feat: add oneleet

hosts/framework-work/default.nix

@@ -4,6 +4,7 @@
   imports = [
     ../../configuration.nix
     ./hardware-configuration.nix
+    ./oneleet-agent.nix
   ];
 
   networking.hostName = "framework-work";

hosts/framework-work/oneleet-agent.nix

@@ -0,0 +1,156 @@
+{ lib, pkgs, ... }:
+
+let
+  runtimeDeps = with pkgs; [
+    coreutils
+    cryptsetup
+    dbus
+    getent
+    glibc.bin
+    gnugrep
+    gnused
+    iproute2
+    pciutils
+    procps
+    shadow
+    systemd
+    util-linux
+    xdg-utils
+    zfs
+  ];
+
+  oneleetAgent = pkgs.stdenv.mkDerivation rec {
+    pname = "oneleet-agent";
+    version = "2.2.8";
+
+    src = pkgs.fetchurl {
+      url = "https://downloads.oneleet.com/agent/linux/agent_${version}_amd64.deb";
+      hash = "sha256-daB5mwlBNGx0vTxD4N12WmS/R80seQWt6UKKYy4xyHs=";
+    };
+
+    nativeBuildInputs = with pkgs; [
+      autoPatchelfHook
+      dpkg
+      makeWrapper
+    ];
+
+    buildInputs = with pkgs; [
+      alsa-lib
+      at-spi2-atk
+      at-spi2-core
+      atk
+      cairo
+      cups
+      dbus
+      expat
+      gdk-pixbuf
+      glib
+      gtk3
+      libappindicator-gtk3
+      libdrm
+      libnotify
+      libsecret
+      libuuid
+      libxkbcommon
+      mesa
+      nspr
+      nss
+      pango
+      stdenv.cc.cc
+      udev
+      libx11
+      libxscrnsaver
+      libxcomposite
+      libxdamage
+      libxext
+      libxfixes
+      libxrandr
+      libxtst
+      libxcb
+    ];
+
+    dontConfigure = true;
+    dontBuild = true;
+
+    unpackPhase = ''
+      runHook preUnpack
+      dpkg-deb -x "$src" .
+      runHook postUnpack
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p "$out/bin" "$out/opt" "$out/share"
+      cp -a opt/Oneleet "$out/opt/"
+      cp -a usr/share/. "$out/share/"
+
+      makeWrapper "$out/opt/Oneleet/oneleet-agent" "$out/bin/oneleet-agent" \
+        --prefix PATH : ${lib.makeBinPath runtimeDeps}
+      makeWrapper "$out/opt/Oneleet/oneleet-daemon" "$out/bin/oneleet-cli" \
+        --prefix PATH : ${lib.makeBinPath runtimeDeps}
+
+      substituteInPlace "$out/share/applications/oneleet-agent.desktop" \
+        --replace-fail "/opt/Oneleet/oneleet-agent" "$out/bin/oneleet-agent"
+
+      runHook postInstall
+    '';
+
+    preFixup = ''
+      addAutoPatchelfSearchPath "$out/opt/Oneleet"
+    '';
+
+    meta = {
+      description = "Oneleet endpoint agent";
+      homepage = "https://www.oneleet.com";
+      license = lib.licenses.unfree;
+      platforms = [ "x86_64-linux" ];
+    };
+  };
+in
+
+{
+  environment.systemPackages = [ oneleetAgent ];
+
+  systemd.tmpfiles.rules = [
+    "d /opt 0755 root root -"
+    "L+ /opt/Oneleet - - - - ${oneleetAgent}/opt/Oneleet"
+    "d /etc/oneleet 0755 root root -"
+    "d /var/log/oneleet 0755 root root -"
+    "d /var/opt/Oneleet 0755 root root -"
+
+    # Oneleet hardcodes these FHS paths for user/remediation tasks.
+    "d /usr/sbin 0755 root root -"
+    "d /sbin 0755 root root -"
+    "L+ /usr/bin/chage - - - - ${pkgs.shadow}/bin/chage"
+    "L+ /usr/bin/getent - - - - ${pkgs.getent}/bin/getent"
+    "L+ /usr/sbin/chpasswd - - - - ${pkgs.shadow}/bin/chpasswd"
+    "L+ /usr/sbin/useradd - - - - ${pkgs.shadow}/bin/useradd"
+    "L+ /usr/sbin/usermod - - - - ${pkgs.shadow}/bin/usermod"
+    "L+ /usr/sbin/userdel - - - - ${pkgs.shadow}/bin/userdel"
+    "L+ /sbin/shutdown - - - - ${pkgs.systemd}/bin/shutdown"
+  ];
+
+  systemd.services.oneleet-daemon = {
+    description = "Oneleet Agent Daemon";
+    wantedBy = [ "multi-user.target" ];
+    wants = [
+      "dbus.service"
+      "network-online.target"
+    ];
+    after = [
+      "dbus.service"
+      "network-online.target"
+    ];
+    path = runtimeDeps;
+
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${oneleetAgent}/bin/oneleet-cli";
+      Restart = "always";
+      RestartSec = 5;
+      WorkingDirectory = "/opt/Oneleet";
+      LogsDirectory = "oneleet";
+    };
+  };
+}