wip
This commit is contained in:
parent
4366a215e6
commit
5afd1d5b53
3 changed files with 58 additions and 93 deletions
|
@ -1,4 +1,4 @@
|
||||||
{ globalData, ... }:
|
{ ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -26,12 +26,5 @@
|
||||||
################################################################################
|
################################################################################
|
||||||
# Programs
|
# Programs
|
||||||
################################################################################
|
################################################################################
|
||||||
local.programs.browsers.tor-browser = {
|
local.programs.browsers.tor-browser.enable = true;
|
||||||
enable = true;
|
|
||||||
container = {
|
|
||||||
enable = true;
|
|
||||||
externalInterface = "wg0";
|
|
||||||
sshAuthorizedKeys = globalData.publicKeys.users.jan;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, globalData, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -12,14 +12,7 @@
|
||||||
################################################################################
|
################################################################################
|
||||||
# Programs
|
# Programs
|
||||||
################################################################################
|
################################################################################
|
||||||
local.programs.browsers.tor-browser = {
|
local.programs.browsers.tor-browser.enable = true;
|
||||||
enable = true;
|
|
||||||
container = {
|
|
||||||
enable = true;
|
|
||||||
externalInterface = "wg0";
|
|
||||||
sshAuthorizedKeys = globalData.publicKeys.users.jan;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# Services
|
# Services
|
||||||
|
@ -87,6 +80,7 @@
|
||||||
environment.sessionVariables = {
|
environment.sessionVariables = {
|
||||||
DISPLAY = ":0";
|
DISPLAY = ":0";
|
||||||
PULSE_SERVER = "tcp:127.0.0.1:4713";
|
PULSE_SERVER = "tcp:127.0.0.1:4713";
|
||||||
|
XAUTHORITY = "/home/john/.Xauthority";
|
||||||
|
|
||||||
WINEPREFIX = "/home/john/.wine";
|
WINEPREFIX = "/home/john/.wine";
|
||||||
WINEARCH = "win32";
|
WINEARCH = "win32";
|
||||||
|
|
|
@ -14,67 +14,31 @@ let
|
||||||
install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json
|
install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json
|
||||||
'';
|
'';
|
||||||
});
|
});
|
||||||
|
|
||||||
|
hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
|
||||||
|
${pkgs.xorg.xhost}/bin/xhost +local:
|
||||||
|
ssh -X browser@${config.containers.browser.localAddress} tor-browser
|
||||||
|
${pkgs.xorg.xhost}/bin/xhost -local:
|
||||||
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.local.programs.browsers.tor-browser = with lib; {
|
options.local.programs.browsers.tor-browser = with lib; {
|
||||||
enable = mkEnableOption "tor-browser";
|
enable = mkEnableOption "tor-browser";
|
||||||
container = {
|
|
||||||
enable = mkEnableOption "tor-browser inside a container";
|
|
||||||
externalInterface = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "";
|
|
||||||
};
|
|
||||||
sshAuthorizedKeys = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable (lib.mkMerge [
|
config = lib.mkIf cfg.enable {
|
||||||
(lib.mkIf (!cfg.container.enable) {
|
environment.systemPackages = [ hostRunTorBrowser ];
|
||||||
environment.systemPackages = [ torBrowser ];
|
|
||||||
})
|
|
||||||
(lib.mkIf cfg.container.enable (
|
|
||||||
let
|
|
||||||
hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
|
|
||||||
${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
|
|
||||||
${pkgs.xorg.xhost}/bin/xhost +
|
|
||||||
ssh -X browser@192.168.7.11 tor-browser
|
|
||||||
${pkgs.xorg.xhost}/bin/xhost -
|
|
||||||
'';
|
|
||||||
|
|
||||||
clientRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
|
hardware.pulseaudio = {
|
||||||
PULSE_SERVER=tcp:192.168.7.10:4713 \
|
systemWide = true;
|
||||||
XAUTHORITY="/home/browser/.Xauthority" \
|
support32Bit = true;
|
||||||
DBUS_SESSION_BUS_ADDRESS="" \
|
tcp = {
|
||||||
DISPLAY=192.168.7.10:0.0 \
|
enable = true;
|
||||||
${pkgs.apulse}/bin/apulse ${torBrowser}/bin/tor-browser $@
|
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
|
||||||
'';
|
};
|
||||||
in
|
};
|
||||||
{
|
|
||||||
assertions = [
|
|
||||||
{
|
|
||||||
assertion = cfg.container.externalInterface != "";
|
|
||||||
message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `externalInterface` with Internet access";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
assertion = cfg.container.sshAuthorizedKeys != [ ];
|
|
||||||
message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `sshAuthorizedKeys` to connect to the container";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
environment.systemPackages = [ hostRunTorBrowser ];
|
|
||||||
|
|
||||||
hardware.pulseaudio = {
|
|
||||||
systemWide = true;
|
|
||||||
support32Bit = true;
|
|
||||||
tcp = {
|
|
||||||
enable = true;
|
|
||||||
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
|
/*
|
||||||
networking = {
|
networking = {
|
||||||
firewall.allowedTCPPorts = [ 4713 6000 ];
|
firewall.allowedTCPPorts = [ 4713 6000 ];
|
||||||
nat = {
|
nat = {
|
||||||
|
@ -83,30 +47,44 @@ in
|
||||||
externalInterface = cfg.container.externalInterface;
|
externalInterface = cfg.container.externalInterface;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
*/
|
||||||
|
|
||||||
containers.browser = {
|
containers.browser = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = "192.168.7.10";
|
hostAddress = "192.168.7.10";
|
||||||
localAddress = "192.168.7.11";
|
localAddress = "192.168.7.11";
|
||||||
|
|
||||||
config = { ... }: {
|
bindMounts = {
|
||||||
system.stateVersion = "23.11";
|
"/tmp/.X11-unix" = { };
|
||||||
services.openssh = {
|
};
|
||||||
enable = true;
|
|
||||||
settings.X11Forwarding = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
users.extraUsers.browser = {
|
config = { ... }: {
|
||||||
isNormalUser = true;
|
system.stateVersion = "23.11";
|
||||||
home = "/home/browser";
|
|
||||||
openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
|
services.openssh = {
|
||||||
extraGroups = [ "pulse-access" ];
|
enable = true;
|
||||||
packages = [ clientRunTorBrowser ];
|
settings.X11Forwarding = true;
|
||||||
};
|
settings.PasswordAuthentication = true;
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
|
||||||
))
|
users.extraUsers.browser = {
|
||||||
]);
|
isNormalUser = true;
|
||||||
|
home = "/home/browser";
|
||||||
|
password = "hello";
|
||||||
|
openssh.authorizedPrincipals = [ "jan@${config.containers.browser.hostAddress}" ];
|
||||||
|
# openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
|
||||||
|
extraGroups = [ "pulse-access" ];
|
||||||
|
packages = [ torBrowser ];
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.sessionVariables = {
|
||||||
|
DISPLAY = "${config.containers.browser.hostAddress}:0.0";
|
||||||
|
PULSE_SERVER = "tcp:${config.containers.browser.hostAddress}:4713";
|
||||||
|
XAUTHORITY = "/home/browser/.Xauthority";
|
||||||
|
DBUS_SESSION_BUS_ADDRESS = "";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
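Review bot: The new host script's `xhost +local:` together with the new `"/tmp/.X11-unix" = { };` bind mount under `containers.browser` hands the container direct, unauthenticated access to the host X server, which lets a compromised Tor Browser read keystrokes and window contents of every host client and defeats the isolation the container exists for; the `ssh -X` (untrusted forwarding) already in the same script is the safer channel, so the bind mount, the two `xhost` lines and the container-side `DISPLAY = "${config.containers.browser.hostAddress}:0.0";` (which looks like it would override the display ssh sets up) should go. The container sshd also moves from keys to `settings.PasswordAuthentication = true;` with a hard-coded `password = "hello";` on the `browser` user — NixOS stores `users.users.<name>.password` in the world-readable Nix store — while `openssh.authorizedPrincipals` has no effect unless sshd is additionally configured to trust a user CA (`TrustedUserCAKeys`), which nothing here sets. If this is meant to land rather than stay WIP, restore `openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;` (still present as a comment), set `settings.PasswordAuthentication = false;`, and drop the `password` and `authorizedPrincipals` lines. Note that the `cfg.container.*` options the restored line depends on were removed from `options` in this file's first hunk, so they would need to come back with it.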
|
|