From ed6cd33144ebd69b42cd5529c305fa07e4a15ef0 Mon Sep 17 00:00:00 2001 From: Dmitriy Pleshevskiy Date: Thu, 22 Aug 2024 22:27:39 +0300 Subject: [PATCH] modules/browsers: move all browsers to the container --- hosts/asus-gl553vd/configs/imp.nix | 7 + hosts/asus-gl553vd/configuration.nix | 15 +-- hosts/home/configuration.nix | 12 +- modules/nixos/programs/browsers/default.nix | 120 +++++++++++++++++- modules/nixos/programs/browsers/librewolf.nix | 6 +- .../programs/browsers/mullvad-browser.nix | 9 +- modules/nixos/programs/browsers/policies.nix | 10 +- .../nixos/programs/browsers/tor-browser.nix | 95 +------------- 8 files changed, 145 insertions(+), 129 deletions(-) diff --git a/hosts/asus-gl553vd/configs/imp.nix b/hosts/asus-gl553vd/configs/imp.nix index decac3c..722041d 100644 --- a/hosts/asus-gl553vd/configs/imp.nix +++ b/hosts/asus-gl553vd/configs/imp.nix @@ -46,6 +46,7 @@ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/NetworkManager/system-connections" + "/etc/ssh/per-machine" ]; files = [ "/etc/machine-id" @@ -66,5 +67,11 @@ ]; files = [ "/var/lib/docker/engine-id" ]; }; + "/presistent/ollama" = lib.mkIf config.services.ollama.enable { + hideMounts = true; + directories = [ + "/var/lib/private/ollama" + ]; + }; }; } diff --git a/hosts/asus-gl553vd/configuration.nix b/hosts/asus-gl553vd/configuration.nix index b05809e..a426034 100644 --- a/hosts/asus-gl553vd/configuration.nix +++ b/hosts/asus-gl553vd/configuration.nix 
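Review bot: The new persistence key `"/presistent/ollama"` in the second hunk looks like a misspelling of `/persistent`; the sibling keys of this attribute set are cut off above the hunk, but if they mount from `/persistent`, this entry bind-mounts the ollama state from a directory on the ephemeral root and the model data is lost on reboot, which is the opposite of the intent — please confirm the spelling against the other entries. `/var/lib/private/ollama` is presumably a `DynamicUser` state directory, so the persisted copy has to keep the ownership systemd assigns and `/var/lib/private` itself must remain root-owned with restrictive permissions or the service may refuse to start; a one-line comment above the entry, e.g. `# DynamicUser state dir: keep systemd's ownership, /var/lib/private stays 0700 root`, would warn the next person who touches it. The `"/etc/ssh/per-machine"` line in the first hunk is what the browsers container's host keys depend on (they are bind-mounted from `/etc/ssh/per-machine/browsers`), so a comment saying so would tie the two together.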
@@ -26,17 +26,14 @@ ################################################################################ # Programs ################################################################################ - local.programs.browsers.tor-browser = { - enable = true; - container = { - enable = true; - externalInterface = "wg0"; - sshAuthorizedKeys = globalData.publicKeys.users.jan; - }; - }; - services.ollama = { enable = true; package = pkgs.unstable.ollama; }; + + local.programs.browsers.tor-browser.enable = true; + + environment.shellInit = '' + [ -n "$DISPLAY" ] && ${pkgs.xorg.xhost}/bin/xhost +si:localuser:$USER > /dev/null || true + ''; } diff --git a/hosts/home/configuration.nix b/hosts/home/configuration.nix index 32f6a01..565f188 100644 --- a/hosts/home/configuration.nix +++ b/hosts/home/configuration.nix @@ -1,4 +1,4 @@ -{ config, globalData, pkgs, ... }: +{ config, pkgs, ... }: { imports = [ @@ -12,14 +12,7 @@ ################################################################################ # Programs ################################################################################ - local.programs.browsers.tor-browser = { - enable = true; - container = { - enable = true; - externalInterface = "wg0"; - sshAuthorizedKeys = globalData.publicKeys.users.jan; - }; - }; + local.programs.browsers.tor-browser.enable = true; ################################################################################ # Services @@ -88,6 +81,7 @@ environment.sessionVariables = { DISPLAY = ":0"; PULSE_SERVER = "tcp:127.0.0.1:4713"; + XAUTHORITY = "/home/john/.Xauthority"; WINEPREFIX = "/home/john/.wine"; WINEARCH = "win32"; diff --git a/modules/nixos/programs/browsers/default.nix b/modules/nixos/programs/browsers/default.nix index 9ce94a8..12bb016 100644 --- a/modules/nixos/programs/browsers/default.nix +++ b/modules/nixos/programs/browsers/default.nix 
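Review bot: `xhost +si:localuser:$USER` in `environment.shellInit` grants X-server access to every process running under that uid, and because NixOS containers do not use a private user namespace by default the container's `kira` shares the host's uid space — presumably it is allocated the same uid as the host user, which is how the `/tmp/.X11-unix` bind mount ends up usable from inside the container. X11 has no client isolation, so a compromised browser in the container can read keystrokes and window contents of every host application, which largely undoes the isolation the container is meant to provide; if that trade-off is accepted it deserves a comment here, e.g. `# Grants the browser container full X11 access (no client isolation): see modules/nixos/programs/browsers`, otherwise a nested server (Xephyr/xpra) or a per-launch grant inside the launcher script would be tighter. Running `xhost` from every interactive shell is also surprising; doing it once in the launcher that actually needs it (or a user service) keeps the grant next to its consumer. `$USER` is unquoted; `"$USER"` is harmless and consistent.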
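Review bot: `XAUTHORITY = "/home/john/.Xauthority"` is set in `environment.sessionVariables`, which is system-wide, so every account on this host is pointed at john's cookie file rather than its own; the same block already hard-codes `WINEPREFIX` to that home, so this may be an accepted single-user convention, but a comment saying so, e.g. `# single-user host: X/Wine state lives in john's home`, would make that explicit. If other users do log in here, `users.users.john` / home-manager, or `environment.extraInit` guarded on `$USER`, would scope the variable correctly. The enclosing `environment.sessionVariables` block ends outside the hunk.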
@@ -1,8 +1,126 @@ -{ ... }: +{ config, pkgs, lib, ... }: + +let + cfg = config.local.programs.browsers; + + hostAddress = "192.168.7.10"; + localAddress = "192.168.7.11"; + + hostRunBrowser = pkgs.writeScript "run-browser" '' + host=browsers.containers + if [ -z "$(ssh-keygen -F $host)" ]; then + ssh-keyscan -H $host >> ~/.ssh/known_hosts + fi + ssh -o PubkeyAuthentication=no kira@$host $@ + ''; + + contPackages = + lib.optional cfg.tor-browser.enable cfg.tor-browser.package + ++ lib.optional cfg.librewolf.enable cfg.librewolf.package + ++ lib.optional cfg.mullvad-browser.enable cfg.mullvad-browser.package; + + hostPackages = lib.flip map contPackages (p: + pkgs.writeScriptBin "${p.meta.mainProgram}" '' + ${hostRunBrowser} ${p.meta.mainProgram} + '' + ); + + isEnable = cfg.tor-browser.enable + or cfg.librewolf.enable + or cfg.mullvad-browser.enable; +in { imports = [ ./tor-browser.nix ./mullvad-browser.nix ./librewolf.nix ]; + + config = lib.mkIf isEnable { + environment.systemPackages = hostPackages; + + hardware.pulseaudio = { + systemWide = true; + support32Bit = true; + tcp = { + enable = true; + anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ]; + }; + }; + + networking = { + firewall = { + allowedTCPPorts = [ 4713 ]; + trustedInterfaces = [ "ve-*" ]; + }; + nat = { + enable = true; + internalInterfaces = [ "ve-browsers" ]; + externalInterface = "wg0"; + }; + }; + + containers.browsers = { + autoStart = true; + ephemeral = true; + + privateNetwork = true; + inherit hostAddress localAddress; + + bindMounts = lib.mkMerge [ + { + "/tmp/.X11-unix" = { }; + "/etc/ssh/keys" = { + isReadOnly = false; + hostPath = "/etc/ssh/per-machine/browsers"; + }; + "/home/kira/Downloads" = { + isReadOnly = false; + hostPath = "/home/jan/downloads/browser"; + }; + } + (lib.mkIf cfg.librewolf.enable { + "/home/kira/.librewolf" = { + isReadOnly = false; + hostPath = "/home/jan/.librewolf"; + }; + }) + ]; + + config = { pkgs, ... 
}: { + system.stateVersion = "23.11"; + + services.openssh = { + enable = true; + settings.PasswordAuthentication = true; + hostKeys = [ + { + bits = 4096; + path = "/etc/ssh/keys/ssh_host_rsa_key"; + type = "rsa"; + } + { + path = "/etc/ssh/keys/ssh_host_ed25519_key"; + type = "ed25519"; + } + ]; + }; + + users.users.kira = { + isNormalUser = true; + home = "/home/kira"; + password = "hello"; + extraGroups = [ "pulse-access" ]; + packages = contPackages; + }; + + environment.sessionVariables = { + DISPLAY = ":0"; + PULSE_SERVER = "tcp:${hostAddress}:4713"; + XAUTHORITY = "/home/kira/.Xauthority"; + DBUS_SESSION_BUS_ADDRESS = ""; + }; + }; + }; + }; } diff --git a/modules/nixos/programs/browsers/librewolf.nix b/modules/nixos/programs/browsers/librewolf.nix index 2b7ee40..fe75193 100644 --- a/modules/nixos/programs/browsers/librewolf.nix +++ b/modules/nixos/programs/browsers/librewolf.nix @@ -1,7 +1,6 @@ { config, pkgs, lib, inputs, ... }: let - cfg = config.local.programs.browsers.librewolf; isPassEnabled = config.local.programs.pass.enable; policiesJson = pkgs.callPackage ./policies.nix { @@ -20,9 +19,6 @@ in { options.local.programs.browsers.librewolf = with lib; { enable = mkEnableOption "librewolf"; - }; - - config = lib.mkIf cfg.enable { - environment.systemPackages = [ librewolf' ]; + package = mkPackageOption pkgs "librewolf" {} // { default = librewolf'; }; }; } diff --git a/modules/nixos/programs/browsers/mullvad-browser.nix b/modules/nixos/programs/browsers/mullvad-browser.nix index b85b053..b0d90fe 100644 --- a/modules/nixos/programs/browsers/mullvad-browser.nix +++ b/modules/nixos/programs/browsers/mullvad-browser.nix @@ -1,8 +1,6 @@ -{ config, pkgs, lib, inputs, ... }: +{ pkgs, lib, inputs, ... }: let - cfg = config.local.programs.browsers.mullvad-browser; - policiesJson = pkgs.callPackage ./policies.nix { firefoxAddons = inputs.firefox-addons.packages."${pkgs.system}"; withRedirectorAddon = true; 
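Review bot: `isEnable` in the new `let` block is written with `or`, which in Nix is the attribute-default operator rather than boolean OR, so the expression always evaluates to `cfg.tor-browser.enable` and enabling only librewolf or mullvad-browser never enables the container; it needs `||`. The container's sshd is also configured with `settings.PasswordAuthentication = true` and a literal `password = "hello"` for kira while the host launcher forces `-o PubkeyAuthentication=no`, so any process on the host can log into the container at 192.168.7.11 and reach the read-write bind mounts (the librewolf profile and the Downloads directory); the `openssh.authorizedKeys.keys` setup this commit removes from tor-browser.nix was the safer default and should come back as a module option. `firewall.allowedTCPPorts = [ 4713 ]` opens PulseAudio on every interface including `wg0` even though the veth is already admitted by `trustedInterfaces`, and `"ve-*"` trusts every container on the host, not just this one. In `hostRunBrowser`, `ssh-keyscan -H $host >> ~/.ssh/known_hosts` is trust-on-first-use although the container's host key is persisted on the host under `/etc/ssh/per-machine/browsers` and could be pinned from there, `$@` should be `"$@"`, and `pkgs.writeScript`/`writeScriptBin` add no shebang, so the launchers only run when invoked from a shell (`writeShellScript`/`writeShellScriptBin` fix that). The rewritten lines below apply the `||` fix, key-only login bound to the veth address, and a port grant scoped to this container's interface; note the external interface is still hard-coded to `wg0` here after the `externalInterface` option was dropped.
```nix
  hostRunBrowser = pkgs.writeShellScript "run-browser" ''
    host=browsers.containers
    # Key-based login only (see users.users.kira); "$@" keeps arguments intact.
    exec ssh kira@"$host" "$@"
  '';
  # … unchanged: contPackages, hostPackages …

  # `||` is boolean OR; `a or b` is the attribute-default operator.
  isEnable = cfg.tor-browser.enable
    || cfg.librewolf.enable
    || cfg.mullvad-browser.enable;
  # … unchanged: imports, hardware.pulseaudio …

      networking.firewall = {
        # PulseAudio only needs to be reachable over this container's veth,
        # not from wg0 or the LAN; no blanket trust of every ve-* interface.
        interfaces."ve-browsers".allowedTCPPorts = [ 4713 ];
      };
      # … unchanged: nat, containers.browsers up to services.openssh …

          services.openssh = {
            enable = true;
            # Only listen on the container side of the veth pair.
            listenAddresses = [ { addr = localAddress; port = 22; } ];
            settings = {
              PasswordAuthentication = false;
              KbdInteractiveAuthentication = false;
            };
            # … unchanged: hostKeys …
          };

          users.users.kira = {
            isNormalUser = true;
            home = "/home/kira";
            # No password: login only with the host user's keys, supplied through a
            # module option re-added in place of the removed container.sshAuthorizedKeys.
            openssh.authorizedKeys.keys = cfg.sshAuthorizedKeys;
            extraGroups = [ "pulse-access" ];
            packages = contPackages;
          };
```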
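Review bot: `mkPackageOption pkgs "librewolf" {} // { default = librewolf'; }` overrides `default` but keeps the `defaultText` that `mkPackageOption` generates, so the rendered option documentation will state the default is `pkgs.librewolf` while the real default is the policy-wrapped `librewolf'` defined above the hunk. Adding `defaultText = literalExpression "librewolf'";` to the overriding set (and a `description` sentence noting that the default bakes in policies.json) keeps the docs honest; alternatively declare the option directly with `mkOption { type = types.package; default = librewolf'; … }`. The same pattern is repeated in mullvad-browser.nix and tor-browser.nix in this commit.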
@@ -21,9 +19,6 @@ in { options.local.programs.browsers.mullvad-browser = with lib; { enable = mkEnableOption "mullvad-browser"; - }; - - config = lib.mkIf cfg.enable { - environment.systemPackages = [ mullvadBrowser ]; + package = mkPackageOption pkgs "mullvad-browser" {} // { default = mullvadBrowser; }; }; } diff --git a/modules/nixos/programs/browsers/policies.nix b/modules/nixos/programs/browsers/policies.nix index 53ab72e..bdddd4b 100644 --- a/modules/nixos/programs/browsers/policies.nix +++ b/modules/nixos/programs/browsers/policies.nix @@ -28,7 +28,7 @@ writeText "policies.json" (builtins.toJSON { SearchEngines = { Add = [ { - Alias = "sx"; + Alias = "@sx"; Name = "SearXNG"; Description = "SearXNG — a privacy-respecting, open metasearch engine"; IconURL = "https://search.sapti.me/static/themes/simple/img/favicon.png"; @@ -36,28 +36,28 @@ writeText "policies.json" (builtins.toJSON { } ] ++ lib.optionals withAllSearchEngines [ { - Alias = "np"; + Alias = "@np"; Name = "NixOS Packages"; Description = "Search NixOS packages by name or description."; IconURL = "https://nixos.org/favicon.png"; URLTemplate = "https://search.nixos.org/packages?query={searchTerms}"; } { - Alias = "no"; + Alias = "@no"; Name = "NixOS Options"; Description = "Search NixOS options by name or description."; IconURL = "https://nixos.org/favicon.png"; URLTemplate = "https://search.nixos.org/options?query={searchTerms}"; } { - Alias = "ng"; + Alias = "@ng"; Name = "Noogle"; Description = "Search for nix functions by name."; IconURL = "https://noogle.dev/favicon.png"; URLTemplate = "https://noogle.dev/q?term={searchTerms}"; } { - Alias = "hg"; + Alias = "@hg"; Name = "Hoogle"; Description = '' Hoogle is a Haskell API search engine, which allows you to diff --git a/modules/nixos/programs/browsers/tor-browser.nix b/modules/nixos/programs/browsers/tor-browser.nix index ba79f2e..6b51184 100644 --- a/modules/nixos/programs/browsers/tor-browser.nix 
+++ b/modules/nixos/programs/browsers/tor-browser.nix @@ -1,8 +1,6 @@ -{ config, pkgs, lib, ... }: +{ pkgs, lib, ... }: let - cfg = config.local.programs.browsers.tor-browser; - policiesJson = pkgs.callPackage ./policies.nix { }; torBrowser = (pkgs.tor-browser-bundle-bin.override { 
@@ -18,95 +16,6 @@ in { options.local.programs.browsers.tor-browser = with lib; { enable = mkEnableOption "tor-browser"; - container = { - enable = mkEnableOption "tor-browser inside a container"; - externalInterface = mkOption { - type = types.str; - default = ""; - }; - sshAuthorizedKeys = mkOption { - type = types.listOf types.str; - default = [ ]; - }; - }; + package = mkPackageOption pkgs "tor-browser-bundle-bin" {} // { default = torBrowser; }; }; - - config = lib.mkIf cfg.enable (lib.mkMerge [ - (lib.mkIf (!cfg.container.enable) { - environment.systemPackages = [ torBrowser ]; - }) - (lib.mkIf cfg.container.enable ( - let - hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" '' - ${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 & - ${pkgs.xorg.xhost}/bin/xhost + - ssh -X browser@192.168.7.11 tor-browser - ${pkgs.xorg.xhost}/bin/xhost - - ''; - - clientRunTorBrowser = pkgs.writeScriptBin "tor-browser" '' - PULSE_SERVER=tcp:192.168.7.10:4713 \ - XAUTHORITY="/home/browser/.Xauthority" \ - DBUS_SESSION_BUS_ADDRESS="" \ - DISPLAY=192.168.7.10:0.0 \ - ${pkgs.apulse}/bin/apulse ${torBrowser}/bin/tor-browser $@ - ''; - in - { - assertions = [ - { - assertion = cfg.container.externalInterface != ""; - message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `externalInterface` with Internet access"; - } - { - assertion = cfg.container.sshAuthorizedKeys != [ ]; - message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `sshAuthorizedKeys` to connect to the container"; - } - ]; - - environment.systemPackages = [ hostRunTorBrowser ]; - - hardware.pulseaudio = { - systemWide = true; - support32Bit = true; - tcp = { - enable = true; - anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ]; - }; - }; - - networking = { - firewall.allowedTCPPorts = [ 4713 6000 ]; - nat = { - enable = true; - internalInterfaces = [ "ve-browser" ]; - 
externalInterface = cfg.container.externalInterface; - }; - }; - - containers.browser = { - autoStart = true; - privateNetwork = true; - hostAddress = "192.168.7.10"; - localAddress = "192.168.7.11"; - - config = { ... }: { - system.stateVersion = "23.11"; - services.openssh = { - enable = true; - settings.X11Forwarding = true; - }; - - users.extraUsers.browser = { - isNormalUser = true; - home = "/home/browser"; - openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys; - extraGroups = [ "pulse-access" ]; - packages = [ clientRunTorBrowser ]; - }; - }; - }; - } - )) - ]); }