Fetcher scripts for MS and Ghaf URLs

* A single script to fetch additional MS and Ghaf URLs in net-vm.
* Handling of PAC file by the fetcher script in business-vm.

Signed-off-by: Enes Öztürk <enes.ozturk@unikie.com>

Author: enesoztrk

modules/reference/appvms/business.nix

@@ -11,12 +11,14 @@ let
   inherit (lib) mkIf optionalString;
   #TODO: Move this to a common place
   name = "business";
+  proxyUserName = "proxy-user";
+  proxyGroupName = "proxy-admin";
   tiiVpnAddr = "151.253.154.18";
-  vpnOnlyAddr = "${tiiVpnAddr},jira.tii.ae,access.tii.ae,confluence.tii.ae,i-service.tii.ae,catalyst.atrc.ae";
+  pacFileName = "ghaf.pac";
+  pacServerAddr = "127.0.0.1:8000";
+  pacFileUrl = "http://${pacServerAddr}/${pacFileName}";
   netvmEntry = builtins.filter (x: x.name == "net-vm") config.ghaf.networking.hosts.entries;
   netvmAddress = lib.head (builtins.map (x: x.ip) netvmEntry);
-  adminvmEntry = builtins.filter (x: x.name == "admin-vm") config.ghaf.networking.hosts.entries;
-  adminvmAddress = lib.head (builtins.map (x: x.ip) adminvmEntry);
   # Remove rounded corners from the text editor window
   gnomeTextEditor = pkgs.gnome-text-editor.overrideAttrs (oldAttrs: {
     postPatch =
@@ -25,6 +27,75 @@ let
         echo -e '\nwindow { border-radius: 0px; }' >> src/style.css
       '';
   });
+
+  _ghafPacFileFetcher =
+    let
+      pacFileDownloadUrl = "https://raw.githubusercontent.com/tiiuae/ghaf-rt-config/refs/heads/main/network/proxy/ghaf.pac";
+      proxyServerUrl = "http://${netvmAddress}:${toString config.ghaf.reference.services.proxy-server.bindPort}";
+      logTag = "ghaf-pac-fetcher";
+    in
+    pkgs.writeShellApplication {
+      name = "ghafPacFileFetcher";
+      runtimeInputs = [
+        pkgs.coreutils # Provides 'mv', 'rm', etc.
+        pkgs.curl # For downloading PAC files
+        pkgs.inetutils # Provides 'logger'
+      ];
+      text = ''
+          # Variables
+          TEMP_PAC_PATH=$(mktemp)       
+          LOCAL_PAC_PATH="/etc/proxy/${pacFileName}"  
+
+          # Logging function with timestamp
+          log() {
+              logger -t "${logTag}" "$1"
+          }
+
+          log "Starting the pac file fetch process..."
+
+          # Fetch the pac file using curl with a proxy
+          log "Fetching pac file from ${pacFileDownloadUrl} using proxy ${proxyServerUrl}..."
+          http_status=$(curl --proxy "${proxyServerUrl}" -s -o "$TEMP_PAC_PATH" -w "%{http_code}" "${pacFileDownloadUrl}")
+
+          log "HTTP status code: $http_status"
+
+          # Check if the fetch was successful
+          if [[ "$http_status" -ne 200 ]]; then
+              log "Error: Failed to download pac file from ${pacFileDownloadUrl}. HTTP status code: $http_status"
+              rm -f "$TEMP_PAC_PATH"  # Clean up temporary file
+              exit 2
+          fi
+
+          # Verify the downloaded file is not empty
+          if [[ ! -s "$TEMP_PAC_PATH" ]]; then
+              log "Error: The downloaded pac file is empty."
+              rm -f "$TEMP_PAC_PATH"  # Clean up temporary file
+              exit 3
+          fi
+
+          # Log the download success
+          log "Pac file downloaded successfully. Proceeding with update..."
+
+          # Copy the content from the temporary pac file to the target file
+          log "Copying the content from temporary file to the target pac file at $LOCAL_PAC_PATH..."
+
+          # Check if the copy was successful
+        if cat "$TEMP_PAC_PATH" > "$LOCAL_PAC_PATH"; then
+              log "Pac file successfully updated at $LOCAL_PAC_PATH."
+          else
+              log "Error: Failed to update the pac file at $LOCAL_PAC_PATH."
+              rm -f "$TEMP_PAC_PATH"  # Clean up temporary file
+              exit 4
+          fi
+
+          # Clean up temporary file
+          rm -f "$TEMP_PAC_PATH"
+
+          log "Pac file fetch and update process completed successfully."
+          exit 0
+      '';
+    };
+
 in
 {
   name = "${name}";
@@ -36,7 +107,7 @@ in
       pkgs.openconnect
       gnomeTextEditor
       pkgs.xarchiver
-
+      pkgs.busybox
     ]
     ++ lib.optionals config.ghaf.profiles.debug.enable [ pkgs.tcpdump ]
     ++ lib.optionals config.ghaf.givc.enable [ pkgs.open-normal-extension ];
@@ -71,20 +142,20 @@ in
             applications = [
               {
                 name = "google-chrome";
-                command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
+                command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
                 args = [ "url" ];
               }
               {
                 name = "outlook";
-                command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
+                command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://outlook.office.com/mail/ ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
               }
               {
                 name = "office";
-                command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
+                command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://microsoft365.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
               }
               {
                 name = "teams";
-                command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
+                command = "${config.ghaf.givc.appPrefix}/run-waypipe ${config.ghaf.givc.appPrefix}/google-chrome-stable --proxy-pac-url=${pacFileUrl} --enable-features=UseOzonePlatform --ozone-platform=wayland --app=https://teams.microsoft.com ${config.ghaf.givc.idsExtraArgs} --load-extension=${pkgs.open-normal-extension}";
               }
               {
                 name = "gpclient";
@@ -107,7 +178,6 @@ in
 
           reference = {
             programs.google-chrome.enable = true;
-
             services.globalprotect = {
               enable = true;
               csdWrapper = "${pkgs.openconnect}/libexec/openconnect/hipreport.sh";
@@ -149,13 +219,66 @@ in
         # Enable dconf and icon pack for gnome text editor
         programs.dconf.enable = true;
         environment.systemPackages = [ pkgs.adwaita-icon-theme ];
+        # Define a new group for proxy management
+        users.groups.${proxyGroupName} = { }; # Create a group named proxy-admin
+
+        # Define a new user with a specific username
+        users.users.${proxyUserName} = {
+          isSystemUser = true;
+          description = "Proxy User for managing allowlist and services";
+          # extraGroups = [ "${proxyGroupName}" ]; # Adding to 'proxy-admin' for specific access     
+          group = "${proxyGroupName}";
+        };
+
+        environment.etc."proxy/${pacFileName}" = {
+          text = '''';
+          user = "${proxyUserName}"; # Owner is proxy-user
+          group = "${proxyGroupName}"; # Group is proxy-admin
+          mode = "0664"; # Permissions: read/write for owner/group, no permissions for others
+        };
+
+        systemd.services.pacServer = {
+          description = "Http server to make PAC file accessible for web browsers";
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            ExecStart = "${pkgs.busybox}/bin/busybox httpd -f -p ${pacServerAddr} -h /etc/proxy";
+            # Ensure ghafFetchUrl starts after the network is up
+            Type = "simple";
+            # Restart policy on failure
+            Restart = "always"; # Restart the service if it fails
+            RestartSec = "15s"; # Wait 15 seconds before restarting
+            User = "${proxyUserName}";
+          };
+        };
+
+        systemd.services.ghafPacFileFetcher = {
+          description = "Fetch ghaf pac file periodically with retries if internet is available";
+
+          serviceConfig = {
+            ExecStart = "${_ghafPacFileFetcher}/bin/ghafPacFileFetcher";
+            # Ensure ghafFetchUrl starts after the network is up
+            Type = "simple";
+            # Restart policy on failure
+            Restart = "on-failure"; # Restart the service if it fails
+            RestartSec = "15s"; # Wait 15 seconds before restarting
+            User = "${proxyUserName}";
+          };
+        };
+
+        systemd.timers.ghafPacFileFetcher = {
+          description = "Run ghafPacFileFetcher periodically";
+          wantedBy = [ "timers.target" ];
+          timerConfig = {
+            User = "${proxyUserName}";
+            Persistent = true; # Ensures the timer runs after a system reboot
+            OnCalendar = "daily"; # Set to your desired schedule
+            OnBootSec = "90s";
+          };
+        };
 
         #Firewall Settings
         networking = {
-          proxy = {
-            default = "http://${netvmAddress}:${toString config.ghaf.reference.services.proxy-server.bindPort}";
-            noProxy = "192.168.101.10,${adminvmAddress},127.0.0.1,localhost,${vpnOnlyAddr}";
-          };
           firewall = {
             enable = true;
             extraCommands = ''
@@ -170,6 +293,9 @@ in
               # Default policy
               iptables -P INPUT DROP
 
+              iptables -A INPUT -i lo -j ACCEPT
+              iptables -A OUTPUT -o lo -j ACCEPT
+
               # Block any other unwanted traffic (optional)
               iptables -N logreject
               iptables -A logreject -j LOG

modules/reference/programs/google-chrome.nix

@@ -20,8 +20,6 @@ in
         PromptForDownloadLocation = true;
         AlwaysOpenPdfExternally = true;
         DefaultBrowserSettingEnabled = true;
-        StartupBrowserWindowLaunchSuppressed = true;
-        DeviceMetricsReportingEnabled = false;
         MetricsReportingEnabled = false;
       };
       example = lib.literalExpression ''
@@ -30,6 +28,7 @@ in
         }
       '';
     };
+
     extraOpts = lib.mkOption {
       type = lib.types.attrs;
       description = ''
@@ -38,9 +37,9 @@ in
         <https://cloud.google.com/docs/chrome-enterprise/policies/>
         Make sure the selected policy is supported on Linux and your browser version.
       '';
-      default = {
-
-      };
+      default =
+        {
+        };
       example = lib.literalExpression ''
         {
           "BrowserSignin" = 0;
@@ -54,15 +53,33 @@ in
         }
       '';
     };
+
+    policyOwner = lib.mkOption {
+      type = lib.types.str;
+      default = "root";
+      description = "Policy files owner";
+    };
+
+    policyOwnerGroup = lib.mkOption {
+      type = lib.types.str;
+      default = "root";
+      description = "Policy files group";
+    };
   };
   config = lib.mkIf cfg.enable {
 
     environment.etc = {
       "opt/chrome/policies/managed/default.json" = lib.mkIf (cfg.defaultPolicy != { }) {
         text = builtins.toJSON cfg.defaultPolicy;
+        user = "${cfg.policyOwner}"; # Owner is proxy-user
+        group = "${cfg.policyOwnerGroup}"; # Group is proxy-admin
+        mode = "0664"; # Permissions: read/write for owner/group, no permissions for others
       };
-      "opt/chrome/policies/managed/extra.json" = lib.mkIf (cfg.extraOpts != { }) {
+      "opt/chrome/policies/managed/extra.json" = {
         text = builtins.toJSON cfg.extraOpts;
+        user = "${cfg.policyOwner}"; # Owner is proxy-user
+        group = "${cfg.policyOwnerGroup}"; # Group is proxy-admin
+        mode = "0664"; # Permissions: read/write for owner/group, no permissions for others
       };
 
     };