host/shared: move tor-browser to the container

2024-04-07 02:35:53 +03:00 · 2024-04-07 02:35:53 +03:00 · 5ae4c7f83a
commit 5ae4c7f83a
parent d7a8402507
3 changed files with 72 additions and 4 deletions
--- a/home/users/jan/home.nix
+++ b/home/users/jan/home.nix
@ -71,10 +71,6 @@
    bind.dnsutils
    kubo # ipfs

-    # browsers
-    # ungoogled-chromium
-    tor-browser-bundle-bin
-
    woodpecker-cli

    # games
--- a/nixos/hosts/home/default.nix
+++ b/nixos/hosts/home/default.nix
@ -14,6 +14,7 @@
    ../../shared/garbage-collector.nix
    ../../shared/networking.secret.nix
    ../../shared/encrypted-dns.nix
+    ../../shared/tor-browser.nix
  ];

  boot.extraModulePackages = with config.boot.kernelPackages; [
--- a/nixos/shared/tor-browser.nix
+++ b/nixos/shared/tor-browser.nix
@ -0,0 +1,71 @@
+{ pkgs, ... }:
+
+let
+  data = import ../../data.nix;
+
+  torBrowser = pkgs.tor-browser-bundle-bin.override {
+    mediaSupport = true;
+    pulseaudioSupport = true;
+  };
+
+  hostRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''
+    set -x
+    ${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
+    ${pkgs.xorg.xhost}/bin/xhost +
+    ssh -X browser@192.168.7.11 run-tor-browser
+  '';
+
+  clientRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''
+    set -x
+    PULSE_SERVER=tcp:192.168.7.10:4713 \
+    XAUTHORITY="/home/browser/.Xauthority" \
+    DBUS_SESSION_BUS_ADDRESS="" \
+    DISPLAY=192.168.7.10:0.0 \
+    ${pkgs.apulse}/bin/apulse tor-browser $@
+  '';
+in
+{
+  environment.systemPackages = [ hostRunTorBrowser ];
+
+  hardware.pulseaudio = {
+    enable = true;
+    systemWide = true;
+    support32Bit = true;
+    tcp = {
+      enable = true;
+      anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
+    };
+  };
+
+  networking = {
+    firewall.allowedTCPPorts = [ 4713 6000 ];
+    nat = {
+      enable = true;
+      internalInterfaces = [ "ve-browser" ];
+      externalInterface = "wg0";
+    };
+  };
+
+  containers.browser = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.7.10";
+    localAddress = "192.168.7.11";
+
+    config = { config, pkgs, ... }: {
+      system.stateVersion = "23.11";
+      services.openssh = {
+        enable = true;
+        settings.X11Forwarding = true;
+      };
+
+      users.extraUsers.browser = {
+        isNormalUser = true;
+        home = "/home/browser";
+        openssh.authorizedKeys.keys = data.publicKeys.users.jan;
+        extraGroups = [ "audio" "video" ];
+        packages = [ clientRunTorBrowser torBrowser ];
+      };
+    };
+  };
+}