dtcc-onboarding/flake.nix

{
  description = "A flake providing a NixOS Qemu VM for DTCC onboarding.";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
  };

  outputs = { self, nixpkgs }: let
    # (note): Keep this up to date
    constants = {
      citrixDownloadPageUrl = "https://www.citrix.com/downloads/workspace-app/legacy-workspace-app-for-linux/workspace-app-for-linux-250810.html";
      citrixTarballHash = "sha256-bd3ClxBRJgvjJW+waKBE31k9ePam+n2pHeSjlkvkDRo=";

      dtccVdiUrl = "https://myvdi.dtcc.com";

      icaDisclaimer = ''
        WARNING: ICA files are only good to be used ONCE. If you've logged into the DTCC virtual
        desktop using it before, you will get a connection error from Citrix upon trying to log in
        with it again. To get a fresh ICA file, you need to _refresh_ your myvdi.dtcc.com page and
        download it via 'Open' again.
        
        The ICA files listed below are ordered from newest to oldest for your convenience,
        so '1' is usually the correct choice. This file will get copied into the VM.

        You are free to remove old/stale ICA files from your system.
      '';
    };

    pkgs = import nixpkgs {
      system = "x86_64-linux";
      config = {
        allowUnfree = true;
        allowBroken = true;
        permittedInsecurePackages = [
          "libsoup-2.74.3"
        ];
      };
      overlays = [
        (self: super: {
          citrix_workspace = super.citrix_workspace.overrideAttrs (_: {
            src = scripts.citrixTarballScraper;
          });
          ungoogled-chromium = super.ungoogled-chromium.override {
            # Disables the prompt to create a default keyring on initial startup.
            commandLineArgs = "--password-store=basic";
          };
        })
      ];
    };

    scripts.citrixTarballScraper = pkgs.stdenvNoCC.mkDerivation {
      name = "citrix-workspace-src.tar.gz";
      
      outputHashMode = "flat";
      outputHashAlgo = "sha256";
      outputHash = constants.citrixTarballHash;

      nativeBuildInputs = [ pkgs.curl pkgs.cacert ];

      # (credit): Based on the scraper used in the AUR PKGBUILD for `icaclient-beta`
      buildCommand = ''
        _body="$(curl -sL "${constants.citrixDownloadPageUrl}")"
        _dl_urls="$(grep -F ".tar.gz?__gda__" <<< "$_body")"
        _tarball_url=https:"$(sed -En 's|^.*rel="(//.*/linuxx64-[^"]*)".*$|\1|p' <<< "$_dl_urls")"
        
        curl -L "$_tarball_url" -o "$out"
      '';
    };

    scripts.launchVm = pkgs.writeShellScriptBin "launch-vm" ''
      # Vibecoded w/ Claude
      select_ica_file() {
        local download_dir="''${XDG_DOWNLOAD_DIR:-$HOME/Downloads}"
        local -a files

        mapfile -t files < <(
          {
            find "$download_dir" -maxdepth 1 -name "*.ica" -type f -printf "%T@\t%p\n" 2>/dev/null
            find "$PWD" -maxdepth 1 -name "*.ica" -type f -printf "%T@\t%p\n" 2>/dev/null
          } \
            | sort -u -t$'\t' -k2 \
            | sort -rn -t$'\t' -k1 \
            | cut -f2-
        )

        if [[ ''${#files[@]} -eq 0 ]]; then
          echo "No .ica files found in $download_dir or $PWD." >&2
          return 0
        fi

        echo "${constants.icaDisclaimer}" >&2

        echo "Available .ica files:" >&2
        for i in "''${!files[@]}"; do
          echo "  $((i+1))) ''${files[$i]}" >&2
        done

        local selection
        while true; do
          read -rp "Select file [1-''${#files[@]}] (leave blank to start interactive session): " \
            selection >&2
          if [[ -z "$selection" ]] || \
             ([[ "$selection" =~ ^[0-9]+$ ]] && \
             (( selection >= 1 && selection <= ''${#files[@]} ))); then
            break
          fi
          echo "Invalid selection, please enter a number between 1 and ''${#files[@]}." >&2
          echo "Or leave blank to start an interactive session."
        done

        if [[ -n "$selection" ]]; then
          echo "''${files[$((selection-1))]}"
        fi
      }

      ica_file=$(select_ica_file)
      mkdir -p /tmp/dtcc-onboarding
      if [[ -n "''${ica_file}" ]]; then
        cp "$ica_file" /tmp/dtcc-onboarding/dtcc-ica.ica
      else
        echo "Launching interactive session..." >&2
      fi

      ${self.nixosConfigurations.dtcc-onboarding.config.system.build.vm}/bin/run-nixos-vm
    '';

    scripts.autolaunch = pkgs.writeShellScriptBin "autolaunch" ''
      if [[ -f /mnt/ica/dtcc-ica.ica ]]; then
        ${pkgs.citrix_workspace}/bin/wfica /mnt/ica/dtcc-ica.ica
      else
        ${pkgs.ungoogled-chromium}/bin/chromium ${constants.dtccVdiUrl}
      fi
    '';
  in {
    nixosConfigurations.dtcc-onboarding = nixpkgs.lib.nixosSystem {
      inherit pkgs;
      system = "x86_64-linux";
      modules = [
        "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
        ({ pkgs, ... }: {
          environment.systemPackages = with pkgs; [
            citrix_workspace
            ungoogled-chromium
            gnomeExtensions.no-overview
          ];

          services = {
            displayManager.gdm = {
              enable = true;
              wayland = true;
            };
            displayManager.autoLogin = {
              enable = true;
              user = "nixos";
            };
            desktopManager.gnome.enable = true;
          };

          programs.dconf = {
            enable = true;
            profiles.user.databases = [{
              settings = {
                "org/gnome/shell" = {
                  enabled-extensions = [ "no-overview@fthx" ];
                  welcome-dialog-last-shown-version = "99.0";
                };
              };
            }];
          };

          users.users.nixos = {
            isNormalUser = true;
            extraGroups = [ "wheel" ];
            password = "";
          };

          security.sudo.wheelNeedsPassword = false;

          xdg.mime.enable = true;

          environment.etc."share/applications/mimeapps.list".text = ''
            [Default Applications]
            application/x-ica=wfica.desktop
          '';

          environment.etc."share/applications/wfica.desktop".text = ''
            [Desktop Entry]
            Type=Application
            Name=Citrix Workspace
            Exec=wfica %f
            MimeType=application/x-ica;
            NoDisplay=true
          '';

          environment.etc."chromium/policies/managed/default-browser.json".text = builtins.toJSON {
            DefaultBrowserSettingEnabled = false;
          };

          environment.etc."chromium/policies/managed/downloads.json".text = builtins.toJSON {
            PromptForDownloadLocation = false;
            AutoOpenFileTypes = [ "ica" ];
          };

          # Launches Citrix or Chromium depending on whether the user specified a file on init.
          systemd.user.services.autolaunch = {
            description = "Launch Citrix ICA session";
            wantedBy = [ "graphical-session.target" ];
            after = [ "graphical-session.target" ];
            environment.PATH = pkgs.lib.mkForce "/run/current-system/sw/bin:/run/wrappers/bin";
            serviceConfig = {
              ExecStart = "${scripts.autolaunch}/bin/autolaunch";
              Restart = "no";
              Type = "oneshot";
            };
          };

          system.stateVersion = "25.11";

          virtualisation = {
            cores = 8;
            memorySize = 10 * 1024;
            msize = 128 * 1024;
            diskSize = 12 * 1024; 
            qemu.options = [
              "-vga none"
              "-device virtio-vga"
            ];
            sharedDirectories = {
              default = {
                source = "/tmp/dtcc-onboarding";
                target = "/mnt/ica";
              };
            };
          };
        })
      ];
    };
    packages.x86_64-linux = {
      inherit (scripts) citrixTarballScraper;
    };
    apps.x86_64-linux = {
      default = {
        type = "app";
        program = "${scripts.launchVm}/bin/launch-vm";
      };
    };
  };
}