User docker for guacamole

2024-06-13 16:53:06 +02:00 · 2024-06-13 16:53:06 +02:00 · 8e17bf5efc
parent db04a34731
commit 8e17bf5efc
4 changed files with 18 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -113,10 +113,12 @@ Most services are served over [tailscale](https://tailscale.com/), using certifi
 - [Commafeed](https://github.com/Athou/commafeed) — rss reader
 - [Forgejo](https://forgejo.org/) — git forge
 - [Grafana](https://github.com/grafana/grafana) — pretty dashboards
+- [Guacamole](https://guacamole.apache.org/) — remote desktop access
 - [Homer](https://github.com/bastienwirtz/homer) — server homepage
 - [Intray](https://github.com/NorfairKing/intray) — GTD capture tool.
 - [Invidious](https://invidious.io/) — alternate youtube client
 - [Jellyfin](https://jellyfin.org/) — media server
+- [Jupyterhub](https://jupyter.org/hub) — notebook collaboration suite
 - [Microbin](https://microbin.eu/) - code & file sharing service
 - [Pounce](https://git.causal.agency/pounce/about/) & [calico](https://git.causal.agency/pounce/about/calico.1) — irc bouncer
 - [Prometheus](https://github.com/prometheus/prometheus) — metric collector
--- a/hosts/nixos/common/global/ports.nix
+++ b/hosts/nixos/common/global/ports.nix
@ -22,5 +22,6 @@
    microbin = 8418;
    forgejo = 8419;
    jupyterhub = 8420;
+    guacamole = 8421;
  };
 }
--- a/hosts/nixos/lapetus/secrets.yaml
+++ b/hosts/nixos/lapetus/secrets.yaml
@ -8,7 +8,7 @@ microbin_env: ENC[AES256_GCM,data:nxiE9GIvEb0xgqomDdMyy2UtG25pt7h+6JUZkAgIejZbJf
 forgejo_mail_password: ENC[AES256_GCM,data:linrpmA8b+8e1+tWNl0=,iv:Mk7suPq0Jt960Zl9s2jj3SSAKt4t8Lv4eKdIo0o8JbE=,tag:TZ0qGJIVSFSUt/0cqamvdw==,type:str]
 javi_password: ENC[AES256_GCM,data:5Ifh/DclUz0/AL69Th/GckolrjerLOnDW77SOf+/L3v39T+EOYgK2GDNKtWGGWYX5sdxZ9JwLS3ZVsIOnN4zjFhgV+GChJWkkzjdpJEtpHlmmBKlyS31Fw7SixVkL3y3VJhw72aVv3bMKQ==,iv:FzAmvIlrhna5InsQCRrWVdrKZGmHMb0njWdvgBurdYs=,tag:/Iguu2FbdV/4RSGTnFdyYA==,type:str]
 vpn_env: ENC[AES256_GCM,data:+61Ft1xj1WnaGH6SdUj3sQunDeTWTQ/G2GVQr1KxXVmLehAdO3W2qwqPRsq0qaad3E6eXd7kMU78w1/9fXM34mJXArmXNPW1X+0549+NX4t3QVP83cIRw6B5vwlWMIA8ixEk46a+t7/C6A10hqpyhqHmeyQEOwJvG+Pou61lBmhSkMQy5gjH4ZNsHHZV0/6ZxSk0yAPQq76cPz4dFvyDzdonLnb+2s1KhHC3D7P6SfuWnfJ1EglrDT8R+A==,iv:mw26zTyFnq9CjN06eRmBTWNjh6SRDY7WOCyhBCmyglg=,tag:cPJvzgtruQNLSg7B+br6xQ==,type:str]
-guacamole_users: ENC[AES256_GCM,data:owqflMMpGLUWPcab8JDlQ12zOuCrfkohxims8we9gKuFX28hrjN1wCmgFDGgX5VqWp07SOKdQVI05xMMO2e9pYgUpeKx5FIa/S/4Q/RNelwWPLmhxqGyEt59L5IBgTfgW5qQMvsl1Q7Xgf8X5bFFUSRmzAx0RFamMPqr71vwPphT7XNnPT8QWQo/2bEUqH0Tb5ITkb1FRSMQzIempuKe4K+awISIDAMwLf87esnoHx+dzQQQObSkKGNDpZ39+IUmeyvTIgN7uWQ349jIzkjNTVMzMUWdpDM6Mn9NwQA8m9BXns9vAe03Ama5cQ0ei64eZSb5uYki0BIV2pYccmIBn4Y/QgfMi5F/L9khr94iiVfH6EWtrDIpVwFt9TNZA/gHbOkQVPyHUMGOpCn2tK5ifFDK0URH5E7WM66BiL3yKd7B9SvQuEN8bnFn64QgiYxSp5NxxGx1ZLE7pzSCEtXkWkCYDHe0xDpOUd+zEfOIeQo7Cdn7y5QaXFyrcwryprYb5Hx/5TtTkCm/+r9nl7BbMKnPLblJvsA77/7pws8xcLgNSAR0ROWqB88vauI1uvwdWN5U5VxsEJmoNQXQKOLOtiQ2mFfIY3DYdHtw1L26ISIYOU6XR7jI/MwOBPO94izEW/j1SwGNgMN5Aydu0RRUhyK9RojjR5CEYjyuqclcD0asJ4faYQn8GvnXJPKF/+U7C6O1g6/ejl3fjwyWRb4kreIATdRfZH+m3nVHgSMvPNk8aPlIs51+SIYMtzf32lKp/AVn2hFKF5g+r2rhWH13Lt9poUg2l//l3jPDY1hpc6dm/5H9ZIGKIqcBlYxqnQngUu51lGO0r6z7u/EsIbInnd5TLK5JrTfnuLuwbyo1yetT2J0MNumy9FcrTsDK4+7DEdAJUxPBRrzllgi+hrnDlVLgLH+7y/gc8lB0cE53GBBXp1N7SfJ1,iv:RFuPux63nSefW3+F08jb94q/NwIKE9g/DGjN++oMdXc=,tag:tCCUIttbK5wfbNpjzY0Bgw==,type:str]
+guacamole_users: ENC[AES256_GCM,data:0oJdvTX/9SXV5fBdY0qr9BmSO1HMXX/7+R/f7UxeC/eQcFC9uptkdmLUYfghPvNFlmDNE8yllDylqqTk76qdFFYez78IhBmwj3MbY3C5C81PLI8yNroU0odaW1vgBvg9f8TdoQikMunnl8usNk71t8zxtZAtEbs3nogAbxFMouVy75TSnV+fx+Tb+SdSOQef3XgGrCK8BxaGnR+5LitXiFAIQwwiLV8NIf8alhklHrs3anQ1my83mSfeDYbyNd+ycTtlDa/9HVSGd/UErFP+guM4PNSuzVpNc91/3nm2gFYshMbVb36Z3zmG08fr1o3aoIs0X82XQLQuPmTDaH13RRNlTKPzoUjmXcBziryqqd3OBFRMM9BKlj7An1gZCbTzp2oNYjW2ReNQl6PyDhTZChf+Fgzx3wVXFYcGTueYQ3a1cuBWNvLrzNDFwTiYDfIP6scbEL2A07O2lhQArAGRFlvifNnhEayvzFR3Pzj10UoRhhyMSIWu2CThVKWVfRKCdvwLpTMCY4Yfn89krQu3UBYN2tFpJ9xiqRBmGCyjLNU2X6a5YxCMJkd56ptvnoc+TBF63c9W3sK91R4uLH673xf+LW+izLNFU4eQ66jtMGVx0MkX9uPAbP5+Pp+/J/OiQgsm6dL8r75lEGhKP0sMABc5I5oUNnAy6y52NY5BLOnJp5M/ulGvC4+cSdyaO0Ey2Zj+iPotxmyS60iY+mn0TMT5RnGF/Dx7q5YKzZKV2Gd5Trdum+pFta1k/ljwdLE0EwYZ0Y5bKVjV/tHYabZctrmrqmjmBHjraeYww6yqJka7HeyceBqFCt/fSAIi5WyhPlqYG4QSxM41fR50C6Y4BWeFlVmISoqx2fyq4HOZKbmG9qxvt/AofFi/X+YoBJ5w78MpOVBWRG/bRjqN2AfBFZIEpkUFXT3P1KHIqKXk6ueaMl50ftCZt0wZ770V6TNsssChsA==,iv:L5jR23mTV5oMNGM4s41Qe0fubj2PNZpjhNpNJakgUvM=,tag:IBELh0mxyHdGlAtRuQo9Uw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -33,8 +33,8 @@ sops:
            RHZ6alYrUU5BZ2xlMkdGR1dWRG5aeGMKJdsdtVZ6Mk9Vo3a+tS+rzAgaF2wpH+8U
            lWhA+c0Kbe8EJT8hm7Vr8PqBmElz4V9AnXSCTp7D+Cu4pfWsHopLUQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-13T13:36:09Z"
-    mac: ENC[AES256_GCM,data:3YUMJJaAeU6S7BwB5FzUuke3SKMZ0naRtRQoAnSRMMj39dQmg20rQy8F5cWsPvQAbDhOnY/1t3IxGbc8LGQkapcJJhbLiWuQmnPylZuMIgXhsnEzSyZ195FJcTGP5JTfmUb0GZ29MSBAlqRcZb0IDZjbOpVigp5BbD+s64HpdFE=,iv:p1pg4A1JEX3YlvoG6ncaavbJvURPlkAQM/jKbE+9sgE=,tag:WvULhegnyz/HXRfCEP6DiQ==,type:str]
+    lastmodified: "2024-06-13T14:52:30Z"
+    mac: ENC[AES256_GCM,data:EXVbpc8P8SzTSYw0TWwJBEWYZRpGOAXm4wFS0JbzeiNaWEybZk6Y07Vr5tyaEWucpu52VxLrVwoZn8YSdF9JPAHtTQYYY35MccBkB01+GVXpVDQfxCG9UNYO24qExNboQIs5QRWmtaX7zTbut+ETcOFKHlkqR9g95PZQhsNZx4c=,iv:1Bu9g4/V2ixRvJJBijlkdNO9pdoR+qwDGTeUgr24dsg=,tag:gyF34lCSbF0It4KPmtQYJA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/hosts/nixos/lapetus/services/guacamole/default.nix
+++ b/hosts/nixos/lapetus/services/guacamole/default.nix
@ -1,15 +1,20 @@
 { config, ... }:
 {
  sops.secrets.guacamole_users.sopsFile = ../../secrets.yaml;
-  satellite.nginx.at.guacamole.port = 8443; # default tomcat port
+  satellite.nginx.at.guacamole.port = config.satellite.ports.guacamole;

-  services.guacamole-server = {
-    enable = true;
-    userMappingXml = config.sops.secrets.guacamole_users.path;
-  };
+  virtualisation.oci-containers.containers.commafeed = {
+    image = "";
+    ports = [ "${toString config.satellite.nginx.at.guacamole.port}:8080" ];
+    volumes = [
+      "/etc/localtime:/etc/localtime"
+      # "${config.sops.secrets.guacamole_users.path}:/etc/guacamole/user-mapping.xml"
+      "/var/lib/guacamole:/config"
+    ];

-  services.guacamole-client = {
-    enable = true;
+    environment = {
+      TZ = config.time.timeZone;
+    };
  };

  # Allow ssh-ing using the provided key