From 5afd1d5b53449055b4c9192c9079b6e5037414b3 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy
Date: Thu, 22 Aug 2024 22:27:39 +0300
Subject: [PATCH] wip

---
 hosts/asus-gl553vd/configuration.nix | 11 +-
 hosts/home/configuration.nix | 12 +-
 .../nixos/programs/browsers/tor-browser.nix | 128 ++++++++----------
 3 files changed, 58 insertions(+), 93 deletions(-)

diff --git a/hosts/asus-gl553vd/configuration.nix b/hosts/asus-gl553vd/configuration.nix
index 9da537f..f90ecd9 100644
--- a/hosts/asus-gl553vd/configuration.nix
+++ b/hosts/asus-gl553vd/configuration.nix
@@ -1,4 +1,4 @@
-{ globalData, ... }:
+{ ... }:
 
 {
 imports = [
@@ -26,12 +26,5 @@
 ################################################################################
 # Programs
 ################################################################################
- local.programs.browsers.tor-browser = {
- enable = true;
- container = {
- enable = true;
- externalInterface = "wg0";
- sshAuthorizedKeys = globalData.publicKeys.users.jan;
- };
- };
+ local.programs.browsers.tor-browser.enable = true;
 }
diff --git a/hosts/home/configuration.nix b/hosts/home/configuration.nix
index 3b763be..15de459 100644
--- a/hosts/home/configuration.nix
+++ b/hosts/home/configuration.nix
@@ -1,4 +1,4 @@
-{ config, globalData, pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
 imports = [
@@ -12,14 +12,7 @@
 ################################################################################
 # Programs
 ################################################################################
- local.programs.browsers.tor-browser = {
- enable = true;
- container = {
- enable = true;
- externalInterface = "wg0";
- sshAuthorizedKeys = globalData.publicKeys.users.jan;
- };
- };
+ local.programs.browsers.tor-browser.enable = true;
 
 ################################################################################
 # Services
@@ -87,6 +80,7 @@
 environment.sessionVariables = {
 DISPLAY = ":0";
 PULSE_SERVER = "tcp:127.0.0.1:4713";
+ XAUTHORITY = "/home/john/.Xauthority";
 WINEPREFIX = "/home/john/.wine";
 WINEARCH = "win32";
diff --git a/modules/nixos/programs/browsers/tor-browser.nix b/modules/nixos/programs/browsers/tor-browser.nix
index ba79f2e..f015979 100644
--- a/modules/nixos/programs/browsers/tor-browser.nix
+++ b/modules/nixos/programs/browsers/tor-browser.nix
@@ -14,67 +14,31 @@ let
 install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json
 '';
 });
+
+ hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
+ ${pkgs.xorg.xhost}/bin/xhost +local:
+ ssh -X browser@${config.containers.browser.localAddress} tor-browser
+ ${pkgs.xorg.xhost}/bin/xhost -local:
+ '';
 in
 {
 options.local.programs.browsers.tor-browser = with lib; {
 enable = mkEnableOption "tor-browser";
- container = {
- enable = mkEnableOption "tor-browser inside a container";
- externalInterface = mkOption {
- type = types.str;
- default = "";
- };
- sshAuthorizedKeys = mkOption {
- type = types.listOf types.str;
- default = [ ];
- };
- };
 };
- config = lib.mkIf cfg.enable (lib.mkMerge [
- (lib.mkIf (!cfg.container.enable) {
- environment.systemPackages = [ torBrowser ];
- })
- (lib.mkIf cfg.container.enable (
- let
- hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
- ${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
- ${pkgs.xorg.xhost}/bin/xhost +
- ssh -X browser@192.168.7.11 tor-browser
- ${pkgs.xorg.xhost}/bin/xhost -
- '';
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [ hostRunTorBrowser ];
- clientRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
- PULSE_SERVER=tcp:192.168.7.10:4713 \
- XAUTHORITY="/home/browser/.Xauthority" \
- DBUS_SESSION_BUS_ADDRESS="" \
- DISPLAY=192.168.7.10:0.0 \
- ${pkgs.apulse}/bin/apulse ${torBrowser}/bin/tor-browser $@
- '';
- in
- {
- assertions = [
- {
- assertion = cfg.container.externalInterface != "";
- message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `externalInterface` with Internet access";
- }
- {
- assertion = cfg.container.sshAuthorizedKeys != [ ];
- message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `sshAuthorizedKeys` to connect to the container";
- }
- ];
-
- environment.systemPackages = [ hostRunTorBrowser ];
-
- hardware.pulseaudio = {
- systemWide = true;
- support32Bit = true;
- tcp = {
- enable = true;
- anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
- };
- };
+ hardware.pulseaudio = {
+ systemWide = true;
+ support32Bit = true;
+ tcp = {
+ enable = true;
+ anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
+ };
+ };
+ /*
 networking = {
 firewall.allowedTCPPorts = [ 4713 6000 ];
 nat = {
@@ -83,30 +47,44 @@ in
 externalInterface = cfg.container.externalInterface;
 };
 };
+ */
- containers.browser = {
- autoStart = true;
- privateNetwork = true;
- hostAddress = "192.168.7.10";
- localAddress = "192.168.7.11";
+ containers.browser = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.7.10";
+ localAddress = "192.168.7.11";
- config = { ... }: {
- system.stateVersion = "23.11";
- services.openssh = {
- enable = true;
- settings.X11Forwarding = true;
- };
+ bindMounts = {
+ "/tmp/.X11-unix" = { };
+ };
- users.extraUsers.browser = {
- isNormalUser = true;
- home = "/home/browser";
- openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
- extraGroups = [ "pulse-access" ];
- packages = [ clientRunTorBrowser ];
- };
- };
+ config = { ... }: {
+ system.stateVersion = "23.11";
+
+ services.openssh = {
+ enable = true;
+ settings.X11Forwarding = true;
+ settings.PasswordAuthentication = true;
 };
- }
- ))
- ]);
+
+ users.extraUsers.browser = {
+ isNormalUser = true;
+ home = "/home/browser";
+ password = "hello";
+ openssh.authorizedPrincipals = [ "jan@${config.containers.browser.hostAddress}" ];
+ # openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
+ extraGroups = [ "pulse-access" ];
+ packages = [ torBrowser ];
+ };
+
+ environment.sessionVariables = {
+ DISPLAY = "${config.containers.browser.hostAddress}:0.0";
+ PULSE_SERVER = "tcp:${config.containers.browser.hostAddress}:4713";
+ XAUTHORITY = "/home/browser/.Xauthority";
+ DBUS_SESSION_BUS_ADDRESS = "";
+ };
+ };
+ };
 }
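Review bot: The new `hostRunTorBrowser` wrapper (added to the `let` block, which starts above this hunk) runs `xhost +local:` before `ssh -X`, which opens the host X display to every local client, not just the container's browser user, and the closing `xhost -local:` is skipped whenever the ssh command is interrupted, so the display can stay open after the wrapper exits. Since `ssh -X` already provides a cookie-authenticated forwarded display inside the container, the xhost lines look redundant for that path; if direct socket access via the `/tmp/.X11-unix` bind mount is what is intended, scope it to one peer with `xhost +si:localuser:<user>` and run the revert from a `trap '…' EXIT`. The script is built with `writeScriptBin`, so it carries no shebang and `trap` would depend on whatever shell the caller falls back to — `writeShellScriptBin` would pin it. The in-container `DISPLAY = "${config.containers.browser.hostAddress}:0.0"` set later in this diff points at TCP port 6000 on the host, but the socat listener that served it is removed here and the firewall block is commented out, so that path presumably no longer works; a comment stating which display path (ssh -X, bind-mounted socket, or TCP) is the intended one would help.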
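Review bot: `password = "hello";` together with `settings.PasswordAuthentication = true;` gives the X-capable `browser` account in the container a fixed, guessable ssh credential, and because `password` is the clear-text `users.users` option the literal ends up in the world-readable Nix store on the host; the key-based `openssh.authorizedKeys.keys` line it replaces is left commented out. The `openssh.authorizedPrincipals` entry only takes effect for certificate authentication, which nothing in this hunk configures (no trusted CA key), so it grants nothing on its own and may read as if it did. With the `networking` block now inside `/* … */`, the container also loses NAT and the 4713/6000 openings, so the browser inside it presumably cannot reach the network or the host's pulse socket — if that is temporary, a `# TODO:` on the `/*` line would say so. Suggested replacement in the user block: `openssh.authorizedKeys.keys = [ "<ssh-public-key-placeholder>" ];` with `settings.PasswordAuthentication = false;` and the `password` line removed. The enclosing `config = lib.mkIf cfg.enable {` attrset begins in the previous hunk.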