system/modules/nixos/programs/browsers/tor-browser.nix

{ config, pkgs, lib, ... }:

let
  cfg = config.local.programs.browsers.tor-browser;

  policiesJson = pkgs.callPackage ./policies.nix { };

  torBrowser = (pkgs.tor-browser-bundle-bin.override {
    mediaSupport = true;
    pulseaudioSupport = true;
  }).overrideAttrs (attrs: {
    postInstall = ''
      rm $out/share/tor-browser/distribution/policies.json
      install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json
    '';
  });

  hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
    ${pkgs.xorg.xhost}/bin/xhost +local:
    ssh -X browser@${config.containers.browser.localAddress} tor-browser
    ${pkgs.xorg.xhost}/bin/xhost -local:
  '';
in
{
  options.local.programs.browsers.tor-browser = with lib; {
    enable = mkEnableOption "tor-browser";
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ hostRunTorBrowser ];

    hardware.pulseaudio = {
      systemWide = true;
      support32Bit = true;
      tcp = {
        enable = true;
        anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
      };
    };

    /*
        networking = {
          firewall.allowedTCPPorts = [ 4713 6000 ];
          nat = {
            enable = true;
            internalInterfaces = [ "ve-browser" ];
            externalInterface = cfg.container.externalInterface;
          };
        };
        */

    containers.browser = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.7.10";
      localAddress = "192.168.7.11";

      bindMounts = {
        "/tmp/.X11-unix" = { };
      };

      config = { ... }: {
        system.stateVersion = "23.11";

        services.openssh = {
          enable = true;
          settings.X11Forwarding = true;
          settings.PasswordAuthentication = true;
        };

        users.extraUsers.browser = {
          isNormalUser = true;
          home = "/home/browser";
          password = "hello";
          openssh.authorizedPrincipals = [ "jan@${config.containers.browser.hostAddress}" ];
          # openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
          extraGroups = [ "pulse-access" ];
          packages = [ torBrowser ];
        };

        environment.sessionVariables = {
          DISPLAY = "${config.containers.browser.hostAddress}:0.0";
          PULSE_SERVER = "tcp:${config.containers.browser.hostAddress}:4713";
          XAUTHORITY = "/home/browser/.Xauthority";
          DBUS_SESSION_BUS_ADDRESS = "";
        };
      };
    };
  };
}
modules/nixos: add more search engines 2024-04-18 18:18:53 +03:00			`{ config, pkgs, lib, ... }:`
refac modules 2024-04-16 02:51:46 +03:00
			`let`
			`cfg = config.local.programs.browsers.tor-browser;`

modules/nixos: add more search engines 2024-04-18 18:18:53 +03:00			`policiesJson = pkgs.callPackage ./policies.nix { };`
refac modules 2024-04-16 02:51:46 +03:00
			`torBrowser = (pkgs.tor-browser-bundle-bin.override {`
			`mediaSupport = true;`
			`pulseaudioSupport = true;`
			`}).overrideAttrs (attrs: {`
			`postInstall = ''`
			`rm $out/share/tor-browser/distribution/policies.json`
			`install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json`
			`'';`
			`});`
wip 2024-08-22 22:27:39 +03:00
			`hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''`
			`${pkgs.xorg.xhost}/bin/xhost +local:`
			`ssh -X browser@${config.containers.browser.localAddress} tor-browser`
			`${pkgs.xorg.xhost}/bin/xhost -local:`
			`'';`
refac modules 2024-04-16 02:51:46 +03:00			`in`
			`{`
			`options.local.programs.browsers.tor-browser = with lib; {`
			`enable = mkEnableOption "tor-browser";`
			`};`

wip 2024-08-22 22:27:39 +03:00			`config = lib.mkIf cfg.enable {`
			`environment.systemPackages = [ hostRunTorBrowser ];`
refac modules 2024-04-16 02:51:46 +03:00
wip 2024-08-22 22:27:39 +03:00			`hardware.pulseaudio = {`
			`systemWide = true;`
			`support32Bit = true;`
			`tcp = {`
			`enable = true;`
			`anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];`
			`};`
			`};`
refac modules 2024-04-16 02:51:46 +03:00
wip 2024-08-22 22:27:39 +03:00			`/*`
refac modules 2024-04-16 02:51:46 +03:00			`networking = {`
			`firewall.allowedTCPPorts = [ 4713 6000 ];`
			`nat = {`
			`enable = true;`
			`internalInterfaces = [ "ve-browser" ];`
			`externalInterface = cfg.container.externalInterface;`
			`};`
			`};`
wip 2024-08-22 22:27:39 +03:00			`*/`
refac modules 2024-04-16 02:51:46 +03:00
wip 2024-08-22 22:27:39 +03:00			`containers.browser = {`
			`autoStart = true;`
			`privateNetwork = true;`
			`hostAddress = "192.168.7.10";`
			`localAddress = "192.168.7.11";`
refac modules 2024-04-16 02:51:46 +03:00
wip 2024-08-22 22:27:39 +03:00			`bindMounts = {`
			`"/tmp/.X11-unix" = { };`
			`};`
refac modules 2024-04-16 02:51:46 +03:00
wip 2024-08-22 22:27:39 +03:00			`config = { ... }: {`
			`system.stateVersion = "23.11";`

			`services.openssh = {`
			`enable = true;`
			`settings.X11Forwarding = true;`
			`settings.PasswordAuthentication = true;`
			`};`

			`users.extraUsers.browser = {`
			`isNormalUser = true;`
			`home = "/home/browser";`
			`password = "hello";`
			`openssh.authorizedPrincipals = [ "jan@${config.containers.browser.hostAddress}" ];`
			`# openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;`
			`extraGroups = [ "pulse-access" ];`
			`packages = [ torBrowser ];`
refac modules 2024-04-16 02:51:46 +03:00			`};`
wip 2024-08-22 22:27:39 +03:00
			`environment.sessionVariables = {`
			`DISPLAY = "${config.containers.browser.hostAddress}:0.0";`
			`PULSE_SERVER = "tcp:${config.containers.browser.hostAddress}:4713";`
			`XAUTHORITY = "/home/browser/.Xauthority";`
			`DBUS_SESSION_BUS_ADDRESS = "";`
			`};`
			`};`
			`};`
			`};`
refac modules 2024-04-16 02:51:46 +03:00			`}`