From 5d6b5ad7ddd1db78083303f9e49fc878e7647591 Mon Sep 17 00:00:00 2001 From: Dmitriy Pleshevskiy Date: Fri, 23 Aug 2024 02:04:56 +0300 Subject: [PATCH] modules/browsers: move all browsers to the container --- hosts/asus-gl553vd/configs/imp.nix | 7 ++ hosts/asus-gl553vd/configuration.nix | 6 +- modules/nixos/programs/browsers/default.nix | 116 +++++++++++++++++- modules/nixos/programs/browsers/librewolf.nix | 6 +- .../programs/browsers/mullvad-browser.nix | 9 +- .../nixos/programs/browsers/tor-browser.nix | 73 +---------- 6 files changed, 132 insertions(+), 85 deletions(-) diff --git a/hosts/asus-gl553vd/configs/imp.nix b/hosts/asus-gl553vd/configs/imp.nix index decac3c..722041d 100644 --- a/hosts/asus-gl553vd/configs/imp.nix +++ b/hosts/asus-gl553vd/configs/imp.nix @@ -46,6 +46,7 @@ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/NetworkManager/system-connections" + "/etc/ssh/per-machine" ]; files = [ "/etc/machine-id" @@ -66,5 +67,11 @@ ]; files = [ "/var/lib/docker/engine-id" ]; }; + "/presistent/ollama" = lib.mkIf config.services.ollama.enable { + hideMounts = true; + directories = [ + "/var/lib/private/ollama" + ]; + }; }; } diff --git a/hosts/asus-gl553vd/configuration.nix b/hosts/asus-gl553vd/configuration.nix index f90ecd9..5da031b 100644 --- a/hosts/asus-gl553vd/configuration.nix +++ b/hosts/asus-gl553vd/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: +{ pkgs, ... }: { imports = [ @@ -27,4 +27,8 @@ # Programs ################################################################################ local.programs.browsers.tor-browser.enable = true; + + environment.shellInit = '' + [ -n "$DISPLAY" ] && ${pkgs.xorg.xhost}/bin/xhost +si:localuser:$USER > /dev/null || true + ''; } diff --git a/modules/nixos/programs/browsers/default.nix b/modules/nixos/programs/browsers/default.nix index 9ce94a8..a8cb88d 100644 --- a/modules/nixos/programs/browsers/default.nix +++ b/modules/nixos/programs/browsers/default.nix 
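Review bot: The added `environment.shellInit` runs `xhost +si:localuser:$USER` on every interactive shell start for any user with `DISPLAY` set (failures hidden by `|| true`), and together with the `/tmp/.X11-unix` bind mount and `DISPLAY = ":0"` in the default.nix hunk it means the browsers inside the container talk to the host X server directly; X11 provides no isolation between clients, so the container confines filesystem and network but not keyboard input or screen contents of the host session. Presumably the container's `kira` uid resolves to the host user for the `localuser` check — worth confirming, since nothing visible here creates the `XAUTHORITY` file the container expects. A comment recording the trade-off next to the line would help, e.g. `# grant our uid X access so the browsers container (shared /tmp/.X11-unix) can display; X11 clients are not isolated from each other`. If only the browsers container needs it, a display-manager/session hook or a nested X server would scope the grant more tightly than a global shellInit.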
@@ -1,8 +1,122 @@ -{ ... }: +{ config, pkgs, lib, ... }: + +let + cfg = config.local.programs.browsers; + + hostAddress = "192.168.7.10"; + localAddress = "192.168.7.11"; + + hostRunBrowser = pkgs.writeScript "run-browser" '' + host=${localAddress} + if [ -z "$(ssh-keygen -F $host)" ]; then + ssh-keyscan -H $host >> ~/.ssh/known_hosts + fi + ssh -o PubkeyAuthentication=no kira@$host $@ + ''; + + contPackages = + lib.optional cfg.tor-browser.enable cfg.tor-browser.package + ++ lib.optional cfg.librewolf.enable cfg.librewolf.package + ++ lib.optional cfg.mullvad-browser.enable cfg.mullvad-browser.package; + + hostPackages = lib.flip map contPackages (p: + pkgs.writeScriptBin p.meta.mainProgram "${hostRunBrowser} ${p.meta.mainProgram}" + ); + + isEnable = cfg.tor-browser.enable or cfg.librewolf.enable; +in { imports = [ ./tor-browser.nix ./mullvad-browser.nix ./librewolf.nix ]; + + config = lib.mkIf isEnable { + environment.systemPackages = hostPackages; + + hardware.pulseaudio = { + systemWide = true; + support32Bit = true; + tcp = { + enable = true; + anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ]; + }; + }; + + networking = { + firewall = { + allowedTCPPorts = [ 4713 ]; + trustedInterfaces = [ "ve-*" ]; + }; + nat = { + enable = true; + internalInterfaces = [ "ve-browsers" ]; + externalInterface = "wg0"; + }; + }; + + containers.browsers = { + autoStart = true; + ephemeral = true; + + privateNetwork = true; + inherit hostAddress localAddress; + + bindMounts = lib.mkMerge [ + { + "/tmp/.X11-unix" = { }; + "/etc/ssh/keys" = { + isReadOnly = false; + hostPath = "/etc/ssh/per-machine/browsers"; + }; + "/home/kira/Downloads" = { + isReadOnly = false; + hostPath = "/home/jan/downloads/browser"; + }; + } + (lib.mkIf cfg.librewolf.enable { + "/home/kira/.librewolf" = { + isReadOnly = false; + hostPath = "/home/jan/.librewolf"; + }; + }) + ]; + + config = { pkgs, ... 
}: { + system.stateVersion = "23.11"; + + services.openssh = { + enable = true; + settings.PasswordAuthentication = true; + hostKeys = [ + { + bits = 4096; + path = "/etc/ssh/keys/ssh_host_rsa_key"; + type = "rsa"; + } + { + path = "/etc/ssh/keys/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + }; + + users.users.kira = { + isNormalUser = true; + home = "/home/kira"; + password = "hello"; + extraGroups = [ "pulse-access" ]; + packages = contPackages ++ [ pkgs.gnome.nautilus ]; + }; + + environment.sessionVariables = { + DISPLAY = ":0"; + PULSE_SERVER = "tcp:${hostAddress}:4713"; + XAUTHORITY = "/home/kira/.Xauthority"; + DBUS_SESSION_BUS_ADDRESS = ""; + }; + }; + }; + }; } diff --git a/modules/nixos/programs/browsers/librewolf.nix b/modules/nixos/programs/browsers/librewolf.nix index 2b7ee40..fe75193 100644 --- a/modules/nixos/programs/browsers/librewolf.nix +++ b/modules/nixos/programs/browsers/librewolf.nix @@ -1,7 +1,6 @@ { config, pkgs, lib, inputs, ... }: let - cfg = config.local.programs.browsers.librewolf; isPassEnabled = config.local.programs.pass.enable; policiesJson = pkgs.callPackage ./policies.nix { @@ -20,9 +19,6 @@ in { options.local.programs.browsers.librewolf = with lib; { enable = mkEnableOption "librewolf"; - }; - - config = lib.mkIf cfg.enable { - environment.systemPackages = [ librewolf' ]; + package = mkPackageOption pkgs "librewolf" {} // { default = librewolf'; }; }; } diff --git a/modules/nixos/programs/browsers/mullvad-browser.nix b/modules/nixos/programs/browsers/mullvad-browser.nix index b85b053..b0d90fe 100644 --- a/modules/nixos/programs/browsers/mullvad-browser.nix +++ b/modules/nixos/programs/browsers/mullvad-browser.nix @@ -1,8 +1,6 @@ -{ config, pkgs, lib, inputs, ... }: +{ pkgs, lib, inputs, ... }: let - cfg = config.local.programs.browsers.mullvad-browser; - policiesJson = pkgs.callPackage ./policies.nix { firefoxAddons = inputs.firefox-addons.packages."${pkgs.system}"; withRedirectorAddon = true; 
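Review bot: `isEnable = cfg.tor-browser.enable or cfg.librewolf.enable` uses Nix's attribute-default operator `or`, not a boolean disjunction, so since the option always exists it evaluates to just `cfg.tor-browser.enable`; enabling only librewolf or mullvad-browser leaves the container and host wrappers unbuilt even though their packages are collected in `contPackages`. It should read `isEnable = cfg.tor-browser.enable || cfg.librewolf.enable || cfg.mullvad-browser.enable;`. The global `allowedTCPPorts = [ 4713 ]` is redundant with `trustedInterfaces = [ "ve-*" ]` and exposes the PulseAudio TCP listener on every interface including `wg0`; scope it as `networking.firewall.interfaces."ve-browsers".allowedTCPPorts = [ 4713 ];` or drop it. In `hostRunBrowser`, `$@` should be `"$@"` so arguments containing spaces survive. The container sshd accepts the fixed `password = "hello"` from any local process that can reach `192.168.7.11`, and the wrapper forces `PubkeyAuthentication=no`, so consider key-based auth (or at least `AllowUsers`/`ListenAddress` restrictions) rather than a shared static password.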
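Review bot: `package = mkPackageOption pkgs "librewolf" {} // { default = librewolf'; }` overrides only `default`, so the `defaultText` generated by `mkPackageOption` still documents `pkgs.librewolf` while the actual default is the policy-wrapped derivation; the same pattern appears in the mullvad-browser.nix and tor-browser.nix hunks. Either add the text to the override, `// { default = librewolf'; defaultText = literalExpression "librewolf'"; }`, or declare it with plain `mkOption { type = types.package; default = librewolf'; ... }`. `librewolf'` itself is defined outside the hunk.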
@@ -21,9 +19,6 @@ in { options.local.programs.browsers.mullvad-browser = with lib; { enable = mkEnableOption "mullvad-browser"; - }; - - config = lib.mkIf cfg.enable { - environment.systemPackages = [ mullvadBrowser ]; + package = mkPackageOption pkgs "mullvad-browser" {} // { default = mullvadBrowser; }; }; } diff --git a/modules/nixos/programs/browsers/tor-browser.nix b/modules/nixos/programs/browsers/tor-browser.nix index f015979..6b51184 100644 --- a/modules/nixos/programs/browsers/tor-browser.nix +++ b/modules/nixos/programs/browsers/tor-browser.nix @@ -1,8 +1,6 @@ -{ config, pkgs, lib, ... }: +{ pkgs, lib, ... }: let - cfg = config.local.programs.browsers.tor-browser; - policiesJson = pkgs.callPackage ./policies.nix { }; torBrowser = (pkgs.tor-browser-bundle-bin.override { 
@@ -14,77 +12,10 @@ let install -Dvm644 ${policiesJson} $out/share/tor-browser/distribution/policies.json ''; }); - - hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" '' - ${pkgs.xorg.xhost}/bin/xhost +local: - ssh -X browser@${config.containers.browser.localAddress} tor-browser - ${pkgs.xorg.xhost}/bin/xhost -local: - ''; in { options.local.programs.browsers.tor-browser = with lib; { enable = mkEnableOption "tor-browser"; - }; - - config = lib.mkIf cfg.enable { - environment.systemPackages = [ hostRunTorBrowser ]; - - hardware.pulseaudio = { - systemWide = true; - support32Bit = true; - tcp = { - enable = true; - anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ]; - }; - }; - - /* - networking = { - firewall.allowedTCPPorts = [ 4713 6000 ]; - nat = { - enable = true; - internalInterfaces = [ "ve-browser" ]; - externalInterface = cfg.container.externalInterface; - }; - }; - */ - - containers.browser = { - autoStart = true; - privateNetwork = true; - hostAddress = "192.168.7.10"; - localAddress = "192.168.7.11"; - - bindMounts = { - "/tmp/.X11-unix" = { }; - }; - - config = { ... }: { - system.stateVersion = "23.11"; - - services.openssh = { - enable = true; - settings.X11Forwarding = true; - settings.PasswordAuthentication = true; - }; - - users.extraUsers.browser = { - isNormalUser = true; - home = "/home/browser"; - password = "hello"; - openssh.authorizedPrincipals = [ "jan@${config.containers.browser.hostAddress}" ]; - # openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys; - extraGroups = [ "pulse-access" ]; - packages = [ torBrowser ]; - }; - - environment.sessionVariables = { - DISPLAY = "${config.containers.browser.hostAddress}:0.0"; - PULSE_SERVER = "tcp:${config.containers.browser.hostAddress}:4713"; - XAUTHORITY = "/home/browser/.Xauthority"; - DBUS_SESSION_BUS_ADDRESS = ""; - }; - }; - }; + package = mkPackageOption pkgs "tor-browser-bundle-bin" {} // { default = torBrowser; }; }; }