Tor Browser in a Container: Difference between revisions

From NixOS Wiki
← Older edit
VisualWikitext
Klinger (talk | contribs)
trusted
717 edits
Layer-09 (talk | contribs)
78 edits
mNo edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
Here are a few steps to run Tor Browser in NixOS Container w/ Pulse, Media Support. Most of the time, ssh -X would have sufficed. Nevertheless, to route audio, the following is required.


<syntaxhighlight lang="nix" start="3">
containers.browser = {
  autoStart = false;
  privateNetwork = true;
  hostAddress = "192.168.7.10";
  localAddress = "192.168.7.11";
  config = {config, pkgs, ... }: {
    services.openssh = {
      enable = true;
      forwardX11 = true;
    };


Here are a few steps to run Tor Browser in NixOS Container w/ Pulse, Media Support. Most of the time, <code>ssh -X</code> would have sufficed. Nevertheless, to route audio, the following is required. There is, probably, an easier way; but I am not aware of it.
     users.extraUsers.browser = {
 
      isNormalUser = true;
Need a few programs beforehand. Install the followings in your user profile.
      home = "/home/browser";
 
      openssh.authorizedKeys.keys = [ SSH-KEYS-GO-HERE ];
<pre>
      extraGroups = ["audio" "video"];
nix-env -iA nixos.socat
</pre>
 
Use the following container conf in <code>configuration.nix</code> or derive your own.
 
<pre>
  containers.browser = {
    autoStart = false;
    privateNetwork = true;
    hostAddress = "192.168.7.10";
    localAddress = "192.168.7.11";
     config = {config, pkgs, ... }: {
      services.openssh = {
        enable = true;
        forwardX11 = true;
      };
 
      users.extraUsers.browser = {
        isNormalUser = true;
        home = "/home/browser";
        openssh.authorizedKeys.keys = [ SSH-KEYS-GO-HERE ];
        extraGroups = ["audio" "video"];
      };
     };
     };
   };
   };
</pre>
};


Mind to fill the SSH keys in. Need to open up ports and pulse audio also:
# Open necessary ports
<pre>
networking.firewall.allowedTCPPorts = [ 4713 6000 ];
  networking.firewall.allowedTCPPorts = [ 4713 6000 ];
hardware.pulseaudio = {
  hardware.pulseaudio = {
  enable = true;
    enable = true;
  systemWide = true;
    systemWide = true;
  support32Bit = true;
    support32Bit = true;
  tcp = { enable = true; anonymousClients = { allowedIpRanges = ["127.0.0.1" "192.168.7.0/24"]; }; };
    tcp = { enable = true; anonymousClients = { allowedIpRanges = ["127.0.0.1" "192.168.7.0/24"]; }; };
};
  };
</pre>


Also, configuring NAT is necessary:
# Configuring NAT
<pre>
networking.nat.enable = true;
  networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-browser"];
  networking.nat.internalInterfaces = ["ve-browser"];
networking.nat.externalInterface = "YOUR-EXTERNAL-INTERFACE";
  networking.nat.externalInterface = "YOUR-EXTERNAL-INTERFACE";
</pre>


# Depending on your use of global or home configuration, you will have to install "socat"
environment.systemPackages = [
  pkgs.socat
];
</syntaxhighlight>


Then, follow the steps:
Mind to fill the SSH keys in. Then, follow the steps:


# Do a usual <code>nixos-rebuild switch</code> and container will be created.
<syntaxhighlight lang="bash">
# Run the container <code>nixos-container start browser</code>.
nixos-rebuild switch
# Root login <code>nixos-container root-login browser</code>
# Update <code>nix-channel --update </code>
# Switch <code> nixos-rebuild switch</code>


nixos-container start browser # switch "start" with "root-login" for root
</syntaxhighlight>


Now the container should be in a sane state to work on. Install the browser and apulse:
Now the container should be in a sane state to work on. Install the browser and apulse:
<pre>
 
<syntaxhighlight lang="bash">
[root@browser:~]$ su - browser
[root@browser:~]$ su - browser
[browser@browser:~]$ nix repl
[browser@browser:~]$ nix repl
Welcome to Nix version 2.2. Type :? for help.
Welcome to Nix version 2.2. Type :? for help.


nix-repl> pkgs = import <nixpkgs> {}                                                                                                                  
nix-repl> pkgs = import <nixpkgs> {}
nix-repl> :i pkgs.callPackage <nixpkgs/pkgs/applications/networking/browsers/tor-browser-bundle-bin> { mediaSupport = true; pulseaudioSupport = true; }
nix-repl> :i pkgs.callPackage <nixpkgs/pkgs/applications/networking/browsers/tor-browser-bundle-bin> { mediaSupport = true; pulseaudioSupport = true; }
installing 'tor-browser-bundle-bin-8.0.6.drv'
installing 'tor-browser-bundle-bin-8.0.6.drv'
nix-repl> :i pkgs.callPackage <nixpkgs/pkgs/misc/apulse> {}  
nix-repl> :i pkgs.callPackage <nixpkgs/pkgs/misc/apulse> {}
installing 'apulse-0.1.11.1.drv'
installing 'apulse-0.1.11.1.drv'
these paths will be fetched (0.04 MiB download, 0.20 MiB unpacked):
these paths will be fetched (0.04 MiB download, 0.20 MiB unpacked):
Line 77: Line 67:
building '/nix/store/r00d47r40v7mhblly9rqas434x2d53js-user-environment.drv'...
building '/nix/store/r00d47r40v7mhblly9rqas434x2d53js-user-environment.drv'...
created 121 symlinks in user environment
created 121 symlinks in user environment
nix-repl>  
nix-repl>
</pre>
 
</syntaxhighlight>
 
The following two scripts are needed. Put them in ~/bin or any other directory included in the path.


The following two scripts are needed. Put them in <code>~/bin</code> or any other directory included in the path.
<syntaxhighlight lang="bash">
# run-tor-browser.sh (executed by the host)


This <code>run-tor-browser.sh</code> is executed by the host.
<pre>
#!/bin/sh
#!/bin/sh
socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
xhost +
xhost +
ssh -X browser@192.168.7.11 run-tor-browser.sh
ssh -X browser@192.168.7.11 run-tor-browser.sh
</pre>
</syntaxhighlight>
 
<syntaxhighlight lang="bash">
# run-tor-browser.sh (executed in the container (guest) by the previous one executed on the host)


This <code>run-tor-browser.sh</code> is executed in the container (guest) by the previous one executed on the host.
<pre>
#!/bin/sh
#!/bin/sh
PULSE_SERVER=tcp:192.168.7.10:4713 XAUTHORITY="/home/browser/.Xauthority" DBUS_SESSION_BUS_ADDRESS="" DISPLAY=192.168.7.10:0.0 apulse tor-browser $@
PULSE_SERVER=tcp:192.168.7.10:4713 XAUTHORITY="/home/browser/.Xauthority" DBUS_SESSION_BUS_ADDRESS="" DISPLAY=192.168.7.10:0.0 apulse tor-browser $@
</pre>
</syntaxhighlight>


That's it.  
Now you should be able to run the browser in a container and have media and audio support. Alternatively, you could use Xpra over SSH


Now you should be able to run the browser in a container and have media and audio support.
<syntaxhighlight lang="bash">
 
Alternatively, you could use Xpra over SSH
<pre>
xpra start ssh://browser@192.168.7.11/ --start=tor-browser
xpra start ssh://browser@192.168.7.11/ --start=tor-browser
</pre>
</syntaxhighlight>
 
 
Have a nice day.


[[Category:Cookbook]]
[[Category:Cookbook]]

Latest revision as of 11:35, 6 July 2024

Here are a few steps to run Tor Browser in NixOS Container w/ Pulse, Media Support. Most of the time, ssh -X would have sufficed. Nevertheless, to route audio, the following is required. 

containers.browser = {
  autoStart = false;
  privateNetwork = true;
  hostAddress = "192.168.7.10";
  localAddress = "192.168.7.11";
  config = {config, pkgs, ... }: {
    services.openssh = {
      enable = true;
      forwardX11 = true;
    };

    users.extraUsers.browser = {
      isNormalUser = true;
      home = "/home/browser";
      openssh.authorizedKeys.keys = [ SSH-KEYS-GO-HERE ];
      extraGroups = ["audio" "video"];
    };
  };
};

# Open necessary ports
networking.firewall.allowedTCPPorts = [ 4713 6000 ];
hardware.pulseaudio = {
  enable = true;
  systemWide = true;
  support32Bit = true;
  tcp = { enable = true; anonymousClients = { allowedIpRanges = ["127.0.0.1" "192.168.7.0/24"]; }; };
};

# Configuring NAT
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-browser"];
networking.nat.externalInterface = "YOUR-EXTERNAL-INTERFACE";

# Depending on your use of global or home configuration, you will have to install "socat"
environment.systemPackages = [
  pkgs.socat
];

Mind to fill the SSH keys in. Then, follow the steps: 

nixos-rebuild switch

nixos-container start browser # switch "start" with "root-login" for root

Now the container should be in a sane state to work on. Install the browser and apulse: 

[root@browser:~]$ su - browser
[browser@browser:~]$ nix repl
Welcome to Nix version 2.2. Type :? for help.

nix-repl> pkgs = import <nixpkgs> {}
nix-repl> :i pkgs.callPackage <nixpkgs/pkgs/applications/networking/browsers/tor-browser-bundle-bin> { mediaSupport = true; pulseaudioSupport = true; }
installing 'tor-browser-bundle-bin-8.0.6.drv'
nix-repl> :i pkgs.callPackage <nixpkgs/pkgs/misc/apulse> {}
installing 'apulse-0.1.11.1.drv'
these paths will be fetched (0.04 MiB download, 0.20 MiB unpacked):
  /nix/store/mi6kyfjymb3bdpwic3hy9y64hv21hflc-apulse-0.1.11.1
copying path '/nix/store/mi6kyfjymb3bdpwic3hy9y64hv21hflc-apulse-0.1.11.1' from 'https://cache.nixos.org'...
building '/nix/store/r00d47r40v7mhblly9rqas434x2d53js-user-environment.drv'...
created 121 symlinks in user environment
nix-repl>

The following two scripts are needed. Put them in ~/bin or any other directory included in the path. 

# run-tor-browser.sh (executed by the host)

#!/bin/sh
socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
xhost +
ssh -X browser@192.168.7.11 run-tor-browser.sh

# run-tor-browser.sh (executed in the container (guest) by the previous one executed on the host)

#!/bin/sh
PULSE_SERVER=tcp:192.168.7.10:4713 XAUTHORITY="/home/browser/.Xauthority" DBUS_SESSION_BUS_ADDRESS="" DISPLAY=192.168.7.10:0.0 apulse tor-browser $@

Now you should be able to run the browser in a container and have media and audio support. Alternatively, you could use Xpra over SSH 

xpra start ssh://browser@192.168.7.11/ --start=tor-browser
Retrieved from "https://wiki.nixos.org/w/index.php?title=Tor_Browser_in_a_Container&oldid=13743"