host/shared: move tor-browser to the container

This commit is contained in:
Dmitriy Pleshevskiy 2024-04-07 02:35:53 +03:00
parent d7a8402507
commit 5ae4c7f83a
Signed by: pleshevskiy
GPG key ID: 17041163DA10A9A2
3 changed files with 72 additions and 4 deletions


@ -71,10 +71,6 @@
bind.dnsutils
kubo # ipfs
# browsers
# ungoogled-chromium
tor-browser-bundle-bin
woodpecker-cli
# games


@ -14,6 +14,7 @@
../../shared/garbage-collector.nix
../../shared/networking.secret.nix
../../shared/encrypted-dns.nix
../../shared/tor-browser.nix
];
boot.extraModulePackages = with config.boot.kernelPackages; [


@ -0,0 +1,71 @@
{ pkgs, ... }:
let
data = import ../../data.nix;
torBrowser = pkgs.tor-browser-bundle-bin.override {
mediaSupport = true;
pulseaudioSupport = true;
};
hostRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''
set -x
${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
${pkgs.xorg.xhost}/bin/xhost +
ssh -X browser@192.168.7.11 run-tor-browser
'';
clientRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''
set -x
PULSE_SERVER=tcp:192.168.7.10:4713 \
XAUTHORITY="/home/browser/.Xauthority" \
DBUS_SESSION_BUS_ADDRESS="" \
DISPLAY=192.168.7.10:0.0 \
${pkgs.apulse}/bin/apulse tor-browser $@
'';
in
{
environment.systemPackages = [ hostRunTorBrowser ];
hardware.pulseaudio = {
enable = true;
systemWide = true;
support32Bit = true;
tcp = {
enable = true;
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
};
};
networking = {
firewall.allowedTCPPorts = [ 4713 6000 ];
nat = {
enable = true;
internalInterfaces = [ "ve-browser" ];
externalInterface = "wg0";
};
};
containers.browser = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.7.10";
localAddress = "192.168.7.11";
config = { config, pkgs, ... }: {
system.stateVersion = "23.11";
services.openssh = {
enable = true;
settings.X11Forwarding = true;
};
users.extraUsers.browser = {
isNormalUser = true;
home = "/home/browser";
openssh.authorizedKeys.keys = data.publicKeys.users.jan;
extraGroups = [ "audio" "video" ];
packages = [ clientRunTorBrowser torBrowser ];
};
};
};
}
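Review bot: `xhost +` in hostRunTorBrowser disables X access control for every client that can reach the socat listener, and since clientRunTorBrowser overrides DISPLAY to the host's X server directly (`DISPLAY=192.168.7.10:0.0`), the browser in the container gets the same unrestricted X access as any local client — X11 has no client isolation, so a compromised browser could observe input and screen contents of the host session, which undoes most of what the container is for. Narrow the grant to the container's address, `${pkgs.xorg.xhost}/bin/xhost +192.168.7.11`, or drop the socat/xhost path and the DISPLAY override and let the existing `ssh -X` carry the display with its cookie-based authorization; with the DISPLAY override in place the `-X` on the ssh line appears to have no effect. Separately, `networking.firewall.allowedTCPPorts = [ 4713 6000 ];` opens both ports on every interface including the external `wg0`; scope them to the container link with `networking.firewall.interfaces."ve-browser".allowedTCPPorts = [ 4713 6000 ];`. Finally, `$@` on the apulse line should be `"$@"` so arguments containing spaces are passed through intact.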