From 5ae4c7f83acd50da5f59e22a9da701f1f70e04c4 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy
Date: Sun, 7 Apr 2024 02:35:53 +0300
Subject: [PATCH] host/shared: move tor-browser to the container
---
 home/users/jan/home.nix | 4 --
 nixos/hosts/home/default.nix | 1 +
 nixos/shared/tor-browser.nix | 71 ++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 nixos/shared/tor-browser.nix
diff --git a/home/users/jan/home.nix b/home/users/jan/home.nix
index d34a6d2..bcc77fd 100644
--- a/home/users/jan/home.nix
+++ b/home/users/jan/home.nix
@@ -71,10 +71,6 @@
 bind.dnsutils
 kubo # ipfs
- # browsers
- # ungoogled-chromium
- tor-browser-bundle-bin
-
 woodpecker-cli # games
diff --git a/nixos/hosts/home/default.nix b/nixos/hosts/home/default.nix
index 93f87d2..8ff1ff2 100644
--- a/nixos/hosts/home/default.nix
+++ b/nixos/hosts/home/default.nix
@@ -14,6 +14,7 @@
 ../../shared/garbage-collector.nix
 ../../shared/networking.secret.nix
 ../../shared/encrypted-dns.nix
+ ../../shared/tor-browser.nix
 ];
 boot.extraModulePackages = with config.boot.kernelPackages; [
diff --git a/nixos/shared/tor-browser.nix b/nixos/shared/tor-browser.nix
new file mode 100644
index 0000000..074a736
--- /dev/null
+++ b/nixos/shared/tor-browser.nix
@@ -0,0 +1,71 @@
+{ pkgs, ... }:
+
+let
+ data = import ../../data.nix;
+
+ torBrowser = pkgs.tor-browser-bundle-bin.override {
+ mediaSupport = true;
+ pulseaudioSupport = true;
+ };
+
+ hostRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''
+ set -x
+ ${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
+ ${pkgs.xorg.xhost}/bin/xhost +
+ ssh -X browser@192.168.7.11 run-tor-browser
+ '';
+
+ clientRunTorBrowser = pkgs.writeScriptBin "run-tor-browser" ''
+ set -x
+ PULSE_SERVER=tcp:192.168.7.10:4713 \
+ XAUTHORITY="/home/browser/.Xauthority" \
+ DBUS_SESSION_BUS_ADDRESS="" \
+ DISPLAY=192.168.7.10:0.0 \
+ ${pkgs.apulse}/bin/apulse tor-browser $@
+ '';
+in
+{
+ environment.systemPackages = [ hostRunTorBrowser ];
+
+ hardware.pulseaudio = {
+ enable = true;
+ systemWide = true;
+ support32Bit = true;
+ tcp = {
+ enable = true;
+ anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
+ };
+ };
+
+ networking = {
+ firewall.allowedTCPPorts = [ 4713 6000 ];
+ nat = {
+ enable = true;
+ internalInterfaces = [ "ve-browser" ];
+ externalInterface = "wg0";
+ };
+ };
+
+ containers.browser = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.7.10";
+ localAddress = "192.168.7.11";
+
+ config = { config, pkgs, ... }: {
+ system.stateVersion = "23.11";
+ services.openssh = {
+ enable = true;
+ settings.X11Forwarding = true;
+ };
+
+ users.extraUsers.browser = {
+ isNormalUser = true;
+ home = "/home/browser";
+ openssh.authorizedKeys.keys = data.publicKeys.users.jan;
+ extraGroups = [ "audio" "video" ];
+ packages = [ clientRunTorBrowser torBrowser ];
+ };
+ };
+ };
+}
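Review bot: `xhost +` in hostRunTorBrowser turns off X access control for every client, and with the socat relay of `/tmp/.X11-unix/X0` onto TCP 6000 plus `firewall.allowedTCPPorts = [ 4713 6000 ]` (which opens both ports on every interface, not just `ve-browser`) the container gets an unauthenticated X connection to the host session — a compromised Tor Browser can then observe or inject input into other host windows, which is exactly what moving it into a container was meant to prevent. The `ssh -X` forwarding does not protect against this, because clientRunTorBrowser overrides `DISPLAY=192.168.7.10:0.0`, so the raw TCP path is the one actually used and the forwarded display is never touched. Narrow the exposure: `networking.firewall.interfaces.ve-browser.allowedTCPPorts = [ 4713 6000 ];`, and replace `xhost +` with `${pkgs.xorg.xhost}/bin/xhost +inet:192.168.7.11` followed by a matching `xhost -inet:192.168.7.11` after ssh returns (or drop the socat/xhost path and let the ssh forwarding carry X). Two smaller points in the same hunk: the backgrounded socat is never killed, so each run leaves another listener on 6000 behind, and `$@` in clientRunTorBrowser should be `"$@"` to pass arguments intact.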