tiiuae · vadika · Mar 18, 2026
diff --git a/flake.lock b/flake.lock
diff --git a/lib/builders/mkGhafConfiguration.nix b/lib/builders/mkGhafConfiguration.nix
@@ -109,17 +109,15 @@ let
       # 1. ghaf.profiles.{debug,release}.enable for host-side module activation
       # 2. ghaf.global-config to the corresponding profile for VM-side config propagation
       #
-      # Note: global-config uses mkDefault so that platform-specific profiles (like orin.nix)
-      # can override specific values. For example, orin.nix sets ghaf.givc.enable = false
-      # and this should propagate to VMs via ghaf.global-config.givc.enable.
+      # Note: global-config uses mkDefault so target modules can still override specific
+      # values when needed.
+
       variantModule = {
         ghaf.profiles = {
           debug.enable = variant == "debug";
           release.enable = variant == "release";
         };
         # Set global-config to match the variant's profile using mkDefault
-        # This allows profile modules to override specific global-config values
-        # Example: orin.nix can set ghaf.global-config.givc.enable = false
         ghaf.global-config = lib.mapAttrsRecursive (_: v: lib.mkDefault v) (
           lib.ghaf.profiles.${variant} or lib.ghaf.profiles.minimal
         );

diff --git a/lib/global-config.nix b/lib/global-config.nix
@@ -52,6 +52,12 @@ rec {
             description = "Logging listener address";
           };
 
+          serverName = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            description = "Optional TLS server name for validating the admin-vm logging listener certificate";
+          };
+
           port = mkOption {
             type = types.port;
             default = 9999;

diff --git a/modules/common/global-config.nix b/modules/common/global-config.nix
@@ -47,6 +47,10 @@
       logging.listener.address = lib.mkIf (
         config.ghaf.global-config.logging.enable && config.ghaf.common.adminHost != null
       ) (lib.mkDefault config.ghaf.networking.hosts.admin-vm.ipv4);
+      # Auto-populate logging TLS server_name for producer-side certificate validation.
+      logging.listener.serverName = lib.mkIf (
+        config.ghaf.global-config.logging.enable && config.ghaf.common.adminHost != null
+      ) (lib.mkDefault "admin-vm");
     };
   };
 }
diff --git a/modules/common/logging/client.nix b/modules/common/logging/client.nix
@@ -11,6 +11,7 @@ let
     mkEnableOption
     mkOption
     types
+    hasPrefix
     optionalString
     ;
   cfg = config.ghaf.logging.client;
@@ -58,6 +59,11 @@ in
         default = "TLS12";
         description = "Minimum TLS version for the outbound connection.";
       };
+      serverName = mkOption {
+        type = types.nullOr types.str;
+        default = if listener.serverName != null then listener.serverName else "admin-vm";
+        description = "Expected TLS server_name (SNI) for validating the admin-vm listener certificate.";
+      };
     };
   };
 
@@ -121,6 +127,7 @@ in
               cert_file   = sys.env("CREDENTIALS_DIRECTORY") + "/client_cert"
               key_file    = sys.env("CREDENTIALS_DIRECTORY") + "/client_key"
               min_version = "${cfg.tls.minVersion}"
+              ${optionalString (cfg.tls.serverName != null) ''server_name = "${cfg.tls.serverName}"''}
             }
           }
         }
@@ -131,6 +138,18 @@ in
 
     services.alloy.enable = true;
 
+    systemd.services.alloy.unitConfig.RequiresMountsFor = lib.unique (
+      lib.optionals (cfg.tls.certFile != null && hasPrefix "/etc/givc/" (toString cfg.tls.certFile)) [
+        (dirOf (toString cfg.tls.certFile))
+      ]
+      ++ lib.optionals (cfg.tls.keyFile != null && hasPrefix "/etc/givc/" (toString cfg.tls.keyFile)) [
+        (dirOf (toString cfg.tls.keyFile))
+      ]
+      ++ lib.optionals (cfg.tls.caFile != null && hasPrefix "/etc/givc/" (toString cfg.tls.caFile)) [
+        (dirOf (toString cfg.tls.caFile))
+      ]
+    );
+
     systemd.services.alloy.serviceConfig = {
       after = [
         "systemd-journald.service"

diff --git a/modules/common/logging/common.nix b/modules/common/logging/common.nix
@@ -102,6 +102,15 @@ in
       default = 9999;
     };
 
+    listener.serverName = mkOption {
+      description = ''
+        Optional TLS server name used by log producers when
+        verifying the admin-vm listener certificate.
+      '';
+      type = types.nullOr types.str;
+      default = null;
+    };
+
     journalRetention = {
       enable = mkOption {
         description = ''

diff --git a/modules/common/logging/fss.nix b/modules/common/logging/fss.nix
@@ -453,6 +453,14 @@ in
         after = [ "systemd-journald.service" ];
         wants = [ "systemd-journald.service" ];
 
+        unitConfig = {
+          RequiresMountsFor = [
+            cfg.keyPath
+            "/var/log/journal"
+            "/run/log/journal"
+          ];
+        };
+
         serviceConfig = {
           Type = "oneshot";
           RemainAfterExit = true;
@@ -477,6 +485,11 @@ in
         unitConfig = {
           # Only run if FSS setup has completed successfully
           ConditionPathExists = "${cfg.keyPath}/initialized";
+          RequiresMountsFor = [
+            cfg.keyPath
+            "/var/log/journal"
+            "/run/log/journal"
+          ];
         };
 
         serviceConfig = {

diff --git a/modules/common/security/audit/default.nix b/modules/common/security/audit/default.nix
@@ -114,6 +114,11 @@ in
 
         # Let systemd use default ordering for audit-rules instead of early-boot
         unitConfig.DefaultDependencies = lib.mkForce true;
+        unitConfig.RequiresMountsFor = [
+          "/etc/givc"
+          "/etc/common/journal-fss"
+          "/var/log/journal"
+        ];
         before = lib.mkForce [ ];
       };
 

diff --git a/modules/givc/host.nix b/modules/givc/host.nix
@@ -15,6 +15,7 @@ let
     optionalString
     optionals
     ;
+  tlsStoragePath = "/persist/storagevm/givc";
 in
 {
   _file = ./host.nix;
@@ -80,7 +81,7 @@ in
         addr = v.ipv4;
       }) config.ghaf.networking.hosts;
       generatorHostName = config.networking.hostName;
-      storagePath = "/persist/storagevm/givc";
+      storagePath = tlsStoragePath;
     };
 
     ghaf.security.audit.extraRules = [

diff --git a/modules/profiles/orin.nix b/modules/profiles/orin.nix
@@ -209,13 +209,6 @@ in
         nvidia-docker.daemon.enable = true;
       };
 
-      # Disable givc on Orin - GIVC requires TLS certificate infrastructure
-      # that isn't set up for Orin devices. This must be set in both:
-      # 1. ghaf.givc.enable (host-level option)
-      # 2. ghaf.global-config.givc.enable (propagates to VMs via specialArgs)
-      givc.enable = false;
-      global-config.givc.enable = false;
-
       host.networking = {
         enable = true;
       };

diff --git a/modules/reference/hardware/jetpack/nvidia-jetson-orin/jetson-orin.nix b/modules/reference/hardware/jetpack/nvidia-jetson-orin/jetson-orin.nix
@@ -304,6 +304,13 @@ in
     hardware.nvidia-jetpack.kernel.version = "${cfg.kernelVersion}";
     nixpkgs.hostPlatform.system = "aarch64-linux";
 
+    ghaf.givc.enable = true;
+    ghaf.givc.debug = false;
+    ghaf.logging.enable = true;
+    ghaf.logging.listener.address = config.ghaf.networking.hosts.admin-vm.ipv4;
+
+    ghaf.global-config.givc.enable = true;
+    ghaf.global-config.logging.enable = true;
     ghaf.hardware = {
       aarch64.systemd-boot-dtb.enable = true;
       passthrough = {

diff --git a/targets/nvidia-jetson-orin/flake-module.nix b/targets/nvidia-jetson-orin/flake-module.nix
@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2022-2026 TII (SSRC) and the Ghaf contributors
 # SPDX-License-Identifier: Apache-2.0
 #
-# Configuration for NVIDIA Jetson Orin AGX/NX
+#  Configuration for NVIDIA Jetson Orin AGX/NX
 #
 {
   lib,