system/nixos/shared/tor-browser.nix

{ pkgs, ... }:

let
  data = import ../../data.nix;

  torBrowser = pkgs.tor-browser-bundle-bin.override {
    mediaSupport = true;
    pulseaudioSupport = true;
  };

  hostRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''
    set -x
    ${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
    ${pkgs.xorg.xhost}/bin/xhost +
    ssh -X browser@192.168.7.11 run-tor-browser
  '';

  clientRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''
    set -x
    PULSE_SERVER=tcp:192.168.7.10:4713 \
    XAUTHORITY="/home/browser/.Xauthority" \
    DBUS_SESSION_BUS_ADDRESS="" \
    DISPLAY=192.168.7.10:0.0 \
    ${pkgs.apulse}/bin/apulse tor-browser $@
  '';
in
{
  environment.systemPackages = [ hostRunTorBrowser ];

  hardware.pulseaudio = {
    enable = true;
    systemWide = true;
    support32Bit = true;
    tcp = {
      enable = true;
      anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
    };
  };

  networking = {
    firewall.allowedTCPPorts = [ 4713 6000 ];
    nat = {
      enable = true;
      internalInterfaces = [ "ve-browser" ];
      externalInterface = "wg0";
    };
  };

  containers.browser = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.7.10";
    localAddress = "192.168.7.11";

    config = { config, pkgs, ... }: {
      system.stateVersion = "23.11";
      services.openssh = {
        enable = true;
        settings.X11Forwarding = true;
      };

      users.extraUsers.browser = {
        isNormalUser = true;
        home = "/home/browser";
        openssh.authorizedKeys.keys = data.publicKeys.users.jan;
        extraGroups = [ "audio" "video" ];
        packages = [ clientRunTorBrowser torBrowser ];
      };
    };
  };
}
host/shared: move tor-browser to the container 2024-04-07 02:35:53 +03:00			`{ pkgs, ... }:`

			`let`
			`data = import ../../data.nix;`

			`torBrowser = pkgs.tor-browser-bundle-bin.override {`
			`mediaSupport = true;`
			`pulseaudioSupport = true;`
			`};`

			`hostRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''`
			`set -x`
			`${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &`
			`${pkgs.xorg.xhost}/bin/xhost +`
			`ssh -X browser@192.168.7.11 run-tor-browser`
			`'';`

			`clientRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''`
			`set -x`
			`PULSE_SERVER=tcp:192.168.7.10:4713 \`
			`XAUTHORITY="/home/browser/.Xauthority" \`
			`DBUS_SESSION_BUS_ADDRESS="" \`
			`DISPLAY=192.168.7.10:0.0 \`
			`${pkgs.apulse}/bin/apulse tor-browser $@`
			`'';`
			`in`
			`{`
			`environment.systemPackages = [ hostRunTorBrowser ];`

			`hardware.pulseaudio = {`
			`enable = true;`
			`systemWide = true;`
			`support32Bit = true;`
			`tcp = {`
			`enable = true;`
			`anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];`
			`};`
			`};`

			`networking = {`
			`firewall.allowedTCPPorts = [ 4713 6000 ];`
			`nat = {`
			`enable = true;`
			`internalInterfaces = [ "ve-browser" ];`
			`externalInterface = "wg0";`
			`};`
			`};`

			`containers.browser = {`
			`autoStart = true;`
			`privateNetwork = true;`
			`hostAddress = "192.168.7.10";`
			`localAddress = "192.168.7.11";`

			`config = { config, pkgs, ... }: {`
			`system.stateVersion = "23.11";`
			`services.openssh = {`
			`enable = true;`
			`settings.X11Forwarding = true;`
			`};`

			`users.extraUsers.browser = {`
			`isNormalUser = true;`
			`home = "/home/browser";`
			`openssh.authorizedKeys.keys = data.publicKeys.users.jan;`
			`extraGroups = [ "audio" "video" ];`
			`packages = [ clientRunTorBrowser torBrowser ];`
			`};`
			`};`
			`};`
			`}`