Tor Browser in a Container

From NixOS Wiki
Revision as of 12:12, 14 March 2019 by imported>Evrim

Tor Browser in a NixOS Container w/ Pulse, Media

Warning: This is a WIP.

Here are a few steps to run Tor Browser in a NixOS container.

A few programs are needed on the host beforehand. Install the following in your user profile:

nix-env -iA nixos.socat

Use the following container definition in configuration.nix, or derive your own.

  containers.browser = {
    autoStart = false;
    privateNetwork = true;            # own network namespace, reached only over the veth pair below
    hostAddress = "192.168.7.10";
    localAddress = "192.168.7.11";
    config = {config, pkgs, ... }: {
      services.openssh = {
        enable = true;
        forwardX11 = true;
      };

      users.extraUsers.browser = {
        isNormalUser = true;
        home = "/home/browser";
        openssh.authorizedKeys.keys = [ "SSH-KEYS-GO-HERE" ];   # replace with your public key(s)
        extraGroups = ["audio" "video"];
      };
    };
  };

Remember to fill in the SSH keys. The host also needs to open the ports and enable PulseAudio over TCP:

  # 4713 is the PulseAudio native protocol, 6000 is X display :0 over TCP (the socat proxy below).
  networking.firewall.allowedTCPPorts = [ 4713 6000 ];
  hardware.pulseaudio = {
    enable = true;
    systemWide = true;
    support32Bit = true;
    tcp = {
      enable = true;
      # accept unauthenticated clients only from localhost and the container network
      anonymousClients = { allowedIpRanges = ["127.0.0.1" "192.168.7.0/24"]; };
    };
  };

Then, follow the steps:

  1. Run the usual nixos-rebuild switch on the host; the container will be created.
  2. Start the container: nixos-container start browser
  3. Log in as root: nixos-container root-login browser
  4. Inside the container, update the channel: nix-channel --update
  5. Rebuild inside the container: nixos-rebuild switch

Now the container should be in a sane state to work in. Install the browser as the browser user:

[root@browser:~]$ su - browser
[browser@browser:~]$ nix repl
Welcome to Nix version 2.2. Type :? for help.

nix-repl> pkgs = import <nixpkgs> {}
nix-repl> :i pkgs.callPackage <nixpkgs/pkgs/applications/networking/browsers/tor-browser-bundle-bin> { mediaSupport = true; pulseaudioSupport = true; }
installing 'tor-browser-bundle-bin-8.0.6.drv'
nix-repl> 

Two scripts are needed, one on the host and one in the container. Put each in a ~/bin directory or any other directory on the PATH of the user that runs it; the guest script must be on the browser user's PATH, because ssh invokes it by name.

This run-tor-browser.sh is executed on the host.

#!/bin/sh
# Host side: proxy X display :0 on TCP 6000, bound only to the host-side address
# of the container link, so the guest (and nothing else) can reach the display.
socat -d TCP-LISTEN:6000,fork,bind=192.168.7.10 UNIX-CONNECT:/tmp/.X11-unix/X0 &
SOCAT_PID=$!
pax11publish -e   # publish the PulseAudio cookie in X root window properties
xhost +           # disables X access control entirely; the socat proxy is the only network path to the display
ssh -X browser@192.168.7.11 run-tor-browser.sh   # -X gives the guest an X connection for pax11publish -i
xhost -           # re-enable access control and stop the proxy once the session ends
kill "$SOCAT_PID"

This run-tor-browser.sh is executed in the container (guest).

#!/bin/sh
# Guest side: import the PulseAudio cookie the host published, then start the
# browser against the host's X display (via the socat proxy) and sound server.
pax11publish -i
PULSE_SERVER=tcp:192.168.7.10:4713 XAUTHORITY="/home/browser/.Xauthority" DBUS_SESSION_BUS_ADDRESS="" DISPLAY=192.168.7.10:0.0 apulse tor-browser "$@"
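Two things in this setup decide who can reach the display and the sound server: the firewall rule above opens 4713 and 6000 on every host interface (networking.firewall.allowedTCPPorts is not scoped to the container link; networking.firewall.interfaces."ve-browser".allowedTCPPorts would be, ve-browser being the host end of the veth pair NixOS creates for a container named browser), and xhost + in the host script drops X access control until xhost - is run. The host-side audit below is an added example, not part of this wiki page: it reads ss -ltn and xhost output and flags a watched port bound to a wildcard address, or an X server left open. The port list and the address check are assumptions taken from the configuration above.

```shell
#!/bin/sh
# Added host-side audit for the setup on this page (not part of the wiki page).
# It checks two things that decide who can reach the X proxy and PulseAudio:
#   1. the watched TCP ports are bound to a specific address, not to a wildcard
#      address reachable from every interface;
#   2. X access control is enabled (a leftover "xhost +" is noticed).
# Assumed values, taken from the configuration on this page:
WATCHED_PORTS="6000 4713"   # X proxy (socat) and PulseAudio native protocol

# Reads `ss -ltn` output on stdin. Prints one line per watched port bound to a
# wildcard address; exits 1 if any was found, 0 otherwise.
wildcard_listeners() {
    awk -v ports="$WATCHED_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)         # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)     # everything before it
            if ((port in watch) && (host == "0.0.0.0" || host == "*" || host == "[::]")) {
                print port " is bound to " host
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Reads `xhost` output on stdin. Exits 1 if the server reports access control
# disabled (the state "xhost +" leaves behind), 0 otherwise.
x_access_control_enabled() {
    ! grep -q '^access control disabled'
}

# Run the audit against the live host when invoked with --run:
#   ./audit.sh --run
if [ "${1:-}" = "--run" ]; then
    ss -ltn | wildcard_listeners || exit 1
    xhost | x_access_control_enabled || { echo "X access control is disabled; run: xhost -" >&2; exit 1; }
    echo "ok: watched ports are address-bound and X access control is enabled"
fi
```

The two functions take their input on stdin, so they can be fed captured output for testing as well as the live ss and xhost output; a non-zero exit from either is the signal to fix the binding or run xhost - before the next session.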