enable policy management through ghaf-givc

- Enable policyAdmin defaults in adminvm
- Ensure /etc/policies is persisted/available across sysvms (admin/audio/gui/net) and in adminvm storage config
- Manage pac configuration through policy
- Add business appvm policyAgent config and persist /etc/policies + /etc/proxy with appuser perms
- Refactor PAC service options: nest fetcher settings under pacFileFetcher and gate tmpfiles/service behind enable

Signed-off-by: Ganga Ram <Ganga.Ram@tii.ae>

Author: gngram

flake.lock

@@ -106,7 +106,7 @@
 
     # Ghaf Inter VM communication and control library
     givc = {
-      url = "github:tiiuae/ghaf-givc";
+      url = "github:gngram/ghaf-givc/policy-management-meta";
       inputs = {
         nixpkgs.follows = "nixpkgs";
         flake-parts.follows = "flake-parts";

flake.nix

@@ -1,6 +1,6 @@
 # SPDX-FileCopyrightText: 2022-2026 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.ghaf.givc.adminvm;
   inherit (lib) mkEnableOption mkIf;
@@ -23,6 +23,15 @@ in
       inherit (config.ghaf.givc.adminConfig) addresses;
       services = map (host: "givc-${host}.service") systemHosts;
       tls.enable = config.ghaf.givc.enableTls;
+      policyAdmin = {
+        enable = true;
+        url = "https://github.com/gngram/policy-store.git";
+        rev = "77f54de54ef8640abb079bf60e5468d9694d850d";
+        sha256 = "sha256-uStBhfEPwKXClqEeILzECqLrpCG/M/OG+RejZ5U+yvQ=";
+        opa.enable = true;
+        monitor.enable = true;
+        monitor.ref = "deploy";
+      };
     };
     ghaf.security.audit.extraRules = [
       "-w /etc/givc/ -p wa -k givc-${name}"

modules/givc/adminvm.nix

@@ -91,18 +91,19 @@ let
                 storagevm = {
                   enable = true;
                   name = vmName;
-                  directories =
-                    lib.optionals (!lib.hasAttr "${config.ghaf.users.appUser.name}" config.ghaf.storagevm.users)
+                  directories = lib.optionals
+                      (!lib.hasAttr config.ghaf.users.appUser.name config.ghaf.storagevm.users)
                       [
-                        # By default, persist appusers entire home directory unless overwritten by defining
+                        # By default, persist appuser's entire home directory unless overwritten by defining
                         # either storagevm.users.<user>.directories and/or .files explicitly in an appvm.
                         {
                           directory = "/home/${config.ghaf.users.appUser.name}";
-                          user = "${config.ghaf.users.appUser.name}";
-                          group = "${config.ghaf.users.appUser.name}";
+                          user = config.ghaf.users.appUser.name;
+                          group = config.ghaf.users.appUser.name;
                           mode = "0700";
                         }
                       ];
+
                   shared-folders.enable = sharedVmDirectory.enable && builtins.elem vmName sharedVmDirectory.vms;
                   encryption.enable = configHost.ghaf.virtualization.storagevm-encryption.enable;
                 };

modules/microvm/appvm.nix

@@ -58,9 +58,16 @@ let
                 "/etc/locale-givc.conf"
                 "/etc/timezone.conf"
               ];
-              directories = lib.mkIf configHost.ghaf.virtualization.storagevm-encryption.enable [
+              directories = [
+                {
+                  directory = "/etc/policies";
+                  mode = "0755";
+                }
+              ]
+              ++ lib.optionals configHost.ghaf.virtualization.storagevm-encryption.enable [
                 "/var/lib/swtpm"
               ];
+
               encryption.enable = configHost.ghaf.virtualization.storagevm-encryption.enable;
             };
             # Networking

modules/microvm/sysvms/adminvm.nix

@@ -60,6 +60,12 @@ let
               enable = true;
               name = vmName;
               encryption.enable = configHost.ghaf.virtualization.storagevm-encryption.enable;
+              directories = [
+                {
+                  directory = "/etc/policies";
+                  mode = "0755";
+                }
+              ];
             };
             # Networking
             virtualization.microvm.vm-networking = {

modules/microvm/sysvms/audiovm.nix

@@ -98,6 +98,12 @@ let
                 isGuiVm = true;
               };
               encryption.enable = configHost.ghaf.virtualization.storagevm-encryption.enable;
+              directories = [
+                {
+                  directory = "/etc/policies";
+                  mode = "0755";
+                }
+              ];
             };
 
             # Networking

modules/microvm/sysvms/guivm.nix

@@ -64,6 +64,12 @@ let
               enable = true;
               name = vmName;
               encryption.enable = configHost.ghaf.virtualization.storagevm-encryption.enable;
+              directories = [
+                {
+                  directory = "/etc/policies";
+                  mode = "0755";
+                }
+              ];
             };
 
             # Networking

modules/microvm/sysvms/netvm.nix

@@ -260,12 +260,41 @@ in
               "! -o tun0 -p udp -m multiport --dports 80,443 -j nixos-fw-log-refuse"
             ];
           };
+
+        givc.appvm.policyAgent = {
+          enable = true;
+          policyConfig = {
+            "ghaf.pac" = {
+              action = "${pkgs.rsync}/bin/rsync -a {target} /etc/proxy/";
+            };
+          };
+        };
+
+        ghaf.storagevm = {
+          directories = [
+              {
+                directory = "/etc/policies";
+                user = config.ghaf.users.appUser.name;
+                group = config.ghaf.users.appUser.name;
+                mode = "0774";
+              }
+              {
+                directory = "/etc/proxy";
+                user = config.ghaf.users.appUser.name;
+                group = config.ghaf.users.appUser.name;
+                mode = "0774";
+              }
+            ];
+        };
         # Enable Proxy Auto-Configuration service for the browser
         ghaf.reference.services = {
           pac = {
             enable = true;
-            proxyAddress = config.ghaf.reference.services.proxy-server.internalAddress;
-            proxyPort = config.ghaf.reference.services.proxy-server.bindPort;
+            pacFileFetcher = {
+              enable = false;
+              proxyAddress = config.ghaf.reference.services.proxy-server.internalAddress;
+              proxyPort = config.ghaf.reference.services.proxy-server.bindPort;
+            };
           };
 
           # Enable WireGuard GUI

modules/reference/appvms/business.nix

@@ -14,8 +14,8 @@ let
   pacServerAddr = "127.0.0.1:8000";
   _ghafPacFileFetcher =
     let
-      pacFileDownloadUrl = cfg.pacUrl;
-      proxyServerUrl = "http://${cfg.proxyAddress}:${toString cfg.proxyPort}";
+      pacFileDownloadUrl = cfg.pacFileFetcher.pacUrl;
+      proxyServerUrl = "http://${cfg.pacFileFetcher.proxyAddress}:${toString cfg.pacFileFetcher.proxyPort}";
       logTag = "ghaf-pac-fetcher";
     in
     pkgs.writeShellApplication {
@@ -72,29 +72,32 @@ in
 {
   options.ghaf.reference.services.pac = {
     enable = lib.mkEnableOption "Proxy Auto-Configuration (PAC)";
-
-    proxyAddress = lib.mkOption {
-      type = lib.types.str;
-      description = "Proxy address";
-    };
-
-    proxyPort = lib.mkOption {
-      type = lib.types.int;
-      description = "Proxy port";
-    };
-
-    pacUrl = lib.mkOption {
-      type = lib.types.str;
-      description = "URL of the Proxy Auto-Configuration (PAC) file";
-      default = "https://raw.githubusercontent.com/tiiuae/ghaf-rt-config/refs/heads/main/network/proxy/ghaf.pac";
-    };
-
     proxyPacUrl = lib.mkOption {
       type = lib.types.str;
       description = "Local PAC URL that can be passed to the browser";
       default = "http://${pacServerAddr}/${pacFileName}";
       readOnly = true;
     };
+
+    pacFileFetcher = {
+      enable = lib.mkEnableOption "PAC file fetcher";
+
+      proxyAddress = lib.mkOption {
+        type = lib.types.str;
+        description = "Proxy address";
+      };
+
+      proxyPort = lib.mkOption {
+        type = lib.types.int;
+        description = "Proxy port";
+      };
+
+      pacUrl = lib.mkOption {
+        type = lib.types.str;
+        description = "URL of the Proxy Auto-Configuration (PAC) file";
+        default = "https://raw.githubusercontent.com/tiiuae/ghaf-rt-config/refs/heads/main/network/proxy/ghaf.pac";
+      };
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -109,9 +112,11 @@ in
     };
 
     systemd = {
-      tmpfiles.rules = [
-        "f /etc/proxy/${pacFileName} 0664 ${proxyUserName} ${proxyGroupName} - -"
-      ];
+      tmpfiles = lib.mkIf cfg.pacFileFetcher.enable {
+        rules = [
+          "f /etc/proxy/${pacFileName} 0664 ${proxyUserName} ${proxyGroupName} - -"
+        ];
+      };
 
       services = {
         pacServer = {
@@ -131,7 +136,7 @@ in
           };
         };
 
-        ghafPacFileFetcher = {
+        ghafPacFileFetcher = lib.mkIf cfg.pacFileFetcher.enable {
           description = "Fetch ghaf pac file periodically with retries if internet is available";
           serviceConfig = {
             ExecStart = "${_ghafPacFileFetcher}/bin/ghafPacFileFetcher";