | ||
iptables -P INPUT ACCEPT | ||
iptables -P FORWARD ACCEPT | ||
iptables -P OUTPUT ACCEPT | ||
# Block all other HTTP and HTTPS traffic | ||
iptables -A OUTPUT -p tcp --dport 80 -j logreject | ||
iptables -A OUTPUT -p tcp --dport 443 -j logreject | ||
iptables -A OUTPUT -p udp --dport 80 -j logreject | ||
iptables -A OUTPUT -p udp --dport 443 -j logreject | ||
#Firewall Settings | ||
networking = { | ||
firewall.enable = true; | ||
firewall.extraCommands = '' | ||
iptables -F | ||
add_rule() { | ||
local ip=$1 | ||
iptables -I OUTPUT -p tcp -d $ip --dport 80 -j ACCEPT | ||
iptables -I OUTPUT -p tcp -d $ip --dport 443 -j ACCEPT | ||
iptables -I INPUT -p tcp -s $ip --sport 80 -j ACCEPT | ||
iptables -I INPUT -p tcp -s $ip --sport 443 -j ACCEPT | ||
} | ||
# Urls can be found from Source: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges | ||
# Allow microsoft365.com | ||
add_rule 13.107.6.156 | ||
add_rule 13.107.9.156 | ||
# Exchange | ||
add_rule 13.107.6.152/31 | ||
add_rule 13.107.18.10/31 | ||
add_rule 13.107.128.0/22 | ||
add_rule 23.103.160.0/20 | ||
add_rule 40.96.0.0/13 | ||
add_rule 40.104.0.0/15 | ||
add_rule 52.96.0.0/14 | ||
add_rule 131.253.33.215/32 | ||
add_rule 132.245.0.0/16 | ||
add_rule 150.171.32.0/22 | ||
add_rule 204.79.197.215/32 | ||
# Exchange Online | ||
add_rule 40.92.0.0/15 | ||
add_rule 40.107.0.0/16 | ||
add_rule 52.100.0.0/14 | ||
add_rule 52.238.78.88/32 | ||
add_rule 104.47.0.0/17 | ||
# Sharepoint | ||
add_rule 13.107.136.0/22 | ||
add_rule 40.108.128.0/17 | ||
add_rule 52.104.0.0/14 | ||
add_rule 104.146.128.0/17 | ||
add_rule 150.171.40.0/22 | ||
# Common | ||
add_rule 13.107.6.171/32 | ||
add_rule 13.107.18.15/32 | ||
add_rule 13.107.140.6/32 | ||
add_rule 52.108.0.0/14 | ||
add_rule 52.244.37.168/32 | ||
add_rule 20.20.32.0/19 | ||
add_rule 20.190.128.0/18 | ||
add_rule 20.231.128.0/19 | ||
add_rule 40.126.0.0/18 | ||
add_rule 13.107.6.192/32 | ||
add_rule 13.107.9.192/32 | ||
add_rule 52.108.0.0/14 | ||
# Teams | ||
add_rule 13.107.64.0/18 | ||
add_rule 52.112.0.0/14 | ||
add_rule 52.122.0.0/15 | ||
add_rule 52.108.0.0/14 | ||
add_rule 52.238.119.141/32 | ||
add_rule 52.244.160.207/32 | ||
add_rule 2.16.234.57 | ||
add_rule 23.56.21.152 | ||
add_rule 23.33.233.129 | ||
add_rule 52.123.0.0/16 | ||
# Allow VPN access.tii.ae and iservice | ||
add_rule 151.253.154.18 | ||
add_rule 10.161.10.120 | ||
# To be checked | ||
# Allow res.cdn.office.net | ||
add_rule 152.199.21.175 | ||
add_rule 152.199.39.108 | ||
add_rule 2.21.231.0/24 | ||
add_rule 2.20.249.0/24 | ||
add_rule 152.199.0.0/16 | ||
# Allow js.monitor.azure.com | ||
add_rule 13.107.246.0/24 | ||
# Allow c.s-microsoft.com | ||
add_rule 23.207.193.242 | ||
add_rule 23.208.213.121 | ||
add_rule 23.208.173.122 | ||
add_rule 23.44.1.243 | ||
add_rule 104.65.229.0/24 | ||
add_rule 23.53.113.0/24 | ||
add_rule 2.19.105.47 | ||
# Allow microsoft.com | ||
add_rule 20.70.246.20 | ||
add_rule 20.236.44.162 | ||
add_rule 20.76.201.171 | ||
add_rule 20.231.239.246 | ||
add_rule 20.112.250.133 | ||
add_rule 184.25.221.172 | ||
# statics.teams.cdn.office.net | ||
add_rule 95.101.0.0/16 | ||
add_rule 184.87.193.0/24 | ||
add_rule 23.44.0.0/14 | ||
add_rule 96.16.53.0/24 | ||
add_rule 23.59.80.0/24 | ||
add_rule 23.202.33.0/24 | ||
add_rule 104.73.172.0/24 | ||
add_rule 184.27.123.0/24 | ||
add_rule 2.16.56.0/24 | ||
add_rule 23.219.73.130 | ||
add_rule 104.93.18.174 | ||
add_rule 2.21.225.158 | ||
add_rule 23.45.137.145 | ||
add_rule 23.48.121.167 | ||
add_rule 23.46.197.94 | ||
add_rule 104.80.21.47 | ||
add_rule 23.195.154.8 | ||
add_rule 193.229.113.0/24 | ||
# edge.skype.com for teams | ||
add_rule 13.107.254.0/24 | ||
add_rule 13.107.3.0/24 | ||
# api.flightproxy.skype.com for teams | ||
add_rule 98.66.0.0/16 | ||
add_rule 4.208.0.0/16 | ||
add_rule 4.225.208.0/24 | ||
add_rule 4.210.0.0/16 | ||
add_rule 108.141.240.0/24 | ||
add_rule 74.241.0.0/16 | ||
add_rule 20.216.0.0/16 | ||
add_rule 172.211.0.0/16 | ||
add_rule 20.50.217.0/24 | ||
add_rule 68.219.14.0/24 | ||
add_rule 20.107.136.0/24 | ||
add_rule 4.175.191.0/24 | ||
add_rule 98.64.0.0/16 | ||
# Allow tiiuae.sharepoint.com | ||
add_rule 52.104.7.53 | ||
add_rule 52.105.255.39 | ||
add_rule 13.107.138.10 | ||
add_rule 13.107.136.10 | ||
add_rule 118.215.84.0/24 | ||
add_rule 104.69.171.0/24 | ||
add_rule 13.107.136.10 | ||
add_rule 23.15.111.0/24 | ||
# Allow shell.cdn.office.net | ||
add_rule 23.50.92.176 | ||
add_rule 23.15.30.57 | ||
add_rule 23.50.187.58 | ||
add_rule 104.73.234.244 | ||
add_rule 104.83.143.131 | ||
# Allow res-1.cdn.office.net | ||
add_rule 23.52.40.0/24 | ||
add_rule 23.64.122.0/24 | ||
add_rule 2.16.106.0/24 | ||
# Allow publiccdn.sharepointonline.com | ||
add_rule 23.50.86.117 | ||
add_rule 104.69.168.125 | ||
add_rule 2.16.43.238 | ||
add_rule 23.34.79.0/24 | ||
add_rule 23.39.68.0/24 | ||
# r4.res.office365.com | ||
add_rule 2.19.97.32 | ||
add_rule 2.22.61.139 | ||
# Block all other HTTP and HTTPS traffic | ||
iptables -A OUTPUT -p tcp --dport 80 -j REJECT | ||
iptables -A OUTPUT -p tcp --dport 443 -j REJECT | ||
''; | ||
}; | ||
} | ||
]; | ||
''; | ||
}; | ||
}]; | ||
borderColor = "#00FF00"; | ||
ghafAudio.enable = true; | ||
vtpm.enable = true; | ||
} |
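Review bot: The egress policy in the new `firewall.extraCommands` only rejects TCP/UDP ports 80 and 443, so the allow/deny list enforced by the proxy at 192.168.100.1:3128 is bypassed by any process that ignores the advisory `networking.proxy` environment variables and speaks HTTP on a non-standard port, tunnels over DNS, or opens any other outbound socket. The three `iptables -P ... ACCEPT` lines also relax the default policies explicitly, even though the NixOS firewall module already governs INPUT through its `nixos-fw` chain and OUTPUT is ACCEPT by default, so they add nothing but a misleading signal of intent. I would invert the OUTPUT chain to default-deny — loopback, established/related, the proxy endpoint and the gui-vm PDF hand-off as explicit accepts, everything else to `logreject` — and rate-limit and prefix the LOG rule so a misbehaving app cannot flood the journal. Note that openconnect/GlobalProtect (still installed and enabled here) reaches its gateway on TCP 443, which the new reject rule already blocks unless the client is pointed at the proxy; that path needs an explicit exemption or confirmation either way.

```nix
firewall.extraCommands = ''
  iptables -N logreject
  # Tag and rate-limit rejected egress so the journal cannot be flooded
  iptables -A logreject -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "business-vm egress reject: "
  iptables -A logreject -j REJECT

  # Egress is default-deny; every permitted destination is listed explicitly
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Web traffic only through the filtering proxy
  iptables -A OUTPUT -p tcp -d 192.168.100.1 --dport 3128 -j ACCEPT
  # PDF hand-off used by xdgopenpdf (gui-vm must resolve at rule-load time)
  iptables -A OUTPUT -p tcp -d gui-vm --dport ${toString xdgPdfPort} -j ACCEPT
  # TODO: add explicit rules for the VPN gateway, audio-vm and DNS if the VM needs them
  iptables -A OUTPUT -j logreject
'';
```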