@vadika (Contributor) commented Dec 3, 2025

…figuration

Introduce a deployment profile system that separates deployment-specific
settings (logging endpoints, security policies, networking) from use-case
profiles.

This allows the same Ghaf build to be customized for different deployment
environments without modifying core profile definitions.

New files:

  • modules/reference/deployments/default.nix: Core options for logging,
    business-vm, networking, security, features, and branding
  • modules/reference/deployments/tii-internal.nix: TII internal deployment
  • modules/reference/deployments/demo.nix: Demo/conference deployment
  • modules/reference/deployments/flake-module.nix: Flake integration

Usage:
ghaf.reference.deployments.profiles.tii-internal.enable = true;

The mvp-user-trial profile now reads from deployment settings when available,
falling back to current defaults for backward compatibility.

WireGuard VPN:

  • wireguard.enable: Toggle WireGuard GUI (default: true for backward compat)
  • wireguard.enabledVms: List of VMs where WireGuard GUI is enabled
  • wireguard.preConfiguredPeers: Pre-configured WireGuard peers

Identity Provider (AD/LDAP):

  • identity.provider: Select auth backend (none/azure-ad/ldap/local)
  • identity.azure.*: Azure AD configuration (tenantId, clientId, domain)
  • identity.ldap.*: LDAP configuration (serverUri, baseDn, bindDn, etc.)

Update mvp-user-trial.nix to read wireguard-gui setting from deployment
profile, allowing per-deployment control over VPN availability.

Example usage:
ghaf.reference.deployments.profiles.tii-internal.enable = true;
# WireGuard enabled by default for tii-internal

ghaf.reference.deployments.profiles.demo.enable = true;
# WireGuard disabled for demo deployments

Description of Changes

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

Nothing should change.
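As an added illustration of the option/consumer split the description lays out (not the PR's own modules: the option paths follow the description, while the module layout, the `ghaf` admin user name and the assertion are assumptions), one way to write the admin-password and SSH-key handling in NixOS module style:

```nix
# Added illustration, not the PR's own modules. Option paths follow the PR
# description; module layout, the "ghaf" admin user and the guard are assumed.
{ config, lib, ... }:
let
  cfg = config.ghaf.reference.deployments;
  inherit (lib) mkOption mkEnableOption mkIf mkDefault types;
in
{
  options.ghaf.reference.deployments = {
    profiles.tii-internal.enable = mkEnableOption "TII internal deployment";
    profiles.demo.enable = mkEnableOption "demo/conference deployment";
    users.adminPassword = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Plaintext admin password (demo/dev only).";
    };
    users.adminHashedPassword = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Admin password hash (e.g. from mkpasswd -m sha-512).";
    };
    development.enableSshAccess = mkEnableOption "SSH access";
    development.authorizedSshKeys = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "Per-deployment authorized SSH public keys.";
    };
  };

  config = {
    # Profile-level default; a host config can still override it with mkForce.
    ghaf.reference.deployments.development.enableSshAccess =
      mkDefault cfg.profiles.tii-internal.enable;
    # Consumer side (what accounts.nix / keys.nix would read): prefer the hash,
    # fall back to the plaintext default "ghaf" for backward compatibility.
    users.users.ghaf = {
      openssh.authorizedKeys.keys =
        mkIf cfg.development.enableSshAccess cfg.development.authorizedSshKeys;
    } // (if cfg.users.adminHashedPassword != null then
      { hashedPassword = cfg.users.adminHashedPassword; }
    else
      { password = if cfg.users.adminPassword != null then cfg.users.adminPassword else "ghaf"; });
    # Guard: the internal deployment must never ship with the plaintext default.
    assertions = [{
      assertion = !cfg.profiles.tii-internal.enable || cfg.users.adminHashedPassword != null;
      message = "tii-internal deployment requires users.adminHashedPassword to be set.";
    }];
  };
}
```

With the guard in place, enabling the tii-internal profile without a hashed password fails at evaluation time instead of shipping the default credential.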

@vadika marked this pull request as draft December 3, 2025 09:55
@vadika force-pushed the deployment-profile branch from 85d0197 to 1c491a6 December 3, 2025 11:11
@vadika force-pushed the deployment-profile branch from 1c491a6 to 6fa7ed7 December 3, 2025 11:14
@vadika force-pushed the deployment-profile branch from 6fa7ed7 to 835d707 December 3, 2025 11:14
@vadika marked this pull request as ready for review December 3, 2025 11:38
@vadika force-pushed the deployment-profile branch from 835d707 to 30efd8e December 3, 2025 13:48
@vadika force-pushed the deployment-profile branch from 30efd8e to aef8140 December 3, 2025 14:01
@vadika force-pushed the deployment-profile branch from aef8140 to 127e602 December 3, 2025 14:12
@vadika force-pushed the deployment-profile branch from 127e602 to 0daff81 December 3, 2025 16:34
@vadika force-pushed the deployment-profile branch from 0daff81 to 4347a12 December 3, 2025 16:49
@vadika force-pushed the deployment-profile branch from 4347a12 to 038958e December 3, 2025 18:01
@vadika force-pushed the deployment-profile branch from 038958e to 2de1c86 December 3, 2025 18:02
@vadika force-pushed the deployment-profile branch from 2de1c86 to 3cea890 December 3, 2025 18:04
@vadika force-pushed the deployment-profile branch from 3cea890 to 4f7c29a December 3, 2025 18:37
@vadika force-pushed the deployment-profile branch from 4f7c29a to 626d912 December 3, 2025 19:18
@vadika force-pushed the deployment-profile branch from 626d912 to ee7a4d2 December 5, 2025 08:29
@vadika force-pushed the deployment-profile branch from ee7a4d2 to 4fc84e1 December 5, 2025 10:23
…figuration

Introduce a deployment profile system that separates deployment-specific
settings (logging endpoints, security policies, networking) from use-case
profiles.

This allows the same Ghaf build to be customized for different deployment
environments without modifying core profile definitions.

New files:
- modules/reference/deployments/default.nix: Core options for logging,
  business-vm, networking, security, features, and branding
- modules/reference/deployments/tii-internal.nix: TII internal deployment
- modules/reference/deployments/demo.nix: Demo/conference deployment
- modules/reference/deployments/flake-module.nix: Flake integration

Usage:
  ghaf.reference.deployments.profiles.tii-internal.enable = true;

The mvp-user-trial profile now reads from deployment settings when available,
falling back to current defaults for backward compatibility.

WireGuard VPN:
  - wireguard.enable: Toggle WireGuard GUI (default: true for backward compat)
  - wireguard.enabledVms: List of VMs where WireGuard GUI is enabled
  - wireguard.preConfiguredPeers: Pre-configured WireGuard peers

Identity Provider (AD/LDAP):
  - identity.provider: Select auth backend (none/azure-ad/ldap/local)
  - identity.azure.*: Azure AD configuration (tenantId, clientId, domain)
  - identity.ldap.*: LDAP configuration (serverUri, baseDn, bindDn, etc.)

Update mvp-user-trial.nix to read wireguard-gui setting from deployment
profile, allowing per-deployment control over VPN availability.

Example usage:
  ghaf.reference.deployments.profiles.tii-internal.enable = true;
  # WireGuard enabled by default for tii-internal

  ghaf.reference.deployments.profiles.demo.enable = true;
  # WireGuard disabled for demo deployments

Extend deployment profiles with additional deployment-specific settings:

Proxy/Allowlist Configuration:
  - proxy.enable: Toggle proxy server
  - proxy.bindPort: Proxy listen port (default: 3128)
  - proxy.microsoftEndpointsUrl: MS 365 endpoints API
  - proxy.allowlistRepoUrl: GitHub repo for allowed URLs
  - proxy.allowlistRefreshInterval: Allowlist refresh schedule

GlobalProtect VPN:
  - globalProtect.enable: Toggle VPN client in business-vm
  - globalProtect.serverAddress: VPN server IP/hostname
  - globalProtect.portalAddress: Optional portal address

Gala (Android-in-Cloud):
  - gala.enable: Toggle Gala application
  - gala.serverUrl: Gala instance URL

Development/SSH Access:
  - development.authorizedSshKeys: Per-deployment SSH keys
  - development.enableSshAccess: Toggle SSH access
  - development.enableDebugTools: Include debug tools

SSH Keys:
  - Move TII developer SSH keys from authorizedSshKeys.nix to tii-internal.nix
  - keys.nix now reads from deployments.development.authorizedSshKeys
  - authorizedSshKeys.nix provides backward compatibility by defaulting
    to the deployment profile value

Admin Password:
  - Add users.adminPassword and users.adminHashedPassword to deployment options
  - accounts.nix now reads password from deployment profile
  - Default password remains 'ghaf' for backward compatibility
  - Production deployments can use hashed passwords

This allows different deployments to have:
  - Different SSH key sets (TII internal vs customer vs demo)
  - Different admin passwords per deployment
  - Proper separation of credentials from code

Wire up existing modules to use deployment settings:
  - 3proxy-config.nix: Uses proxy.* settings for URLs and refresh interval
  - business.nix: Conditionally includes Gala/VPN based on deployment,
    uses deployment VPN server for firewall rules

Deployment profile updates:
  - tii-internal: All features enabled with TII defaults
  - demo: VPN, Gala, SSH disabled for simpler demos

Signed-off-by: vadik likholetov <vadikas@gmail.com>
@milva-unikie commented:

Orin-AGX is failing in jenkins-pre-merge pipeline because net-vm is not sending any logs even though it is running. Orin-NX has the same issue, but on NX that case is skipped due to unrelated reasons.

[ghaf@ghaf-host:~]$ systemctl show microvm@net-vm.service
...
ActiveState=active
SubState=running
...

[ghaf@ghaf-host:~]$ journalctl -b -u microvm@net-vm.service
-- No entries --
