

4 commits

10 changed files with 163 additions and 131 deletions


@ -46,6 +46,7 @@
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/etc/ssh/per-machine"
]; ];
files = [ files = [
"/etc/machine-id" "/etc/machine-id"
@ -66,5 +67,11 @@
]; ];
files = [ "/var/lib/docker/engine-id" ]; files = [ "/var/lib/docker/engine-id" ];
}; };
"/presistent/ollama" = lib.mkIf config.services.ollama.enable {
hideMounts = true;
directories = [
"/var/lib/private/ollama"
];
};
}; };
} }
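Review bot: The new attribute name `"/presistent/ollama"` looks like a misspelling of `/persistent`; if the other persistence roots in this file use `/persistent`, this entry will persist `/var/lib/private/ollama` under a separate, misspelled directory that nothing else references, so the spelling should be checked before merge (`"/persistent/ollama" = lib.mkIf config.services.ollama.enable {`). The added `"/etc/ssh/per-machine"` directory also deserves a one-line comment, since its only visible consumer is the read-write bind mount in browsers/default.nix that hands `/etc/ssh/per-machine/browsers` to the container's sshd as its host-key directory, e.g. `# host keys of nspawn containers (bind-mounted into containers.browsers)`. The enclosing attribute set starts before this hunk, so the sibling persistence keys are not visible here.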


@ -26,17 +26,14 @@
################################################################################ ################################################################################
# Programs # Programs
################################################################################ ################################################################################
local.programs.browsers.tor-browser = {
enable = true;
container = {
enable = true;
externalInterface = "wg0";
sshAuthorizedKeys = globalData.publicKeys.users.jan;
};
};
services.ollama = { services.ollama = {
enable = true; enable = true;
package = pkgs.unstable.ollama; package = pkgs.unstable.ollama;
}; };
local.programs.browsers.tor-browser.enable = true;
environment.shellInit = ''
[ -n "$DISPLAY" ] && ${pkgs.xorg.xhost}/bin/xhost +si:localuser:$USER > /dev/null || true
'';
} }
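Review bot: The `environment.shellInit` hook grants X server access with `xhost +si:localuser:$USER` on every shell start without saying why; presumably it is needed because the `browsers` container in browsers/default.nix shares the host's `/tmp/.X11-unix` socket and its `kira` user must pass the server-interpreted access check, and that reason belongs in a comment such as `# let the browsers container (shared /tmp/.X11-unix) open this user's X display`. Since that container exists only when the browsers module is enabled, the grant is module glue rather than host configuration; placing it in browsers/default.nix under `lib.mkIf isEnable` keeps it next to the bind mount it depends on and avoids repeating it per host. The trailing `|| true` also hides `xhost` failures, so a user with `$DISPLAY` set but no reachable server will get a container browser that fails later with no hint. The enclosing attribute set starts before this hunk.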


@ -1,4 +1,4 @@
{ config, globalData, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [
@ -12,14 +12,7 @@
################################################################################ ################################################################################
# Programs # Programs
################################################################################ ################################################################################
local.programs.browsers.tor-browser = { local.programs.browsers.tor-browser.enable = true;
enable = true;
container = {
enable = true;
externalInterface = "wg0";
sshAuthorizedKeys = globalData.publicKeys.users.jan;
};
};
################################################################################ ################################################################################
# Services # Services
@ -88,6 +81,7 @@
environment.sessionVariables = { environment.sessionVariables = {
DISPLAY = ":0"; DISPLAY = ":0";
PULSE_SERVER = "tcp:127.0.0.1:4713"; PULSE_SERVER = "tcp:127.0.0.1:4713";
XAUTHORITY = "/home/john/.Xauthority";
WINEPREFIX = "/home/john/.wine"; WINEPREFIX = "/home/john/.wine";
WINEARCH = "win32"; WINEARCH = "win32";


@ -1,4 +1,3 @@
# use nix-build -E (import <system>/misc/wg-client-conf.nix {})
{ pkgs ? import <nixpkgs> { } { pkgs ? import <nixpkgs> { }
, address , address
, privateKey , privateKey


@ -1,8 +1,129 @@
{ ... }: { config, pkgs, lib, ... }:
let
cfg = config.local.programs.browsers;
hostAddress = "192.168.7.10";
localAddress = "192.168.7.11";
hostRunBrowser = pkgs.writeScript "run-browser" ''
host=browsers.containers
if [ -z "$(ssh-keygen -F $host)" ]; then
ssh-keyscan -H $host >> ~/.ssh/known_hosts
fi
ssh -o PubkeyAuthentication=no kira@$host $@
'';
contPackages =
lib.optional cfg.tor-browser.enable cfg.tor-browser.package
++ lib.optional cfg.librewolf.enable cfg.librewolf.package
++ lib.optional cfg.mullvad-browser.enable cfg.mullvad-browser.package;
hostPackages = lib.flip map contPackages (p:
pkgs.writeScriptBin "${p.meta.mainProgram}" ''
${hostRunBrowser} ${p.meta.mainProgram}
''
);
isEnable = cfg.tor-browser.enable
or cfg.librewolf.enable
or cfg.mullvad-browser.enable;
in
{ {
imports = [ imports = [
./tor-browser.nix ./tor-browser.nix
./mullvad-browser.nix ./mullvad-browser.nix
./librewolf.nix ./librewolf.nix
]; ];
config = lib.mkIf isEnable {
environment.systemPackages = hostPackages
++ lib.optional cfg.librewolf.enable cfg.librewolf.package;
hardware.pulseaudio = {
systemWide = true;
support32Bit = true;
tcp = {
enable = true;
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
};
};
networking = {
firewall = {
allowedTCPPorts = [ 4713 ];
trustedInterfaces = [ "ve-*" ];
};
nat = {
enable = true;
internalInterfaces = [ "ve-browsers" ];
externalInterface = "wg0";
};
};
containers.browsers = {
autoStart = true;
ephemeral = true;
privateNetwork = true;
inherit hostAddress localAddress;
bindMounts = lib.mkMerge [
{
"/tmp/.X11-unix" = { };
"/etc/ssh/keys" = {
isReadOnly = false;
hostPath = "/etc/ssh/per-machine/browsers";
};
"/home/kira/Downloads" = {
isReadOnly = false;
hostPath = "/home/jan/downloads/browser";
};
}
(lib.mkIf cfg.librewolf.enable {
"/home/kira/.librewolf" = {
isReadOnly = false;
hostPath = "/home/jan/.librewolf";
};
})
];
config = { pkgs, ... }: {
system.stateVersion = "23.11";
networking.hosts = config.networking.hosts;
services.openssh = {
enable = true;
settings.PasswordAuthentication = true;
hostKeys = [
{
bits = 4096;
path = "/etc/ssh/keys/ssh_host_rsa_key";
type = "rsa";
}
{
path = "/etc/ssh/keys/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
users.users.kira = {
isNormalUser = true;
home = "/home/kira";
password = "hello";
extraGroups = [ "pulse-access" ];
packages = contPackages;
};
environment.sessionVariables = {
DISPLAY = ":0";
PULSE_SERVER = "tcp:${hostAddress}:4713";
XAUTHORITY = "/home/kira/.Xauthority";
DBUS_SESSION_BUS_ADDRESS = "";
};
};
};
};
} }
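Review bot: `isEnable` in the `let` block uses `or`, which in Nix is the attribute-selection default operator rather than boolean disjunction, so `cfg.tor-browser.enable or cfg.librewolf.enable or cfg.mullvad-browser.enable` evaluates to just `cfg.tor-browser.enable` (the path always exists) and enabling only librewolf or mullvad-browser never activates the module; it should read `isEnable = cfg.tor-browser.enable || cfg.librewolf.enable || cfg.mullvad-browser.enable;`. Separately, the container's sshd sets `settings.PasswordAuthentication = true` for user `kira` whose password is the literal `"hello"`, and `hostRunBrowser` connects with `-o PubkeyAuthentication=no`, so any process on the host (or anything else routed onto the `ve-browsers` link) can obtain a shell in the container together with the host's `downloads/browser` and `.librewolf` bind mounts; the key-based `openssh.authorizedKeys.keys` approach the removed tor-browser module used, with `PasswordAuthentication = false`, is the safer replacement and the `PubkeyAuthentication=no` flag should go with it. `trustedInterfaces = [ "ve-*" ]` also trusts every container veth rather than only `ve-browsers` (and whether `*` is even honoured depends on the firewall backend; the iptables backend spells the wildcard `+`), while the global `allowedTCPPorts = [ 4713 ]` exposes PulseAudio on `wg0` and every other interface even though the trusted link already covers the container; `networking.firewall.interfaces."ve-browsers".allowedTCPPorts = [ 4713 ];` with the wildcard trust removed scopes both to the one link. Finally, `environment.systemPackages` receives both `cfg.librewolf.package` and the `hostPackages` wrapper named after its `meta.mainProgram`, so two `bin/librewolf` entries collide in the system path and which one wins is not obvious from the code.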


@ -1,7 +1,6 @@
{ config, pkgs, lib, inputs, ... }: { config, pkgs, lib, inputs, ... }:
let let
cfg = config.local.programs.browsers.librewolf;
isPassEnabled = config.local.programs.pass.enable; isPassEnabled = config.local.programs.pass.enable;
policiesJson = pkgs.callPackage ./policies.nix { policiesJson = pkgs.callPackage ./policies.nix {
@ -20,9 +19,6 @@ in
{ {
options.local.programs.browsers.librewolf = with lib; { options.local.programs.browsers.librewolf = with lib; {
enable = mkEnableOption "librewolf"; enable = mkEnableOption "librewolf";
}; package = mkPackageOption pkgs "librewolf" {} // { default = librewolf'; };
config = lib.mkIf cfg.enable {
environment.systemPackages = [ librewolf' ];
}; };
} }
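Review bot: The new `package` option is built as `mkPackageOption pkgs "librewolf" {} // { default = librewolf'; }`, which overrides only `default` and leaves the generated `defaultText` describing `pkgs.librewolf`, so the rendered option documentation misstates the actual default (the policy-wrapped `librewolf'`); the same construction appears in mullvad-browser.nix and tor-browser.nix. Declaring the option directly keeps text and value in agreement, e.g. `package = mkOption { type = types.package; default = librewolf'; defaultText = literalMD "librewolf wrapped with the module's policies.json"; };`. The `let` block that binds `librewolf'` lies outside the hunk.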


@ -1,8 +1,6 @@
{ config, pkgs, lib, inputs, ... }: { pkgs, lib, inputs, ... }:
let let
cfg = config.local.programs.browsers.mullvad-browser;
policiesJson = pkgs.callPackage ./policies.nix { policiesJson = pkgs.callPackage ./policies.nix {
firefoxAddons = inputs.firefox-addons.packages."${pkgs.system}"; firefoxAddons = inputs.firefox-addons.packages."${pkgs.system}";
withRedirectorAddon = true; withRedirectorAddon = true;
@ -21,9 +19,6 @@ in
{ {
options.local.programs.browsers.mullvad-browser = with lib; { options.local.programs.browsers.mullvad-browser = with lib; {
enable = mkEnableOption "mullvad-browser"; enable = mkEnableOption "mullvad-browser";
}; package = mkPackageOption pkgs "mullvad-browser" {} // { default = mullvadBrowser; };
config = lib.mkIf cfg.enable {
environment.systemPackages = [ mullvadBrowser ];
}; };
} }


@ -28,7 +28,7 @@ writeText "policies.json" (builtins.toJSON {
SearchEngines = { SearchEngines = {
Add = [ Add = [
{ {
Alias = "sx"; Alias = "@sx";
Name = "SearXNG"; Name = "SearXNG";
Description = "SearXNG a privacy-respecting, open metasearch engine"; Description = "SearXNG a privacy-respecting, open metasearch engine";
IconURL = "https://search.sapti.me/static/themes/simple/img/favicon.png"; IconURL = "https://search.sapti.me/static/themes/simple/img/favicon.png";
@ -36,28 +36,28 @@ writeText "policies.json" (builtins.toJSON {
} }
] ++ lib.optionals withAllSearchEngines [ ] ++ lib.optionals withAllSearchEngines [
{ {
Alias = "np"; Alias = "@np";
Name = "NixOS Packages"; Name = "NixOS Packages";
Description = "Search NixOS packages by name or description."; Description = "Search NixOS packages by name or description.";
IconURL = "https://nixos.org/favicon.png"; IconURL = "https://nixos.org/favicon.png";
URLTemplate = "https://search.nixos.org/packages?query={searchTerms}"; URLTemplate = "https://search.nixos.org/packages?query={searchTerms}";
} }
{ {
Alias = "no"; Alias = "@no";
Name = "NixOS Options"; Name = "NixOS Options";
Description = "Search NixOS options by name or description."; Description = "Search NixOS options by name or description.";
IconURL = "https://nixos.org/favicon.png"; IconURL = "https://nixos.org/favicon.png";
URLTemplate = "https://search.nixos.org/options?query={searchTerms}"; URLTemplate = "https://search.nixos.org/options?query={searchTerms}";
} }
{ {
Alias = "ng"; Alias = "@ng";
Name = "Noogle"; Name = "Noogle";
Description = "Search for nix functions by name."; Description = "Search for nix functions by name.";
IconURL = "https://noogle.dev/favicon.png"; IconURL = "https://noogle.dev/favicon.png";
URLTemplate = "https://noogle.dev/q?term={searchTerms}"; URLTemplate = "https://noogle.dev/q?term={searchTerms}";
} }
{ {
Alias = "hg"; Alias = "@hg";
Name = "Hoogle"; Name = "Hoogle";
Description = '' Description = ''
Hoogle is a Haskell API search engine, which allows you to Hoogle is a Haskell API search engine, which allows you to


@ -1,8 +1,6 @@
{ config, pkgs, lib, ... }: { pkgs, lib, ... }:
let let
cfg = config.local.programs.browsers.tor-browser;
policiesJson = pkgs.callPackage ./policies.nix { }; policiesJson = pkgs.callPackage ./policies.nix { };
torBrowser = (pkgs.tor-browser-bundle-bin.override { torBrowser = (pkgs.tor-browser-bundle-bin.override {
@ -18,95 +16,6 @@ in
{ {
options.local.programs.browsers.tor-browser = with lib; { options.local.programs.browsers.tor-browser = with lib; {
enable = mkEnableOption "tor-browser"; enable = mkEnableOption "tor-browser";
container = { package = mkPackageOption pkgs "tor-browser-bundle-bin" {} // { default = torBrowser; };
enable = mkEnableOption "tor-browser inside a container";
externalInterface = mkOption {
type = types.str;
default = "";
};
sshAuthorizedKeys = mkOption {
type = types.listOf types.str;
default = [ ];
};
};
};
config = lib.mkIf cfg.enable (lib.mkMerge [
(lib.mkIf (!cfg.container.enable) {
environment.systemPackages = [ torBrowser ];
})
(lib.mkIf cfg.container.enable (
let
hostRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
${pkgs.socat}/bin/socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
${pkgs.xorg.xhost}/bin/xhost +
ssh -X browser@192.168.7.11 tor-browser
${pkgs.xorg.xhost}/bin/xhost -
'';
clientRunTorBrowser = pkgs.writeScriptBin "tor-browser" ''
PULSE_SERVER=tcp:192.168.7.10:4713 \
XAUTHORITY="/home/browser/.Xauthority" \
DBUS_SESSION_BUS_ADDRESS="" \
DISPLAY=192.168.7.10:0.0 \
${pkgs.apulse}/bin/apulse ${torBrowser}/bin/tor-browser $@
'';
in
{
assertions = [
{
assertion = cfg.container.externalInterface != "";
message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `externalInterface` with Internet access";
}
{
assertion = cfg.container.sshAuthorizedKeys != [ ];
message = "The `tor-browser` module with the `isContainer` option enabled requires a non-empty `sshAuthorizedKeys` to connect to the container";
}
];
environment.systemPackages = [ hostRunTorBrowser ];
hardware.pulseaudio = {
systemWide = true;
support32Bit = true;
tcp = {
enable = true;
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.7.0/24" ];
};
};
networking = {
firewall.allowedTCPPorts = [ 4713 6000 ];
nat = {
enable = true;
internalInterfaces = [ "ve-browser" ];
externalInterface = cfg.container.externalInterface;
};
};
containers.browser = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.7.10";
localAddress = "192.168.7.11";
config = { ... }: {
system.stateVersion = "23.11";
services.openssh = {
enable = true;
settings.X11Forwarding = true;
};
users.extraUsers.browser = {
isNormalUser = true;
home = "/home/browser";
openssh.authorizedKeys.keys = cfg.container.sshAuthorizedKeys;
extraGroups = [ "pulse-access" ];
packages = [ clientRunTorBrowser ];
};
};
}; };
} }
))
]);
}
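Review bot: The removed `container.externalInterface` option and its non-empty assertion have no replacement: the container configuration that moved to browsers/default.nix hard-codes `nat.externalInterface = "wg0"`, so the module now assumes every host routes container traffic through an interface named `wg0`, and a host without one would presumably fail at NAT runtime rather than at evaluation as the old assertion did. Keeping a module option such as `externalInterface = mkOption { type = types.str; default = "wg0"; };` under `options.local.programs.browsers` and referencing it from the NAT block preserves that check while retaining the new default. Only the option declaration and the removed config are in this hunk; the `let` binding `torBrowser` continues outside it.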


@ -8,6 +8,20 @@ wg genkey > ./private
wg pubkey < ./private > ./public wg pubkey < ./private > ./public
``` ```
## Configuration
Then create QR code with configuration using the following command:
```sh
nix build -f ./misc/wg-client-conf.nix \
--argstr address "" \
--argstr dns "" \
--argstr privateKey "$(cat private)" \
--argstr serverPublicKey "" \
--argstr serverEndpoint ""
```
# References: # References:
- https://nixos.wiki/wiki/WireGuard - https://nixos.wiki/wiki/WireGuard