fleet: add FleetDM client with dynamic hostname support

Add Fleet MDM client (Orbit) integration for device management:

- Add fleet module with Orbit and Fleet Desktop packages (v1.46.0)
- Patch orbit to support --hostname-file flag for dynamic hostname
  identification from external file instead of system hostname
- Add NixOS-specific patches for script execution and path handling
- Enable Orbit service in guivm with dynamic hostname from
  /etc/common/ghaf/hostname (shared via virtiofs from host)
- Add systemd ConditionPathExists to wait for hostname file

This allows Fleet server to identify devices using the hardware-derived
dynamic hostname generated by ghaf-dynamic-hostname service on the host.

Signed-off-by: vadik likholetov <vadikas@gmail.com>

Author: vadika

docs/astro.config.mjs

@@ -93,6 +93,7 @@ export default defineConfig({
                         "ghaf/dev/ref/idsvm-development",
                         "ghaf/dev/ref/systemd-service-config",
                         "ghaf/dev/ref/dynamic-hostname",
+                        "ghaf/dev/ref/fleet",
                         "ghaf/dev/ref/memory-wipe",
                         "ghaf/dev/ref/kill_switch",
                         "ghaf/dev/ref/wireguard-gui",

docs/src/content/docs/ghaf/dev/ref/dynamic-hostname.mdx

@@ -222,7 +222,7 @@ ghaf.identity.dynamicHostName.digits = 6;  # 1 million possibilities
 - **User Visibility**: Users can identify their specific hardware instance across host and VMs
 - **Network Troubleshooting**: Consistent hostname helps with debugging network issues and tracking device behavior
 - **Reproducible Testing**: Deterministic identities allow consistent testing environments across rebuilds
-- **Fleet Management**: Same hardware always produces same identities for reliable device tracking
+- **Fleet Management**: Same hardware always produces same identities for reliable device tracking (see [Fleet Device Management](/ghaf/dev/ref/fleet))
 
 ## Technical Details
 

docs/src/content/docs/ghaf/dev/ref/fleet.mdx

@@ -0,0 +1,166 @@
+---
+title: Fleet Device Management
+sidebar:
+  label: Fleet MDM
+---
+
+Fleet is an open-source device management platform that uses osquery to provide visibility and control over your device fleet. In Ghaf, Fleet Orbit is integrated to enable centralized device management, monitoring, and remote script execution.
+
+## Overview
+
+The Fleet integration in Ghaf provides:
+
+- **Device Visibility**: Query device state, installed software, and system configuration
+- **Remote Management**: Execute scripts and commands on managed devices
+- **Policy Enforcement**: Define and monitor compliance policies
+- **Fleet Desktop**: User-facing tray application for device status
+
+Fleet Orbit runs in the GUI VM and reports to a central Fleet server using a dynamic hostname derived from the device hardware, ensuring consistent identification across reboots.
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                        Host VM                               │
+│  ┌─────────────────────────────────────────────────────┐    │
+│  │  ghaf-dynamic-hostname service                       │    │
+│  │  └─► /persist/common/ghaf/hostname                   │    │
+│  └─────────────────────────────────────────────────────┘    │
+│                           │ (virtiofs)                       │
+└───────────────────────────┼─────────────────────────────────┘
+                            │
+┌───────────────────────────┼─────────────────────────────────┐
+│                        GUI VM                                │
+│                           ▼                                  │
+│  ┌─────────────────────────────────────────────────────┐    │
+│  │  /etc/common/ghaf/hostname                           │    │
+│  └──────────────────────┬──────────────────────────────┘    │
+│                         │                                    │
+│  ┌──────────────────────▼──────────────────────────────┐    │
+│  │  orbit.service                                       │    │
+│  │  └─► ORBIT_HOSTNAME_FILE=/etc/common/ghaf/hostname   │    │
+│  │  └─► Reports to Fleet Server                         │    │
+│  └─────────────────────────────────────────────────────┘    │
+│                                                              │
+│  ┌─────────────────────────────────────────────────────┐    │
+│  │  fleet-desktop.service (user)                        │    │
+│  │  └─► Tray icon for device status                     │    │
+│  └─────────────────────────────────────────────────────┘    │
+└─────────────────────────────────────────────────────────────┘
+```
+
+## Configuration
+
+Fleet is configured in the GUI VM via `services.orbit`. The following example shows the default configuration:
+
+```nix
+services.orbit = {
+  enable = true;
+  fleetUrl = "https://your-fleet.example.com";
+  enrollSecret = "your-enroll-secret";       # Use enrollSecretPath for production
+  hostnameFile = "/etc/common/ghaf/hostname"; # Dynamic hostname from host
+  enableScripts = true;                       # Allow remote script execution
+};
+```
+
+### Configuration Options
+
+| Option | Environment Variable | Description |
+|--------|---------------------|-------------|
+| `enable` | — | Enable Fleet Orbit systemd service |
+| `fleetUrl` | `ORBIT_FLEET_URL` | Base URL of the Fleet server |
+| `enrollSecret` | `ORBIT_ENROLL_SECRET` | Enroll secret for Fleet server |
+| `enrollSecretPath` | `ORBIT_ENROLL_SECRET_PATH` | Path to enroll secret file (recommended for production) |
+| `fleetCertificate` | `ORBIT_FLEET_CERTIFICATE` | Path to Fleet server certificate chain |
+| `hostnameFile` | `ORBIT_HOSTNAME_FILE` | Path to file containing hostname (Ghaf-specific) |
+| `hostIdentifier` | `ORBIT_HOST_IDENTIFIER` | Host identifier mode: `uuid` or `instance` |
+| `enableScripts` | `ORBIT_ENABLE_SCRIPTS` | Enable remote script execution |
+| `debug` | `ORBIT_DEBUG` | Enable debug logging |
+| `insecure` | `ORBIT_INSECURE` | Disable TLS certificate verification |
+
+### Secret Management
+
+For production deployments, use `enrollSecretPath` with a secrets management solution like sops-nix:
+
+```nix
+services.orbit = {
+  enable = true;
+  fleetUrl = "https://fleet.example.com";
+  enrollSecretPath = config.sops.secrets.fleet-enroll-secret.path;
+  hostnameFile = "/etc/common/ghaf/hostname";
+};
+
+sops.secrets.fleet-enroll-secret = {
+  sopsFile = ./secrets.yaml;
+};
+```
+
+## Dynamic Hostname
+
+Ghaf uses hardware-derived hostnames for device identification. The `ghaf-dynamic-hostname` service on the host generates a unique hostname based on hardware identifiers (DMI serial, disk UUID, or MAC address) and writes it to `/persist/common/ghaf/hostname`.
+
+This file is shared with VMs via virtiofs and mounted at `/etc/common/ghaf/hostname`. The Fleet module is patched to read the hostname from this file via the `hostnameFile` option, ensuring devices are consistently identified on the Fleet server.
+
+The orbit service includes a `ConditionPathExists` directive to wait for the hostname file before starting.
+
+## Systemd Services
+
+Two systemd services are created:
+
+- **`orbit.service`** (system): Runs the Orbit agent, connecting to the Fleet server
+- **`fleet-desktop.service`** (user): Runs Fleet Desktop tray application in graphical sessions
+
+## Logs
+
+Orbit logs are written to:
+- `/var/log/orbit/orbit.log` — Main Orbit log
+- `/var/log/orbit/osquery/` — osquery result and status logs
+- `journalctl -u orbit` — Systemd journal
+
+## NixOS-Specific Considerations
+
+The Ghaf Fleet integration includes patches for NixOS compatibility:
+
+- **Disabled auto-updates**: NixOS manages packages declaratively; Orbit's auto-update is disabled
+- **Disabled keystore**: Secrets are not stored in OS-specific keystores
+- **Fixed paths**: osqueryd binary path is set from Nix store
+- **Shebang patching**: Remote scripts have shebangs patched to use NixOS paths
+
+## Troubleshooting
+
+### Orbit not starting
+
+Check if the hostname file exists:
+```bash
+ls -la /etc/common/ghaf/hostname
+```
+
+Check service status:
+```bash
+systemctl status orbit
+journalctl -u orbit -f
+```
+
+### Connection issues
+
+Enable debug logging:
+```nix
+services.orbit = {
+  debug = true;
+  # For testing only:
+  # insecure = true;
+};
+```
+
+### Script execution failures
+
+Verify scripts are enabled and check logs:
+```bash
+cat /var/log/orbit/orbit.log | grep -i script
+```
+
+## References
+
+- [Fleet Documentation](https://fleetdm.com/docs)
+- [osquery Documentation](https://osquery.readthedocs.io/)
+- [Dynamic Hostname Generation](/ghaf/dev/ref/dynamic-hostname) — Ghaf hardware-derived hostname system

modules/common/identity/dynamic-hostname.nix

@@ -146,6 +146,20 @@ let
       # Generate device-id from our hardware-derived ID (for backward compatibility)
       # Use the same ID but format as hex string with dashes like: 00-01-23-45-67
       printf "%010x" "$((10#$id))" | fold -w2 | paste -sd'-' | tr -d '\n' > "$shareDir/../device-id"
+
+      # Generate a stable UUID from the hardware key and export it for VMs.
+      uuid_hash=$(echo -n "$key" | sha256sum | cut -d' ' -f1)
+      uuid="''${uuid_hash:0:8}-''${uuid_hash:8:4}-5''${uuid_hash:13:3}-a''${uuid_hash:17:3}-''${uuid_hash:20:12}"
+      printf "%s" "$uuid" > "$shareDir/uuid"
+
+      # Generate unique machine-ids for all VMs based on hardware ID
+      # Each VM gets a deterministic ID derived from hardware + VM name
+      ${lib.concatMapStringsSep "\n" (vm: ''
+        mkdir -p /persist/storagevm/${vm}/etc
+        vm_key="$key-${vm}"
+        vm_hash=$(echo -n "$vm_key" | sha256sum | cut -d' ' -f1)
+        echo -n "$vm_hash" > /persist/storagevm/${vm}/etc/machine-id
+      '') activeMicrovms}
     '';
   };
 in

modules/common/security/default.nix

@@ -9,5 +9,6 @@
     ./pwquality.nix
     ./fail2ban.nix
     ./ssh-tarpit
+    ./fleet
   ];
 }