# Privacy stack assets

This directory vendors the privacy-desktop infrastructure previously kept under `~/dotfiles` and makes it project-local.

Contents:
- `vendor/home-manager/...` — source copies of the original Home Manager modules/artifacts
- `secrets/secrets.yaml` — SOPS-encrypted secrets moved from dotfiles
- `.sops.yaml` — SOPS key policy moved from dotfiles
- `cultguard-chromium.ref` — historical filename for the pinned privacy-browser flake ref; it now points at `cultguard-chrome`

The runtime currently defaults to the browser package exposed by `cultguard-chrome`.
The ref filename stays unchanged for compatibility with existing local tooling.

Project-local runtime entrypoints are exposed through `devenv`:
- `privacy-profile-create`
- `privacy-profile-list`
- `privacy-profile-show`
- `privacy-profile-delete`
- `privacy-profile-attach`
- `privacy-profile-detach`
- `privacy-browser-up`
- `privacy-browser-down`
- `privacy-browser-status`
- `privacy-browser-test`
- `privacy-browser-test-all`
- `privacy-secrets-render`
- `sops-add-machine`

Typical flow:
1. `devenv up`
2. `devenv shell`
3. `privacy-profile-create analyst-1`
4. `privacy-profile-attach analyst-1 1`
5. `privacy-browser-test-all`
6. `privacy-browser-up --instance 1 --wg-config /path/to/mullvad.conf`

Notes:
- The packaged runtime does not force parallel desktops; instance/port/display selection is runtime-configurable.
- The packaged runtime does not expose CDP; it is browser + Mullvad + remote desktop only.
- The active unprivileged path uses `wireproxy`, which imports a Mullvad WireGuard config and exposes a local SOCKS5 proxy without namespaces or host routing changes.
- `privacy-browser-up` starts wireproxy, Xvfb, optional x11vnc, and the packaged Chromium with the SOCKS proxy forced into the browser automatically.
- `privacy-browser-test` and `privacy-browser-test-all` verify exits using the browser itself, not curl-over-SOCKS.
- Browser profiles are self-contained under `.devenv/state/privacy-stack/profiles/<name>`.
- `privacy-profile-attach <profile> <instance>` makes a numbered browser instance reuse the same persistent profile across runs.
- Older GotaTun/netns helpers still exist internally, but they are no longer exposed as the main workflow.
- Mullvad WireGuard configs are still supplied at runtime via `--wg-config` or `PRIVACY_MULLVAD_WG_CONFIG`.
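The notes above describe the unprivileged path in prose: wireproxy consumes a Mullvad WireGuard config, exposes a loopback SOCKS5 listener, and the browser is started with that proxy forced on. The following is an added illustration, not code from this repository or from wireproxy/Chromium, of what that wiring looks like and of the two checks worth making on it (the SOCKS listener is unauthenticated, so it must stay on loopback; and Chromium must not resolve names locally, or DNS leaks around the tunnel). The `[Socks5]`/`BindAddress` keys follow wireproxy's config format as I know it, the port-per-instance and profile-root conventions are assumptions for the sake of the example, and the WireGuard config is a constructed sample with placeholder keys.

```python
"""Added example (not the project's own code): render a wireproxy config from a
Mullvad WireGuard config and build the Chromium argv that forces all traffic,
DNS included, through the resulting loopback-only SOCKS5 listener."""
import ipaddress
from pathlib import Path

# Constructed sample of a Mullvad wg-quick config; key material is a placeholder.
SAMPLE_WG_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.64.1.2/32,fc00:bbbb:bbbb:bb01::1:2/128
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 192.0.2.10:51820
"""

# Assumed conventions (not the project's): one SOCKS port per numbered instance,
# and profiles kept under the path the README names.
SOCKS_BASE_PORT = 1080
PROFILE_ROOT = Path(".devenv/state/privacy-stack/profiles")


def parse_ini(text):
    """Minimal parser for the wg-quick/wireproxy INI dialect -> {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def socks_port(instance):
    """Port the SOCKS5 listener of a given browser instance binds to (assumed scheme)."""
    return SOCKS_BASE_PORT + int(instance)


def render_wireproxy_conf(wg_text, instance):
    """Convert a Mullvad WireGuard config into a wireproxy config with a loopback SOCKS5 listener."""
    cfg = parse_ini(wg_text)
    iface, peer = cfg.get("Interface", {}), cfg.get("Peer", {})
    required = ((iface, ("PrivateKey", "Address", "DNS")),
                (peer, ("PublicKey", "Endpoint", "AllowedIPs")))
    for section, keys in required:
        missing = [k for k in keys if k not in section]
        if missing:
            raise ValueError(f"WireGuard config is missing {missing}")
    return (
        "[Interface]\n"
        f"PrivateKey = {iface['PrivateKey']}\n"
        f"Address = {iface['Address']}\n"
        f"DNS = {iface['DNS']}\n\n"
        "[Peer]\n"
        f"PublicKey = {peer['PublicKey']}\n"
        f"Endpoint = {peer['Endpoint']}\n"
        f"AllowedIPs = {peer['AllowedIPs']}\n\n"
        "[Socks5]\n"
        f"BindAddress = 127.0.0.1:{socks_port(instance)}\n"
    )


def check_socks_loopback(wireproxy_text):
    """True only if the SOCKS5 listener binds a loopback address with a valid port.

    The listener has no authentication, so anything else exposes the tunnel to the LAN."""
    bind = parse_ini(wireproxy_text).get("Socks5", {}).get("BindAddress", "")
    host, _, port = bind.rpartition(":")
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback and 0 < int(port) < 65536
    except ValueError:
        return False


def chromium_argv(instance, profile_name, binary="chromium"):
    """Chromium flags pinning every connection and every DNS lookup to the SOCKS5 proxy."""
    port = socks_port(instance)
    return [
        binary,
        f"--user-data-dir={PROFILE_ROOT / profile_name}",
        f"--proxy-server=socks5://127.0.0.1:{port}",
        # Without this rule Chromium may resolve hostnames locally, leaking DNS outside the tunnel.
        "--host-resolver-rules=MAP * ~NOTFOUND , EXCLUDE 127.0.0.1",
    ]


if __name__ == "__main__":
    conf = render_wireproxy_conf(SAMPLE_WG_CONF, 1)
    print(conf)
    print("loopback-only:", check_socks_loopback(conf))
    print(" ".join(chromium_argv(1, "analyst-1")))
```

`check_socks_loopback` is the kind of assertion `privacy-browser-test` could run before declaring an instance healthy: a listener on `0.0.0.0` would still pass an exit-IP check from the browser while handing an open, unauthenticated VPN proxy to everything on the local network.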
