modules/browsers: move all browsers to the container
This commit is contained in:
parent
4016eb1b71
commit
4dcbaa3656
8 changed files with 145 additions and 129 deletions
|
@ -46,6 +46,7 @@
|
||||||
"/var/lib/nixos"
|
"/var/lib/nixos"
|
||||||
"/var/lib/systemd/coredump"
|
"/var/lib/systemd/coredump"
|
||||||
"/etc/NetworkManager/system-connections"
|
"/etc/NetworkManager/system-connections"
|
||||||
|
"/etc/ssh/per-machine"
|
||||||
];
|
];
|
||||||
files = [
|
files = [
|
||||||
"/etc/machine-id"
|
"/etc/machine-id"
|
||||||
|
@ -66,5 +67,11 @@
|
||||||
];
|
];
|
||||||
files = [ "/var/lib/docker/engine-id" ];
|
files = [ "/var/lib/docker/engine-id" ];
|
||||||
};
|
};
|
||||||
|
"/presistent/ollama" = lib.mkIf config.services.ollama.enable {
|
||||||
|
hideMounts = true;
|
||||||
|
directories = [
|
||||||
|
"/var/lib/private/ollama"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
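Review bot: The new key `"/presistent/ollama"` looks misspelled — this is presumably an impermanence persistence entry, which only takes effect for an existing mount point, so if the other entries in this file (their keys lie outside the hunk) use `/persistent`, this one binds under a different directory and `/var/lib/private/ollama` will not survive a reboot despite the intent; the line would then be `"/persistent/ollama" = lib.mkIf config.services.ollama.enable {`. Note also that `/var/lib/private` is managed by systemd for `DynamicUser` services and, as far as I know, must stay mode 0700 for them to start; confirm that the parent directory created for this bind mount does not end up 0755. The `"/etc/ssh/per-machine"` directory added above holds the browsers container's SSH host keys (modules/browsers/default.nix bind-mounts `/etc/ssh/per-machine/browsers` read-write into the container), so it deserves restrictive permissions on the persistent volume as well. The enclosing attrset starts outside these hunks.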
|
|
|
@ -26,17 +26,14 @@
|
||||||
################################################################################
|
################################################################################
|
||||||
# Programs
|
# Programs
|
||||||
################################################################################
|
################################################################################
|
||||||
local.programs.browsers.tor-browser = {
|
|
||||||
enable = true;
|
|
||||||
container = {
|
|
||||||
enable = true;
|
|
||||||
externalInterface = "wg0";
|
|
||||||
sshAuthorizedKeys = globalData.publicKeys.users.jan;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.ollama = {
|
services.ollama = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.unstable.ollama;
|
package = pkgs.unstable.ollama;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
local.programs.browsers.tor-browser.enable = true;
|
||||||
|
|
||||||
|
environment.shellInit = ''
|
||||||
|
[ -n "$DISPLAY" ] && ${pkgs.xorg.xhost}/bin/xhost +si:localuser:$USER > /dev/null || true
|
||||||
|
'';
|
||||||
}
|
}
|
||||||
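Review bot: `[ -n "$DISPLAY" ] && ${pkgs.xorg.xhost}/bin/xhost +si:localuser:$USER > /dev/null || true` grants every local process running under the host user's uid unrestricted access to the X server for the rest of the session, and since modules/browsers/default.nix bind-mounts `/tmp/.X11-unix` into the container with `DISPLAY = ":0"`, this is presumably what lets the container's `kira` (same uid, I assume) reach the display. The consequence worth stating next to this line is that X11 is then not a security boundary: a client on the shared socket can observe input and window contents of the other clients, so the container isolates files and network, not the desktop session. A comment such as `# X access for every process with this uid, incl. the browsers container; the container is not isolated from the X session` would make the trade-off explicit, and since `environment.shellInit` runs for every shell rather than once per graphical login, a display-manager session hook would be the more natural place for this command. The enclosing attrset starts outside this hunk.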
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, globalData, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -12,14 +12,7 @@
|
||||||
################################################################################
|
################################################################################
|
||||||
# Programs
|
# Programs
|
||||||
################################################################################
|
################################################################################
|
||||||
local.programs.browsers.tor-browser = {
|
local.programs.browsers.tor-browser.enable = true;
|
||||||
enable = true;
|
|
||||||
container = {
|
|
||||||
enable = true;
|
|
||||||
externalInterface = "wg0";
|
|
||||||
sshAuthorizedKeys = globalData.publicKeys.users.jan;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# Services
|
# Services
|
||||||
|
@ -88,6 +81,7 @@
|
||||||
environment.sessionVariables = {
|
environment.sessionVariables = {
|
||||||
DISPLAY = ":0";
|
DISPLAY = ":0";
|
||||||
PULSE_SERVER = "tcp:127.0.0.1:4713";
|
PULSE_SERVER = "tcp:127.0.0.1:4713";
|
||||||
|
XAUTHORITY = "/home/john/.Xauthority";
|
||||||
|
|
||||||
WINEPREFIX = "/home/john/.wine";
|
WINEPREFIX = "/home/john/.wine";
|
||||||
WINEARCH = "win32";
|
WINEARCH = "win32";
|
||||||
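Review bot: `local.programs.browsers.tor-browser.enable = true;` on this host now pulls in the whole `containers.browsers` definition from modules/browsers/default.nix, which in this commit hard-codes `externalInterface = "wg0"`, `hostPath = "/home/jan/downloads/browser"` and `hostPath = "/home/jan/.librewolf"`, replacing the per-host `externalInterface` and `sshAuthorizedKeys` values this hunk deletes; the `/home/john/...` session variables below suggest this is not jan's machine, so the NAT interface and bind-mount sources are presumably wrong here (confirm whether `wg0` and that directory exist on this host). Keeping `externalInterface` and a downloads-directory option on the module, guarded by an assertion like the removed `cfg.container.externalInterface != ""` one, would restore per-host configuration. Also, `XAUTHORITY = "/home/john/.Xauthority"` in `environment.sessionVariables` is system-wide, so every other account (including root) inherits a path it cannot read; a per-user setting would be safer. The enclosing attrset starts and ends outside these hunks.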
|
|
|
@ -1,8 +1,126 @@
|
||||||
{ ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.local.programs.browsers;
|
||||||
|
|
||||||
|
hostAddress = "192.168.7.10";
|
||||||
|
localAddress = "192.168.7.11";
|
||||||
|
|
||||||
|
hostRunBrowser = pkgs.writeScript "run-browser" ''
|
||||||
|
host=browsers.containers
|
||||||
|
if [ -z "$(ssh-keygen -F $host)" ]; then
|
||||||
|
ssh-keyscan -H $host >> ~/.ssh/known_hosts
|
||||||
|
fi
|
||||||
|
ssh -o PubkeyAuthentication=no kira@$host $@
|
||||||
|
'';
|
||||||
|
|
||||||
|
contPackages =
|
||||||
|
lib.optional cfg.tor-browser.enable cfg.tor-browser.package
|
||||||
|
++ lib.optional cfg.librewolf.enable cfg.librewolf.package
|
||||||
|
++ lib.optional cfg.mullvad-browser.enable cfg.mullvad-browser.package;
|
||||||
|
|
||||||
|
hostPackages = lib.flip map contPackages (p:
|
||||||
|
pkgs.writeScriptBin "${p.meta.mainProgram}" ''
|
||||||
|
${hostRunBrowser} ${p.meta.mainProgram}
|
||||||
|
''
|
||||||
|
);
|
||||||
|
|
||||||
|
isEnable = cfg.tor-browser.enable
|
||||||
|
or cfg.librewolf.enable
|
||||||
|
or cfg.mullvad-browser.enable;
|
||||||
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./tor-browser.nix
|
./tor-browser.nix
|
||||||
./mullvad-browser.nix
|
./mullvad-browser.nix
|
||||||
./librewolf.nix
|
./librewolf.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
config = lib.mkIf isEnable {
|
||||||
|
environment.systemPackages = hostPackages;
|
||||||
|
|
||||||
|
hardware.pulseaudio = {
|
||||||
|
systemWide = true;
|
||||||
|
support32Bit = true;
|
||||||
|
tcp = {
|
||||||
|
enable = true;
|
||||||
|
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
firewall = {
|
||||||
|
allowedTCPPorts = [ 4713 ];
|
||||||
|
trustedInterfaces = [ "ve-*" ];
|
||||||
|
};
|
||||||
|
nat = {
|
||||||
|
enable = true;
|
||||||
|
internalInterfaces = [ "ve-browsers" ];
|
||||||
|
externalInterface = "wg0";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
containers.browsers = {
|
||||||
|
autoStart = true;
|
||||||
|
ephemeral = true;
|
||||||
|
|
||||||
|
privateNetwork = true;
|
||||||
|
inherit hostAddress localAddress;
|
||||||
|
|
||||||
|
bindMounts = lib.mkMerge [
|
||||||
|
{
|
||||||
|
"/tmp/.X11-unix" = { };
|
||||||
|
"/etc/ssh/keys" = {
|
||||||
|
isReadOnly = false;
|
||||||
|
hostPath = "/etc/ssh/per-machine/browsers";
|
||||||
|
};
|
||||||
|
"/home/kira/Downloads" = {
|
||||||
|
isReadOnly = false;
|
||||||
|
hostPath = "/home/jan/downloads/browser";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
(lib.mkIf cfg.librewolf.enable {
|
||||||
|
"/home/kira/.librewolf" = {
|
||||||
|
isReadOnly = false;
|
||||||
|
hostPath = "/home/jan/.librewolf";
|
||||||
|
};
|
||||||
|
})
|
||||||
|
];
|
||||||
|
|
||||||
|
config = { pkgs, ... }: {
|
||||||
|
system.stateVersion = "23.11";
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
settings.PasswordAuthentication = true;
|
||||||
|
hostKeys = [
|
||||||
|
{
|
||||||
|
bits = 4096;
|
||||||
|
path = "/etc/ssh/keys/ssh_host_rsa_key";
|
||||||
|
type = "rsa";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
path = "/etc/ssh/keys/ssh_host_ed25519_key";
|
||||||
|
type = "ed25519";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.kira = {
|
||||||
|
isNormalUser = true;
|
||||||
|
home = "/home/kira";
|
||||||
|
password = "hello";
|
||||||
|
extraGroups = [ "pulse-access" ];
|
||||||
|
packages = contPackages;
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.sessionVariables = {
|
||||||
|
DISPLAY = ":0";
|
||||||
|
PULSE_SERVER = "tcp:${hostAddress}:4713";
|
||||||
|
XAUTHORITY = "/home/kira/.Xauthority";
|
||||||
|
DBUS_SESSION_BUS_ADDRESS = "";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
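Review bot: `isEnable = cfg.tor-browser.enable or cfg.librewolf.enable or cfg.mullvad-browser.enable;` does not compute a boolean OR — in Nix `or` is the attribute-selection fallback (`a.b or default`), and because `cfg.tor-browser.enable` is always declared, `isEnable` is simply `cfg.tor-browser.enable`, so enabling only librewolf or mullvad-browser never activates the container; the line should read `isEnable = cfg.tor-browser.enable || cfg.librewolf.enable || cfg.mullvad-browser.enable;`. Separately, `users.users.kira` gets the fixed clear-text `password = "hello"` together with `settings.PasswordAuthentication = true` and the host script's `-o PubkeyAuthentication=no`, so anything that can reach 192.168.7.11 (the host, and plausibly `wg0` peers once `networking.nat` turns on forwarding) gets a shell in the container with write access to the `downloads/browser` and `.librewolf` bind mounts; the `sshAuthorizedKeys` option this commit deletes from tor-browser.nix did this with key authentication and is the safer shape (`openssh.authorizedKeys.keys` on kira, `settings.PasswordAuthentication = false`, no `password`). Also `firewall.allowedTCPPorts = [ 4713 ];` opens PulseAudio on every host interface although `trustedInterfaces = [ "ve-*" ]` already admits the container; `firewall.interfaces."ve-browsers".allowedTCPPorts = [ 4713 ];` keeps it off `wg0`. Finally, `ssh -o PubkeyAuthentication=no kira@$host $@` should quote `"$@"` so arguments with spaces survive the host-side word split.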
|
|
|
@ -1,7 +1,6 @@
|
||||||
{ config, pkgs, lib, inputs, ... }:
|
{ config, pkgs, lib, inputs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.local.programs.browsers.librewolf;
|
|
||||||
isPassEnabled = config.local.programs.pass.enable;
|
isPassEnabled = config.local.programs.pass.enable;
|
||||||
|
|
||||||
policiesJson = pkgs.callPackage ./policies.nix {
|
policiesJson = pkgs.callPackage ./policies.nix {
|
||||||
|
@ -20,9 +19,6 @@ in
|
||||||
{
|
{
|
||||||
options.local.programs.browsers.librewolf = with lib; {
|
options.local.programs.browsers.librewolf = with lib; {
|
||||||
enable = mkEnableOption "librewolf";
|
enable = mkEnableOption "librewolf";
|
||||||
};
|
package = mkPackageOption pkgs "librewolf" {} // { default = librewolf'; };
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
environment.systemPackages = [ librewolf' ];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
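Review bot: `package = mkPackageOption pkgs "librewolf" {} // { default = librewolf'; };` replaces only the `default` attribute of the generated option, so its `defaultText` still advertises `pkgs.librewolf` in generated documentation although the real default is the wrapped `librewolf'` from the `let` block; adding `defaultText = literalExpression "librewolf'";` to the override (or writing the option out with `mkOption { type = types.package; default = librewolf'; ... }`) keeps the docs honest. The same applies to the `mkPackageOption pkgs "mullvad-browser"` and `mkPackageOption pkgs "tor-browser-bundle-bin"` lines added in mullvad-browser.nix and tor-browser.nix. The `let` block defining `librewolf'` lies outside this hunk.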
|
|
|
@ -1,8 +1,6 @@
|
||||||
{ config, pkgs, lib, inputs, ... }:
|
{ pkgs, lib, inputs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.local.programs.browsers.mullvad-browser;
|
|
||||||
|
|
||||||
policiesJson = pkgs.callPackage ./policies.nix {
|
policiesJson = pkgs.callPackage ./policies.nix {
|
||||||
firefoxAddons = inputs.firefox-addons.packages."${pkgs.system}";
|
firefoxAddons = inputs.firefox-addons.packages."${pkgs.system}";
|
||||||
withRedirectorAddon = true;
|
withRedirectorAddon = true;
|
||||||
|
@ -21,9 +19,6 @@ in
|
||||||
{
|
{
|
||||||
options.local.programs.browsers.mullvad-browser = with lib; {
|
options.local.programs.browsers.mullvad-browser = with lib; {
|
||||||
enable = mkEnableOption "mullvad-browser";
|
enable = mkEnableOption "mullvad-browser";
|
||||||
};
|
package = mkPackageOption pkgs "mullvad-browser" {} // { default = mullvadBrowser; };
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
environment.systemPackages = [ mullvadBrowser ];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -28,7 +28,7 @@ writeText "policies.json" (builtins.toJSON {
|
||||||
SearchEngines = {
|
SearchEngines = {
|
||||||
Add = [
|
Add = [
|
||||||
{
|
{
|
||||||
Alias = "sx";
|
Alias = "@sx";
|
||||||
Name = "SearXNG";
|
Name = "SearXNG";
|
||||||
Description = "SearXNG — a privacy-respecting, open metasearch engine";
|
Description = "SearXNG — a privacy-respecting, open metasearch engine";
|
||||||
IconURL = "https://search.sapti.me/static/themes/simple/img/favicon.png";
|
IconURL = "https://search.sapti.me/static/themes/simple/img/favicon.png";
|
||||||
|
@ -36,28 +36,28 @@ writeText "policies.json" (builtins.toJSON {
|
||||||
}
|
}
|
||||||
] ++ lib.optionals withAllSearchEngines [
|
] ++ lib.optionals withAllSearchEngines [
|
||||||
{
|
{
|
||||||
Alias = "np";
|
Alias = "@np";
|
||||||
Name = "NixOS Packages";
|
Name = "NixOS Packages";
|
||||||
Description = "Search NixOS packages by name or description.";
|
Description = "Search NixOS packages by name or description.";
|
||||||
IconURL = "https://nixos.org/favicon.png";
|
IconURL = "https://nixos.org/favicon.png";
|
||||||
URLTemplate = "https://search.nixos.org/packages?query={searchTerms}";
|
URLTemplate = "https://search.nixos.org/packages?query={searchTerms}";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
Alias = "no";
|
Alias = "@no";
|
||||||
Name = "NixOS Options";
|
Name = "NixOS Options";
|
||||||
Description = "Search NixOS options by name or description.";
|
Description = "Search NixOS options by name or description.";
|
||||||
IconURL = "https://nixos.org/favicon.png";
|
IconURL = "https://nixos.org/favicon.png";
|
||||||
URLTemplate = "https://search.nixos.org/options?query={searchTerms}";
|
URLTemplate = "https://search.nixos.org/options?query={searchTerms}";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
Alias = "ng";
|
Alias = "@ng";
|
||||||
Name = "Noogle";
|
Name = "Noogle";
|
||||||
Description = "Search for nix functions by name.";
|
Description = "Search for nix functions by name.";
|
||||||
IconURL = "https://noogle.dev/favicon.png";
|
IconURL = "https://noogle.dev/favicon.png";
|
||||||
URLTemplate = "https://noogle.dev/q?term={searchTerms}";
|
URLTemplate = "https://noogle.dev/q?term={searchTerms}";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
Alias = "hg";
|
Alias = "@hg";
|
||||||
Name = "Hoogle";
|
Name = "Hoogle";
|
||||||
Description = ''
|
Description = ''
|
||||||
Hoogle is a Haskell API search engine, which allows you to
|
Hoogle is a Haskell API search engine, which allows you to
|
||||||
|
|
|
@ -1,8 +1,6 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.local.programs.browsers.tor-browser;
|
|
||||||
|
|
||||||
policiesJson = pkgs.callPackage ./policies.nix { };
|
policiesJson = pkgs.callPackage ./policies.nix { };
|
||||||
|
|
||||||
torBrowser = (pkgs.tor-browser-bundle-bin.override {
|
torBrowser = (pkgs.tor-browser-bundle-bin.override {
|
||||||
|
@ -18,95 +16,6 @@ in
|
||||||
{
|
{
|
||||||
options.local.programs.browsers.tor-browser = with lib; {
|
options.local.programs.browsers.tor-browser = with lib; {
|
||||||
enable = mkEnableOption "tor-browser";
|
enable = mkEnableOption "tor-browser";
|
||||||
container = {
|
package = mkPackageOption pkgs "tor-browser-bundle-bin" {} // { default = torBrowser; };
|
||||||
enable = mkEnableOption "tor-browser inside a container";
|
|
||||||
externalInterface = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "";
|
|
||||||
};
|
};
|
||||||
sshAuthorizedKeys = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable (lib.mkMerge [
|
|
||||||
(lib.mkIf (!cfg.container.enable) {
|
|
||||||
environment.systemPackages = [ torBrowser ];
|
|
||||||
})
|
|
||||||
(lib.mkIf cfg.container.enable (
|
|
||||||
let
|
|
||||||
hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
|
|
||||||
${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
|
|
||||||
${pkgs.xorg.xhost}/bin/xhost +
|
|
||||||
ssh -X browser@192.168.7.11 tor-browser
|
|
||||||
${pkgs.xorg.xhost}/bin/xhost -
|
|
||||||
'';
|
|
||||||
|
|
||||||
clientRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
|
|
||||||
PULSE_SERVER=tcp:192.168.7.10:4713 \
|
|
||||||
XAUTHORITY="/home/browser/.Xauthority" \
|
|
||||||
DBUS_SESSION_BUS_ADDRESS="" \
|
|
||||||
DISPLAY=192.168.7.10:0.0 \
|
|
||||||
${pkgs.apulse}/bin/apulse ${torBrowser}/bin/tor-browser $@
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
{
|
|
||||||
assertions = [
|
|
||||||
{
|
|
||||||
assertion = cfg.container.externalInterface != "";
|
|
||||||
message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `externalInterface` with Internet access";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
assertion = cfg.container.sshAuthorizedKeys != [ ];
|
|
||||||
message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `sshAuthorizedKeys` to connect to the container";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
environment.systemPackages = [ hostRunTorBrowser ];
|
|
||||||
|
|
||||||
hardware.pulseaudio = {
|
|
||||||
systemWide = true;
|
|
||||||
support32Bit = true;
|
|
||||||
tcp = {
|
|
||||||
enable = true;
|
|
||||||
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking = {
|
|
||||||
firewall.allowedTCPPorts = [ 4713 6000 ];
|
|
||||||
nat = {
|
|
||||||
enable = true;
|
|
||||||
internalInterfaces = [ "ve-browser" ];
|
|
||||||
externalInterface = cfg.container.externalInterface;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
containers.browser = {
|
|
||||||
autoStart = true;
|
|
||||||
privateNetwork = true;
|
|
||||||
hostAddress = "192.168.7.10";
|
|
||||||
localAddress = "192.168.7.11";
|
|
||||||
|
|
||||||
config = { ... }: {
|
|
||||||
system.stateVersion = "23.11";
|
|
||||||
services.openssh = {
|
|
||||||
enable = true;
|
|
||||||
settings.X11Forwarding = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
users.extraUsers.browser = {
|
|
||||||
isNormalUser = true;
|
|
||||||
home = "/home/browser";
|
|
||||||
openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
|
|
||||||
extraGroups = [ "pulse-access" ];
|
|
||||||
packages = [ clientRunTorBrowser ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
))
|
|
||||||
]);
|
|
||||||
}
|
}
|
||||||
|
|