wip
This commit is contained in:
parent
4366a215e6
commit
5afd1d5b53
3 changed files with 58 additions and 93 deletions
|
@ -1,4 +1,4 @@
|
|||
{ globalData, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
|
@ -26,12 +26,5 @@
|
|||
################################################################################
|
||||
# Programs
|
||||
################################################################################
|
||||
local.programs.browsers.tor-browser = {
|
||||
enable = true;
|
||||
container = {
|
||||
enable = true;
|
||||
externalInterface = "wg0";
|
||||
sshAuthorizedKeys = globalData.publicKeys.users.jan;
|
||||
};
|
||||
};
|
||||
local.programs.browsers.tor-browser.enable = true;
|
||||
}
|
||||
|
|
|
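Review bot: Dropping `sshAuthorizedKeys = globalData.publicKeys.users.jan;` from this host config removes the only key-based credential the container's `browser` user had, while the module change in this commit (third file) leaves the container sshd with `settings.PasswordAuthentication = true;` and a fixed `password = "hello";`, so any process that can reach 192.168.7.11 from the host side can log in. The `openssh.authorizedPrincipals = [ "jan@..." ]` line added in the module does not replace the key: principals are only consulted when sshd trusts a user CA (`TrustedUserCAKeys`), which nothing in this commit configures, so that line is inert. If the option is being retired, keep an `openssh.authorizedKeys.keys` entry in the module and set `settings.PasswordAuthentication = false;` so the fixed password is never the path in. The second file makes the same removal and I do not repeat this there. Which side each line is on is inferred from the hunk counts (`-26,12 +26,5`); the rendered page has lost the markers.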
@ -1,4 +1,4 @@
|
|||
{ config, globalData, pkgs, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
|
@ -12,14 +12,7 @@
|
|||
################################################################################
|
||||
# Programs
|
||||
################################################################################
|
||||
local.programs.browsers.tor-browser = {
|
||||
enable = true;
|
||||
container = {
|
||||
enable = true;
|
||||
externalInterface = "wg0";
|
||||
sshAuthorizedKeys = globalData.publicKeys.users.jan;
|
||||
};
|
||||
};
|
||||
local.programs.browsers.tor-browser.enable = true;
|
||||
|
||||
################################################################################
|
||||
# Services
|
||||
|
@ -87,6 +80,7 @@
|
|||
environment.sessionVariables = {
|
||||
DISPLAY = ":0";
|
||||
PULSE_SERVER = "tcp:127.0.0.1:4713";
|
||||
XAUTHORITY = "/home/john/.Xauthority";
|
||||
|
||||
WINEPREFIX = "/home/john/.wine";
|
||||
WINEARCH = "win32";
|
||||
|
|
|
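Review bot: The `environment.sessionVariables` hunk (`@ -87,6 +80,7 @@`) grows the set where `DISPLAY`, `PULSE_SERVER` and `XAUTHORITY` are defined, and those values hard-code one user's home (`/home/john/.Xauthority`) in an option that NixOS applies to every user's session, so other accounts are pointed at a cookie file they normally cannot read. Whichever of the three lines is the new one (the page does not show it), the per-user paths belong in that user's own configuration rather than the system-wide set. If they have to stay here, I would mark the assumption: `# NOTE: system-wide; the per-user paths below assume a single-user host` above the attribute set.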
@ -14,56 +14,19 @@ let
|
|||
install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json
|
||||
'';
|
||||
});
|
||||
|
||||
hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
|
||||
${pkgs.xorg.xhost}/bin/xhost +local:
|
||||
ssh -X browser@${config.containers.browser.localAddress} tor-browser
|
||||
${pkgs.xorg.xhost}/bin/xhost -local:
|
||||
'';
|
||||
in
|
||||
{
|
||||
options.local.programs.browsers.tor-browser = with lib; {
|
||||
enable = mkEnableOption "tor-browser";
|
||||
container = {
|
||||
enable = mkEnableOption "tor-browser inside a container";
|
||||
externalInterface = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
};
|
||||
sshAuthorizedKeys = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable (lib.mkMerge [
|
||||
(lib.mkIf (!cfg.container.enable) {
|
||||
environment.systemPackages = [ torBrowser ];
|
||||
})
|
||||
(lib.mkIf cfg.container.enable (
|
||||
let
|
||||
hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
|
||||
${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
|
||||
${pkgs.xorg.xhost}/bin/xhost +
|
||||
ssh -X browser@192.168.7.11 tor-browser
|
||||
${pkgs.xorg.xhost}/bin/xhost -
|
||||
'';
|
||||
|
||||
clientRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
|
||||
PULSE_SERVER=tcp:192.168.7.10:4713 \
|
||||
XAUTHORITY="/home/browser/.Xauthority" \
|
||||
DBUS_SESSION_BUS_ADDRESS="" \
|
||||
DISPLAY=192.168.7.10:0.0 \
|
||||
${pkgs.apulse}/bin/apulse ${torBrowser}/bin/tor-browser $@
|
||||
'';
|
||||
in
|
||||
{
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.container.externalInterface != "";
|
||||
message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `externalInterface` with Internet access";
|
||||
}
|
||||
{
|
||||
assertion = cfg.container.sshAuthorizedKeys != [ ];
|
||||
message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `sshAuthorizedKeys` to connect to the container";
|
||||
}
|
||||
];
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment.systemPackages = [ hostRunTorBrowser ];
|
||||
|
||||
hardware.pulseaudio = {
|
||||
|
@ -75,6 +38,7 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
/*
|
||||
networking = {
|
||||
firewall.allowedTCPPorts = [ 4713 6000 ];
|
||||
nat = {
|
||||
|
@ -83,6 +47,7 @@ in
|
|||
externalInterface = cfg.container.externalInterface;
|
||||
};
|
||||
};
|
||||
*/
|
||||
|
||||
containers.browser = {
|
||||
autoStart = true;
|
||||
|
@ -90,23 +55,36 @@ in
|
|||
hostAddress = "192.168.7.10";
|
||||
localAddress = "192.168.7.11";
|
||||
|
||||
bindMounts = {
|
||||
"/tmp/.X11-unix" = { };
|
||||
};
|
||||
|
||||
config = { ... }: {
|
||||
system.stateVersion = "23.11";
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings.X11Forwarding = true;
|
||||
settings.PasswordAuthentication = true;
|
||||
};
|
||||
|
||||
users.extraUsers.browser = {
|
||||
isNormalUser = true;
|
||||
home = "/home/browser";
|
||||
openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
|
||||
password = "hello";
|
||||
openssh.authorizedPrincipals = [ "jan@${config.containers.browser.hostAddress}" ];
|
||||
# openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
|
||||
extraGroups = [ "pulse-access" ];
|
||||
packages = [ clientRunTorBrowser ];
|
||||
packages = [ torBrowser ];
|
||||
};
|
||||
|
||||
environment.sessionVariables = {
|
||||
DISPLAY = "${config.containers.browser.hostAddress}:0.0";
|
||||
PULSE_SERVER = "tcp:${config.containers.browser.hostAddress}:4713";
|
||||
XAUTHORITY = "/home/browser/.Xauthority";
|
||||
DBUS_SESSION_BUS_ADDRESS = "";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
))
|
||||
]);
|
||||
}
|
||||
|
|
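Review bot: The host wrapper `hostRunTorBrowser` opens the X server with `xhost +local:` and only runs `xhost -local:` if `ssh` returns normally, and the container also bind-mounts `/tmp/.X11-unix` with `DISPLAY` pointed at the host display, so the `browser` user inside the container talks to the host X server directly; X11 clients on one display can observe each other's input and windows, which undoes most of the isolation the container is meant to give tor-browser. Since the wrapper already uses `ssh -X`, the bind mount and the `xhost` grant look redundant; keep only the forwarded channel and make the reset unconditional with `trap '${pkgs.xorg.xhost}/bin/xhost -local:' EXIT` placed before the `ssh` line. `pkgs.writeScriptBin` also writes the text verbatim without a shebang, so this script appears to rely on the caller's shell falling back to `sh`; `pkgs.writeShellScriptBin` adds the interpreter line. Which lines are the new side is inferred from the hunk counts (`-14,56 +14,19` and `-90,23 +55,36`), as the rendered page lost the markers.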