pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / programs / captive-browser.nix
at 21.11-pre 4.5 kB view raw
1{ config, lib, pkgs, ... }: 2 3with lib; 4let 5 cfg = config.programs.captive-browser; 6in 7{ 8 ###### interface 9 10 options = { 11 programs.captive-browser = { 12 enable = mkEnableOption "captive browser"; 13 14 package = mkOption { 15 type = types.package; 16 default = pkgs.captive-browser; 17 defaultText = "pkgs.captive-browser"; 18 description = "Which package to use for captive-browser"; 19 }; 20 21 interface = mkOption { 22 type = types.str; 23 description = "your public network interface (wlp3s0, wlan0, eth0, ...)"; 24 }; 25 26 # the options below are the same as in "captive-browser.toml" 27 browser = mkOption { 28 type = types.str; 29 default = concatStringsSep " " [ 30 ''${pkgs.chromium}/bin/chromium'' 31 ''--user-data-dir=''${XDG_DATA_HOME:-$HOME/.local/share}/chromium-captive'' 32 ''--proxy-server="socks5://$PROXY"'' 33 ''--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"'' 34 ''--no-first-run'' 35 ''--new-window'' 36 ''--incognito'' 37 ''-no-default-browser-check'' 38 ''http://cache.nixos.org/'' 39 ]; 40 description = '' 41 The shell (/bin/sh) command executed once the proxy starts. 42 When browser exits, the proxy exits. An extra env var PROXY is available. 43 44 Here, we use a separate Chrome instance in Incognito mode, so that 45 it can run (and be waited for) alongside the default one, and that 46 it maintains no state across runs. To configure this browser open a 47 normal window in it, settings will be preserved. 48 49 @volth: chromium is to open a plain HTTP (not HTTPS nor redirect to HTTPS!) website. 50 upstream uses http://example.com but I have seen captive portals whose DNS server resolves "example.com" to 127.0.0.1 51 ''; 52 }; 53 54 dhcp-dns = mkOption { 55 type = types.str; 56 description = '' 57 The shell (/bin/sh) command executed to obtain the DHCP 58 DNS server address. The first match of an IPv4 regex is used. 59 IPv4 only, because let's be real, it's a captive portal. 60 ''; 61 }; 62 63 socks5-addr = mkOption { 64 type = types.str; 65 default = "localhost:1666"; 66 description = "the listen address for the SOCKS5 proxy server"; 67 }; 68 69 bindInterface = mkOption { 70 default = true; 71 type = types.bool; 72 description = '' 73 Binds <package>captive-browser</package> to the network interface declared in 74 <literal>cfg.interface</literal>. This can be used to avoid collisions 75 with private subnets. 76 ''; 77 }; 78 }; 79 }; 80 81 ###### implementation 82 83 config = mkIf cfg.enable { 84 85 programs.captive-browser.dhcp-dns = 86 let 87 iface = prefix: 88 optionalString cfg.bindInterface (concatStringsSep " " (map escapeShellArg [ prefix cfg.interface ])); 89 in 90 mkOptionDefault ( 91 if config.networking.networkmanager.enable then 92 "${pkgs.networkmanager}/bin/nmcli dev show ${iface ""} | ${pkgs.gnugrep}/bin/fgrep IP4.DNS" 93 else if config.networking.dhcpcd.enable then 94 "${pkgs.dhcpcd}/bin/dhcpcd ${iface "-U"} | ${pkgs.gnugrep}/bin/fgrep domain_name_servers" 95 else if config.networking.useNetworkd then 96 "${cfg.package}/bin/systemd-networkd-dns ${iface ""}" 97 else 98 "${config.security.wrapperDir}/udhcpc --quit --now -f ${iface "-i"} -O dns --script ${ 99 pkgs.writeShellScript "udhcp-script" '' 100 if [ "$1" = bound ]; then 101 echo "$dns" 102 fi 103 ''}" 104 ); 105 106 security.wrappers.udhcpc = { 107 capabilities = "cap_net_raw+p"; 108 source = "${pkgs.busybox}/bin/udhcpc"; 109 }; 110 111 security.wrappers.captive-browser = { 112 capabilities = "cap_net_raw+p"; 113 source = pkgs.writeShellScript "captive-browser" '' 114 export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" '' 115 browser = """${cfg.browser}""" 116 dhcp-dns = """${cfg.dhcp-dns}""" 117 socks5-addr = """${cfg.socks5-addr}""" 118 ${optionalString cfg.bindInterface '' 119 bind-device = """${cfg.interface}""" 120 ''} 121 ''} 122 exec ${cfg.package}/bin/captive-browser 123 ''; 124 }; 125 }; 126}